Monitor user sessions
This topic describes the session monitoring functionality in the Audit service.
Overview
Auditors, SOCs, and service administrators need a consolidated view of session information from all CyberArk service components that create sessions. The CyberArk Audit service centralizes session monitoring across all CyberArk services on the Shared Services platform and presents all sessions in a single, unified view. This enables enhanced auditing as well as incident-response investigation.
Session monitoring currently supports DPA and SCA.
Main session monitoring view
The following information is available for each session in the main view:
Item | Description |
---|---|
Status | The session status: |
Start date and time | The start date and time of the session, adjusted to the time zone of the user that performed the session. |
Session length | Session length from start time to end time. |
Service | The service that sent the event. |
User | The username that was used to connect to the target. |
Target | The target address where the session was established. |
Access method | The method or protocol used to establish the session (for example SSH, RDP, or HTTPS). |
To refresh the view, click the refresh icon above the table on the right.
Filter and search
You can filter the session monitoring view by the parameters described below.
To filter by | Select from the following |
---|---|
Time range | |
Status | |
Service | |
Protocol | |
You can search according to the parameters described in the table below. You must begin typing the exact term in the search field (partial search from the middle of a word isn't currently supported). Begin the search by clicking the search icon or pressing Enter on your keyboard.
To search for | Begin typing the exact value |
---|---|
User | Username of the entity that performed the session. |
Target | IP address or hostname of the entity that's the target of the session. |
Session ID | ID of the session. |
User on target | Username of the entity that performed the session. |
Session length | Define the length of the session to search for. Time is in HH:MM:SS format, supporting from 00:00:00 to 99:59:59. |
Source | IP address or hostname of the entity where the session originated. |
Command | Command typed by the user during a session. |
Drill down to session information
To drill down and see additional details for a specific session, click the row in the table. A split screen view appears with Session details and Activities tabs.
Session details
In this tab, you can view the following additional session details:
Item | Description |
---|---|
Session ID | A unique session identifier, in GUID syntax. |
Hostname | The hostname of the source where the session was initiated. |
End reason | The reason that the session ended. If the session ended unexpectedly, the error description is provided. |
Source IP address | The source IP address from which the session was initiated. |
User on target | The username that was used to connect to the target. |
Platform | The platform that was used in the session. For example, AWS, Microsoft Azure, Google Cloud, or on-premises. |
Custom data | There may be additional fields in this tab, depending on the service. This data is dynamic. |
Activities
In this tab, you can see all the session commands in a timeline view (the time of each event and the command that triggered the event).
Customize your view
You can show and hide most of the columns in the session monitoring view, and you can add additional columns.
To select the columns you want to see in your view, click the Settings icon in the table header row. A list of the available columns appears, where you can toggle the show/hide status for each individual column. You can also drag a column directly to the table, and change the order of the columns in the table.
- The Status and Start date and time columns can't be hidden.
- Columns that aren't shown by default in the main view can also be seen in the Session details tab for each session.