Class: AuthenticationToken
The Authentication Token object extends the base token object and
represents standardized authentication tokens, tickets, or assertions that
conform to established authentication protocols such as Kerberos, OIDC, and
SAML. This object inherits all attributes from token and adds
protocol-specific attributes (e.g., kerberos_flags,
encryption_details) for authentication events. Use this object in
authentication events to represent protocol-specific tokens: Kerberos Ticket
Granting Tickets (TGT) and Service Tickets (ST), OIDC Identity Tokens and
Refresh Tokens, and SAML Assertions. These tokens are issued by authentication
servers and identity providers and carry protocol-specific metadata, lifecycle
information, and security attributes defined by their respective
specifications.

When to use this object: Use authentication_token
when representing protocol-specific authentication tokens (type_id values 1-5:
Kerberos TGT/ST, OIDC ID/Refresh tokens, SAML assertions) in authentication
events.

When NOT to use this object: Do NOT use
authentication_token for API tokens or client tokens (type_id
values 6-7) used in API activity events - use the base token
object instead. Do NOT use authentication_token for generic API
keys - use the base token object instead.
classDiagram
class AuthenticationToken
click AuthenticationToken href "../AuthenticationToken/"
Token <|-- AuthenticationToken
click Token href "../Token/"
AuthenticationToken : created_time
AuthenticationToken : encryption_details
AuthenticationToken --> "0..1 _recommended_" EncryptionDetails : encryption_details
click EncryptionDetails href "../EncryptionDetails/"
AuthenticationToken : expiration_time
AuthenticationToken : is_renewable
AuthenticationToken : kerberos_flags
AuthenticationToken : modified_time
AuthenticationToken : name
AuthenticationToken : tenant_uid
AuthenticationToken : type
AuthenticationToken : type_id
AuthenticationToken --> "0..1 _recommended_" AuthenticationTokenTypeIdEnum : type_id
click AuthenticationTokenTypeIdEnum href "../AuthenticationTokenTypeIdEnum/"
AuthenticationToken : uid
AuthenticationToken : zone
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| created_time | 0..1 recommended TimestampT | The time that the authentication token was created or issued | direct |
| encryption_details | 0..1 recommended EncryptionDetails | The encryption details of the authentication token | direct |
| expiration_time | 0..1 TimestampT | The expiration time of the authentication token | direct |
| is_renewable | 0..1 Boolean | Indicates whether the authentication token is renewable | direct |
| kerberos_flags | 0..1 recommended String | A bitmask, either in hexadecimal or decimal form, which encodes various attributes or permissions associated with a Kerberos ticket | direct |
| type | 0..1 recommended String | The type of the authentication token | direct |
| type_id | 0..1 recommended AuthenticationTokenTypeIdEnum | The normalized authentication token type identifier | direct |
| modified_time | 0..1 TimestampT | The last time the token was updated | Token |
| name | 0..1 String | The human-friendly name of a token or key, if available, such as the name from the Okta API Token API | Token |
| tenant_uid | 0..1 String | The unique identifier of the tenant or organization that owns the token or key, or the tenant context in which the token is authorized for use | Token |
| uid | 0..1 String | The unique ID of a token or key, if available, such as the Secret ID of Entra ID Application Registration Client Secrets | Token |
| zone | 0..1 String | The network zone or geographic region that the token or key is authorized to be used from | Token |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Authentication | authentication_token | range | AuthenticationToken |
In Subsets
Aliases
- Authentication Token
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:AuthenticationToken |
| native | ocsf:AuthenticationToken |
LinkML Source
Direct
name: AuthenticationToken
description: 'The Authentication Token object extends the base <code>token</code>
object and
represents standardized authentication tokens, tickets, or assertions that
conform to established authentication protocols such as Kerberos, OIDC, and
SAML. This object inherits all attributes from <code>token</code> and adds
protocol-specific attributes (e.g., <code>kerberos_flags</code>,
<code>encryption_details</code>) for authentication events. Use this object in
authentication events to represent protocol-specific tokens: Kerberos Ticket
Granting Tickets (TGT) and Service Tickets (ST), OIDC Identity Tokens and
Refresh Tokens, and SAML Assertions. These tokens are issued by authentication
servers and identity providers and carry protocol-specific metadata, lifecycle
information, and security attributes defined by their respective
specifications. When to use this object: Use <code>authentication_token</code>
when representing protocol-specific authentication tokens (type_id values 1-5:
Kerberos TGT/ST, OIDC ID/Refresh tokens, SAML assertions) in authentication
events. When NOT to use this object: Do NOT use
<code>authentication_token</code> for API tokens or client tokens (type_id
values 6-7) used in API activity events - use the base <code>token</code>
object instead. Do NOT use <code>authentication_token</code> for generic API
keys - use the base <code>token</code> object instead.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Authentication Token
is_a: Token
slots:
- created_time
- encryption_details
- expiration_time
- is_renewable
- kerberos_flags
- type
- type_id
slot_usage:
created_time:
name: created_time
description: 'The time that the authentication token was created or issued. This
corresponds
to the token issuance time, such as the <code>iat</code> (issued at) claim in
OIDC tokens, the issue instant in SAML assertions, or the ticket start time
in
Kerberos tickets.'
recommended: true
encryption_details:
name: encryption_details
description: The encryption details of the authentication token.
recommended: true
expiration_time:
name: expiration_time
description: The expiration time of the authentication token.
is_renewable:
name: is_renewable
description: Indicates whether the authentication token is renewable.
kerberos_flags:
name: kerberos_flags
recommended: true
type:
name: type
description: The type of the authentication token.
recommended: true
type_id:
name: type_id
description: 'The normalized authentication token type identifier. This attribute
restricts
the base <code>token.type_id</code> enum to only protocol-specific
authentication token types (values 0, 1-5, 99). API tokens and client tokens
(values 6-7) are not valid for <code>authentication_token</code> - use the base
<code>token</code> object for those types.'
range: AuthenticationTokenTypeIdEnum
recommended: true
Induced
name: AuthenticationToken
description: 'The Authentication Token object extends the base <code>token</code>
object and
represents standardized authentication tokens, tickets, or assertions that
conform to established authentication protocols such as Kerberos, OIDC, and
SAML. This object inherits all attributes from <code>token</code> and adds
protocol-specific attributes (e.g., <code>kerberos_flags</code>,
<code>encryption_details</code>) for authentication events. Use this object in
authentication events to represent protocol-specific tokens: Kerberos Ticket
Granting Tickets (TGT) and Service Tickets (ST), OIDC Identity Tokens and
Refresh Tokens, and SAML Assertions. These tokens are issued by authentication
servers and identity providers and carry protocol-specific metadata, lifecycle
information, and security attributes defined by their respective
specifications. When to use this object: Use <code>authentication_token</code>
when representing protocol-specific authentication tokens (type_id values 1-5:
Kerberos TGT/ST, OIDC ID/Refresh tokens, SAML assertions) in authentication
events. When NOT to use this object: Do NOT use
<code>authentication_token</code> for API tokens or client tokens (type_id
values 6-7) used in API activity events - use the base <code>token</code>
object instead. Do NOT use <code>authentication_token</code> for generic API
keys - use the base <code>token</code> object instead.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Authentication Token
is_a: Token
slot_usage:
created_time:
name: created_time
description: 'The time that the authentication token was created or issued. This
corresponds
to the token issuance time, such as the <code>iat</code> (issued at) claim in
OIDC tokens, the issue instant in SAML assertions, or the ticket start time
in
Kerberos tickets.'
recommended: true
encryption_details:
name: encryption_details
description: The encryption details of the authentication token.
recommended: true
expiration_time:
name: expiration_time
description: The expiration time of the authentication token.
is_renewable:
name: is_renewable
description: Indicates whether the authentication token is renewable.
kerberos_flags:
name: kerberos_flags
recommended: true
type:
name: type
description: The type of the authentication token.
recommended: true
type_id:
name: type_id
description: 'The normalized authentication token type identifier. This attribute
restricts
the base <code>token.type_id</code> enum to only protocol-specific
authentication token types (values 0, 1-5, 99). API tokens and client tokens
(values 6-7) are not valid for <code>authentication_token</code> - use the base
<code>token</code> object for those types.'
range: AuthenticationTokenTypeIdEnum
recommended: true
attributes:
created_time:
name: created_time
description: 'The time that the authentication token was created or issued. This
corresponds
to the token issuance time, such as the <code>iat</code> (issued at) claim in
OIDC tokens, the issue instant in SAML assertions, or the ticket start time
in
Kerberos tickets.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Created Time
rank: 1000
alias: created_time
owner: AuthenticationToken
domain_of:
- Osint
- RelatedEvent
- Sbom
- Scim
- Session
- Sso
- Token
- Whois
- Resource
- Advisory
- AuthenticationToken
- Certificate
- Cve
- Database
- Databucket
- DigitalSignature
- Enrichment
- Epss
- File
- FindingObject
- FindingInfo
- Job
- KbArticle
- LdapPerson
- ProcessEntity
- Table
- Device
range: TimestampT
recommended: true
encryption_details:
name: encryption_details
description: The encryption details of the authentication token.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Encryption Details
rank: 1000
alias: encryption_details
owner: AuthenticationToken
domain_of:
- AuthenticationToken
- Databucket
- File
range: EncryptionDetails
recommended: true
expiration_time:
name: expiration_time
description: The expiration time of the authentication token.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Expiration Time
rank: 1000
alias: expiration_time
owner: AuthenticationToken
domain_of:
- Osint
- Session
- Token
- AuthenticationToken
- Certificate
- HttpCookie
- FileHosting
- NetworkFileActivity
range: TimestampT
is_renewable:
name: is_renewable
description: Indicates whether the authentication token is renewable.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Renewable
rank: 1000
alias: is_renewable
owner: AuthenticationToken
domain_of:
- Token
- AuthenticationToken
range: boolean
kerberos_flags:
name: kerberos_flags
description: 'A bitmask, either in hexadecimal or decimal form, which encodes
various
attributes or permissions associated with a Kerberos ticket. These flags
delineate specific characteristics of the ticket, such as its renewability or
forwardability.'
notes:
- 'RFC 4120: 5.2.8. KerberosFlags —
https://www.rfc-editor.org/rfc/rfc4120#section-5.2.8'
- 'Microsoft Windows Security 4769 (see ''Ticket Options'') —
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://www.rfc-editor.org/rfc/rfc4120#section-5.2.8
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769
aliases:
- Kerberos Flags
rank: 1000
alias: kerberos_flags
owner: AuthenticationToken
domain_of:
- AuthenticationToken
range: string
recommended: true
type:
name: type
description: The type of the authentication token.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type
rank: 1000
alias: type
owner: AuthenticationToken
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- ProgrammaticCredential
- RelatedEvent
- San
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Dns
- Resource
- Account
- Agent
- Analytic
- ApplicationObject
- AuthenticationToken
- ClassifierDetails
- Cve
- Database
- Databucket
- DiscoveryDetails
- DnsAnswer
- DomainContact
- EncryptionDetails
- Endpoint
- Enrichment
- File
- Graph
- Group
- Ja4Fingerprint
- Kernel
- ManagedEntity
- Metadata
- Module
- NetworkEndpoint
- NetworkInterface
- Node
- PeripheralDevice
- Policy
- Rule
- Scan
- Trait
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- WebResource
- Device
- DatastoreActivity
- FtpActivity
- RegValue
- WinResource
range: string
recommended: true
type_id:
name: type_id
annotations:
sibling:
tag: sibling
value: type
description: 'The normalized authentication token type identifier. This attribute
restricts
the base <code>token.type_id</code> enum to only protocol-specific
authentication token types (values 0, 1-5, 99). API tokens and client tokens
(values 6-7) are not valid for <code>authentication_token</code> - use the base
<code>token</code> object for those types.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_id
owner: AuthenticationToken
domain_of:
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Account
- Agent
- Analytic
- AuthenticationToken
- Database
- Databucket
- DomainContact
- Endpoint
- File
- Ja4Fingerprint
- Kernel
- ManagedEntity
- NetworkEndpoint
- NetworkInterface
- PeripheralDevice
- Scan
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- Device
- DatastoreActivity
- RegValue
- WinResource
range: AuthenticationTokenTypeIdEnum
recommended: true
modified_time:
name: modified_time
description: The last time the token was updated.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Modified Time
rank: 1000
alias: modified_time
owner: AuthenticationToken
domain_of:
- Osint
- RelatedEvent
- Scim
- Sso
- Token
- Resource
- Advisory
- Cve
- Database
- Databucket
- File
- FindingObject
- FindingInfo
- LdapPerson
- Metadata
- Table
- Device
- RegKey
- RegValue
range: TimestampT
name:
name: name
description: 'The human-friendly name of a token or key, if available, such as
the
<code>name</code> from the Okta API Token API.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: AuthenticationToken
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
tenant_uid:
name: tenant_uid
description: 'The unique identifier of the tenant or organization that owns the
token or key,
or the tenant context in which the token is authorized for use. This is
particularly relevant in multi-tenant Identity Provider scenarios where tokens
are scoped to specific tenants.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tenant UID
rank: 1000
alias: tenant_uid
owner: AuthenticationToken
domain_of:
- Token
- Idp
- Metadata
range: string
uid:
name: uid
description: 'The unique ID of a token or key, if available, such as the <code>Secret
ID</code> of Entra ID Application Registration Client Secrets.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: AuthenticationToken
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
zone:
name: zone
description: 'The network zone or geographic region that the token or key is authorized
to be
used from. This may represent network-based access restrictions, geographic
limitations, or other zone-based authorization policies. Examples include
Okta''s network zone restrictions or cloud provider region restrictions.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Zone
rank: 1000
alias: zone
owner: AuthenticationToken
domain_of:
- Token
- Cloud
- Databucket
- Endpoint
- ResourceDetails
range: string