Sessions

Seeing what's happening in your infrastructure

Every connection through Border0 is authenticated, and each request is continuously authorized. These connections are what we call sessions. A session has various properties, including:

  • Identity (who?)
  • Resources (what resource, i.e., which socket, was accessed)
  • Location (from where)
  • Time (when), i.e., date and time
  • Recording (what happened): a video of what happened, i.e., what commands were executed.

Advanced Flow logs

If you're familiar with VPC flow logs or NetFlow, think of Border0 sessions as flow logs with significantly more context: not just IP addresses and port numbers, but also identity, which resource (not which IP) was accessed, and exactly what happened during the session (a recording).

Listing sessions

As an administrator, you can request all sessions from the portal using the "Session Logs" link in the left-hand menu or using this URL: https://portal.border0.com/sessions

From there, you will find a list of all sessions; these are network connections going to your various Sockets.
This list gives you a quick overview of who accessed which resources and when. By clicking on the "Replay session" link under Actions, you'll be able to watch a recording of the session or read a text dump of all the commands executed.

Advanced Firewall logs

Think of this view as a modern firewall log. Instead of just seeing IP addresses and port numbers, administrators have access to far more context, including the actual identity of the user, the resource that was accessed, and the ability to watch a video replay of the session.

Terminating a session

From the Session log view, administrators can terminate a live session. To terminate a session, click on the three dots in the action column on the right, and click "terminate session".

Terminate Session

Kill sessions that are out of compliance

There are various reasons why an administrator may decide to kill a session. One reason could be an indicator of compromise for the user, or perhaps the user is engaged in suspicious behavior.

Interacting with Sessions using the API

Third-party systems such as a SIEM can ingest session logs through our API.

API Admin Token

Note: to use the API, you need an admin token. To retrieve an admin token, execute border0 login; this will write the token to ~/.border0/token.

Below is a simple example that requests the 100 most recent session logs:

curl -X "GET" \
  "https://api.border0.com/api/v1/sessions?page=1&page_size=100" \
  -H "x-access-token: $(cat ~/.border0/token)" 

Session Details

By clicking on the "replay session" link, you'll be able to see all the details for this session, including the ability to replay the recording for a session (assuming recording is enabled for the Socket).

Session Replay

To watch the session details and recording, click on "Replay Session." Note that there are two tabs, "Text" and "Video". The text tab will show a text dump of the session, whereas the video tab will show a movie-like recording of the session.

Session recording

Session Details using the API

Use the example below to request the details of an individual session using the API.

$ curl -s -X "GET" \
  "https://api.border0.com/api/v1/sessions?page=1&page_size=1" \
  -H "x-access-token: $(cat ~/.border0/token)" 
{
  "pagination": {
    "current_page": 1,
    "next_page": 2,
    "total_records": 1509,
    "total_pages": 1509
  },
  "session_logs": [
    {
      "session_id": "93227a7e-8724-4be5-a5c5-2729f615ac50",
      "socket_id": "432b9498-7762-45b9-8bb7-92f16158ff4a",
      "start_time": "2022-10-10T04:46:50Z",
      "last_seen": "2022-10-10T04:46:51Z",
      "user_email": "[email protected]",
      "server_name": "my-http-service3-acme.border0.io",
      "server_port": "443",
      "client_ip": "192.0.1.202",
      "client_port": "62593",
      "audit_log": false,
      "name": "Andree Toonk",
      "picture": "https://lh3.googleusercontent.com/a/ALm5wQSGWCa0NU3SKscuSvsYxhp-TmRR06_wrS=s96-c",
      "sub": "xyx-bcb6-4997-89d3-xxxx",
      "nickname": "",
      "killed": false,
      "session_type": "http",
      "sshuser": null
    }
  ]
}

Pagination

Note how we requested the first page and only one item per page. We also get back some additional information for pagination, such as how many other items are available.

This API endpoint can feed data into your log system or SIEM.
Similarly, you may request the session replay like this:

curl -X "GET" \
  "https://api.border0.com/api/v1/session/<socket_id>/<session_id>/session_log" \
  -H "x-access-token: $(cat ~/.border0/token)" 

To kill a session using the API, use:

curl -X PUT \
  "https://api.border0.com/api/v1/session/<socket_id>/<session_id>" \
  -H "accept: application/json" \
  -H "x-access-token: $(cat ~/.border0/token)" \
  -H "Content-Type: application/json" \
  -d '{
  "killed": true
}'
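
Added example (not Border0's own code): one way to feed the paginated session list shown earlier into a SIEM, walking every page and emitting one JSON line per session until a checkpoint is reached. It assumes the API returns the most recent sessions first and that the last page is the one where current_page equals total_pages; iter_sessions, to_siem_event, sample_fetch and the sample data are constructed for illustration.

```python
import json
import urllib.request
from pathlib import Path

API = "https://api.border0.com/api/v1/sessions"  # endpoint shown on this page

def fetch_page(page, page_size=100):
    """Fetch one page, authenticating with the token written by `border0 login`."""
    token = (Path.home() / ".border0" / "token").read_text().strip()
    req = urllib.request.Request(f"{API}?page={page}&page_size={page_size}",
                                 headers={"x-access-token": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_sessions(fetch=fetch_page, stop_at=None, max_pages=1000):
    """Yield session logs across pages; stop at the checkpoint or the last page."""
    # stop_at: session_id of the newest session already ingested.
    # Assumption: the API returns the most recent sessions first.
    for page in range(1, max_pages + 1):
        body = fetch(page)
        logs = body.get("session_logs") or []
        for log in logs:
            if log["session_id"] == stop_at:
                return
            yield log
        pg = body.get("pagination") or {}
        # Last page: nothing returned, or current_page has reached total_pages.
        if not logs or pg.get("current_page", page) >= pg.get("total_pages", 0):
            return

def to_siem_event(log):
    """Flatten one session log into a JSON line: who, what, from where, when."""
    fields = ("session_id", "socket_id", "start_time", "last_seen", "user_email",
              "server_name", "client_ip", "session_type", "killed")
    return json.dumps({k: log.get(k) for k in fields}, sort_keys=True)

def sample_fetch(page):
    """Constructed two-page response (not real data) for an offline run."""
    ids = {1: ["s-3", "s-2"], 2: ["s-1"]}.get(page, [])
    logs = [{"session_id": i, "socket_id": "sock-1", "start_time": "2022-10-10T04:46:50Z",
             "user_email": "user@example.com", "client_ip": "192.0.2.10",
             "session_type": "http", "killed": False} for i in ids]
    return {"pagination": {"current_page": page, "total_pages": 2}, "session_logs": logs}

if __name__ == "__main__":
    # Swap sample_fetch for fetch_page to query the live API.
    for session in iter_sessions(sample_fetch, stop_at="s-1"):
        print(to_siem_event(session))
```

Persist the first session_id of each run and pass it as stop_at on the next run so that already-ingested sessions are not sent to the SIEM twice.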