DC0088: Logon Session Metadata
Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it
Analyst context for executives and security teams
Logon Session Metadata is the context that explains who was logged on, what kind of logon occurred, what security context or access tokens were present, and what activity was associated with that session. For leaders, its value is not the logon event alone; it is the ability to connect identity, access, and activity into evidence that supports investigations, audit questions, and decisions about whether an account or session represented legitimate business activity or potential misuse.
Executive priority
This data component matters because many security and compliance decisions depend on proving what identity context existed during activity. Executives and risk owners should ask whether the organization can reconstruct meaningful session context during an incident: username, logon type, security identifiers, logon identifiers, token context, and related activity. If that context is missing or fragmented, incident responders may struggle to scope activity, validate user accountability, or provide defensible evidence for audit and post-incident review.
Technical view
SOC, detection engineering, and incident response teams should treat Logon Session Metadata as an evidence layer that links authentication context to later activity. The supplied ATT&CK object does not specify platforms, tactics, or detection logic, so validation should focus on whether local telemetry sources preserve logon-session context consistently enough to correlate usernames, logon types, access tokens, user SIDs, logon identifiers, logon SIDs, and activity occurring within the session. Detection teams should confirm that alerts using identity or session context are not relying only on isolated event timestamps or usernames without durable session identifiers where available.
Likely telemetry
- Authentication and logon records containing username and logon type
- Session identifiers such as logon identifiers or logon SIDs where collected
- Security context and access token-related metadata where available
- User security identifiers associated with the session
- Activity records that can be correlated back to a specific logon session
Detection direction
- Validate that identity-focused detections can correlate activity to a logon session, not only to an account name.
- Check whether logon type, SID, token, and logon identifier fields are populated, retained, and searchable in the SOC workflow.
- Tune analytics to account for legitimate administrative, service, and automated sessions so session-context alerts do not become noisy.
- Identify blind spots where activity logs exist but cannot be joined to the originating logon session.
- Because ATT&CK provides no official detection text for this data component, derive detection content from local log sources and the specific techniques or incidents being investigated.
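As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python joins constructed activity records to constructed logon records by logon identifier, contrasts that with account-name-only correlation, and surfaces activity that cannot be joined to any session (the blind spot named above). Field names are assumptions loosely modelled on Windows Security log fields; all records are constructed.

```python
from collections import defaultdict

# Constructed sample records (assumption: each logon record carries the new
# session's logon identifier and logon type; each activity record carries the
# logon identifier it ran under, or None when the source does not expose it).
LOGONS = [
    {"user": "jsmith", "logon_type": 2, "logon_id": "0x3e7a1", "time": "09:00"},
    {"user": "jsmith", "logon_type": 3, "logon_id": "0x4b210", "time": "09:05"},
    {"user": "svc_backup", "logon_type": 5, "logon_id": "0x3e5", "time": "09:10"},
]
ACTIVITY = [
    {"event": "process", "user": "jsmith", "logon_id": "0x3e7a1", "detail": "outlook.exe", "time": "09:01"},
    {"event": "process", "user": "jsmith", "logon_id": "0x4b210", "detail": "cmd.exe", "time": "09:06"},
    {"event": "file", "user": "jsmith", "logon_id": None, "detail": "share\\report.xlsx", "time": "09:07"},
    {"event": "process", "user": "svc_backup", "logon_id": "0x3e5", "detail": "backup.exe", "time": "09:11"},
]

def build_sessions(logons):
    """Index logon records by logon identifier so activity can be joined to one exact session."""
    return {rec["logon_id"]: rec for rec in logons}

def correlate(logons, activity):
    """Join activity to sessions by logon identifier.
    Returns (joined, orphans): joined maps logon_id -> activity list; orphans are
    records with no identifier, or one that matches no retained logon record."""
    sessions = build_sessions(logons)
    joined = defaultdict(list)
    orphans = []
    for rec in activity:
        if rec["logon_id"] in sessions:
            joined[rec["logon_id"]].append(rec)
        else:
            orphans.append(rec)
    return joined, orphans

def by_username_only(logons, activity):
    """Account-name-only correlation: every activity record of a user who holds more
    than one concurrent session is ambiguous, because it cannot be tied to either."""
    per_user = defaultdict(set)
    for rec in logons:
        per_user[rec["user"]].add(rec["logon_id"])
    return [rec for rec in activity if len(per_user[rec["user"]]) > 1]

def session_timeline(logons, activity, logon_id):
    """Reconstruct one session: its logon (with type) followed by the activity joined to it."""
    sess = build_sessions(logons)[logon_id]
    joined, _ = correlate(logons, activity)
    events = [(sess["time"], "logon", f"type {sess['logon_type']}")]
    events += [(r["time"], r["event"], r["detail"]) for r in joined[logon_id]]
    return sorted(events)
```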
Mitigation priorities
- Prioritize reliable collection and retention of logon-session context before building higher-level identity analytics.
- Standardize field normalization for usernames, SIDs, logon types, session identifiers, and related activity so investigations can correlate evidence quickly.
- Review access governance and privileged-session monitoring requirements to ensure session metadata supports incident response and audit evidence needs.
- Periodically test whether responders can reconstruct a session timeline from available logs using real enterprise telemetry.
- Document known gaps where platforms or applications do not expose sufficient session context.
Analyst notes and limits
This is a data component, not an adversary technique. Its main defensive value is evidentiary: it helps connect identity context to activity during detection, triage, incident response, and compliance review. The ATT&CK object is intentionally broad and does not specify platforms, tactics, procedures, or detection examples.
No official detection guidance, platforms, tactics, or relationships were supplied. Any concrete log source names, event IDs, vendor mappings, or detection rules must be derived from the organization’s environment and cannot be inferred from this ATT&CK object alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 1383c026d3be… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DC0088
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.