Skip to main content

Request SaaS Deployment

Contact Sales

Employee Monitoring

How to Track User Activity with Ekran System [Hands-on Guide]

Share:

You may trust the people you work and partner with, but you never know how they really behave and handle your sensitive data within your organization’s network. Each user in your IT infrastructure brings their own security risks. Tracking user activity helps mitigate those risks and enhance your organization’s security.

This article will show you how to set up an efficient user activity monitoring (UAM) process with Ekran System. You’ll learn how to:

  • Monitor and view user sessions
  • Filter user activity monitoring for relevant results
  • Configure and view alerts on suspicious activity
  • Monitor and block USB devices
  • Investigate security incidents

Why monitor user activity?

Your organization may have regular and privileged users, in-office and remote workers, vendors, and third-party service providers with access to your critical endpoints. These may include servers, desktop computers, virtual machines, and embedded devices. Therefore, it may be challenging to detect malicious actions or other insider risks on those endpoints.

Establishing visibility and control over user activity can help your organization manage insider risks and maintain compliance with relevant laws and regulations. Implementing a thorough UAM process with dedicated user activity monitoring software allows you to observe, track, and record user actions within your organization’s infrastructure. Thus, UAM provides visibility into how users interact with sensitive data and systems.

Let’s take a closer look at the benefits of UAM.

Benefits of user activity tracking for organizations

Protect sensitive information. Thorough UAM helps detect data leaks and data processing violations. By implementing UAM, you can clearly understand who interacts with sensitive data and for what purposes. For instance, UAM solutions can help you notice a user entering sensitive information into generative AI chatbots, thus, putting it at risk of data leakage.

Swiftly detect and respond to security threats. You can significantly increase your chances of detecting potential signs of security threats and responding to them in a timely manner. For example, user activity tracking software can notify your security team about a user accessing the organization’s systems outside of normal working hours. Upon receiving the notification, security officers can review the user’s actions and act immediately if they recognize a threat.

Simplify incident investigation. UAM ensures thorough documentation of a security incident, which is critical for forensic analysis. By examining user activity logs, session recordings, and reports, you can reconstruct the incident’s timeline and understand its root causes.

Comply with cybersecurity regulations. Many regulations, laws, and standards worldwide require organizations to track user activity to ensure data security and privacy. By implementing UAM, you can meet the requirements of PCI DSS, HIPAA, GDPR, and others, reducing the risk of non-compliance penalties for your organization.

Improve employee productivity. UAM allows you to track employee performance. Detailed insight into how employees spend their work time enables managers to give accurate feedback and advise employees on how to manage time better. In addition, when employees know they’re being monitored, they are less likely to spend time on non-work-related activities.

Streamline workflows. With UAM, you can detect hitches in your organization’s or specific teams’ workflows and inefficient practices. Understanding which applications or tasks consume too much time can help you optimize processes and allocate resources more effectively.

Read on to see how Ekran System can help you reap the benefits of user activity tracking with the functionality it offers.

About Ekran System

Ekran System is a comprehensive insider risk management platform with robust UAM capabilities that enables organizations to deter, detect, and disrupt security threats coming from within.

You can deploy Ekran System software agents to monitor user activity on any type of desktop or server:

01

Infrastructure servers

02

Terminal servers

03

Jump servers

04

Physical and virtual desktops

Ekran System supports an extensive list of operating systems and virtual environments:

Platforms supported by Ekran System

Operating systems

Virtual environments

  • Windows 
  • Linux 
  • macOS 
  • UNIX 
  • X Window System 
  • Citrix
  • VMware Horizon 
  • Microsoft Hyper-V 
  • Citrix 
  • Amazon WorkSpaces 
  • AWS (Amazon Web Services) 
  • Azure Windows Virtual Desktops

Ekran System’s software agents are lightweight, non-intrusive, and quick to install. Ekran System offers a flexible licensing scheme, letting you transfer any license from one endpoint to another in just a couple clicks.

Ekran System’s extensive list of features can help your organization establish a thorough yet ethical user activity monitoring process. In the next section, we’ll show you exactly how to track user activity with Ekran System.

Leverage Ekran System for user activity monitoring

Unlike many legacy solutions, Ekran System enables non-intrusive, discreet, and continuous user activity monitoring. Ekran System’s software agents work seamlessly without affecting other programs. The platform uses highly optimized formats for storing data and won’t overload your systems.

Ekran System addresses user privacy concerns by pseudonymizing user data. The platform replaces user logins, device names, and other personal data, making it impossible to identify a specific user even if the monitoring data becomes compromised.

Ekran System has an offline monitoring mode to ensure uninterrupted monitoring. Thus, whenever the Internet connection is lost, Ekran System agents continue to collect user activity data and send it to central storage once the connection is restored.

Ultimately, Ekran System allows you to capture user activity data, enhancing your security posture without disrupting systems or workflows and compromising users’ privacy or personal data.

Monitoring and viewing user sessions

Ekran System monitors all user sessions on endpoints with the Ekran System software agents installed. It collects the following information:

  • screen capture recordings of on-screen user activity
  • visited URLs
  • launched applications
  • titles of active windows
  • typed keystrokes
  • clipboard text data
  • executed commands & scripts
  • connected USB devices

On the Monitoring Results page, you can view all monitored user sessions. You can filter them using parameters such as operating system, target workstation, user name, IP address, and remote hostname.

Let’s suppose that you want to watch a specific user’s most recent session. Under the Client Sessions tab, click Who in the filtering options, start entering the username, and select the checkbox in front of the required username.

Searching for user sessions

You will see a list displayed with all of the user’s sessions. Open the latest one by clicking on the Play icon or simply double-clicking it.

Opening a user session

When the Session Viewer opens, you can view screen capture recordings on the left side. The right side displays the accompanying metadata on user actions. You can use the Search field in the upper right to search for specific actions.

Viewing a user session

If the session is still active, you can watch it in real time by clicking the Live button.

Filter user activity monitoring for relevant results

Users within your network might perform thousands of actions daily. Ekran System allows you to make user activity monitoring more focused with its filtering functions.

You can configure filtering for specific computers, servers, or their entire groups on the Client Management page.

Filtering user activity monitoring for relevant results

Suppose you want to disable monitoring for user activity in Word and Excel documents on all endpoints in your organization. Instead of configuring filtering parameters for each endpoint separately, you can open the Client Groups tab and choose the All Clients group.

Configuring filtering for specific clients or client groups

To configure the filtering, you need to:

  1. Open the Application Filtering tab in Group Settings
  2. Choose Monitor all activity except from the Filter State drop-down list.
  3. Enter “Word;Excel” in the Application Name Contains field.
  4. Click Finish.
Application filtering

As a result, Ekran System will no longer collect user activity data from applications containing the words “Word” or “Excel” in their name.

In a similar way, you can limit user activity monitoring to specific users, time, and remote host IP addresses by specifying the parameters in the corresponding tabs.

Types of filtering in Ekran System

You can also configure Ekran System to start session monitoring only when users type specific keywords. The recording starts after one of the specified keywords is detected and continues until the session is finished.

To enable this option, open the Keystroke Monitoring tab, check the box for Start monitoring after detecting one of the following keywords, and indicate the keywords in the field below.

Ekran System can also be configured to monitor keystrokes only in specific applications by defining related parameters in the Keystroke Filtering group of options.

Keystroke filtering

Configuring and viewing alerts on suspicious activity

Ekran System allows you to take a proactive approach to threat management by letting you configure real-time alerts. These alerts notify you about any potentially dangerous user actions so you can respond quickly.

Alerts can be configured on the Alert Management page.

Alert management

Ekran System offers a variety of predefined alerts designed to detect the most common signs of malicious user activity. For instance, if you need an alert for detecting when a user tries to upload files to a cloud sharing service, you don’t need to create it from scratch. All you need to do to use it is find it in the list of default alerts and tailor it to your needs.

Searching for default alerts

You will need to specify:

  • Which endpoints to enable the alert for
  • The email address to send notifications to
  • Necessary automated actions, if needed

In response to user actions that trigger an alert, you can choose to display a warning message to a user, block a user, or kill an application process.

Configuring automated response actions

To add a custom alert, click Add in the top right corner and start by filling in the Properties of the alert:

  1. Select the Enabled checkbox 
  2. Enter a unique name for the alert
  3. Provide a description of the alert (optionally)
  4. Specify the risk level (Normal, High, or Critical)
Adding a custom alert

In the Rules section, specify the cases when the alert should be triggered. For this, you need to indicate:

  1. A parameter for the rule. You can apply the rule to applications, activity titles, usernames, Linux commands and parameters, users or computers belonging to Domain Group, keystrokes, URLs, and clipboard operations.
  2. A comparison operator. The alert can be triggered when the parameter equals or is like the value you’re comparing it to. Alternatively, it can also be triggered when it doesn’t equal or is not like the specified value.
  3. A value (to which the parameter will be compared). Here, you can add any value you want to compare the parameter against.
Specifying rules of an alert

In the Assigned Clients and Assigned Client Groups sections, click Add to select the clients you want to apply the alert to.

Assigning clients to apply an alert to

Afterward, you can configure Actions in the same way as in predefined Ekran System alerts and click Finish to save the alert.

You can view all triggered alerts on the Alerts tab of the Monitoring Results page and find specific ones by using the Search bar.

Checking alerts

Double-clicking a session or clicking the Play button will open the Session Viewer and start replaying the session from the moment the alert was triggered. Potentially harmful activities are marked with an Alert icon on the video progress bar and highlighted in the user activity tracking log.

Viewing sessions with potentially harmful activity

If the session is still active and you find the user’s actions dangerous to your organization’s security, you can block the user directly from the Session Viewer by clicking the Block User button above the Session Player.

Blocking a user

Monitoring and blocking USB devices

Ekran System supports two types of USB device monitoring. The first type is automatic. As the name implies, it works automatically without additional configurations. The information related to monitored USB devices is displayed in the Session Viewer.

The second type is non-automatic or rule-based USB device monitoring. In contrast to automatic, rule-based USB device monitoring not only monitors USB devices in the network but can also be configured to notify you about new USB connections or block USB devices.

You can add and edit USB monitoring rules on the USB Monitoring page. 

USB device monitoring and blocking

Suppose you need an alert rule for detecting mass storage devices. First, click the USB Monitoring navigation link and click Add in the right-hand corner of the opened page. Then, on the USB Rule Properties tab, select the Enable USB rule option and define properties (name, description, and risk level). Click Next to proceed.

Adding a USB rule

On the Rule Conditions tab, choose the types of devices to monitor by selecting the corresponding checkboxes. If there are any devices you don’t wish to monitor, you can create exceptions for them by clicking Add in the corresponding section.

Specifying USB rule conditions

In the Additional Actions tab, you can configure email notifications upon the connection of mass storage devices. Ekran System also enables you to completely block mass storage USB devices automatically upon their connection or until a connection request is approved by an administrator.

Configuring additional action for USB rules

Lastly, you’ll need to indicate the clients (endpoints) to which the rule should be applied on the Assigned Clients tab and click Finish to save the rule.

Assigning client to apply a USB rule to

Investigating security events

When a security incident is detected, Ekran System can help you understand its context by offering various user activity reports. On the Reports page, you can generate more than 30 different types of reports depending on what insights you’re looking for.

Types of user activity reports

Let’s say you want a report with all security alerts for the specific time period during which a certain incident took place. On the Report Generator tab, you’ll be required to choose a report type from a drop-down list, select the desired file format, and specify the time frame.

Choose the clients (endpoints) or client groups you want to look into. You can then select the users whose data will be included in the report and who can download it. Click Generate Report and then download your report on the Generated Reports tab.

Generating user activity tracking reports

The Alert Grid Report provides information about all alert events in the form of a grid.

While reports can help you get a general understanding of what was going on around the time of the incident, user session recordings can help see exactly how it all happened. Even more conveniently, Ekran System allows you to export sessions in a tamper-proof format and use them as evidence in forensic investigations.

To export a specific session, locate it on the Monitoring Results page, open the session, and click the Tools icon at the top right of the Session Player. Then click Forensic Export.

Exporting user sessions for incident investigation

In an opened window, you can choose to export a fragment of a session or an entire session with or without text metadata. If needed, you can even secure it with a password.

Forensic export

Note: To view the exported session, Ekran Forensic Player is required.

Conclusion

Keeping track of user activity is crucial for ensuring IT security and meeting the requirements of cybersecurity regulations, laws, and standards. Ekran System is a comprehensive insider risk management solution with many powerful monitoring features to meet your cybersecurity needs.

In addition to providing traditional UAM capabilities, Ekran System enhances the monitoring experience with real-time alerts and automated incident response, thus optimizing your security team’s efficiency and reducing potential damage.

Want to try Ekran
System? Request access
to the online demo!

See why clients from 70+ countries already use Ekran System.

Share:

Content

See how Ekran System can enhance your data protection from insider risks.