Monitoring User Session Activity With uberAgent
The other day a customer asked me whether it is possible to monitor session activity with uberAgent. Of course, I thought! One just has to look at the session connection state, which can be active, disconnected, etc. uberAgent monitors that very well. But when I thought about it further, I realized that the situation is not quite so trivial. Read below how I solved it with a custom search.
Our customer is a service provider and wants to know whether users are actively working in their sessions, and for what percentage of the time. “Actively working” means users are logged on and are doing something in the session. Non-active time means users are logged on but not working. The latter is the case when:
- the session is disconnected
- the session is locked
- the screensaver is active
How to Solve That With uberAgent
Disconnected and Idle Sessions
The first point was easy to solve: search only for sessions whose connection state is active, which filters out all others.
| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
    latest(SessionUserLower) as User
    splitrow SessionGUID
    filter host in (*)
    filter SessionConnectionState is "active"
Points two and three took me a while to figure out. uberAgent’s capability to collect the foreground application brought me to my goal. Let us start with locked sessions.
Want to know more about uberAgent’s capability to collect the foreground application? Read more here.
If the desktop is locked, the foreground process is LockApp.exe. That is the screen which appears before you have to enter your credentials. Mine looks like this:
uberAgent’s application identification groups LockApp.exe into the application Microsoft Windows OS. To identify the process uniquely, I have overridden the identification in uberAgent’s configuration file:
[ProcessToApplicationMapping]
# Lock App
^C:\\Windows\\SystemApps\\Microsoft.LockApp_cw5n1h2txyewy\\LockApp\.exe$ = Lock App
While this lock screen looks nice on physical PCs, it makes little sense in virtual environments and is typically disabled there. Users are then taken directly to the “real” logon screen where they have to enter their credentials. That screen runs on the secure desktop, which uberAgent cannot access, hence the foreground application field is empty – which is good for us, because a user working in a regular application never produces an empty value!
By the way, if a user is just looking at the desktop with all applications closed the foreground application identified by uberAgent is Microsoft Windows OS (foreground process is explorer.exe).
In conclusion, uberAgent can identify a locked desktop whether or not Microsoft’s Lock App is enabled.
After I had found out how to recognize the lock screen, the screensaver was a breeze: the foreground application is empty while the screensaver is active, too.
The Final Search
So the logic to determine that a session is not active is as follows; one of the following statements has to be true:
- the session connection state is not active
- the session is active and the foreground app is Lock App
- the session is active and there is no foreground app
That translates into this easy-peasy Splunk eval command:
| eval Active = case(
    SessionConnectionState != "active", 0,
    (SessionConnectionState = "active" and SessionFgAppName = "Lock App"), 0,
    (SessionConnectionState = "active" and isnull(SessionFgAppName)), 0,
    1=1, 1)
Here is the final search I ended up with:
| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
    count(Session_SessionDetail_Users) as EventCount
    latest(SessionConnectionState) as SessionConnectionState
    latest(SessionFgAppName) as SessionFgAppName
    latest(SessionUserLower) as User
    splitrow _time period second
    splitrow SessionGUID
    filter host in (*)
| eval Active = case(
    SessionConnectionState != "active", 0,
    (SessionConnectionState = "active" and SessionFgAppName = "Lock App"), 0,
    (SessionConnectionState = "active" and isnull(SessionFgAppName)), 0,
    1=1, 1)
| stats sum(Active) as Active sum(EventCount) as EventCount latest(User) as User by SessionGUID
| eval "Active time (%)" = round(Active / EventCount * 100, 1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'
| table User "Active time (%)"
And the result:
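To make the logic easy to test outside Splunk, here is an added example (not code from this post, from uberAgent or from vast limits) that re-implements it in Python and runs it over constructed sample events: the ProcessToApplicationMapping override that names LockApp.exe “Lock App”, the Active flag of the case() statement, and the per-session aggregation of the final search. The LockApp regex is the one from the configuration above; the explorer.exe rule, the fallback to the executable name, the event field SessionFgProcess and the sample events are assumptions made for the example.

```python
import ntpath
import re
from collections import defaultdict

# Added example, not uberAgent or vast limits code. It mirrors two things from
# the post so they can be exercised on constructed data:
#   1. the ProcessToApplicationMapping override that names LockApp.exe "Lock App"
#   2. the eval/stats logic of the final search (Active flag, active-time %)

# Regex rules on the full process path, first match wins. The LockApp rule is the
# one from the post (with the dot in "Microsoft.LockApp" escaped; the original
# regex leaves it unescaped, which still matches). The explorer.exe rule is an
# ASSUMPTION standing in for uberAgent's built-in mapping of explorer.exe to
# "Microsoft Windows OS"; the real product ships many more built-in rules.
PROCESS_TO_APPLICATION = [
    (re.compile(r"^C:\\Windows\\SystemApps\\Microsoft\.LockApp_cw5n1h2txyewy\\LockApp\.exe$",
                re.IGNORECASE), "Lock App"),
    (re.compile(r"^C:\\Windows\\explorer\.exe$", re.IGNORECASE), "Microsoft Windows OS"),
]


def map_process_to_app(process_path):
    """Return the application name for a foreground process path.

    None models an empty SessionFgAppName: no foreground process could be read
    because the secure desktop (credential prompt) or the screensaver owns the
    screen. Paths matching no rule fall back to the executable name (assumption).
    """
    if not process_path:
        return None
    for pattern, app_name in PROCESS_TO_APPLICATION:
        if pattern.match(process_path):
            return app_name
    return ntpath.basename(process_path)  # ntpath: Windows paths, even when run on Linux


def is_active(connection_state, fg_app_name):
    """Python twin of the SPL case(): 1 = user is actively working, 0 = not.

    A missing connection state is treated as not active here; the SPL case()
    would fall through to the default of 1 if the field were absent.
    """
    if connection_state != "active":
        return 0
    if fg_app_name == "Lock App":  # LockApp.exe in the foreground: desktop locked
        return 0
    if fg_app_name is None:        # secure desktop or screensaver: nothing readable
        return 0
    return 1


def active_time_report(events):
    """Aggregate per SessionGUID like 'stats ... by SessionGUID' in the post.

    events: dicts with SessionGUID, SessionUserLower, SessionConnectionState and
    SessionFgProcess (full path of the foreground process, or None). Each event
    counts as one sample, i.e. one 1-second pivot bucket.
    Returns rows of {"User", "Active time (%)"} sorted descending by percentage.
    """
    active_samples = defaultdict(int)
    total_samples = defaultdict(int)
    user_of = {}
    for ev in events:
        guid = ev["SessionGUID"]
        fg_app = map_process_to_app(ev.get("SessionFgProcess"))
        active_samples[guid] += is_active(ev.get("SessionConnectionState"), fg_app)
        total_samples[guid] += 1
        user_of[guid] = ev["SessionUserLower"]  # latest(User) per session
    rows = [
        {"User": user_of[g],
         "Active time (%)": round(active_samples[g] / total_samples[g] * 100, 1)}
        for g in total_samples
    ]
    rows.sort(key=lambda r: r["Active time (%)"], reverse=True)
    return rows


# Constructed sample events (not real uberAgent output); one event per second.
LOCKAPP = r"C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def _ev(guid, user, state, fg_process):
    return {"SessionGUID": guid, "SessionUserLower": user,
            "SessionConnectionState": state, "SessionFgProcess": fg_process}


SAMPLE_EVENTS = (
    [_ev("A", "alice", "active", EXPLORER)] * 4          # bare desktop: counts as active
    + [_ev("A", "alice", "active", LOCKAPP)] * 2         # LockApp.exe in foreground: locked
    + [_ev("A", "alice", "disconnected", EXPLORER)] * 2  # disconnected: not active
    + [_ev("A", "alice", "active", None)] * 2            # secure desktop / screensaver
    + [_ev("B", "bob", "active", WINWORD)] * 5           # working in Word
    + [_ev("B", "bob", "active", None)] * 1              # screensaver kicked in
)

if __name__ == "__main__":
    for row in active_time_report(SAMPLE_EVENTS):
        print(f'{row["User"]:<8} {row["Active time (%)"]:>6}')
```

Two caveats the sample data makes visible: a user who is logged on and merely looking at the desktop (explorer.exe in the foreground) counts as active in this logic, exactly as in the search; and the search collapses all events in a one-second bucket with latest(), whereas the Python counts every event as a sample, so the percentages can differ slightly on real data with more than one event per second.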
While the above works per session, uberAgent also collects idleness in percent per machine. 100% means the system is completely idle. This metric is used by Windows to determine whether to start the screen saver or turn off the display. Details are available in our documentation.
Environment
- Microsoft Windows 10 Enterprise 1809 x64
- uberAgent 5.2
- Splunk 7.2.5
uberAgent is an innovative Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated activity monitoring engine, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.