Unique user or system session identifier.
Data Type
String
Aliases
|
Use |
Alias |
|---|---|
|
Client Console Full Name |
Session |
|
Client Console Short Name |
Session |
|
Web Console Tab/Name |
Session |
|
Elasticsearch Field Name |
session |
|
Rule Builder Column Name |
Session |
|
Regex Pattern |
<session> |
|
NetMon Name |
SessionID |
Field Relationships
-
Account
-
Login
-
SessionType
-
Protname
-
Protnum
-
IP Address Fields
-
Process
-
ProcessID
Common Applications
-
SSH
-
Remote Desktop
-
Telnet
-
FTP
-
Web Application
-
Shell
-
Web Browser
Use Case
-
NetMon session identifier.
-
User session for a web session or computer session.
-
Session ID for a VoIP call.
-
Session record for a vulnerability scan.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
-
Unique non-permanent identifier for a user/system session.
-
Session Token identifier/number.
-
Used for tracking activity associated with a session.
-
Not ProcessID.
Examples
-
Linux Host
10 15 2010 10:50:31 1.1.1.1 <SAU1:INFO> Oct 15 10:50:30 USABLDRRECFLOW01: [ID 702911 Host7] 700 Auth_method_success, Username: pete.store, Auth method: keyboard-interactive, Session-Id: 10707
Session-ID parses into Session.
-
Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-22222222222}'/><EventID>4742</EventID><Version>0</Version><Level>Information</Level><Task>Computer Account Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-24T19:46:19.175040100Z'/><EventRecordID>4814831973</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='8892'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='ComputerAccountChange'>-</Data><Data Name='TargetUserName'> USABLDRRECFLOW01$</Data><Data Name='TargetDomainName'>SAFAWARE</Data><Data Name='TargetSid'>SAFAWARE\ USABLDRRECFLOW01$</Data><Data Name='SubjectUserSid'>NT AUTHORITY\ANONYMOUS LOGON</Data><Data Name='SubjectUserName'>ANONYMOUS LOGON</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e6</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>2/24/2016 12:46:19 PM</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>-</Data><Data Name='NewUacValue'>-</Data><Data Name='UserAccountControl'>-</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data><Data Name='DnsHostName'>-</Data><Data Name='ServicePrincipalNames'>-</Data></EventData></Event>
SubjectLogonID parses into Session. Used to track user activity from login to logout.
-
Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{222222-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>0</Version><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-09T00:45:00.703363000Z'/><EventRecordID>2269912024</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='12080'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'> USABLDRRECFLOW01$</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'></Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x200</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event>
TargetLogonID is parsed instead of SubjectLogonID. Using Target because it is the initiation of a new session that can be tracked separate from the initiator session. For example, Process Run As a different user in Windows.