Session

session

The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.

Attributes

Caption	Name	Type	Description
Count	`count`	Integer	The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
Created Time	`created_time`	Timestamp	The time when the session was created.
User Credential ID	`credential_uid`	String	Entity:`USER_CREDENTIAL_ID` The unique identifier of the user's credential. For example, AWS Access Key ID.
Expiration Reason	`expiration_reason`	String	The reason which triggered the session expiration.
Expiration Time	`expiration_time`	Timestamp	The session expiration time.
Multi Factor Authentication	`is_mfa`	Boolean	Indicates whether Multi Factor Authentication was used during authentication.
Remote	`is_remote`	Boolean	The indication of whether the session is remote.
VPN Session	`is_vpn`	Boolean	The indication of whether the session is a VPN session.
Issuer Details	`issuer`	String	The identifier of the session issuer.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Terminal	`terminal`	String	The Pseudo Terminal associated with the session. Ex: the tty or pts value.
Unique ID	`uid`	String	The unique identifier of the session.
Alternate ID	`uid_alt`	String	The alternate unique identifier of the session. e.g. AWS ARN - `arn:aws:sts::123344444444:assumed-role/Admin/example-session`.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
UUID	`uuid`	UUID	The universally unique identifier of the session.

Relationships

Inbound Relationships

These objects and events reference Session in their attributes:

Outbound Relationships

Session references the following objects and events in its attributes:

Unmapped

This page describes ocsf-1.4.0