Session Creation and Destruction
Overview
Evidence: Session Creation and Destruction
Description: Filter sessions creation and destruction events
Category: System
Platform: macos
Short Name: scd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The securityd daemon manages security sessions on macOS, including user sessions, authorization sessions, and security contexts. It tracks each session's lifecycle from creation through destruction and manages the authentication and authorization tokens bound to that session for as long as it exists.
Data Collected
This collector gathers securityd session creation and destruction events as structured, parsed unified log entries (timestamp, originating process, subsystem/category and message), rather than as raw log files.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract securityd session events from the last 3 days. Entries are requested in JSON format, parsed, and stored in the unified_logs table with PredicateType='Session Creation and Destruction'. Because the window is fixed at 3 days, a session created before the window but destroyed inside it appears without a matching creation event (and vice versa), and activity older than 3 days is not collected at all; when an incident predates the window, pair this evidence with other timeline sources.
Forensic Value
Session events are critical for building user activity timelines and for investigating session hijacking, authentication token abuse, and unusual concurrent-session patterns. They establish when users were active on the system, expose anomalous session behavior (for example sessions created at unusual hours, sessions with no matching destruction, or several simultaneous sessions for one user), and support investigation of unauthorized access achieved through session manipulation.
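The following is an added example, not the collector's own code, illustrating both the collection method and the forensic use described above: it builds a 'log show' command of the kind the collector runs, parses output shaped like 'log show --style json' into unified_logs-style rows tagged with PredicateType, then pairs creation and destruction messages to compute session lifetimes, list sessions still open at the end of the window, and compute peak concurrent sessions per uid. The predicate string and the wording of the securityd messages are assumptions (the page does not print either), and the embedded log entries are constructed sample data, so real securityd messages will need the regular expression adjusted.

```python
"""Added example (not the collector's own code): collect securityd session events
with the macOS `log` tool, parse `log show --style json` output into rows shaped
like the unified_logs table, and reconstruct session lifetimes from them."""
import json
import re
import shlex
from datetime import datetime

PREDICATE_TYPE = "Session Creation and Destruction"

# Assumed predicate: the page does not show the one the collector actually uses.
PREDICATE = 'process == "securityd" AND eventMessage CONTAINS[c] "session"'


def build_log_command(last="3d", predicate=PREDICATE):
    """argv for the macOS `log` tool: JSON output, predicate filter, time window."""
    return ["log", "show", "--style", "json", "--last", last, "--predicate", predicate]


def log_command_string():
    """Shell-quoted form of the command, suitable for pasting into a terminal."""
    return shlex.join(build_log_command())


# Constructed sample in the shape of `log show --style json` output. The message
# wording is hypothetical; real securityd messages may differ.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-05-01 08:00:00.000000+0000", "process": "securityd",
     "subsystem": "com.apple.securityd", "category": "session", "processID": 120,
     "eventMessage": "Session 100005 created for uid 501"},
    {"timestamp": "2024-05-01 08:00:02.000000+0000", "process": "securityd",
     "subsystem": "com.apple.securityd", "category": "session", "processID": 120,
     "eventMessage": "Session 100006 created for uid 501"},
    {"timestamp": "2024-05-01 09:30:00.000000+0000", "process": "securityd",
     "subsystem": "com.apple.securityd", "category": "session", "processID": 120,
     "eventMessage": "Session 100005 destroyed"},
    {"timestamp": "2024-05-01 09:31:00.000000+0000", "process": "securityd",
     "subsystem": "com.apple.securityd", "category": "keychain", "processID": 120,
     "eventMessage": "keychain unlock requested in session 100006"},
])

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"
# Hypothetical message shape: "Session <id> created for uid <n>" / "Session <id> destroyed".
MSG_RE = re.compile(r"Session (?P<sid>\d+) (?P<action>created|destroyed)(?: for uid (?P<uid>\d+))?", re.I)


def parse_unified_logs(raw_json):
    """Turn `log show --style json` output into unified_logs-style rows.
    Every row carries PredicateType so downstream filtering can select this evidence."""
    rows = []
    for entry in json.loads(raw_json):
        rows.append({
            "Timestamp": datetime.strptime(entry["timestamp"], TS_FMT),
            "Process": entry.get("process"),
            "Subsystem": entry.get("subsystem"),
            "Category": entry.get("category"),
            "PID": entry.get("processID"),
            "Message": entry.get("eventMessage", ""),
            "PredicateType": PREDICATE_TYPE,
        })
    return rows


def reconstruct_sessions(rows):
    """Pair creation and destruction messages per session id.
    'destroyed' and 'duration_s' stay None for sessions still open, or whose
    teardown fell outside the 3-day collection window."""
    sessions = {}
    for row in rows:
        m = MSG_RE.search(row["Message"])
        if not m:
            continue  # other securityd chatter that matched the broad predicate
        s = sessions.setdefault(m.group("sid"),
                                {"uid": None, "created": None, "destroyed": None, "duration_s": None})
        if m.group("action").lower() == "created":
            s["created"], s["uid"] = row["Timestamp"], m.group("uid")
        else:
            s["destroyed"] = row["Timestamp"]
        if s["created"] and s["destroyed"]:
            s["duration_s"] = (s["destroyed"] - s["created"]).total_seconds()
    return sessions


def open_sessions(sessions):
    """Session ids created inside the window with no destruction event seen."""
    return sorted(sid for sid, s in sessions.items() if s["created"] and not s["destroyed"])


def peak_concurrency_by_uid(sessions):
    """Peak number of simultaneously open sessions per uid (sweep over create/destroy
    events), a quick check for the concurrent-session anomalies described above."""
    events = {}
    for s in sessions.values():
        if s["created"] is None or s["uid"] is None:
            continue
        ev = events.setdefault(s["uid"], [])
        ev.append((s["created"], 1))
        if s["destroyed"]:
            ev.append((s["destroyed"], -1))
    peaks = {}
    for uid, ev in events.items():
        ev.sort(key=lambda e: (e[0], e[1]))  # a destroy sorts before a create at the same instant
        cur = peak = 0
        for _, delta in ev:
            cur += delta
            peak = max(peak, cur)
        peaks[uid] = peak
    return peaks


if __name__ == "__main__":
    print(log_command_string())
    sessions = reconstruct_sessions(parse_unified_logs(SAMPLE_LOG_JSON))
    print(sessions)
    print("still open:", open_sessions(sessions))
    print("peak concurrency by uid:", peak_concurrency_by_uid(sessions))
```

On a live Mac, replace SAMPLE_LOG_JSON with the stdout of the command that build_log_command() returns; an open session reported by open_sessions() is only suspicious once you have ruled out the window edge described in the Collection Method section.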