diff --git a/rfcs/text/0004-session.md b/rfcs/text/0004-session.md index 2617ea441c..c55982e30a 100644 --- a/rfcs/text/0004-session.md +++ b/rfcs/text/0004-session.md 
@@ -1,79 +1,29 @@ # 0004: Session -- Stage: **0 (strawperson)** -- Date: 7/30/2020 +- Stage: **2 (candidate)** +- Date: TBD - +This RFC calls for the addition of session fields to describe events related to +various types of "sessions" reported by appliances, security devices, systems, +management portals, applications, etc. + +In addition to these fields, a new `event.category` value of "session" should be added. +Any event that captures information about a session should include "session" in +the array field `event.category`. ## Fields -This RFC calls for the addition of session fields to describe events related to various types of "sessions" reported by appliances, security devices, systems, management portals, applications, etc. | Field | Description | | ----- | ----------- | -|session.kind: | local, remote, network -|session.authorization: | user, admin, service -|session.type: | system, virtual, application, wired, wireless, vpn +|session.kind: | system, application, network +|session.type: | [ local, remote, virtual, wired, wireless, vpn ] +|session.authorization: | user, admin, service, access |session.name | locally relevant name if available (e.g. HQ Client VPN, Win19-VDI, FIN-EXCEL-vApp) -|session.id | session id provided by server or custom fingerprint - - - -## Fields (yaml) -```yaml ---- -- name: session - title: Session - group: 2 - short: User, admin, application, network, or service sessions - description: |- - These fields are used to track an entity's interaction with various assets, services, and applications in an enterprise. Sessions will typically include a start event, often a login / authorization event performed locally or via network based mechanisms, and an end event indicating a logoff or session termination. Related events during the scope of the session will typically be associated via tuples of user, source and or destination ip/port, or cookies. 
- - When available, event start/end or duration fields should be populated, as well as iam, user, network, host, observer, process, source, destination, client, and server fields as appropriate to describe the specifics of the interaction. - - type: group - - fields: +|session.id | session id provided by server or custom fingerprint of discrete identifiers - - name: kind - level: extended - type: keyword - short: Kind of session - description: > Session kind can be local (console, on the keyboard), remote (ssh, vdi, web, ftp), or network (802.1x, wpa, NAC) - Additional fields will be dependent on the specifics of the session reported. +See detailed field descriptions in [rfcs/text/0004/session.yml](0004/session.yml). - example: network - - - name: authorization - level: extended - type: keyword - description: Authorization scope of the session. Initial values will include general user level access (e.g. user vdi/vda, vpn, or web sessions, network access, etc), administrative sessions (root, VMWare Host access, router cli, etc.) or service (network to network VPN, non-user verified services sessions e.g. micro-service backend architectures). - - example: user - - - name: type - level: extended - type: Logical session type - description: Session type describes the interaction/access provided. Initial values include system (shell or desktop), virtual (VDI), application (web, ftp, etc.), wired (nac, 802.1x), wireless (wpa/.1x), or vpn (ipsec, ssl, etc). Note that actual aaa mechanism (system, domain, wpa, 802.1x) does not indicate a specific session type. - - example: wireless - - - name: name - level: extended - type: Session Name - description: The name field is meant to contain a locally significant identifier for the session as configured. This could represent a VPN group name, a wireless network name (ssid), a wired network segment, VDI service name, or application identifier. 
- - example: HQ-Wireless - - - name: id - level: extended - type: Session id - description: The id field is meant to contain a locally significant identifier for the session as provided by the observer or host reporting the session. If no id is provided this field can remain blank, or a hash function similar to network.community_id can be used to discretely identify sessions from unique values. - - example: 7635344 -``` 
@@ -88,62 +38,85 @@ Stage 3: Add or update all remaining field definitions. The list should now be e ## Usage -Session fields are used to describe the sesison attributes of: - - Client VPN Sessions - - Network to Network VPN Sessions - - Network Access Sessions (NAC, WPA, EAP, etc.) - - Local or remote device login sessions (RDP, ICA, xWindows) +Session fields are used to describe and track a discrete grouping of interactions, typically bounded by +authentication or authorization events and tied to a specific user, application, or system component. + +For example: + - Network Access Sessions (NAC or Wireless LAN) + - Local or remote device login sessions (tty, console, ssh, RDP, ICA, xWindows, etc.) + - VPN Sessions (network to network, or client to network) + - Local or remote device login sessions (console, tty, RDP, ICA, xWindows, ssh, etc.) - Administrative sessions on infrastructure devices - Administrative sessions on cloud or application management portals - - Applications sessions (e.g. sql server odbc session, application access session) + - Applications sessions (e.g. sql server odbc session, web cookie based session, application access session) + - Cloud API access sessions ## Source data Source data expectations include: - Wireless Lan Controllers - - Security appliances + - Security appliances (e.g. 
fw, waf) - Network admission control devices - - Radius / tacacs servers - - Application server logs + - Radius / tacacs servers (802.1x EAP/PEAP aaa) + - Application server logs (FTP, MySQL) + - Web Server, WAF, or ADC logs (USer or cookie based web ession control) + - APM telemetry -Example 1: Meraki 802.1x Logs (WLC) -* EAP session start) - * `<134>1 1580551704.928047208 my_AP events type=8021x_eap_success radio='1' vap='2' client_mac='12:34:56:78:9A:BC' client_ip='192.168.1.100' identity='JohnDoe' aid='1687088497’ +### Example 1: Meraki 802.1x Logs (WLC) + +EAP session start + +`<134>1 1580551704.928047208 my_AP events type=8021x_eap_success radio='1' vap='2' client_mac='12:34:56:78:9A:BC' client_ip='192.168.1.100' identity='JohnDoe' aid='1687088497'` 802.1x EAP De-association Message -* EAP session end - * `<134>1 1580551705.928047208 my_AP events type=8021x_deauth radio='1' vap='2' identity='JohnDoe' aid='1687088497’' -* Note, while there is an association id (session.id) created prior to wpa/802.1x authentication, building the session event from the eap success message allows for easier integration of fields like username, client.ip, etc. in an 802.1x or WPA environment +EAP session end + +`<134>1 1580551705.928047208 my_AP events type=8021x_deauth radio='1' vap='2' identity='JohnDoe' aid='1687088497'` + +Note, while there is an association id (session.id) created prior to wpa/802.1x authentication, building the session event from the eap success message allows for easier integration of fields like username, client.ip, etc. in an 802.1x or WPA environment. 
+ +Base 802.11 Association: (802.11 session start) + +`<134>1 1380653443.857790533 MR18 events type=association radio='1' vap='1' channel='2' rssi='23' aid='1687088497'` + +Base 802.11 Deassociation Message (802.11 session end) + +`1380653443.857790533 my_AP events type=disassociation radio='1' vap='2' channel='6' reason='8' instigator='2' duration='11979.728000' auth_neg_dur='1380653443.85779053324000' last_auth_ago='5.074000' is_wpa='1' full_conn='1.597000' ip_resp='1.597000' ip_src='192.168.111.251' arp_resp='1.265000' arp_src='192.168.111.251' dns_server='192.168.111.1' dns_req_rtt='1380653443.85779053335000' dns_resp='1.316000' aid='1813578850'` + - * Base 802.11 Association: (802.11 session start) - * `<134>1 1380653443.857790533 MR18 events type=association radio='1' vap='1' channel='2' rssi='23' aid='1687088497’ +### Example 2: ASA Admin Login - * Base 802.11 Deassociation Message (802.11 session end) - * `1380653443.857790533 my_AP events type=disassociation radio='1' vap='2' channel='6' reason='8' instigator='2' duration='11979.728000' auth_neg_dur='1380653443.85779053324000' last_auth_ago='5.074000' is_wpa='1' full_conn='1.597000' ip_resp='1.597000' ip_src='192.168.111.251' arp_resp='1.265000' arp_src='192.168.111.251' dns_server='192.168.111.1' dns_req_rtt='1380653443.85779053335000' dns_resp='1.316000' aid='1813578850' +Session start +`<166>Feb 03 2020 11:27:05 5508x-1_9.12(3): %ASA-6-605005: Login permitted from 192.168.1.250/59277 to management:192.168.1.10/ssh for user "JohnDoe"` -Example 2: ASA Admin Login -* Session start - * `<166>Feb 03 2020 11:27:05 5508x-1_9.12(3): %ASA-6-605005: Login permitted from 192.168.1.250/59277 to management:192.168.1.10/ssh for user "JohnDoe" -* Session End - * `<166>Feb 03 2020 11:27:05 5508x-1_9.12(3): %ASA-6-315011: SSH session from 192.168.1.250 on interface management for user JohnDoe disconnected by SSH server, reason: timeout +Session End -Example 3: ASA Web VPN -* Session Start - * `<166>Feb 03 2020 11:27:05 
5508x-1_9.12(3): %ASA-6-721016: WebVPN session for client user JohnDoe , 192.168.1.100 has been created. +`<166>Feb 03 2020 11:27:05 5508x-1_9.12(3): %ASA-6-315011: SSH session from 192.168.1.250 on interface management for user JohnDoe disconnected by SSH server, reason: timeout` -* Session End: - * `<166>Feb 03 2020 11:27:05 5508x-1_9.12(3):%ASA-6-721018: WebVPN session for client user JohnDoe , IP 192.168.1.100 has been deleted. +### Example 3: ASA Web VPN + +Session Start + +`<166>Feb 03 2020 11:27:05 5508x-1_9.12(3): %ASA-6-721016: WebVPN session for client user JohnDoe , 192.168.1.100 has been created.` + +Session End + +`<166>Feb 03 2020 11:27:05 5508x-1_9.12(3):%ASA-6-721018: WebVPN session for client user JohnDoe , IP 192.168.1.100 has been deleted.` + +### Example 4: (DB Connection?) -Example 4: (DB Connection?) * TBD -Example 5: (Web Session?) +### Example 5: (Web Session?) + * TBD -Example 6: (Cloud Admin Session?) +# Example 6: (Cloud Admin Session?) + * TBD + @@ -200,6 +173,10 @@ Stage 4: Identify at least one real-world, production-ready implementation that The following are the people that consulted on the contents of this RFC. * @DainPerkins | Author +* @rw-access | Subject matter expert +* @jonathan-buttner | Sponsor (Security) +* @cyrille-leclerc | Stakeholder (Observability) +* @webmat | Editor * Stage 0: https://github.com/elastic/ecs/pull/879 +* Stage 2: https://github.com/elastic/ecs/pull/935
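Review bot: In the field table of the first hunk (`@@ -1,79 +1,29 @@`), the three enumerated fields carry a stray trailing colon and inconsistent value formatting: `|session.kind: | system, application, network` and `|session.type: | [ local, remote, virtual, wired, wireless, vpn ]`, while `session.name` and `session.id` have neither the colon nor the brackets. Drop both so all five rows use the same form, e.g. `|session.type | local, remote, virtual, wired, wireless, vpn`. The same hunk removes the inline yaml that defined what each enumerated value means and at the same time adds a new `session.authorization` value, `access`, and moves `local`, `remote` and `virtual` from `session.kind` to `session.type`, with no definition of `access` left in the visible text; either confirm that the linked `0004/session.yml` documents the new value and the moved ones, or add a short description to the table. The Date field is also still `TBD` in a change that advances the RFC to stage 2 and should be filled in before merge.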
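Review bot: The "For example:" list in the second hunk (`@@ -88,62 +38,85 @@`) adds the same bullet twice with the parenthetical reordered: `+ - Local or remote device login sessions (tty, console, ssh, RDP, ICA, xWindows, etc.)` and `+ - Local or remote device login sessions (console, tty, RDP, ICA, xWindows, ssh, etc.)`; keep one. In the same hunk, the new source-data bullet for Web Server, WAF, or ADC logs has two typos, `USer` and `ession`, and `Applications sessions` should read `Application sessions`. The heading for the last example, `+# Example 6: (Cloud Admin Session?)`, is a level-1 heading while Examples 1 through 5 use `###`; make it `###` so it nests under `## Usage` like the others.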