Analytics

In this section,

  • Learn more about the applications data and filters available in the views.
  • In the walkthrough, see the end-to-end high-level steps on managing your policy on-the-fly using the views in analytics.
  • Create and save views using your favorite filters.
  • Add events and applications discovered in Analytics to your policies in the Policy Editor.

 

In the situation of excess endpoint audit event generation (as determined by the policy configuration), which is deemed likely to have a severe impact on overall performance and availability of the EPM console, BeyondTrust will take measures to ensure ongoing availability and functionality of the EPM console.

An EPM SaaS instance is capable of supporting event ingestion at the rate of approximately 720,000 events per hour, or 17.28m per day. Beyond this, if server performance is degraded, your instance will automatically begin refusing events. Those events are queued on each endpoint, up to a maximum of 25,000 queued events. Events generated beyond 25,000 are lost permanently.

To minimize the potential of queued and/or lost events, event generation should be configured in policy to be within the range outlined above. Analytics in the EPM Windows and Mac SaaS console will be able to provide you with event generation insight.

Should BeyondTrust need to take further non-automated action to maintain server availability and stability, a support ticket will be raised on your behalf, and a representative from our Support organization will reach out to make you aware of the situation and to work with you to make any recommended policy changes, if required.

Overview

The following views are available:

  • Events: Shows all activity from Endpoint Privilege Management that you have chosen to log to EPM.
  • Applications: An application is a grouping of events with the same application type. On this tab, see how different applications are used and controlled across all your machines, by all your users in a single row of data.
  • Users: Shows user logon information.

A standard user requires delegated access to the Analytics page. For more information, see Review EPM Roles

Applications Data

The following application types are shown in the Applications tab. From here you can easily make policy amendments, using our recommended matching criteria for applications.

Applications are aggregated using the most appropriate criteria for each application type as shown below.

Windows Application Types

Application Type Aggregation Criteria

Executable (exe)

  • Application name
  • Application description
  • Publisher
  • Admin required
COM Class (com)
  • CLSID
  • COM Display Name
  • Publisher
  • Admin required
Installer Package (msi)
  • Application description
  • Upgrade code
  • Publisher
  • Admin Required
Uninstaller (unin/unex)
  • App Description
  • Product Name
  • Publisher
  • Admin Required
Store App (appx)
  • Publisher
  • Admin Required
  • Store App Name
Windows Service (svc)
  • Service Display Name
  • Service Action
  • Publisher
  • Admin Required
Control Panel Applet (cpl)
  • Publisher
  • Admin Required
  • App Description
Management Console (msc)
  • Publisher
  • Admin Required
  • File Path

macOS Application Types

Application Type Aggregation Criteria
Binary (bin)
  • Publisher
  • Authorization Required
  • File Path
Bundle (bund)
  • Publisher
  • Authorization Required
  • Application Name
  • Application Description
Package (pkg)
System Preference Pane (pref)

Use Filters to Display Relevant Data

There are two types of filtering:

  • Default: The default filters are: Time period, Computer groups, Operating system, Application Type (on the Applications grid only).
  • Optional: There is an extensive selection of filters which can be selected and configured at time of viewing.

Select the data you want to view by choosing the time period, a computer group, and operating system. Select and set filters to further refine the data displayed in the view.

The dynamic filtering provides a search-as-you-type feature that helps you to quickly and easily narrow the scope of the data set displayed. You must type at least three characters in the dynamic filter box of an optional filter for an auto suggestion to populate. You can then click on an auto suggested field to help you narrow the scope of the data set. The search as you type filtering is available for the following filter types:

  • App description
  • App Name
  • Host Name
  • Host Domain
  • Publisher
  • User Name

The search-as-you-type feature is also available for these optional filters (only on the Applications grid):

  • COM Display Name
  • Service Display Name
  • Service Name
  • Store App Name

The following optional filters require a minimum of five characters. Matches are displayed in the grid.

  • Command line
  • File Path
  • Executable Path
  • User Reason

Filters List

Default Filters

Name Description
Time Period From now back to a selected value.
Computer Groups

View All or selected Computer Groups.

Admin users can see data for all groups.

Standard users can see data only from groups for which they have the Analyze Group role.

Operating System Windows or macOS.
Application Type

The type of application as defined in your policy.

Displays options relevant to selected operating system.

Default for Applications tab only (optional for Events tab).

For more information about roles, please see Review EPM Roles.

Event Filters

The filters are grouped into the following categories:

  • Event: The action Endpoint Privilege Management took.
  • Application: Properties of the running application.
  • Policy: The Endpoint Privilege Management policy controlling the action.
  • User: The user running the event.
  • Computer: The machine the event is running on.

The filters listed here are optional.

Name Category Description
Event Action Event

Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy.

For Windows these actions are:

  • Allowed
  • Elevated
  • Elevated - Custom Privileges
  • Blocked
  • Cancelled
  • Self-Elevated
  • Self-Elevated - Custom Privileges

Run As Alternate User

For macOS these actions are:

  • Allowed
  • Passive
  • Blocked
  • Cancelled
Event Type Event

The type of event that Endpoint Privilege Management has reported or controlled:

  • Process
  • Process with file
  • COM Class
  • Service
  • ActiveX
  • DLL
  • Content
  • Challenge Response Failed

Privileged Account Modification Prevented User Logon

Agent Start

Agent Stop

Unlicensed

Admin Required (Windows)

Application

Yes/No

Endpoint Privilege Management detected that the process or application required elevation.

Application Type Application The type of application as defined in your policy.
App Name Application The Product Name property of the executable (for applicable event and application types).
App Description Application The Product Description property of the executable (for applicable event and application types).
Command Line Application The command line captured at execution time.
Executable Path Application The path of the executable (the process started).
File Path Application The path of any file passed as an argument to a launching process.
Publisher Application The publisher of the executable.
Application Group Name Policy The name of the application group matched as defined in policy.
Message Name Policy The message shown to end user.
On Demand Policy

Whether the rule applied was an Application Rule (ran normally) or an On-Demand Rule (ran via right-click and Run as Administrator).

Yes: On-Demand Rule

No: Application Rule or N/A

Policy Name Policy The name of the policy applied.
Policy Revision Policy The revision of the policy applied.
Workstyle Name Policy The name of the Workstyle applied to this event as defined in policy.
User Name User User name
User Domain User User domain
User Reason User The reason provided by the user via the Endpoint Privilege Management message (if configured).
Host Name Computer Computer name on which the event took place.
Host Domain Computer Computer domain on which the event took place.

Application Filters

The filters listed here are optional.

Name Category Description
Event Action Event

Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy.

For Windows these actions are:

  • Allowed
  • Elevated
  • Elevated - Custom Privileges
  • Blocked
  • Cancelled
  • Self-Elevated
  • Self-Elevated - Custom Privileges
  • Run As Alternate User

For macOS these actions are:

  • Allowed
  • Passive
  • Blocked
  • Cancelled

Admin Required (Windows)

Application

Endpoint Privilege Management detected that the process or application required elevation.

Yes/No

Authorization Required (macOS) Application

Endpoint Privilege Management detected that the process or application required Authorization

macOS only

Yes/No

App Name Application The Product Name property of the executable (for applicable event and application types).
App Description Application The Product Description property of the executable (for applicable event and application types).
Downloaded Application

Was the file downloaded? (has the mark of the web)

Yes / No

Drive Type Application

The type of drive an application or file was run or loaded.

  • Fixed Disk
  • CDROM Drive
  • Network Drive
  • USB Drive
  • RAM Drive
  • eSATA Drive
  • Unknown Drive
Publisher Application The publisher of the executable.
Application Group Name Policy The name of the application group matched as defined in policy.
Message Name Policy The message shown to the end user.
On Demand Policy

Whether the rule applied was an Application Rule (ran normally) or an On Demand Rule (ran via right click and Run as Administrator)

Yes: On Demand Rule

No: Application Rule or N/A

Elevation Method  

How the application gained elevated rights.

Possible values Windows:

  • Admin Account
  • On-Demand
  • Auto-Elevated
  • Not Elevated

Possible values macOS:

  • Manually-Authorized
  • Auto-Authorized
  • Not Elevated

Application Type Specific Filters and Columns

In the Applications grid there are some filters and columns specific to the selected application type. These are available automatically when you select the appropriate application type.

Application Type Name Filter/Column/Both Description
COM Class COM Display Name Both The display name for the COM class object.
COM Class CLSID Column The globally unique identifier that identifies a COM class object.
COM Class App ID Column The globally unique identifier that represents a server process for one or more COM classes.
Management Console File Path Column The path of the Management Console snap-in
Windows Service Service Display Name Both The Display Name of the Windows Service
Windows Service Service Name Both The underlying name of the Windows Service
Windows Service Service Action Column

The action which Endpoint Privilege Management controlled for that service:

  • Start
  • Stop
  • Pause
  • Configure
Windows Store Application Store App Name Both The Name property of the store app.
Binary File Path Column The path of the macOS binary.

For more information about the Elasticsearch events in EPM, please see EPM ECS Event Reference.