Class: Session
The Session object describes details about an authenticated session. e.g.
Session Creation Time, Session Issuer.
URI: ocsf:Session
classDiagram
class Session
click Session href "../Session/"
Object <|-- Session
click Object href "../Object/"
Session : count
Session : created_time
Session : credential_uid
Session : expiration_reason
Session : expiration_time
Session : is_mfa
Session : is_remote
Session : is_vpn
Session : issuer
Session : terminal
Session : uid
Session : uid_alt
Session : uuid
Inheritance
- OcsfObject
- Object
- Session
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| count | 0..1 Integer |
The number of identical sessions spawned from the same source IP, destination | direct |
| created_time | 0..1 recommended TimestampT |
The time when the session was created | direct |
| credential_uid | 0..1 String |
The unique identifier of the user's credential | direct |
| expiration_reason | 0..1 String |
The reason which triggered the session expiration | direct |
| expiration_time | 0..1 TimestampT |
The session expiration time | direct |
| is_mfa | 0..1 Boolean |
Indicates whether Multi Factor Authentication was used during authentication | direct |
| is_remote | 0..1 recommended Boolean |
The indication of whether the session is remote | direct |
| is_vpn | 0..1 Boolean |
The indication of whether the session is a VPN session | direct |
| issuer | 0..1 recommended String |
The identifier of the session issuer | direct |
| terminal | 0..1 String |
The Pseudo Terminal associated with the session | direct |
| uid | 0..1 recommended String |
The unique identifier of the session | direct |
| uid_alt | 0..1 String |
The alternate unique identifier of the session | direct |
| uuid | 0..1 UuidT |
The universally unique identifier of the session | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| QueryEvidence | session | range | Session |
| Actor | session | range | Session |
| NetworkConnectionInfo | session | range | Session |
| Process | session | range | Session |
| SessionQuery | session | range | Session |
| Authentication | session | range | Session |
| AuthorizeSession | session | range | Session |
| TunnelActivity | session | range | Session |
| LinuxProcess | session | range | Session |
| MacosProcess | session | range | Session |
| WindowsProcess | session | range | Session |
| WindowsQueryEvidence | session | range | Session |
In Subsets
Aliases
- Session
See Also
Notes
- D3FEND™ Ontology d3f:Session — https://d3fend.mitre.org/dao/artifact/d3f:Session/
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Session |
| native | ocsf:Session |
LinkML Source
Direct
name: Session
description: 'The Session object describes details about an authenticated session.
e.g.
Session Creation Time, Session Issuer.'
notes:
- 'D3FEND™ Ontology d3f:Session —
https://d3fend.mitre.org/dao/artifact/d3f:Session/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Session/
aliases:
- Session
is_a: Object
slots:
- count
- created_time
- credential_uid
- expiration_reason
- expiration_time
- is_mfa
- is_remote
- is_vpn
- issuer
- terminal
- uid
- uid_alt
- uuid
slot_usage:
count:
name: count
description: 'The number of identical sessions spawned from the same source IP,
destination
IP, application, and content/threat type seen over a period of time.'
created_time:
name: created_time
description: The time when the session was created.
recommended: true
expiration_reason:
name: expiration_reason
description: The reason which triggered the session expiration.
expiration_time:
name: expiration_time
description: The session expiration time.
is_remote:
name: is_remote
recommended: true
issuer:
name: issuer
description: The identifier of the session issuer.
recommended: true
terminal:
name: terminal
description: 'The Pseudo Terminal associated with the session. Ex: the tty or
pts value.'
uid:
name: uid
description: The unique identifier of the session.
recommended: true
uid_alt:
name: uid_alt
description: 'The alternate unique identifier of the session. e.g. AWS ARN -
<code>arn:aws:sts::123344444444:assumed-role/Admin/example-session</code>.'
uuid:
name: uuid
description: The universally unique identifier of the session.
Induced
name: Session
description: 'The Session object describes details about an authenticated session.
e.g.
Session Creation Time, Session Issuer.'
notes:
- 'D3FEND™ Ontology d3f:Session —
https://d3fend.mitre.org/dao/artifact/d3f:Session/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Session/
aliases:
- Session
is_a: Object
slot_usage:
count:
name: count
description: 'The number of identical sessions spawned from the same source IP,
destination
IP, application, and content/threat type seen over a period of time.'
created_time:
name: created_time
description: The time when the session was created.
recommended: true
expiration_reason:
name: expiration_reason
description: The reason which triggered the session expiration.
expiration_time:
name: expiration_time
description: The session expiration time.
is_remote:
name: is_remote
recommended: true
issuer:
name: issuer
description: The identifier of the session issuer.
recommended: true
terminal:
name: terminal
description: 'The Pseudo Terminal associated with the session. Ex: the tty or
pts value.'
uid:
name: uid
description: The unique identifier of the session.
recommended: true
uid_alt:
name: uid_alt
description: 'The alternate unique identifier of the session. e.g. AWS ARN -
<code>arn:aws:sts::123344444444:assumed-role/Admin/example-session</code>.'
uuid:
name: uuid
description: The universally unique identifier of the session.
attributes:
count:
name: count
description: 'The number of identical sessions spawned from the same source IP,
destination
IP, application, and content/threat type seen over a period of time.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Count
rank: 1000
alias: count
owner: Session
domain_of:
- Observation
- RelatedEvent
- Session
- DiscoveryDetails
- UnmannedSystemOperatingArea
- BaseEvent
range: integer
created_time:
name: created_time
description: The time when the session was created.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Created Time
rank: 1000
alias: created_time
owner: Session
domain_of:
- Osint
- RelatedEvent
- Sbom
- Scim
- Session
- Sso
- Token
- Whois
- Resource
- Advisory
- AuthenticationToken
- Certificate
- Cve
- Database
- Databucket
- DigitalSignature
- Enrichment
- Epss
- File
- FindingObject
- FindingInfo
- Job
- KbArticle
- LdapPerson
- ProcessEntity
- Table
- Device
range: TimestampT
recommended: true
credential_uid:
name: credential_uid
annotations:
observable_id:
tag: observable_id
value: 19
description: The unique identifier of the user's credential. For example, AWS
Access Key ID.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- User Credential ID
rank: 1000
alias: credential_uid
owner: Session
domain_of:
- Session
- User
range: string
expiration_reason:
name: expiration_reason
description: The reason which triggered the session expiration.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Expiration Reason
rank: 1000
alias: expiration_reason
owner: Session
domain_of:
- Session
range: string
expiration_time:
name: expiration_time
description: The session expiration time.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Expiration Time
rank: 1000
alias: expiration_time
owner: Session
domain_of:
- Osint
- Session
- Token
- AuthenticationToken
- Certificate
- HttpCookie
- FileHosting
- NetworkFileActivity
range: TimestampT
is_mfa:
name: is_mfa
description: Indicates whether Multi Factor Authentication was used during authentication.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Multi Factor Authentication
rank: 1000
alias: is_mfa
owner: Session
domain_of:
- Session
- Authentication
range: boolean
is_remote:
name: is_remote
description: The indication of whether the session is remote.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Remote
rank: 1000
alias: is_remote
owner: Session
domain_of:
- Session
- Authentication
range: boolean
recommended: true
is_vpn:
name: is_vpn
description: The indication of whether the session is a VPN session.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- VPN Session
rank: 1000
alias: is_vpn
owner: Session
domain_of:
- Session
range: boolean
issuer:
name: issuer
description: The identifier of the session issuer.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Issuer Details
rank: 1000
alias: issuer
owner: Session
domain_of:
- Session
- Certificate
- Idp
range: string
recommended: true
terminal:
name: terminal
description: 'The Pseudo Terminal associated with the session. Ex: the tty or
pts value.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Terminal
rank: 1000
alias: terminal
owner: Session
domain_of:
- Session
range: string
uid:
name: uid
description: The unique identifier of the session.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: Session
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
recommended: true
uid_alt:
name: uid_alt
description: 'The alternate unique identifier of the session. e.g. AWS ARN -
<code>arn:aws:sts::123344444444:assumed-role/Admin/example-session</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Alternate ID
rank: 1000
alias: uid_alt
owner: Session
domain_of:
- Scim
- Session
- Resource
- Agent
- Aircraft
- ApplicationObject
- FindingInfo
- Group
- UnmannedAerialSystem
- User
- Device
range: string
uuid:
name: uuid
description: The universally unique identifier of the session.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- UUID
rank: 1000
alias: uuid
owner: Session
domain_of:
- RpcInterface
- Session
- DeviceHwInfo
- UnmannedAerialSystem
range: UuidT