Logon Session Creation

The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:

  • Windows Systems
    • Event ID: 4624
      • Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
      • Account Name: JohnDoe
      • Source Network Address: 192.168.1.100
      • Authentication Package: NTLM
  • Linux Systems
    • /var/log/utmp or /var/log/wtmp:
      • Log format: login user [tty] from [source_ip]
      • User: jane
      • IP: 10.0.0.5
      • Timestamp: 2024-12-28 08:30:00
  • macOS Systems
    • /var/log/asl.log or unified logging framework:
      • Log: com.apple.securityd: Authentication succeeded for user 'admin'
  • Cloud Environments
    • Azure Sign-In Logs:
      • Activity: Sign-in successful
      • Client App: Browser
      • Location: Unknown (Country: X)
  • Google Workspace
    • Activity: Login
      • Event Type: successful_login
      • Source IP: 203.0.113.55

This data component can be collected through the following measures:

  • Windows Systems
    • Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
    • PowerShell Example: Get-EventLog -LogName Security -InstanceId 4624
  • Linux Systems
    • Log Files: Monitor /var/log/utmp, /var/log/wtmp, or /var/log/auth.log for logon events.
    • Tools: Use last or who commands to parse login records.
  • macOS Systems
    • Log Sources: Monitor /var/log/asl.log or Apple Unified Logs using the log show command.
    • Command Example: log show --predicate 'eventMessage contains "Authentication succeeded"' --info
  • Cloud Environments
    • Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: az monitor log-analytics query -w <workspace_id> --analytics-query "AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'"
    • Google Workspace: Enable and monitor Login Audit logs from the Admin Console.
    • Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.
  • Network Logs
    • Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).
  • Enable EDR Monitoring:
    • EDR tools monitor logon session activity, including the creation of new sessions.
    • Configure alerts for:
      • Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service).
      • Logons from unusual locations, accounts, or devices.
    • Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.
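The collection measures above and the example records earlier on the page can be turned into a small normalization and review step. The following Python is an added example, not part of the ATT&CK page: it parses constructed Windows Event ID 4624 records and sshd lines from /var/log/auth.log into one schema and applies the alert criteria listed for EDR (Logon Types 10 and 5, sources outside an assumed set of trusted ranges); the sample events, the trusted ranges and the flag names are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed samples, not real telemetry: the dicts mimic Security Event ID
# 4624/4634 fields, the strings mimic sshd lines from /var/log/auth.log.
WIN_EVENTS = [
    {"EventID": 4624, "TargetUserName": "JohnDoe", "LogonType": 2, "IpAddress": "192.168.1.100"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "203.0.113.55"},
    {"EventID": 4634, "TargetUserName": "JohnDoe", "LogonType": 2, "IpAddress": "192.168.1.100"},
]
LINUX_AUTH = [
    "Dec 28 08:30:00 host sshd[1234]: Accepted publickey for jane from 10.0.0.5 port 51514 ssh2",
    "Dec 28 08:31:07 host sshd[1300]: Failed password for root from 198.51.100.9 port 40022 ssh2",
    "Dec 28 08:32:41 host sshd[1350]: Accepted password for root from 198.51.100.9 port 40023 ssh2",
]
SSHD_ACCEPTED = re.compile(  # the "Accepted publickey/password for * from * port * ssh2" pattern
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
# Assumed internal ranges; replace with the monitored environment's own.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Logon types the EDR guidance singles out: 10 (RDP) and 5 (Service).
WATCHED_LOGON_TYPES = {5: "Service", 10: "RemoteInteractive"}
# Common schema; logon_type is the Windows numeric type or the sshd auth method.
LogonSession = namedtuple("LogonSession", "platform user source_ip logon_type flags")

def review_flags(ip, logon_type=None):
    # Apply the alert criteria from the collection guidance; empty tuple = nothing unusual.
    flags = []
    try:
        trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:   # 4624 records "-" for logons without a network source
        trusted = True
    if not trusted:
        flags.append("untrusted_source")
    if logon_type in WATCHED_LOGON_TYPES:
        flags.append("logon_type_" + WATCHED_LOGON_TYPES[logon_type])
    return tuple(flags)

def normalize(win_events, linux_lines):
    # Keep only successful logons (4624, sshd "Accepted") in the common schema.
    sessions = []
    for ev in win_events:
        if ev.get("EventID") != 4624:   # 4634 is a logoff, 4625 a failure
            continue
        sessions.append(LogonSession("windows", ev["TargetUserName"], ev["IpAddress"],
                                     str(ev["LogonType"]), review_flags(ev["IpAddress"], ev["LogonType"])))
    for line in linux_lines:
        m = SSHD_ACCEPTED.search(line)
        if m:
            sessions.append(LogonSession("linux", m["user"], m["ip"], m["method"], review_flags(m["ip"])))
    return sessions
```

Sessions whose flags tuple is non-empty are the ones the EDR guidance says to alert on; the remaining records are still retained as the logon-session baseline.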
ID: DC0067
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
auditd:SYSCALL | capset or setns
AWS:CloudTrail | ConsoleLogin, AssumeRole, ListResources
AWS:CloudTrail | ConsoleLogin
AWS:CloudTrail | Web console logins using session cookies without corresponding MFA event
AWS:CloudTrail | ConsoleLogin: If IdP backed by cloud provider, Console login from new IP/agent after correlated endpoint compromise
AWS:CloudTrail | SendSSHPublicKey, StartSession (SSM), EC2InstanceConnect
AWS:CloudTrail | Temporary security credentials used to authenticate into management console or APIs
AWS:CloudTrail | AWS ConsoleLogin, StartSession
AWS:CloudTrail | GetConsoleOutput
AWS:CloudTrail | sudden role assumption after credential file access
AWS:CloudTrail | AssumeRole,AssumeRoleWithSAML,AssumeRoleWithWebIdentity
azure:ad | SignInEvents
azure:signin | UserLoginSuccess, TokenIssued
azure:signin | Microsoft.Compute/virtualMachines/serialConsole/connect/action
azure:signinlogs | Abnormal sign-in from scripting tools (PowerShell, AADInternals)
azure:signinlogs | Suspicious login to cloud mailbox system
azure:signinlogs | Failed MFA attempts, unusual conditional access triggers, login attempts from unexpected IP ranges
azure:signinlogs | InteractiveUserLogin: Discovery behavior linked to privileged logins from atypical IP ranges
azure:signinlogs | InteractiveUser, ServicePrincipalSignIn
azure:signinlogs | InteractiveUser, NonInteractiveUser
azure:signinlogs | UserLogin, ConditionalAccessPolicyEvaluated
CloudTrail:Signin | SAML login without corresponding IdP authentication log
esxi:auth | Shell login or escalation
esxi:vmkernel | vim.fault.*, DCUI login, SSH shell
gcp:audit | LoginAudit, DriveAudit
gcp:audit | cloud.ssh.publicKey.inserted, compute.instances.osLogin
gcp:audit | admin.googleapis.com
linux:auth | User login event followed by unexpected process tree
linux:syslog | sshd: Accepted password/publickey
linux:syslog | authentication success after file access
linux:syslog | auth.log / secure.log
linux:syslog | Accepted publickey/password for * from * port * ssh2
linux:syslog | None
Logon Session | None
m365:sharepoint | File access with forged or anomalous SAML claims
m365:signin | SignInSuccess, RoleAssignmentRead
m365:signin | Token usage events with device/user mismatch
m365:signinlogs | UserLogin: Discovery operations shortly after account logins from new geolocations
m365:signinlogs | UserLoggedIn
m365:unified | UserLoggedIn
m365:unified | ViewAdminReport
macos:unifiedlog | UserLoggedIn
macos:unifiedlog | Authentication inconsistencies where commands are executed without corresponding login events
macos:unifiedlog | authentication
macos:unifiedlog | Session reuse without new auth event
macos:unifiedlog | Access to Keychain items or browser credential stores
macos:unifiedlog | eventMessage CONTAINS 'screensharingd' or 'AuthorizationRefCreate'
macos:unifiedlog | Keychain or user login post-access
macos:unifiedlog | authentication plugin load or modification events
macos:unifiedlog | loginwindow or sshd successful login events
networkdevice:Firewall | Login from untrusted IP, or new admin account accessing firewall console/API
NSM:Connections | Mismatch between recorded user logon and active sessions (e.g., wtmp/utmp entries without corresponding authentication in auth.log)
NSM:Connections | Missing new login event but session activity continues
NSM:Connections | Accepted publickey for user from unusual IP or without tty
NSM:Connections | simultaneous or anomalous logon sessions across multiple systems
Okta:SystemLog | user.authentication.sso, app.oauth.grant
saas:access | Multiple concurrent logins using same cookie from different locations
saas:auth | LoginSuccess, APIKeyUse, AdminAction
saas:auth | Login, TokenGranted: Discovery actions tied to anomalous login sessions or tokens
saas:confluence | logon
saas:github | Login from unusual IP, device fingerprint, or location; access token creation from new client
saas:okta | user.session.start
saas:okta | session.token.reuse
saas:zoom | Zoom Admin Dashboard accessed from unfamiliar IP/device
WinEventLog:Security | EventCode=4624
WinEventLog:Security | EventCode=4624, 4648
WinEventLog:Security | EventCode=4624 with LogonType=9 or smartcard logon
WinEventLog:Security | EventCode=4624 (LogonType=10 or 3), EventCode=4648
WinEventLog:Security | EventCode=4624 (LogonType=3)
WinEventLog:Security | Anomalous logon without MFA enforcement
WinEventLog:Security | EventCode=4624 (LogonType=10), EventCode=4648
WinEventLog:Security | EventCode=4624, 4672, 4648
WinEventLog:Security | 4624
WinEventLog:Security | EventCode=4624,4648, 4672
WinEventLog:Security | EventCode=4624,4648,4672,4769
WinEventLog:Security | EventID=4624
WinEventLog:Security | EventCode=4624, 4634

Detection Strategy

ID | Name | Technique Detected
DET0103 | Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects | T1070.005
DET0008 | Behavioral Detection of Remote Cloud Logins via Valid Accounts | T1021.007
DET0596 | Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution | T1021.004
DET0178 | Behavioral Detection of Unauthorized VNC Remote Control Sessions | T1021.005
DET0384 | Behavioral Detection of Unix Shell Execution | T1059.004
DET0477 | Behavioral Detection of WinRM-Based Remote Access | T1021.006
DET0269 | Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity | T1021
DET0338 | Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) | T1550
DET0488 | Detect abuse of Trusted Relationships (third-party and delegated admin access) | T1199
DET0307 | Detect Access to Unsecured Credential Files Across Platforms | T1552.001
DET0507 | Detect browser session hijacking via privilege, handle access, and remote thread into browsers | T1185
DET0271 | Detect Domain Controller Authentication Process Modification (Skeleton Key) | T1556.001
DET0293 | Detect Hybrid Identity Authentication Process Modification | T1556.007
DET0157 | Detect Kerberoasting Attempts (T1558.003) | T1558.003
DET0072 | Detect Logon Script Modifications and Execution | T1037.001
DET0454 | Detect Malicious Modification of Pluggable Authentication Modules (PAM) | T1556.003
DET0048 | Detect Remote Email Collection via Abnormal Login and Programmatic Access | T1114.002
DET0074 | Detect Use of Stolen Web Session Cookies Across Platforms | T1550.004
DET0500 | Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users | T1213.002
DET0263 | Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms | T1213.003
DET0550 | Detecting Suspicious Access to CRM Data in SaaS Environments | T1213.004
DET0567 | Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments | T1213.005
DET0588 | Detection of Remote Service Session Hijacking for RDP. | T1563.002
DET0546 | Detection of Abused or Compromised Cloud Accounts for Access and Persistence | T1078.004
DET0291 | Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access | T1538
DET0754 | Detection of Data from Information Repositories | T0811
DET0465 | Detection of Default Account Abuse Across Platforms | T1078.001
DET0756 | Detection of Default Credentials | T0812
DET0211 | Detection of Direct VM Console Access via Cloud-Native Methods | T1021.008
DET0772 | Detection of Graphical User Interface | T0823
DET0798 | Detection of Hardcoded Credentials | T0891
DET0407 | Detection of Local Account Abuse for Initial Access and Persistence | T1078.003
DET0079 | Detection of Remote Service Session Hijacking | T1563
DET0804 | Detection of Remote Services | T0886
DET0560 | Detection of Valid Account Abuse Across Platforms | T1078
DET0724 | Detection of Valid Accounts | T0859
DET0509 | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | T1539
DET0726 | Detection of Wireless Compromise | T0860
DET0402 | Detection Strategy for Cloud Service Discovery | T1526
DET0514 | Detection Strategy for Exploitation for Privilege Escalation | T1068
DET0495 | Detection Strategy for Financial Theft | T1657
DET0148 | Detection Strategy for Forged SAML Tokens | T1606.002
DET0171 | Detection Strategy for Forged Web Cookies | T1606.001
DET0260 | Detection Strategy for Forged Web Credentials | T1606
DET0286 | Detection Strategy for Impersonation | T1656
DET0246 | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | T1111
DET0070 | Detection Strategy for Phishing across platforms. | T1566
DET0256 | Detection Strategy for SSH Session Hijacking | T1563.001
DET0409 | Detection Strategy for T1550.002 - Pass the Hash (Windows) | T1550.002
DET0352 | Detection Strategy for T1550.003 - Pass the Ticket (Windows) | T1550.003
DET0176 | Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) | T1189
DET0476 | Email Collection via Local Email Access and Auto-Forwarding Behavior | T1114
DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | T1480.001
DET0054 | Internal Spearphishing via Trusted Accounts | T1534
DET0390 | Linux Detection Strategy for T1547.013 - XDG Autostart Entries | T1547.013
DET0285 | Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution | T1021.003
DET0530 | Multi-Event Detection for SMB Admin Share Lateral Movement | T1021.002
DET0327 | Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity | T1021.001
DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480
DET0358 | Programmatic and Excessive Access to Confluence Documentation | T1213.001
DET0003 | T1136.002 Detection Strategy - Domain Account Creation Across Platforms | T1136.002
DET0306 | Unauthorized Network Firewall Rule Modification (T1562.013) | T1562.013
DET0394 | Web Shell Detection via Server Behavior and File Execution Chains | T1505.003