Authorize Session events report privileges or groups assigned to a new user session, usually at login time.
- Category: Identity & Access Management
- Extends:
iam - UID:
3003
Attributes
Section titled “Attributes”Classification
Section titled “Classification”activity_id
- Type:
integer_t - Requirement: required
- Values:
0-Unknown: The event activity is unknown.1-Assign Privileges: Assign special privileges to a new logon.2-Assign Groups: Assign special groups to a new logon.99-Other: The event activity is not mapped. See theactivity_nameattribute, which contains a data source specific value.
The normalized identifier of the activity that triggered the event.
category_uid
- Type:
integer_t - Requirement: required
- Values:
3-Identity & Access Management: Identity & Access Management (IAM) events relate to the supervision of the system’s authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
The category unique identifier of the event.
class_uid
- Type:
integer_t - Requirement: required
- Values:
3003-Authorize Session: Authorize Session events report privileges or groups assigned to a new user session, usually at login time.
The unique identifier of a class. A class describes the attributes available in an event.
severity_id
- Type:
integer_t - Requirement: required
- Values:
0-Unknown: The event/finding severity is unknown.1-Informational: Informational message. No action required.2-Low: The user decides if action is needed.3-Medium: Action is required but the situation is not serious at this time.4-High: Action is required immediately.5-Critical: Action is required immediately and the scope is broad.6-Fatal: An error occurred but it is too late to take remedial action.99-Other: The event/finding severity is not mapped. See theseverityattribute, which contains a data source specific value.
The normalized identifier of the event/finding severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
type_uid
- Type:
long_t - Requirement: required
- Values:
300300-Authorize Session: Unknown300301-Authorize Session: Assign Privileges: Assign special privileges to a new logon.300302-Authorize Session: Assign Groups: Assign special groups to a new logon.300399-Authorize Session: Other
The event/finding type ID. It identifies the event’s semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.
activity_name
- Type:
string_t - Requirement: optional
The event activity name, as defined by the activity_id.
category_name
- Type:
string_t - Requirement: optional
The event category name, as defined by category_uid value: Identity & Access Management.
class_name
- Type:
string_t - Requirement: optional
The event class name, as defined by class_uid value: Authorize Session.
severity
- Type:
string_t - Requirement: optional
The event/finding severity, normalized to the caption of the severity_id value. In the case of ‘Other’, it is defined by the source.
type_name
- Type:
string_t - Requirement: optional
The event/finding type name, as defined by the type_uid.
Context
Section titled “Context”metadata
- Type:
metadata - Requirement: required
The metadata associated with the event or a finding.
api cloud
- Type:
api - Requirement: optional
Describes details about a typical API (Application Programming Interface) call.
dst_endpoint
- Type:
network_endpoint - Requirement: optional
The Endpoint for which the user session was targeted.
enrichments
- Type:
enrichment - Requirement: optional
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
http_request
- Type:
http_request - Requirement: optional
Details about the underlying HTTP request.
raw_data
- Type:
string_t - Requirement: optional
The raw event/finding data as received from the source.
unmapped
- Type:
object - Requirement: optional
The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Occurrence
Section titled “Occurrence”time
- Type:
timestamp_t - Requirement: required
The normalized event occurrence time or the finding creation time.
timezone_offset
- Type:
integer_t - Requirement: recommended
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
count
- Type:
integer_t - Requirement: optional
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
duration
- Type:
integer_t - Requirement: optional
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
end_time
- Type:
timestamp_t - Requirement: optional
The end time of a time period, or the time of the most recent event included in the aggregate event.
end_time_dt datetime
- Type:
datetime_t - Requirement: optional
The end time of a time period, or the time of the most recent event included in the aggregate event.
start_time
- Type:
timestamp_t - Requirement: optional
The start time of a time period, or the time of the least recent event included in the aggregate event.
start_time_dt datetime
- Type:
datetime_t - Requirement: optional
The start time of a time period, or the time of the least recent event included in the aggregate event.
time_dt datetime
- Type:
datetime_t - Requirement: optional
The normalized event occurrence time or the finding creation time.
Primary
Section titled “Primary”cloud cloud
- Type:
cloud - Requirement: required
Describes details about the Cloud environment where the event was originally created or logged.
user
- Type:
user - Requirement: required
The user to which new privileges were assigned.
device host
- Type:
device - Requirement: recommended
An addressable device, computer system or host.
group
- Type:
group - Requirement: recommended
Group that was assigned to the new user session.
message
- Type:
string_t - Requirement: recommended
The description of the event/finding, as defined by the source.
observables
- Type:
observable - Requirement: recommended
The observables associated with the event or a finding.
privileges
- Type:
string_t - Requirement: recommended
The list of sensitive privileges, assigned to the new user session.
session
- Type:
session - Requirement: recommended
The user session with the assigned privileges.
src_endpoint
- Type:
network_endpoint - Requirement: recommended
Details about the source of the IAM activity.
status
- Type:
string_t - Requirement: recommended
The event status, normalized to the caption of the status_id value. In the case of ‘Other’, it is defined by the event source.
status_code
- Type:
string_t - Requirement: recommended
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of ‘Failure Code’, e.g. 0x18.
status_detail
- Type:
string_t - Requirement: recommended
The status details contains additional information about the event/finding outcome.
status_id
- Type:
integer_t - Requirement: recommended
- Values:
0-Unknown: The status is unknown.1-Success2-Failure99-Other: The event status is not mapped. See thestatusattribute, which contains a data source specific value.
The normalized identifier of the event status.
actor host
- Type:
actor - Requirement: optional
The actor object describes details about the user/role/process that was the source of the activity.