Get session metadata by session ID.

One of the following roles is required to read the details of the user’s own sessions:

  • RTR Read Only Analyst.
  • RTR Active Responder.
  • RTR Administrator.

To read all users’ sessions, the following role is required:

  • Falcon Administrator.

Parameters

| Parameter | Description |
| --- | --- |
| Sessions IDs | The session IDs to get details of. You can obtain the session IDs by running List RTR Sessions; they are returned in its “resources” field. |

Example Output

{
	"errors": [
		{
			"code": 0,
			"id": "string",
			"message": "string"
		}
	],
	"meta": {
		"pagination": {
			"limit": 0,
			"offset": 0,
			"total": 0
		},
		"powered_by": "string",
		"query_time": 0,
		"trace_id": "string",
		"writes": {
			"resources_affected": 0
		}
	},
	"resources": [
		{
			"cid": "string",
			"cloud_request_ids": [
				"string"
			],
			"commands": {},
			"commands_queued": false,
			"created_at": "date-time",
			"deleted_at": "date-time",
			"device_details": {
				"PlatformIDNumeric": 0,
				"agent_version": "string",
				"config_id_base": "string",
				"config_id_build": "string",
				"config_id_platform": "string",
				"device_id": "string",
				"external_ip": "string",
				"first_login_timestamp": "string",
				"first_login_user": "string",
				"first_seen": "string",
				"hostname": "string",
				"last_login_timestamp": "string",
				"last_login_user": "string",
				"last_seen": "string",
				"last_seen_ago_seconds": 0,
				"local_ip": "string",
				"mac_address": "string",
				"machine_domain": "string",
				"major_version": "string",
				"minor_version": "string",
				"modified_timestamp": "string",
				"notes": [
					"string"
				],
				"os_version": "string",
				"ou": [
					"string"
				],
				"platform_id": "string",
				"platform_name": "string",
				"product_type": "string",
				"product_type_desc": "string",
				"release_group": "string",
				"site_name": "string",
				"status": "string",
				"system_manufacturer": "string",
				"system_product_name": "string",
				"tags": [
					"string"
				]
			},
			"device_id": "string",
			"duration": 0,
			"hostname": "string",
			"id": "string",
			"logs": [
				{
					"base_command": "string",
					"cloud_request_id": "string",
					"command_string": "string",
					"created_at": "date-time",
					"current_directory": "string",
					"id": 0,
					"session_id": "string",
					"updated_at": "date-time"
				}
			],
			"offline_queued": false,
			"origin": "string",
			"platform_id": 0,
			"platform_name": "string",
			"pwd": "string",
			"updated_at": "date-time",
			"user_id": "string",
			"user_uuid": "string"
		}
	]
}

Workflow Library Example

Get Rtr Sessions Details with Crowdstrike and Send Results Via Email
