Sessions
Seeing what's happening in your infrastructure
🔍 Every connection through Border0 is authenticated, and each request is continuously authorized. These connections are what we call sessions. A session has various properties, including:
- Identity (who)
- Resource (what resource, i.e., which Socket, was accessed)
- Location (from where)
- Time (when), i.e., date and time
- Recording (what happened): a replay of the session showing, for example, which commands were executed.
Advanced Flow logs
If you're familiar with VPC flow logs or NetFlow, think of Border0 sessions as flow logs with significantly more context: not just IP addresses and port numbers, but also the identity of the user, which resource (rather than which IP) was accessed, and exactly what happened during the session (a recording).
Listing sessions
As an administrator, you can request all sessions from the portal using the "Session Logs" link in the left-hand menu or using this URL: https://portal.border0.com/sessions
From there, you will find a list of all Sessions; these are network connections going to your various Sockets.
This overview shows you at a glance who accessed which resources and when. By clicking the "Replay session" link under Actions, you can watch a recording of the session or view a text dump of all the commands executed.
Advanced Firewall logs
Think of this view as a modern firewall log. Instead of just IP addresses and port numbers, administrators have access to far more context, including the actual identity of the user, the resource that was accessed, and the ability to watch a video replay of the session.
Terminating a session
From the Session log view, administrators can terminate a live session. To terminate a session, click the three dots in the Actions column on the right, then click "Terminate session".
Kill sessions that are out of compliance
There are various reasons why an administrator may decide to kill a session. One reason could be an indicator of compromise for the user, or perhaps the user is engaged in suspicious behavior.
Interacting with Sessions using the API
Third-party systems such as a SIEM can ingest session logs through our API.
API Admin Token
Note: to use the API, you need an admin token. To retrieve an admin token, execute
border0 login
This will write the token to ~/.border0/token.
Below is a simple example that requests the 100 most recent session logs:
curl -X "GET" \
"https://api.border0.com/api/v1/sessions?page=1&page_size=100" \
-H "x-access-token: $(cat ~/.border0/token)"
Session Details
By clicking on the "replay session" link, you'll be able to see all the details for this session, including the ability to replay the recording for a session (assuming recording is enabled for the Socket).
To watch the session details and recording, click on "Replay Session." Note that there are two tabs, "Text" and "Video". The text tab will show a text dump of the session, whereas the video tab will show a movie-like recording of the session.
Session Details using the API
Use the example below to request session details using the API; here we ask for the first page with a single session per page.
$ curl -s -X "GET" \
"https://api.border0.com/api/v1/sessions?page=1&page_size=1" \
-H "x-access-token: $(cat ~/.border0/token)"
{
"pagination": {
"current_page": 1,
"next_page": 2,
"total_records": 1509,
"total_pages": 1509
},
"session_logs": [
{
"session_id": "93227a7e-8724-4be5-a5c5-2729f615ac50",
"socket_id": "432b9498-7762-45b9-8bb7-92f16158ff4a",
"start_time": "2022-10-10T04:46:50Z",
"last_seen": "2022-10-10T04:46:51Z",
"user_email": "[email protected]",
"server_name": "my-http-service3-acme.border0.io",
"server_port": "443",
"client_ip": "192.0.1.202",
"client_port": "62593",
"audit_log": false,
"name": "Andree Toonk",
"picture": "https://lh3.googleusercontent.com/a/ALm5wQSGWCa0NU3SKscuSvsYxhp-TmRR06_wrS=s96-c",
"sub": "xyx-bcb6-4997-89d3-xxxx",
"nickname": "",
"killed": false,
"session_type": "http",
"sshuser": null
}
]
}
Pagination
Note how we requested the first page with only one item per page. The response also includes pagination information, such as how many more items are available.
This API endpoint can feed data into your log system or SIEM.
Similarly, you may request the session replay like this:
curl -X "GET" \
"https://api.border0.com/api/v1/session/<socket_id>/<session_id>/session_log" \
-H "x-access-token: $(cat ~/.border0/token)"
To kill a session using the API, use:
curl -X PUT \
"https://api.border0.com/api/v1/session/<socket_id>/<session_id>" \
-H "accept: application/json" \
-H "x-access-token: $(cat ~/.border0/token)" \
-H "Content-Type: application/json" \
-d '{
"killed": true
}'
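As an added example (not Border0's own code), the calls above combined into one Python script: it pages through /sessions using total_pages from the pagination block, flags sessions that are out of compliance, and kills them with the same PUT request. The compliance rule (a flagged identity, or a client_ip outside approved networks), api_call, sample_call and SAMPLE_PAGES are my own assumptions for illustration; the sample data is constructed to match the response shape shown earlier.

```python
import ipaddress
import json
import os
import urllib.request

API = "https://api.border0.com/api/v1"  # prefix used by the curl examples above
def api_call(method, url, body=None):
    """Real request, authenticated with the token that `border0 login` writes."""
    token = open(os.path.expanduser("~/.border0/token")).read().strip()
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"x-access-token": token, "Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req))

def iter_sessions(call=api_call, page_size=100):
    """Walk every page of /sessions, stopping at pagination.total_pages."""
    page = 1
    while True:
        body = call("GET", f"{API}/sessions?page={page}&page_size={page_size}")
        yield from body["session_logs"]
        if page >= body["pagination"]["total_pages"]:
            return
        page += 1

def out_of_compliance(s, flagged_users, allowed_nets):
    """Not yet killed, and a flagged identity or a client IP outside the allowed networks (assumed rule)."""
    src = ipaddress.ip_address(s["client_ip"])
    return not s["killed"] and (s["user_email"] in flagged_users or not any(src in n for n in allowed_nets))

def kill_noncompliant(flagged_users, allowed_cidrs, call=api_call):
    """Page through all sessions and PUT {"killed": true} on each non-compliant one."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    killed = []
    for s in iter_sessions(call):
        if out_of_compliance(s, set(flagged_users), nets):
            call("PUT", f"{API}/session/{s['socket_id']}/{s['session_id']}", {"killed": True})
            killed.append(s["session_id"])
    return killed

# Constructed offline stand-in for api_call: two pages shaped like the response shown above.
SAMPLE_PAGES = {
    1: {"pagination": {"current_page": 1, "next_page": 2, "total_pages": 2}, "session_logs": [
        {"session_id": "s1", "socket_id": "k1", "user_email": "alice@example.com", "client_ip": "10.0.0.5", "killed": False},
        {"session_id": "s2", "socket_id": "k1", "user_email": "mallory@example.com", "client_ip": "10.0.0.9", "killed": False}]},
    2: {"pagination": {"current_page": 2, "next_page": None, "total_pages": 2}, "session_logs": [
        {"session_id": "s3", "socket_id": "k1", "user_email": "bob@example.com", "client_ip": "203.0.113.7", "killed": False}]},
}

def sample_call(method, url, body=None):
    return {"killed": True} if method == "PUT" else SAMPLE_PAGES[int(url.split("page=")[1].split("&")[0])]
```

Running kill_noncompliant(["mallory@example.com"], ["10.0.0.0/8"], call=sample_call) against the constructed pages kills s2 (flagged user) and s3 (client outside 10.0.0.0/8); swap in api_call for the real API.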