Monitor user sessions

This topic describes the session monitoring functionality in the Audit service.

Overview

Auditors, SOCs, and service administrators need a consolidated view of session information from all CyberArk service components that create sessions. The CyberArk Audit service centralizes session monitoring across all CyberArk services on the Shared Services platform and displays all sessions in a single unified view. This enables enhanced auditing as well as incident-response investigation.

Session monitoring currently supports DPA and SCA.

Main session monitoring view

The following information is available for each session in the main view:

User session general information

| Item | Description |
| --- | --- |
| Status | The session status: Active (live session that is currently in progress), Ended (closed session that ended as expected), or Error (session that was terminated with an error). |
| Start date and time | The start date and time of the session, adjusted to the time zone of the user that performed the session. |
| Session length | Session length from start time to end time. |
| Service | The service that sent the event. |
| User | The username that was used to connect to the target. |
| Target | The target address where the session was established. |
| Access method | The method or protocol used to establish the session (for example SSH, RDP, or HTTPS). |

To refresh the view, click the refresh icon above the table on the right.

Filter and search

You can filter the session monitoring view by the parameters described below.

Session monitoring filter options

| To filter by | Select from the following |
| --- | --- |
| Time range | Last 24 hours; Last 7 days; Last 30 days; Custom (define a date and time range) |
| Status | All; Active; Ended; Failed |
| Service | DPA; SCA |
| Protocol | SSH; HTTPS; RDP; CLI |

You can search by the parameters described in the table below. Matching starts at the beginning of a term, so begin typing the exact term in the search field; partial search from the middle of a word isn't currently supported. Run the search by clicking the search icon or pressing Enter on your keyboard.

Session monitoring search options

| To search for | Begin typing the exact value |
| --- | --- |
| User | Username of the entity that performed the session. |
| Target | IP address or hostname of the entity that's the target of the session. |
| Session ID | ID of the session. |
| User on target | Username of the entity that performed the session. |
| Session length | Define the length of the session to search for. Time is in HH:MM:SS format, supporting from 00:00:00 to 99:59:59. Options: Longer than; Shorter than; Range (define a more specific session length using the From and To fields). |
| Source | IP address or hostname of the entity where the session originated. |
| Command | Command typed by the user during a session. |
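
The session-length search takes HH:MM:SS values with hours up to 99, so they are durations rather than times of day. The following added example (not CyberArk code) models the Longer than, Shorter than, and Range options over constructed session records; the record layout, function names, and comparison boundaries (strict for Longer/Shorter, inclusive for Range) are assumptions.

```python
import re

# Hours run 00-99, so time-of-day parsers such as strptime("%H:%M:%S") reject valid values.
_LENGTH = re.compile(r"([0-9]{2}):([0-5][0-9]):([0-5][0-9])")

def parse_length(text):
    """Convert an HH:MM:SS session length (00:00:00 to 99:59:59) to seconds."""
    m = _LENGTH.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"expected HH:MM:SS between 00:00:00 and 99:59:59, got {text!r}")
    hours, minutes, seconds = map(int, m.groups())
    return hours * 3600 + minutes * 60 + seconds

def filter_by_length(sessions, mode, first, second=None):
    """Apply 'longer', 'shorter' or 'range' (first=From, second=To) to session records."""
    low = parse_length(first)
    if mode == "longer":
        keep = lambda n: n > low            # assumption: strictly longer
    elif mode == "shorter":
        keep = lambda n: n < low            # assumption: strictly shorter
    elif mode == "range":
        if second is None:
            raise ValueError("range needs both From and To")
        high = parse_length(second)
        if high < low:
            raise ValueError("To must not be shorter than From")
        keep = lambda n: low <= n <= high   # assumption: bounds are inclusive
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [s for s in sessions if keep(parse_length(s["length"]))]

# Constructed sample records (hypothetical layout, placeholder session IDs).
SESSIONS = [
    {"session_id": "s-1", "status": "Ended",  "access_method": "SSH",   "length": "00:04:10"},
    {"session_id": "s-2", "status": "Active", "access_method": "RDP",   "length": "26:15:00"},
    {"session_id": "s-3", "status": "Error",  "access_method": "SSH",   "length": "00:00:07"},
    {"session_id": "s-4", "status": "Ended",  "access_method": "HTTPS", "length": "08:00:00"},
]

if __name__ == "__main__":
    # Sessions open for more than a working day are worth a second look.
    for s in filter_by_length(SESSIONS, "longer", "08:00:00"):
        print(s["session_id"], s["status"], s["access_method"], s["length"])
```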

Drill down to session information

To drill down and see additional details for a specific session, click the row in the table. A split screen view appears with Session details and Activities tabs.

Session details

In this tab, you can view the following additional session details:

User session details

| Item | Description |
| --- | --- |
| Session ID | A unique session identifier, in GUID syntax. |
| Hostname | The hostname of the source where the session was initiated. |
| End reason | The reason that the session ended. If the session ended unexpectedly, the error description is provided. |
| Source IP address | The source IP address from which the session was initiated. |
| User on target | The username that was used to connect to the target. |
| Platform | The platform that was used in the session. For example, AWS, Microsoft Azure, Google Cloud, or on-premises. |
| Custom data | There may be additional fields in this tab, depending on the service. This data is dynamic. |

Activities

In this tab, you can see all the session commands in a timeline view (the time of each event and the command that triggered the event).

Customize your view

You can show and hide most of the columns in the session monitoring view, and you can add additional columns.

To select the columns you want to see in your view, click the Settings icon in the table header row. A list of the available columns appears, where you can toggle the show/hide status for each individual column. You can also drag a column directly to the table, and change the order of the columns in the table.

  • The Status and Start date and time columns can't be hidden.

  • Columns that aren't shown by default in the main view can also be seen in the Session details tab for each session.