Session Lists are similar to Active Lists, with the following major differences:
Session Lists always have Start Time, End Time, and Creation Time fields.
Session Lists partition data into weekly partitions because the lists can grow very large over a period of time.
Session Lists do not have to fit entirely in memory.
Session Lists are optimized for efficient time-based queries.
Session Lists can monitor activity based on any Rules-driven combination of Events attributes or set of custom fields. For example, session lists are very useful for tracking suspicious or hostile IP addresses as well as targets of attacks that may be compromised.
While you can populate session lists "manually" (adding entries from grid views or the Session List Editor), you should use session lists in conjunction with rules specifically tailored to work with them. Rules can dynamically add and remove entries on lists, thereby making them a flexible information-gathering tool.
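The following is an added conceptual sketch, not ArcSight code or its storage format, showing why the Start Time and End Time fields and the weekly partitions make time-based lookups cheap. The class and function names, the partition origin, the sample sessions, and the choice to model removal as stamping an End Time are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEEK = timedelta(weeks=1)
ORIGIN = datetime(1970, 1, 5, tzinfo=timezone.utc)  # a Monday; assumed partition origin

def week_of(ts):
    """Index of the weekly partition that contains ts."""
    return (ts - ORIGIN) // WEEK

class SessionListModel:
    """Toy model: entries carry start/end/creation times, bucketed by week of Start Time."""
    def __init__(self):
        self.partitions = defaultdict(list)  # week index -> entries
        self.open = {}                       # key -> entry with no End Time yet

    def add(self, key, start, created=None):
        """What a rule's 'add entry' action does in this model: open a session."""
        entry = {"key": key, "start": start, "end": None, "created": created or start}
        self.partitions[week_of(start)].append(entry)
        self.open[key] = entry

    def terminate(self, key, end):
        """What a rule's 'remove entry' action does here (assumed): set End Time."""
        entry = self.open.pop(key, None)
        if entry is not None:
            entry["end"] = end
        return entry is not None

    def active_at(self, ts, max_weeks_back=4):
        """Keys whose session covers ts. Only partitions that can hold a match are
        scanned; sessions older than max_weeks_back are out of scope for the query."""
        hits = []
        for w in range(week_of(ts) - max_weeks_back, week_of(ts) + 1):
            for e in self.partitions.get(w, []):
                if e["start"] <= ts and (e["end"] is None or ts < e["end"]):
                    hits.append(e["key"])
        return hits

def demo():
    """Constructed sample: two users hold the same address in different weeks."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    sl = SessionListModel()
    sl.add(("alice", "10.0.0.5"), t0)
    sl.terminate(("alice", "10.0.0.5"), t0 + timedelta(hours=8))
    sl.add(("bob", "10.0.0.5"), t0 + timedelta(days=9))
    return sl, t0
```

Calling `active_at` with the timestamp of a later event answers the question a flat list of addresses cannot: which session held the address at that moment.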
You can open and edit session lists in grid views.
Session lists are not continuously re‑evaluated and are not time-window constrained. Session lists draw from the event stream on the basis of their event or field/rule definitions and any rules designed to affect them.
Caution: Be careful about using large session lists in filters. This may severely impact system performance.
In addition to their integral definitions, you can apply temporary (not saved) filters to session list grid views. Click the status description in the Filter line in the view header to use the Common Conditions Editor (CCE).
Use the set of default items in the Session Lists resource tree for templates or for operational monitoring with minor modifications. For example, use the ArcSight User Sessions list to watch activity related to logins.
If you have Administrator access, you will have another group named All Session Lists that contains all session list groups and lists.
See also Session Correlation.