Session
Unique user or system session identifier.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Session |
| Client Console Short Name | Session |
| Web Console Tab/Name | Session |
| Elasticsearch Field Name | session |
| Rule Builder Column Name | Session |
| Regex Pattern | <session> |
| NetMon Name | SessionID |
Field Relationships
- Account
- Login
- SessionType
- Protname
- Protnum
- IP Address Fields
- Process
- ProcessID
 
Common Applications
- SSH
- Remote Desktop
- Telnet
- FTP
- Web Application
- Shell
- Web Browser
 
Use Case
- NetMon session identifier.
- User session for a web session or computer session.
- Session ID for a VoIP call.
- Session record for a vulnerability scan.
 
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Unique non-permanent identifier for a user/system session.
- Session Token identifier/number.
- Used for tracking activity associated with a session.
- Not ProcessID.
 
Examples
- Linux Host
 
10 15 2010 10:50:31 1.1.1.1 <SAU1:INFO> Oct 15 10:50:30 USABLDRRECFLOW01: [ID 702911 Host7] 700 Auth_method_success, Username: pete.store, Auth method: keyboard-interactive, Session-Id: 10707
Session-Id parses into Session.
- Windows Event Log
 
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-22222222222}'/><EventID>4742</EventID><Version>0</Version><Level>Information</Level><Task>Computer Account Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-24T19:46:19.175040100Z'/><EventRecordID>4814831973</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='8892'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='ComputerAccountChange'>-</Data><Data Name='TargetUserName'> USABLDRRECFLOW01$</Data><Data Name='TargetDomainName'>SAFAWARE</Data><Data Name='TargetSid'>SAFAWARE\ USABLDRRECFLOW01$</Data><Data Name='SubjectUserSid'>NT AUTHORITY\ANONYMOUS LOGON</Data><Data Name='SubjectUserName'>ANONYMOUS LOGON</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e6</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>2/24/2016 12:46:19 PM</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>-</Data><Data Name='NewUacValue'>-</Data><Data Name='UserAccountControl'>-</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data><Data Name='DnsHostName'>-</Data><Data Name='ServicePrincipalNames'>-</Data></EventData></Event>
SubjectLogonId parses into Session. It is used to track user activity from login to logout.
- Windows Event Log
 
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>0</Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi  </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>
TargetLogonId is parsed into Session instead of SubjectLogonId. Target is used because this event is the initiation of a new session, which can be tracked separately from the initiator's session. For example, a process run as a different user in Windows (Run As).
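
The field selection described in the examples above, as an added Python example (not LogRhythm parsing rules and not code from this page): it returns Session-Id for the syslog record, SubjectLogonId for Windows events, and TargetLogonId for event 4624. The function names, the `TARGET_SESSION_EVENTS` set and the sample values (including the `0x5a1b2c` logon ID and `HOST01$`) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SESSION_ID_RE = re.compile(r"Session-Id:\s*([^\s,]+)")
# Assumption: only 4624 is listed because it is the only event for which the
# page says the Target logon ID is used; extend the set for your own sources.
TARGET_SESSION_EVENTS = {"4624"}


def extract_session(raw):
    """Return the value that maps to Session for one raw log, or None."""
    raw = raw.strip()
    if not raw.startswith("<Event"):
        match = SESSION_ID_RE.search(raw)  # syslog-style record
        return match.group(1) if match else None
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    key = "TargetLogonId" if event_id in TARGET_SESSION_EVENTS else "SubjectLogonId"
    value = data.get(key, "")
    # "-" is the Windows placeholder for an empty field, not a session.
    return value if value not in ("", "-") else None


def make_event(event_id, **data):
    """Build a minimal Security event (constructed sample, not a real log)."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"</System><EventData>{fields}</EventData></Event>")


# Constructed samples shaped like the three examples on this page.
SYSLOG = ("Oct 15 10:50:30 USABLDRRECFLOW01: 700 Auth_method_success, "
          "Username: pete.store, Auth method: keyboard-interactive, Session-Id: 10707")
EVT_4742 = make_event(4742, SubjectLogonId="0x3e6", TargetUserName="HOST01$")
EVT_4624 = make_event(4624, SubjectLogonId="0x3e7", TargetLogonId="0x5a1b2c")

if __name__ == "__main__":
    for sample in (SYSLOG, EVT_4742, EVT_4624):
        print(extract_session(sample))
```

In the constructed 4624 sample the Subject and Target logon IDs differ, so the returned value shows which of the two is tracked as the new session.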