Get session metadata by session id.

One of the following roles is required to read the user’s own session details:

  • RTR Read Only Analyst.
  • RTR Active Responder.
  • RTR Administrator.

To read all users’ sessions, the following role is required:

  • Falcon Administrator.

Parameters

Parameter | Description
Sessions IDs | The session IDs to get details of. You can obtain the session IDs from the “resources” field returned by running List RTR Sessions.

Example Output

{
	"meta": {
		"query_time": 2,
		"powered_by": "<string>",
		"trace_id": "<string>"
	},
	"resources": [
		{
			"id": "<string>",
			"created_at": "2010-05-17T08:00:15.321Z",
			"updated_at": "2006-07-10T10:19:38.460Z",
			"deleted_at": null,
			"cloud_request_ids": [
				"<string>"
			],
			"cid": "<string>",
			"device_id": "<string>",
			"hostname": "<string>",
			"user_id": "<string>",
			"user_uuid": "<string>",
			"duration": 1,
			"origin": "<string>",
			"logs": [
				{
					"id": 0,
					"created_at": "2022-10-11T14:11:33.213Z",
					"updated_at": "2022-10-11T14:11:33.213Z",
					"session_id": "<string>",
					"command_string": "<string>",
					"current_directory": "<string>",
					"base_command": "<string>",
					"cloud_request_id": "<string>"
				}
			],
			"offline_queued": false,
			"commands_queued": false
		}
	],
	"errors": []
}
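
An added example, not part of the original page or of CrowdStrike's own code: it turns the output shown above into one audit record per session, so a reviewer can see who ran what on which host. The function name, the `REVIEW_COMMANDS` set and all sample values are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Assumption: base commands worth a second look; tune to local policy.
REVIEW_COMMANDS = frozenset({"put", "run", "runscript", "rm", "kill"})

def _ts(value):
    # Timestamps in the example output are ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_sessions(response, review=REVIEW_COMMANDS):
    """Build one audit record per session from a session-details response."""
    if response.get("errors"):
        raise ValueError(f"response carries errors: {response['errors']}")
    records = []
    for s in response.get("resources") or []:
        # "logs" may be missing or null; order entries by creation time.
        logs = sorted(s.get("logs") or [], key=lambda e: _ts(e["created_at"]))
        records.append({
            "session_id": s["id"],
            "hostname": s.get("hostname"),
            "user_id": s.get("user_id"),
            "queued": bool(s.get("offline_queued") or s.get("commands_queued")),
            "deleted": s.get("deleted_at") is not None,
            "base_commands": Counter(e["base_command"] for e in logs),
            "timeline": [(e["created_at"], e["command_string"]) for e in logs],
            "needs_review": [e["command_string"] for e in logs
                             if e["base_command"] in review],
        })
    return records

# Constructed sample response (all values invented for illustration).
SAMPLE = {
    "meta": {"query_time": 2},
    "resources": [
        {"id": "sess-a", "hostname": "ws-01", "user_id": "analyst@example.com",
         "deleted_at": None, "offline_queued": False, "commands_queued": False,
         "logs": [
             {"created_at": "2022-10-11T14:12:05.000Z", "base_command": "put",
              "command_string": "put collect.ps1"},
             {"created_at": "2022-10-11T14:11:33.213Z", "base_command": "ls",
              "command_string": "ls C:\\Temp"},
         ]},
        {"id": "sess-b", "hostname": "ws-02", "user_id": "analyst@example.com",
         "deleted_at": "2022-10-11T15:00:00.000Z", "offline_queued": True,
         "commands_queued": True, "logs": None},
    ],
    "errors": [],
}
```
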

Workflow Library Example

Get Rtr Sessions Details with Crowdstrike and Send Results Via Email
