EUM Monitor (Web UI)
The EUM (End User Monitoring) monitor type executes multi-step user journeys in a real web browser, exactly as an end user would experience them. This page is the full specification of the EUM engine: capabilities, scenario script functions, TOTP/MFA support, and secrets/key-vault integration.
Overview
| Property | Value |
|---|---|
| Engine | Selenium 4 WebDriver + BrowserMob proxy |
| Browsers | Chrome, Firefox, Edge |
| Scenario source | Recorded with MNS IDE (or Selenium IDE) |
| Database | exec.db |
| Runs on | The Monitor probe |
EUM scenarios are executed headless by default on the probe; each run replays the recorded journey, measures every declared transaction, and reports timings, screenshots, video, and HAR data back to the Webserver.
Capabilities
- Multi-step transaction recording (via MNS IDE or Selenium IDE)
- Individual transaction timing with critical/major thresholds, enriched with
window.performancebrowser metrics - Screenshot capture: on error, per transaction, or on every step (photo mode)
- Video recording of the entire execution
- HAR (HTTP Archive) capture of all network traffic through the embedded proxy
- TOTP (Time-based One-Time Password) support for 2FA / MFA
- Encrypted credentials — embedded (AES) or retrieved from an external key vault at runtime
- Corporate proxy configuration
- Visual similarity checking
Scenario Script Functions
Scenario files are generated by the MNS IDE recorder and call the following built-in functions:
| Function | Purpose |
|---|---|
mnsStartTransaction(name, timeout, critical_ms, major_ms) |
Start a named, timed transaction with thresholds |
mnsStopTransaction() |
Stop the current transaction and record its timing + window.performance metrics |
captureScreenshotReport(...) |
Capture a screenshot into the run report |
highlightElement(element) |
Visually highlight an element before interacting with it |
acceptCookie(...) |
Dismiss cookie-consent banners |
waitForWindow(...) |
Wait for and switch to a new browser window/tab |
MNSDecrypt("...") |
Decrypt an embedded encrypted credential at runtime |
Example:
mnsStartTransaction("Login Page", 30, 5000, 3000) // name, timeout, critical_ms, major_ms
driver.findElement(By.id("username")).sendKeys("user")
driver.findElement(By.id("password")).sendKeys(MNSDecrypt("q1hjZXR0ZSBjbGUgZXN0..."))
driver.findElement(By.id("submit")).click()
mnsStopTransaction()
TOTP / MFA Support
The EUM engine can generate TOTP codes during a scenario, allowing monitors to log in to applications protected by two-factor authentication.
Supported specification: RFC 6238
| Parameter | Value |
|---|---|
| Algorithm | HMAC-SHA1 |
| Code length | 6 digits |
| Time step | 30 seconds |
| Shared secret encoding | Base32 |
These are the same parameters used by Google Authenticator, so any identity provider offering a “Google Authenticator”-style TOTP enrollment is compatible — including Okta, Microsoft Entra ID, Google, and Duo.
The TOTP shared secret is stored AES-encrypted and delivered to the engine at runtime through the TOTP_SECRET_<urlTitle> environment variable.
Okta compatibility
| Okta factor | Supported |
|---|---|
| Google Authenticator factor (standard TOTP) | ✅ Exact match with the supported parameters |
| Okta Verify — TOTP mode | ✅ Capture the shared secret at enrollment time |
| Okta Verify — Push | ❌ Proprietary push protocol, not TOTP |
| Custom TOTP factor with non-default parameters (SHA-256/512, 8 digits, time step ≠ 30 s) | ❌ Not currently supported |
Secrets & Key-Vault Integration
EUM scenarios never store passwords in clear text. Two mechanisms are available:
1. Embedded encrypted credentials
Passwords can be embedded directly in the scenario as AES-encrypted strings and decrypted at runtime with MNSDecrypt("..."). Operators generate the encrypted strings with the engine’s password-encrypt mode and paste them into the scenario.
2. External key vaults
Credentials can be retrieved at runtime from an external secrets manager, so they never appear in the scenario at all:
| Provider | vaultType |
|---|---|
| HashiCorp Vault | hashicorp |
| Azure Key Vault | azure |
| CyberArk Conjur | cyberark |
At execution time, the retrieved credentials are delivered to the scenario through per-monitor environment variables:
| Environment variable | Content |
|---|---|
VAULT_USERNAME_<urlTitle> |
Username fetched from the vault |
VAULT_PASSWORD_<urlTitle> |
Password fetched from the vault |
TOTP_SECRET_<urlTitle> |
Encrypted TOTP shared secret |
Vault connection settings (vaultType, URLs, tokens) are configured on the Monitor probe — see Monitor Configuration → Vault Integration.