Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Sessions

Sessions are a series of collated Events. Our proprietary algorithm joins these Events using a variety of metrics and behavioral patterns. These Sessions represent a contiguous block of interaction with the customer application. Sessions are related across time by their Spec ID.

Sessions Events & Elements Sessions Events & Elements

Sessions, the top row, contain Events!

Data

Sessions contain metadata about behaviors observed during interaction with the customer application. The rules engine, which determines the risk rating of the Session, also contributes to the Session metadata. Each Session has an individual ID, and related Sessions are also joined by a unique Spec ID. Spec ID collates Sessions that occur over time.

Sessions are composed of an ordered sequence of Events. These Events contain Elements that describe the data points observed within a single Event. Each Event will have an ID, several mapped entities, and any Session Labels that were applied as a result of the rules engine. Session Labels can be observed by any Event occurring after they are applied. These labels can be informational, can identify risky behaviors, and can correlate behaviors into Signatures.

Spec ID

The Spec ID for a Session will unite this Session with other Sessions across time. In the introduction, we mentioned that Sessions represent a contiguous block of interaction with the customer application. Spec ID joins these blocks together into a series and allows us to identify users over time.

An example can help interpret exactly what we mean by this. Imagine we have User A who visits an application to buy shoes. The user logs in on day 1, searches for the shoes they would like to purchase, and then buys that pair of shoes. This is a contiguous block of interaction: the user came to the application, navigated through it, and purchased something. Five days later, this user returns and attempts to return these shoes, and this is recorded in the Spec Platform as a new Session.

important

Spec ID is responsible for recognizing that these two disjoint interactions with the customer application are performed by a single user!

Risk Rating

The Session Risk Rating is an assessment of the trustworthiness of the Session. Sessions can have ratings of Normal, Suspicious, or Malicious. A Session's risk rating is assessed and continuously reassessed with every new event that is recorded during the Session. The models that produce the Risk Rating are tuned over time as new behavioral patterns emerge in the application landscape.

Many behaviors and metrics can contribute to a Risk Rating for a given Session. As the Session accumulates more Events over time, the Risk Rating may change. If a Session reaches a malicious Risk Rating, and Spec is in Active mode, Spec will instantly mitigate the risk, using your preferred mitigation method.

Analysis and Querying

Session Search provides investigators with the ability to search through all Sessions collected. Investigators can drill down further into Sessions through the User Session Assessment page to find patterns and links between malicious actors. When Sessions share an entity they are considered linked, and these connections help identify malicious behavior across Sessions.

Insights provide visualizations that describe the behavior of Sessions in the customer application. These graphs provide quick feedback about the application landscape and offer further investigation on Sessions that occur.