Session
session
The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Count | count | Integer | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. |
| Created Time | created_time | Timestamp | The time when the session was created. |
| User Credential ID | credential_uid | String | Entity: |
| Expiration Reason | expiration_reason | String | The reason which triggered the session expiration. |
| Expiration Time | expiration_time | Timestamp | The session expiration time. |
| Multi Factor Authentication | is_mfa | Boolean | Indicates whether Multi Factor Authentication was used during authentication. |
| Remote | is_remote | Boolean | The indication of whether the session is remote. |
| VPN Session | is_vpn | Boolean | The indication of whether the session is a VPN session. |
| Issuer Details | issuer | String | The identifier of the session issuer. |
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| Terminal | terminal | String | The Pseudo Terminal associated with the session. Ex: the tty or pts value. |
| Unique ID | uid | String | The unique identifier of the session. |
| Alternate ID | uid_alt | String | The alternate unique identifier of the session. e.g. AWS ARN - |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| UUID | uuid | UUID | The universally unique identifier of the session. |
Relationships
Inbound Relationships
These objects and events reference Session in their attributes:
- Actor
- Authorize Session
- Linux Process
- Tunnel Activity
- Authentication
- User Session Query
- Network Connection Information
Outbound Relationships
Session references the following objects and events in its attributes:
This page describes ocsf-1.4.0
Updated 17 days ago