Session
The Session object describes details about an authenticated session, e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Count | count | Integer | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. |
Created Time | created_time | Timestamp | The time when the session was created. |
User Credential ID | credential_uid | String | The unique identifier of the user's credential. For example, AWS Access Key ID. |
Expiration Reason | expiration_reason | String | The reason which triggered the session expiration. |
Expiration Time | expiration_time | Timestamp | The session expiration time. |
Multi Factor Authentication | is_mfa | Boolean | Indicates whether Multi Factor Authentication was used during authentication. |
Remote | is_remote | Boolean | The indication of whether the session is remote. |
VPN Session | is_vpn | Boolean | The indication of whether the session is a VPN session. |
Issuer Details | issuer | String | The identifier of the session issuer. |
Multi Factor Authentication | mfa | Boolean | The Multi Factor Authentication was used during authentication. |
Raw Data | raw_data | JSON | The event data as received from the event source. |
Record ID | record_id | String | Unique identifier for the object |
Terminal | terminal | String | The Pseudo Terminal associated with the session. Ex: the tty or pts value. |
Unique ID | uid | String | The unique identifier of the session. |
Alternate ID | uid_alt | String | The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. |
Unmapped Data | unmapped | Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
UUID | uuid | UUID | The universally unique identifier of the session. |
Relationships
Inbound Relationships
These objects and events reference Session in their attributes:
- Network Connection Information
- Linux Process
- User Session Query
- Tunnel Activity
- Actor
- Authorize Session
- Authentication
Outbound Relationships
Session references the following objects and events in its attributes:
This page describes qdm-1.3.2+ocsf-1.3.0