Session

session

The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.

Attributes

CaptionNameTypeDescription
CountcountInteger

The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.

Created Timecreated_timeTimestamp

The time when the session was created.

User Credential IDcredential_uidString

Entity:USER_CREDENTIAL_ID
The unique identifier of the user's credential. For example, AWS Access Key ID.

Expiration Reasonexpiration_reasonString

The reason which triggered the session expiration.

Expiration Timeexpiration_timeTimestamp

The session expiration time.

Multi Factor Authenticationis_mfaBoolean

Indicates whether Multi Factor Authentication was used during authentication.

Remoteis_remoteBoolean

The indication of whether the session is remote.

VPN Sessionis_vpnBoolean

The indication of whether the session is a VPN session.

Issuer DetailsissuerString

The identifier of the session issuer.

Raw Dataraw_dataJSON

Group:context
The event data as received from the event source.

Record IDrecord_idString

Group:primary
Unique identifier for the object

TerminalterminalString

The Pseudo Terminal associated with the session. Ex: the tty or pts value.

Unique IDuidString

The unique identifier of the session.

Alternate IDuid_altString

The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.

UnmappedunmappedUnmapped[]

Data from the source that was not mapped into the schema.

UUIDuuidUUID

The universally unique identifier of the session.

Relationships

Session shown in context

Inbound Relationships

These objects and events reference Session in their attributes:

Outbound Relationships

Session references the following objects and events in its attributes:

This page describes ocsf-1.4.0