Session
session
The Session object describes details about an authenticated session, e.g. Session Creation Time, Session Issuer.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Count | count | Integer | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. |
Created Time | created_time | Timestamp | The time when the session was created. |
User Credential ID | credential_uid | String | Entity: |
Expiration Reason | expiration_reason | String | The reason which triggered the session expiration. |
Expiration Time | expiration_time | Timestamp | The session expiration time. |
Multi Factor Authentication | is_mfa | Boolean | Indicates whether Multi Factor Authentication was used during authentication. |
Remote | is_remote | Boolean | The indication of whether the session is remote. |
VPN Session | is_vpn | Boolean | The indication of whether the session is a VPN session. |
Issuer Details | issuer | String | The identifier of the session issuer. |
Raw Data | raw_data | JSON | Group: |
Record ID | record_id | String | Group: |
Terminal | terminal | String | The Pseudo Terminal associated with the session. Ex: the tty or pts value. |
Unique ID | uid | String | The unique identifier of the session. |
Alternate ID | uid_alt | String | The alternate unique identifier of the session. e.g. AWS ARN - |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
UUID | uuid | UUID | The universally unique identifier of the session. |
Relationships
Inbound Relationships
These objects and events reference Session in their attributes:
- Actor
- Authorize Session
- Linux Process
- Tunnel Activity
- Authentication
- User Session Query
- Network Connection Information
Outbound Relationships
Session references the following objects and events in its attributes:
This page describes ocsf-1.4.0