Live Sessions
Three-Tab Diagnostic Modal
Live Sessions provide real-time, interactive diagnostics with a single agent. Click Live Session on any online agent to open the modal, which automatically starts ETW collection and establishes an SSE (Server-Sent Events) connection.
Query Tab
Natural language chat interface for AI-powered diagnostics:
- Type questions in the input box and press Enter to send (Shift+Enter for new line)
- Before answering, the agent runs an AI-driven dynamic ETW investigation against the target host: the AI picks ETW providers per round, captures evidence in a separate diagnostic session, and folds the counts-only findings into the answer prompt. See AI Diagnostics for the architecture — the short version is that the AI orchestrates which providers are listening, so the answer is grounded in evidence it actively gathered rather than a fixed always-on snapshot.
- At the end of each round, a local rule engine on the agent scans the captured events for known failure patterns (Azure AD Conditional Access denials, TLS untrusted-root chains, Kerberos SPN failures, and others). Any verdicts that fire travel back with the round's counts summary so the AI planner sees them as authoritative findings. When a verdict already explains the symptom, the investigation often concludes in fewer rounds than the default cap of 5 — you'll see this as a faster time to answer for the common failure patterns.
- You'll see streamed "thinking" messages while the investigation runs ("Starting live AI-driven ETW investigation…", "Round 2 of 3: capturing network-connections for 30s", etc.) so the wait is visible rather than opaque.
- Responses include diagnostic findings, root cause analysis, and actionable recommendations. When the conclusion lends itself to an automated fix, a remediation script is proposed at the end of the session and submitted to the org's Process Automations approval flow — see the section below.
- Conversation history supports up to 10 turns of context
- Each question consumes 1 query from your organization pool, plus 1 query per round of the dynamic investigation (capped at 5 rounds default / 10 hard ceiling) and 1 more if a remediation script is generated.
Shell Tab
Remote command-line interface for direct execution on the agent:
- Shell Type Toggle: Switch between PowerShell and CMD via dropdown
- Press Enter to execute; ↑/↓ arrow keys for command history
- Saved Scripts: Dropdown of pre-saved scripts with one-click execution. Script Manager to create, edit, delete.
- Terminal-style output with exit codes, stdout, and stderr
- Limits: 5-minute timeout per command, max 3 concurrent commands
- Runs under: Agent service account (Local System for managed agents)
Files Tab
Bidirectional file transfers between your browser and the agent:
- Push File: Upload from browser with a destination path on the agent
- Pull File: Download from agent by specifying a source path
- Transferred in 1 MB chunks with MD5 verification
- Real-time progress bars with percentage and byte count
- Completed pulls show a Download button
- Limits: Max 2 concurrent transfers; status refreshes every 5 seconds
Session Lifecycle
Starting
- Click Live Session on an online agent
- ETW collection initiates on the agent
- SSE connection establishes with
QueryResponse,QueryFailed, andSessionEndedevent handlers - Three-tab modal opens — ready for queries
Ending
- Click End Session
- ETW collection stops on the agent
- SSE stream closes; agent returns to previous mode
Only one live session per agent at a time. Session history is not retained after closing.
Post-Session Remediation Offer
When a guided troubleshooting question concludes with a known fix, the AI generates a remediation script (PowerShell on Windows, Bash on Linux) and submits it to your org's Process Automations repository for review. You'll see a notice in the session stream when this happens (“Remediation script created and submitted for review (ticket #…)”) and the saved report's JSON will carry a remediation block with the script id, review ticket id, language, and an auto_run_eligible flag.
Auto-run eligibility distinguishes how the operator can execute the script after the org admin approves:
- Live session, operator attending →
auto_run_eligible = true. After approval, the operator can run the script in-session through the existing automations execution path. - Background / scheduled investigation, no operator →
auto_run_eligible = false. Analysis-only; a human picks it up, reviews, and decides whether to run.
Either way, no remediation runs until an organization administrator approves the script. AI-generated remediations carry Origin = "process_automation" and a CreatedBy = "dynamic-etw:<jobId>" marker for the audit trail. See the Automations documentation for the full approval flow.
Effective Query Tips
- Be Specific: “Why can't user John access \\server\share?” beats “Why doesn't this work?”
- Include Context: Mention app names, file paths, service names, user accounts
- Start Broad, Then Narrow: Overview first, then drill down
- One Issue at a Time: Focus on a single problem for best correlation
- Processing Time: Most queries return in 3–10 seconds