Go to Cmd
The 'Sessions' page
An overview of 'sessions', where you can view Cmd data and live sessions
Ben Ironside avatar
Written by Ben Ironside. Updated over a week ago

The 'Sessions' page shows your Cmd-enabled servers, displays the data collected from them, and allows you to monitor live sessions. It looks like this:

The 'Sessions' page. See below to learn more about each labeled section.
 

Table of contents:

1 - Server groups

2 - The search bar

3 - The timeline chart

4 - Session data

5 - Saved searches

6 - Live sessions

 

 
1 — Server groups

By default, the 'Sessions' page will show all servers in the current project. To view the servers in a particular server group, click the group's name on the left-hand menu.
Note: For more information on assigning servers to groups, see Managing servers.
          For more information on creating server groups, see Managing server groups.
 
 

2 — The search bar

At the top of the page is a query field for quickly filtering available data:

  • Click in the field or on the query builder icon to its left to start building your custom query. For more information about the Cmd Query Language, see the CQL glossary

 

  • For example, you can use a simple query to isolate human activity from automated activity: 

        It works the other way too: replacing both "true"s with "false"s would isolate
        automated activity.
 

  • The chart defaults to showing data from the last 24 hours. To adjust this setting, simply click the duration on the right side of the query field and select a different duration.
     

  • Click the history icon (between the time setting and the search button) to view your previous search queries. Select one from the dropdown list to run it again.
     

  • Click the X icon to clear the current search.
     

  • To save a search query, double-click the word UNTITLED in the top left to name the it, then click Save. To open a new search tab, click the plus icon + .

 

 
3 — The timeline chart

If you'd like to quickly adjust the chart's time range, use one of these shortcuts:

  • Click a specific spot on the timeline to zoom in.
     

  • Click and drag across the timeline chart to focus on the highlighted range:

  • In the top-right corner of the timeline, click the zoom out or zoom in icons (magnifying glasses with + or - ).

 

4 — Session data 

On the bottom half of the page, you'll find your Cmd data, organized by session.

  • To reorder columns, click and drag their headings to the left or right.
     

  • To add or remove columns, click the button to the right of the column titles, and toggle the active fields.
     

  • Hover over linked text to see a summary of information related to the server, session, or user, and the number of alerts associated with it:

  • If a server summary display is red (as in the above screenshot), there are unresolved alerts related to the server. If it is green, there are no unresolved alerts.
     

  • If a session summary display is red, there was a failed 2-factor authentication attempt. If it is green, 2FA was successful. If it is grey, the user was not prompted for 2FA.
     

  • In a summary display, click any of the linked text to see more details, click Run in Sessions to see the command in context in the Commands tab, and click Run in Reports to create a new report about the summarized item.
     

  • To view details about a particular session, click its row to expand the Cmd data terminal, which will show the commands from that session. 

  • To export a copy of the listed items in .CSV or JSON format, open the menu in the top-right corner of the table and click Download.
    - In the following dialog, select an export format.
    - Enter the number of rows to export.
    - Select the CQL values to include in the export.
    - Click Export.
    - In the following dialog, right-click the bar and save the linked file.
    - When the download finishes, click OK to close the dialog.

 

5 — Saved searches

You can make a new search tab by clicking the new tab button (plus), and save searches for later (or send them to the Reports page) by clicking the three-dot menu near the top right of the page:

 
 

6 — Live sessions

To access the Live sessions page, click ‘Live sessions’ in the top right of the ‘Sessions’ page:

On the left of each session's row,  you can see the session ID, user name, IP address, and server name. On the right you can see the session duration. If any alerts occur during the live session, the alert risk level icon also appears, showing the highest alert level for any alert from that session.

Click any of the sessions to open it in terminal view:

To immediately terminate a session and log the user out of the server, click Stop session.

 

Next:

Explore the Agent deployment guides collection to learn how to install the Cmd agent on various server architectures.


 
 
 

Did this answer your question?