Session
session
The Session object describes details about an authenticated session, e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session.
Attributes
Caption | Name | Type | Is Array | Default | Description |
---|---|---|---|---|---|
Count | count | Integer | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. | ||
Created Time | created_time | Timestamp | The time when the session was created. | ||
User Credential ID | credential_uid | String | The unique identifier of the user's credential. For example, AWS Access Key ID (the key's identifier, not the secret access key). | ||
Expiration Reason | expiration_reason | String | The reason which triggered the session expiration. | ||
Expiration Time | expiration_time | Timestamp | The session expiration time. | ||
Multi Factor Authentication | is_mfa | Boolean | Indicates whether Multi Factor Authentication was used during authentication. | ||
Remote | is_remote | Boolean | The indication of whether the session is remote. | ||
VPN Session | is_vpn | Boolean | The indication of whether the session is a VPN session. | ||
Issuer Details | issuer | String | The identifier of the session issuer. | ||
Multi Factor Authentication | mfa | Boolean | Indicates whether Multi Factor Authentication was used during authentication. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0. The non-deprecated is_mfa attribute in this table carries the same caption. | ||
Raw Data | raw_data | JSON | The event data as received from the event source. | ||
Record ID | record_id | String | Unique identifier for the object | ||
Terminal | terminal | String | The Pseudo Terminal associated with the session. Ex: the tty or pts value. | ||
Unique ID | uid | String | The unique identifier of the session. | ||
Alternate ID | uid_alt | String | The alternate unique identifier of the session, e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. | ||
Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||
UUID | uuid | UUID | The universally unique identifier of the session. |
JSON
{
"caption": "Session",
"description": "The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Session/'>d3f:Session</a>.",
"extends": "object",
"name": "session",
"attributes": {
"count": {
"description": "The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.",
"requirement": "optional",
"caption": "Count",
"type": "integer_t"
},
"created_time": {
"description": "The time when the session was created.",
"requirement": "recommended",
"caption": "Created Time",
"type": "timestamp_t"
},
"credential_uid": {
"requirement": "optional",
"caption": "User Credential ID",
"description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
"type": "string_t"
},
"expiration_time": {
"description": "The session expiration time.",
"requirement": "optional",
"caption": "Expiration Time",
"type": "timestamp_t"
},
"expiration_reason": {
"description": "The reason which triggered the session expiration.",
"requirement": "optional",
"caption": "Expiration Reason",
"type": "string_t"
},
"is_remote": {
"requirement": "recommended",
"caption": "Remote",
"description": "The indication of whether the session is remote.",
"type": "boolean_t"
},
"is_mfa": {
"requirement": "optional",
"caption": "Multi Factor Authentication",
"description": "Indicates whether Multi Factor Authentication was used during authentication.",
"type": "boolean_t"
},
"is_vpn": {
"requirement": "optional",
"caption": "VPN Session",
"description": "The indication of whether the session is a VPN session.",
"type": "boolean_t"
},
"issuer": {
"description": "The identifier of the session issuer.",
"requirement": "recommended",
"caption": "Issuer Details",
"type": "string_t"
},
"terminal": {
"description": "The Pseudo Terminal associated with the session. Ex: the tty or pts value.",
"requirement": "optional",
"caption": "Terminal",
"type": "string_t"
},
"uid": {
"description": "The unique identifier of the session.",
"requirement": "recommended",
"caption": "Unique ID",
"type": "string_t"
},
"uid_alt": {
"description": "The alternate unique identifier of the session. e.g. AWS ARN - <code>arn:aws:sts::123344444444:assumed-role/Admin/example-session</code>.",
"requirement": "optional",
"caption": "Alternate ID",
"type": "string_t"
},
"uuid": {
"description": "The universally unique identifier of the session.",
"requirement": "optional",
"caption": "UUID",
"type": "uuid_t"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
},
"mfa": {
"requirement": "optional",
"caption": "Multi Factor Authentication",
"description": "The Multi Factor Authentication was used during authentication.",
"type": "boolean_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
}
}
}