Troubleshooting Software Usage Data with ACC

Summary

Using ACC-V and SAM together can help optimize software spend by combining software data collection with software last-accessed time and usage data. ACC-V has policies that run and collect installed software data and populate the Software Asset Management (SAM) Software Installations [cmdb_sam_sw_install] table when the SAM plugin is installed.
Release

Instance enabled with ACC-VC and SAM plugins

Instructions

ACC-VC and SAM offer these capabilities: https://www.servicenow.com/docs/bundle/zurich-it-operations-management/page/product/agent-client-collector/concept/using-enhanced-discovery-and-sam-together.html

SAM basic metering compares software from the payload with the Software Discovery Model [cmdb_sam_sw_discovery_model] to find matching products and publishers. If there is a match, it checks for an enabled reclamation rule to save last-used data in the Software Usage [samp_sw_usage] table.
SAM total usage metrics track total usage time and count for applications with enabled reclamation rules.

To capture only last_used data (SAM basic metering), an Osquery installation is not required. For tracking usage (SAM total usage metrics), Osqueryd must be installed: https://osquery.io/downloads/official/5.3.0

For SAM basic metering, the ACC-V agent gets data from the “UserAssist” key, with the following schema:

    table_name("userassist")
    description("UserAssist Registry Key tracks when a user executes an application from Windows Explorer.")
    schema([
        Column("path", TEXT, "Application file path."),
        Column("last_execution_time", BIGINT, "Most recent time application was executed."),
        Column("count", INTEGER, "Number of times the application has been executed."),
        Column("sid", TEXT, "User SID."),
    ])
    implementation("userassist@genUserAssist")
    examples([
        "select * from userassist;",
    ])

UserAssist KEY IN WINDOWS

The Microsoft Windows OS implements various logging and error-reporting mechanisms that keep a record of how the system is being used. This information is logged at numerous hidden locations on the hard drive to make the OS more interactive and user-friendly. These logs can serve as forensic “nuggets” for analysts to draw on.

The UserAssist key, a part of the Windows registry, was first introduced in Windows NT4 and continued in later versions of Windows, including Windows 10. The UserAssist key is maintained by Microsoft in each user’s NTUSER.DAT hive file at the following path (on all versions of Windows): Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist or, on a live computer system, at \HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
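How the path, last_execution_time and count columns above come out of a raw UserAssist registry value, as an added example (not ServiceNow or osquery code). It assumes the commonly documented Windows 7 and later layout: ROT13-encoded value names and 72-byte data with the run count at offset 4 and the last-run FILETIME at offset 60. The function names, SID and paths are constructed for illustration.

```python
import codecs
import struct

EPOCH_DELTA = 11644473600  # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01

def filetime_to_unix(ft):
    """Convert a FILETIME (100 ns ticks since 1601) to Unix seconds; 0 stays 0."""
    return ft // 10_000_000 - EPOCH_DELTA if ft else 0

def decode_entry(value_name, data, sid):
    """Turn one raw UserAssist value into a row shaped like the userassist table."""
    path = codecs.decode(value_name, "rot_13")  # value names are stored ROT13-encoded
    if len(data) != 72:
        # Not the assumed 72-byte layout: keep the path, report no usage, never guess.
        return {"path": path, "last_execution_time": 0, "count": 0, "sid": sid}
    count = struct.unpack_from("<I", data, 4)[0]      # little-endian uint32 run count
    filetime = struct.unpack_from("<Q", data, 60)[0]  # little-endian uint64 FILETIME
    return {"path": path, "last_execution_time": filetime_to_unix(filetime),
            "count": count, "sid": sid}

def build_value(count, unix_time):
    """Build a 72-byte sample value (constructed test data, not read from a hive)."""
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, count)
    ft = (unix_time + EPOCH_DELTA) * 10_000_000 if unix_time else 0
    struct.pack_into("<Q", buf, 60, ft)
    return bytes(buf)

# Constructed sample entries; the SID and application paths are placeholders.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLES = [
    (codecs.encode(r"C:\Program Files\ExampleApp\app.exe", "rot_13"), build_value(7, 1700000000)),
    (codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot_13"), build_value(0, 0)),
    (codecs.encode("UEME_CTLSESSION", "rot_13"), b"\x00" * 16),
]

def usage_rows():
    """Decode every sample, then keep only rows with last_execution_time > 0."""
    rows = [decode_entry(name, data, SID) for name, data in SAMPLES]
    return [r for r in rows if r["last_execution_time"] > 0]

if __name__ == "__main__":
    for row in usage_rows():
        print(row)
```

Entries whose timestamp decodes to 0 are the ones excluded by the last_execution_time > 0 condition in the ACC-V query on this page, which is one reason an installed application can show no usage data.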
IMPORTANT

There are two registry values that must be set to “1” to make UserAssist collection effective:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Start_TrackProgs"=dword:00000001
    "Start_TrackEnabled"=dword:00000001

The query used by the ACC-V agent to get usage data is based on the osqueryi.exe utility: https://osquery.readthedocs.io/en/stable/introduction/using-osqueryi/

SYNTAX QUERY:

    select p.path, p.last_execution_time, p.count, u.username
    from users u CROSS JOIN userassist p on p.sid=u.uuid
    WHERE last_execution_time > 0;

After ACC-V is installed, you can check the data by running the following command:

    C:\ProgramData\ServiceNow\agent-client-collector\cache\osquery\bin\osqueryi.exe

and then running the query above.

The next step is to create a “reclamation rule” on the ServiceNow platform.

After ACC-V collection, if the collected data matches the reclamation rule, the data is stored in the Software Usage table [samp_sw_usage] on the platform. The data is then used by SAM processes to generate reclamation candidates.

SAM total usage metrics

For this use case, you need to install Osqueryd (https://osquery.io/downloads/official/5.3.0) to capture and manage usage data over time. The following link walks through the configuration: https://docs.servicenow.com/bundle/tokyo-it-operations-management/page/product/agent-client-collector/task/import-external-pack-file-for-sam-total-usage-metrics.html

After the configuration, the osqueryd process creates several snapshots based on the query defined in the configuration file osquery.conf, stored in the C:\Program Files\osquery directory.
Snapshot files are stored in C:\Program Files\osquery\logs.

The next step is to create a “reclamation rule” on the ServiceNow platform.

The ACC-V agent, using the SAM background policy, checks whether the collected data matches a reclamation rule. If the data matches, usage data is stored in the Software Usage Staging (sn_acc_visibility_sam_software_usage_staging) table.

A scheduled job called SAM - Update Software Total Usage Metric runs at the beginning of each month to store data in the Software Usage table [samp_sw_usage] on the platform. The data is then used by SAM processes to generate reclamation candidates.