Working with Iris Auditing
Iris Auditing automatically reviews privileged SSH and RDP recordings with computer vision and large language model (LLM) analytics. It turns hours of video into a searchable audit trail, pinpointing elevated commands and risky behavior so PAM, security and audit teams can find answers in seconds.
Session Recording Data and Analysis
The Session Recording page lists every captured session, live or completed and shows which ones have already been analyzed by Iris Auditing. Recordings and analysis are based on three synchronized data streams:
-
Visual frame OCR – High resolution screen shots processed with OCR to read on-screen text (commands, output, file paths, SQL queries, etc.)
-
Keystroke log – Time stamped command input with window focused context
-
Process trace – Background processes spawned during the session for full situational awareness.
Analyzed Sessions
See Delinea Auditing Powered by Iris AI for details regarding analyzing a session.
For analyzed sessions, you’ll see AI-generated labels, and a one paragraph summary. A label filter lets you instantly surface sessions containing specific actions (e.g., Privilege Elevation or IAM).
| Label (Iris Auditing) | Description |
|---|---|
| Administrative | Manage system settings or user roles |
| Authentication | Handle user log in, log out, or credential |
| Backup & Restore |
Back up data or trigger restores |
|
Cloud & Remote Services |
Connect to or administer cloud/remote systems |
|
Data Analysis & Visualization |
Inspect logs or metrics; generate on-screen reports |
|
Development & Compilation |
Build code or privileged scripts |
|
File Operations & Transfer |
Copy, move, delete, or sync files |
|
File Directory Management |
Create, rename, or protect folders; set permissions |
|
IAM |
Provision, modify, or revoke identities and roles |
|
Logging & Auditing |
Read or export security logs |
|
Network Ops & Connectivity |
Configure networks or monitor traffic |
|
Package Management |
Install, update, or remove software packages |
|
Performance Optimization |
Tune system or application performance |
|
Privilege Elevation |
Gain or monitor elevated privileges (e.g., sudo) |
|
SSH Key Management |
Create, rotate, or distribute SSH keys |
|
Security & Encryption |
Configure security controls or encryption |
|
Shell & Script Operations |
Execute or automate shell scripts |
|
Software Build & CI/CD |
Deploy or manage CI/CD pipelines |
|
Storage & Disk Management |
Manage disks, volumes, or storage pools |
|
Suspicious |
Match known attack patterns or risky behavior |
|
System Info & Monitoring |
Gather system-health or status data |
|
System Mgmt & Configuration |
Configure services or OS settings |
|
Text Processing & Search |
Search or manipulate text/log files |
|
Troubleshooting & Diagnostics |
Diagnose and resolve issues |
|
Virtualization & Containers |
Manage VMs, containers, or orchestrators |
Configuring Iris Auditing Automatic Processing
You can configure Iris Auditing to automatically analyze sessions based on predefined policies.
To create an automated analysis policy:
-
From the left navigation, select Policies → Create policy.
-
Select Iris Auditing Analysis as the policy type, then click Select template.
The template provides for the following policy options.
Subjects Defines which sessions to analyze based on the user who initiated the session.
Targets Allows selection of specific computers, servers, or collections to analyze sessions based on the session target
Conditions (Optional) Sets time-based conditions such as date range, day of the week, or time of day to control when analysis occurs
Once the policy is created, Iris Auditing will automatically analyze any session that matches the defined criteria.
Tracking Iris Auditing Consumption
To track your Iris Auditing usage and remaining hours:
From the left navigation, select Marketplace → Subscriptions.
Select AI-Driven Auditing. The following information is provided:
-
Status: Indicates whether the subscription is active
-
Allocated: Shows how many Iris Auditing hours are allocated and how many have been used
Once the allocated hours are fully consumed, Iris Auditing will stop analyzing new sessions.
