Live Sessions

Three-Tab Diagnostic Modal

Live Sessions provide real-time, interactive diagnostics with a single agent. Click Live Session on any online agent to open the modal, which automatically starts ETW collection and establishes an SSE (Server-Sent Events) connection.

Query Tab

Natural language chat interface for AI-powered diagnostics:

  • Type questions in the input box and press Enter to send (Shift+Enter for new line)
  • Before answering, the agent runs an AI-driven dynamic ETW investigation against the target host: the AI picks ETW providers per round, captures evidence in a separate diagnostic session, and folds the counts-only findings into the answer prompt. See AI Diagnostics for the architecture — the short version is that the AI orchestrates which providers are listening, so the answer is grounded in evidence it actively gathered rather than a fixed always-on snapshot.
  • At the end of each round, a local rule engine on the agent scans the captured events for known failure patterns (Azure AD Conditional Access denials, TLS untrusted-root chains, Kerberos SPN failures, and others). Any verdicts that fire travel back with the round's counts summary so the AI planner sees them as authoritative findings. When a verdict already explains the symptom, the investigation often concludes in fewer rounds than the default cap of 5 — you'll see this as a faster time to answer for the common failure patterns.
  • You'll see streamed "thinking" messages while the investigation runs ("Starting live AI-driven ETW investigation…", "Round 2 of 3: capturing network-connections for 30s", etc.) so the wait is visible rather than opaque.
  • Responses include diagnostic findings, root cause analysis, and actionable recommendations. When the conclusion lends itself to an automated fix, a remediation script is proposed at the end of the session and submitted to the org's Process Automations approval flow — see the section below.
  • Conversation history supports up to 10 turns of context
  • Each question consumes 1 query from your organization pool, plus 1 query per round of the dynamic investigation (capped at 5 rounds default / 10 hard ceiling) and 1 more if a remediation script is generated.

Shell Tab

Remote command-line interface for direct execution on the agent:

  • Shell Type Toggle: Switch between PowerShell and CMD via dropdown
  • Press Enter to execute; ↑/↓ arrow keys for command history
  • Saved Scripts: Dropdown of pre-saved scripts with one-click execution. Script Manager to create, edit, delete.
  • Terminal-style output with exit codes, stdout, and stderr
  • Limits: 5-minute timeout per command, max 3 concurrent commands
  • Runs under: Agent service account (Local System for managed agents)

Files Tab

Bidirectional file transfers between your browser and the agent:

  • Push File: Upload from browser with a destination path on the agent
  • Pull File: Download from agent by specifying a source path
  • Transferred in 1 MB chunks with MD5 verification
  • Real-time progress bars with percentage and byte count
  • Completed pulls show a Download button
  • Limits: Max 2 concurrent transfers; status refreshes every 5 seconds

Session Lifecycle

Starting

  1. Click Live Session on an online agent
  2. ETW collection initiates on the agent
  3. SSE connection establishes with QueryResponse, QueryFailed, and SessionEnded event handlers
  4. Three-tab modal opens — ready for queries

Ending

  1. Click End Session
  2. ETW collection stops on the agent
  3. SSE stream closes; agent returns to previous mode

Only one live session per agent at a time. Session history is not retained after closing.

Post-Session Remediation Offer

When a guided troubleshooting question concludes with a known fix, the AI generates a remediation script (PowerShell on Windows, Bash on Linux) and submits it to your org's Process Automations repository for review. You'll see a notice in the session stream when this happens (“Remediation script created and submitted for review (ticket #…)”) and the saved report's JSON will carry a remediation block with the script id, review ticket id, language, and an auto_run_eligible flag.

Auto-run eligibility distinguishes how the operator can execute the script after the org admin approves:

  • Live session, operator attendingauto_run_eligible = true. After approval, the operator can run the script in-session through the existing automations execution path.
  • Background / scheduled investigation, no operatorauto_run_eligible = false. Analysis-only; a human picks it up, reviews, and decides whether to run.

Either way, no remediation runs until an organization administrator approves the script. AI-generated remediations carry Origin = "process_automation" and a CreatedBy = "dynamic-etw:<jobId>" marker for the audit trail. See the Automations documentation for the full approval flow.

Effective Query Tips

  • Be Specific: “Why can't user John access \\server\share?” beats “Why doesn't this work?”
  • Include Context: Mention app names, file paths, service names, user accounts
  • Start Broad, Then Narrow: Overview first, then drill down
  • One Issue at a Time: Focus on a single problem for best correlation
  • Processing Time: Most queries return in 3–10 seconds