Get RTR Sessions Details
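Get session metadata by session ID. As the Example Output shows, each returned session includes the host's `device_details` and a `logs` array recording every command run in the session (`command_string`, `current_directory`).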
One of the following roles is required to read the user's own session details:
- RTR Read Only Analyst
- RTR Active Responder
- RTR Administrator
To read all users' sessions, the following role is required:
- Falcon Administrator
Parameters
Parameter | Description |
---|---|
Sessions IDs | The IDs of the sessions to get details for. You can obtain session IDs by running the List RTR Sessions action; they are returned in its "resources" field. |
Example Output
{
"errors": [
{
"code": 0,
"id": "string",
"message": "string"
}
],
"meta": {
"pagination": {
"limit": 0,
"offset": 0,
"total": 0
},
"powered_by": "string",
"query_time": 0,
"trace_id": "string",
"writes": {
"resources_affected": 0
}
},
"resources": [
{
"cid": "string",
"cloud_request_ids": [
"string"
],
"commands": {},
"commands_queued": false,
"created_at": "date-time",
"deleted_at": "date-time",
"device_details": {
"PlatformIDNumeric": 0,
"agent_version": "string",
"config_id_base": "string",
"config_id_build": "string",
"config_id_platform": "string",
"device_id": "string",
"external_ip": "string",
"first_login_timestamp": "string",
"first_login_user": "string",
"first_seen": "string",
"hostname": "string",
"last_login_timestamp": "string",
"last_login_user": "string",
"last_seen": "string",
"last_seen_ago_seconds": 0,
"local_ip": "string",
"mac_address": "string",
"machine_domain": "string",
"major_version": "string",
"minor_version": "string",
"modified_timestamp": "string",
"notes": [
"string"
],
"os_version": "string",
"ou": [
"string"
],
"platform_id": "string",
"platform_name": "string",
"product_type": "string",
"product_type_desc": "string",
"release_group": "string",
"site_name": "string",
"status": "string",
"system_manufacturer": "string",
"system_product_name": "string",
"tags": [
"string"
]
},
"device_id": "string",
"duration": 0,
"hostname": "string",
"id": "string",
"logs": [
{
"base_command": "string",
"cloud_request_id": "string",
"command_string": "string",
"created_at": "date-time",
"current_directory": "string",
"id": 0,
"session_id": "string",
"updated_at": "date-time"
}
],
"offline_queued": false,
"origin": "string",
"platform_id": 0,
"platform_name": "string",
"pwd": "string",
"updated_at": "date-time",
"user_id": "string",
"user_uuid": "string"
}
]
}
Workflow Library Example
Get Rtr Sessions Details with Crowdstrike and Send Results Via Email