Sessions
The Sessions page allows you to view attributes associated with the TCP sessions recorded by MetaDefender NDR . To begin viewing the TCP sessions, click Analysis. The default Sessions page displays the basic session details in a tabular form. The interface provides both Quick Search and Advanced Search features on the left pane.
Columns available in the Advanced Search menu for the Sessions page are:
- Source IP
- Destination IP
- Source Port
- Destination Port
- VLAN ID
- Workflow
- Collector
- Workflow Owner
- Protocol
- File: MD5
- File: SHA1
- File: SHA256
- File: SHA512
- File: Entropy
- File: Signature Name
Select the column(s) and specify their criteria. You can also specify the session time from the Time Interval drop-down menu or select a date range from the built-in calendars by clicking the From/To option. Click Search. Results appear in the right pane and display sessions matching the specified criteria. Information on each session that includes the session time when the PCAPs were captured off the sessions, source and destination IP addresses, protocol, VLAN, collector host name, and a link to view the session details are displayed.
Viewing Session Details
Details of a session can be viewed by clicking View in the Actions column corresponding to that session. This page displays the TCP session ID, instance when the PCAPs were captured off the sessions, session score, source and destination IP address of the session, protocol involved, VLAN, files transferred, details on the protocol header and the transferred files along with the option to view the file(s) content and download them as raw or encrypted file(s).
On the right pane of this page, you can view the collector host name and information on the number of session events. Click the Threat Score Contributors panel to view details on the threat score contributors on the top section of this page.
