Logon Session Metadata

Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated with it

ID: DC0088
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
auditd:SYSCALL | ssh logins or execve of remote commands
auditd:SYSCALL | execve,socket,connect,openat
auditd:USER_LOGIN | USER_LOGIN
azure:audit | Add delegated admin / Assign admin roles / Update application consent
azure:signinLogs | SAML-based login with anomalous issuer or NotOnOrAfter lifetime
esxi:auth | None
esxi:hostd | /var/log/hostd.log
gcp:audit | google.iam.credentials.generateAccessToken / serviceAccountTokenCreator
kubernetes:audit | Unauthorized container creation or kubelet exec logs
linux:syslog | None
linux:syslog | sssd / sudo logs
Logon Session | None
m365:signin | UserLogin
m365:unified | Abnormal user claims or unexpected elevated role assignment in SAML assertion
m365:unified | FileAccessed, SharingSet
macos:unifiedlog | LoginWindow context with associated PID linked to reopened plist paths
macos:unifiedlog | authd generating multiple MFA token requests
macos:unifiedlog | Remote login (ssh) or screen sharing authentication attempts
macos:unifiedlog | loginwindow or sshd
macos:unifiedlog | Group membership change for admin or wheel
macos:unifiedlog | Unusual Kerberos TGS-REQ without TGT or anomalous ticket lifetime
macos:unifiedlog | loginwindow, sshd
macos:unifiedlog | loginwindow or sshd events with external IP
macos:unifiedlog | process = 'sshd'
NSM:Connections | Successful sudo or ssh from unknown IPs
saas:okta | user.session.start, app.oauth2.as.authorize, policy.mfa.bypass
saas:okta | user.authentication.sso
saas:salesforce | ConnectedApp OAuth policy change / Login as user
WinEventLog:Security | EventCode=4672
WinEventLog:Security | EventCode=4624, 4634, 4672, 4768, 4769
WinEventLog:Security | EventCode=4624, 4625, 4768, 4769
WinEventLog:Security | EventCode=4624, 4634, 4672, 4769
WinEventLog:Security | EventCode=4624, 4672
WinEventLog:Security | EventCode=4778, EventCode=4779
WinEventLog:Security | EventCode=4800, 4801
WinEventLog:Security | EventCode=4776,4771,4770
WinEventLog:Security | EventCode=4624,4672
WinEventLog:Security | EventCode=4624, 4672, 4634, 4768, 4769

Detection Strategy

ID | Name | Technique Detected
DET0210 | Abuse of Domain Accounts | T1078.002
DET0354 | Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers | T1133
DET0283 | Behavior-chain detection for T1134 Access Token Manipulation on Windows | T1134
DET0456 | Behavior-chain detection for T1134.002 Create Process with Token (Windows) | T1134.002
DET0021 | Behavioral Detection for Service Stop across Platforms | T1489
DET0590 | Behavioral Detection of External Website Defacement across Platforms | T1491.002
DET0596 | Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution | T1021.004
DET0178 | Behavioral Detection of Unauthorized VNC Remote Control Sessions | T1021.005
DET0498 | Behavior-chain detection for T1134.003 Make and Impersonate Token (Windows) | T1134.003
DET0488 | Detect abuse of Trusted Relationships (third-party and delegated admin access) | T1199
DET0312 | Detect Active Setup Persistence via StubPath Execution | T1547.014
DET0507 | Detect browser session hijacking via privilege, handle access, and remote thread into browsers | T1185
DET0061 | Detect Default File Association Hijack via Registry & Execution Correlation on Windows | T1546.001
DET0144 | Detect Forged Kerberos Golden Tickets (T1558.001) | T1558.001
DET0241 | Detect Forged Kerberos Silver Tickets (T1558.002) | T1558.002
DET0157 | Detect Kerberoasting Attempts (T1558.003) | T1558.003
DET0522 | Detect Kerberos Ticket Theft or Forgery (T1558) | T1558
DET0125 | Detect persistence via reopened application plist modification (macOS) | T1547.007
DET0420 | Detect User Activity Based Sandbox Evasion via Input & Artifact Probing | T1497.002
DET0546 | Detection of Abused or Compromised Cloud Accounts for Access and Persistence | T1078.004
DET0465 | Detection of Default Account Abuse Across Platforms | T1078.001
DET0803 | Detection of External Remote Services | T0822
DET0796 | Detection of Internet Accessible Device | T0883
DET0407 | Detection of Local Account Abuse for Initial Access and Persistence | T1078.003
DET0560 | Detection of Valid Account Abuse Across Platforms | T1078
DET0724 | Detection of Valid Accounts | T0859
DET0345 | Detection Strategy for Abuse Elevation Control Mechanism (T1548) | T1548
DET0514 | Detection Strategy for Exploitation for Privilege Escalation | T1068
DET0148 | Detection Strategy for Forged SAML Tokens | T1606.002
DET0160 | Detection Strategy for Multi-Factor Authentication Request Generation (T1621) | T1621
DET0388 | Detection Strategy for T1548.002 – Bypass User Account Control (UAC) | T1548.002
DET0054 | Internal Spearphishing via Trusted Accounts | T1534
DET0327 | Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity | T1021.001