Disclosed herein are embodiments of systems, methods, and products comprises a server for monitoring and tracking user activities based on different events in a security log. The server may retrieve the security log and parse the security log to identify a set of predetermined events for a user based on the event IDs, including logon events, logoff events, and privileged events. Based on the time point when privileged events occur at least partially during the pattern of having more logon events than logoff events, the server may determine when the user starts to work. Based on the time point when the logoff events and logon event starts to show the pattern that there are more logoff events than logon events and the difference increasing into a threshold, the server may determine when the user stops working. The server may generate a heat map indicating different users' work time length.