Monitoring User Session Activity With uberAgent
The other day a customer asked me whether it is possible to monitor session activity with uberAgent. Of course, I thought! One just has to look at the session connection state, which can be active, disconnected, and so on, and uberAgent monitors that very well. But when I thought about it further, I realized that the situation is not so trivial. Read below how I solved it with a custom search.
Customer’s Requirements
Our customer is a service provider and wants to know whether users are actively working in their sessions, and for what percentage of the time. “Actively working” means users are logged in and doing something in the session. Non-active time means users are logged in but not working, which is the case when:
- the session is disconnected
- the session is locked
- the screensaver is active
How to Solve That With uberAgent
Disconnected and Idle Sessions
The first point was easy to solve: you just have to filter for sessions whose connection state is active, so all others are ignored.
| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
latest(SessionUserLower) as User
splitrow
SessionGUID
filter host in (*)
filter SessionConnectionState is "active"
Locked Sessions
Points two and three took me a while to figure out. uberAgent’s ability to collect the foreground application got me to my goal. Let us start with locked sessions.
Want to know more about uberAgent’s capability to collect the foreground application? Read more here.
If the desktop is locked, the foreground process is LockApp.exe. The lock screen appears before you have to enter your credentials. Mine looks like this:
uberAgent’s application identification groups LockApp.exe into the application Microsoft Windows OS. To identify the process uniquely, I overrode the mapping in uberAgent’s configuration file:
[ProcessToApplicationMapping]
# Lock App
^C:\\Windows\\SystemApps\\Microsoft.LockApp_cw5n1h2txyewy\\LockApp\.exe$ = Lock App
While this pre-login lock screen looks nice on physical PCs, it makes no sense in virtual environments and is typically disabled there. In virtual environments, users are taken directly to the “real” logon screen, where they have to enter their credentials. That screen runs on a secure desktop that uberAgent cannot access. Hence the foreground application field is empty, which is good for us, because it is empty only in this case!
By the way, if a user is just looking at the desktop with all applications closed, the foreground application identified by uberAgent is Microsoft Windows OS (foreground process is explorer.exe).
To conclude, uberAgent is able to identify if a desktop is locked either with Microsoft’s Lock App or without.
Active Screensaver
After I found out how to recognize the lock screen with uberAgent, the screensaver was a breeze. The foreground application is empty when the screensaver is active, too.
The Final Search
So the logic for deciding that a session is not active is as follows; at least one of these statements has to be true:
- the session connection state is not active
- the session is active and the foreground app is Lock App
- the session is active, and there is no foreground app
That translates into this easy-peasy Splunk eval command:
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
Here is the final search I ended up with:
| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
count(Session_SessionDetail_Users) as EventCount
latest(SessionConnectionState) as SessionConnectionState
latest(SessionFgAppName) as SessionFgAppName
latest(SessionUserLower) as User
splitrow
_time
period second
splitrow
SessionGUID
filter host in (*)
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
sum(Active) as Active
sum(EventCount) as EventCount
latest(User) as User
by
SessionGUID
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'
| table
User
"Active time (%)"
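To make the three "not active" rules and the per-session percentage easy to check outside Splunk, here is an added Python replica of the eval case() and the stats stage above (example code, not part of the original post or the uberAgent product). The input rows are constructed to resemble the Session_SessionDetail_Users fields the pivot uses; the session GUIDs and user names are made up.

```python
# Added example (not from the original post): plain-Python replica of the
# Splunk search's Active / "Active time (%)" logic over constructed rows.
from collections import defaultdict

LOCK_APP = "Lock App"  # application name assigned in [ProcessToApplicationMapping]

def is_active(state, fg_app):
    """Mirror of the eval case(): 1 if the user is working, else 0.
    Not connected (disconnected etc.)                    -> 0
    Connected but foreground app is the Lock App         -> 0
    Connected but no foreground app (secure desktop,
    screensaver)                                         -> 0
    Anything else, e.g. Microsoft Windows OS (bare desktop) -> 1
    """
    if state != "active":
        return 0
    if fg_app == LOCK_APP or fg_app is None:
        return 0
    return 1

def active_time_percent(events):
    """Per SessionGUID: sum(Active) / rows * 100, rounded to one decimal,
    with latest() semantics for the user (last row wins). Returns rows
    sorted by percentage descending, like the final | sort | table."""
    totals = defaultdict(lambda: {"active": 0, "rows": 0, "user": None})
    for ev in events:
        t = totals[ev["SessionGUID"]]
        t["active"] += is_active(ev["SessionConnectionState"], ev.get("SessionFgAppName"))
        t["rows"] += 1
        t["user"] = ev["SessionUserLower"]
    rows = [
        {"SessionGUID": guid, "User": t["user"],
         "Active time (%)": round(t["active"] / t["rows"] * 100, 1)}
        for guid, t in totals.items()
    ]
    return sorted(rows, key=lambda r: r["Active time (%)"], reverse=True)

# Constructed sample rows, one per "period second" bucket of the pivot.
SAMPLE_EVENTS = [
    {"SessionGUID": "s1", "SessionUserLower": "alice", "SessionConnectionState": "active", "SessionFgAppName": "Microsoft Office"},
    {"SessionGUID": "s1", "SessionUserLower": "alice", "SessionConnectionState": "active", "SessionFgAppName": "Lock App"},
    {"SessionGUID": "s1", "SessionUserLower": "alice", "SessionConnectionState": "active", "SessionFgAppName": None},
    {"SessionGUID": "s1", "SessionUserLower": "alice", "SessionConnectionState": "disconnected", "SessionFgAppName": "Microsoft Office"},
    {"SessionGUID": "s2", "SessionUserLower": "bob", "SessionConnectionState": "active", "SessionFgAppName": "Microsoft Windows OS"},
    {"SessionGUID": "s2", "SessionUserLower": "bob", "SessionConnectionState": "active", "SessionFgAppName": "Google Chrome"},
]

if __name__ == "__main__":
    for row in active_time_percent(SAMPLE_EVENTS):
        print(f'{row["User"]:<8} {row["Active time (%)"]:>6}')
```

Note that this replica divides by the number of rows, whereas the Splunk search divides sum(Active), which counts rows, by sum(EventCount), which counts raw events; the two agree only when each second bucket holds a single event.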
And the result:
Alternative Method
While the above works per session, uberAgent also collects idleness in percent per machine. 100% means the system is completely idle. This metric is used by Windows to determine whether to start the screen saver or turn off the display. Details are available in our documentation.
Test Setup
- Microsoft Windows 10 Enterprise 1809 x64
- uberAgent 5.2
- Splunk 7.2.5
About uberAgent
The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.