Analytics
In this section,
- Learn more about the applications data and filters available in the views.
- In the walkthrough, see the end-to-end high-level steps on managing your policy on-the-fly using the views in analytics.
- Create and save views using your favorite filters.
- Add events and applications discovered in Analytics to your policies in the Policy Editor.
In the situation of excess endpoint audit event generation (as determined by the policy configuration), which is deemed likely to have a severe impact on overall performance and availability of the EPM console, BeyondTrust will take measures to ensure ongoing availability and functionality of the EPM console.
An EPM SaaS instance is capable of supporting event ingestion at the rate of approximately 720,000 events per hour, or 17.28m per day. Beyond this, if server performance is degraded, your instance will automatically begin refusing events. Those events are queued on each endpoint, up to a maximum of 25,000 queued events. Events generated beyond 25,000 are lost permanently.
To minimize the potential of queued and/or lost events, event generation should be configured in policy to be within the range outlined above. Analytics in the EPM Windows and Mac SaaS console will be able to provide you with event generation insight.
Should BeyondTrust need to take further non-automated action to maintain server availability and stability, a support ticket will be raised on your behalf, and a representative from our Support organization will reach out to make you aware of the situation and to work with you to make any recommended policy changes, if required.
Overview
The following views are available:
- Events: Shows all activity from Endpoint Privilege Management that you have chosen to log to EPM.
- Applications: An application is a grouping of events with the same application type. On this tab, see how different applications are used and controlled across all your machines, by all your users in a single row of data.
- Users: Shows user logon information.
A standard user requires delegated access to the Analytics page. For more information, see Review EPM Roles
Applications Data
The following application types are shown in the Applications tab. From here you can easily make policy amendments, using our recommended matching criteria for applications.
Applications are aggregated using the most appropriate criteria for each application type as shown below.
Windows Application Types
| Application Type | Aggregation Criteria |
|---|---|
|
Executable (exe) |
|
| COM Class (com) |
|
| Installer Package (msi) |
|
| Uninstaller (unin/unex) |
|
| Store App (appx) |
|
| Windows Service (svc) |
|
| Control Panel Applet (cpl) |
|
| Management Console (msc) |
|
macOS Application Types
| Application Type | Aggregation Criteria |
|---|---|
| Binary (bin) |
|
| Bundle (bund) |
|
| Package (pkg) | |
| System Preference Pane (pref) |
Use Filters to Display Relevant Data
There are two types of filtering:
- Default: The default filters are: Time period, Computer groups, Operating system, Application Type (on the Applications grid only).
- Optional: There is an extensive selection of filters which can be selected and configured at time of viewing.
Select the data you want to view by choosing the time period, a computer group, and operating system. Select and set filters to further refine the data displayed in the view.
The dynamic filtering provides a search-as-you-type feature that helps you to quickly and easily narrow the scope of the data set displayed. You must type at least three characters in the dynamic filter box of an optional filter for an auto suggestion to populate. You can then click on an auto suggested field to help you narrow the scope of the data set. The search as you type filtering is available for the following filter types:
- App description
- App Name
- Host Name
- Host Domain
- Publisher
- User Name
The search-as-you-type feature is also available for these optional filters (only on the Applications grid):
- COM Display Name
- Service Display Name
- Service Name
- Store App Name
The following optional filters require a minimum of five characters. Matches are displayed in the grid.
- Command line
- File Path
- Executable Path
- User Reason
Filters List
Default Filters
| Name | Description |
|---|---|
| Time Period | From now back to a selected value. |
| Computer Groups |
View All or selected Computer Groups. Admin users can see data for all groups. Standard users can see data only from groups for which they have the Analyze Group role. |
| Operating System | Windows or macOS. |
| Application Type |
The type of application as defined in your policy. Displays options relevant to selected operating system. Default for Applications tab only (optional for Events tab). |
For more information about roles, see Review EPM Roles.
Event Filters
The filters are grouped into the following categories:
- Event: The action Endpoint Privilege Management took.
- Application: Properties of the running application.
- Policy: The Endpoint Privilege Management policy controlling the action.
- User: The user running the event.
- Computer: The machine the event is running on.
The filters listed here are optional.
| Name | Category | Description |
|---|---|---|
| Event Action | Event |
Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy. For Windows these actions are:
Run As Alternate User For macOS these actions are:
|
| Event Type | Event |
The type of event that Endpoint Privilege Management has reported or controlled:
Privileged Account Modification Prevented User Logon Agent Start Agent Stop Unlicensed |
|
Admin Required (Windows) |
Application |
Yes/No Endpoint Privilege Management detected that the process or application required elevation. |
| Application Type | Application | The type of application as defined in your policy. |
| App Name | Application | The Product Name property of the executable (for applicable event and application types). |
| App Description | Application | The Product Description property of the executable (for applicable event and application types). |
| Command Line | Application | The command line captured at execution time. |
| Executable Path | Application | The path of the executable (the process started). |
| File Path | Application | The path of any file passed as an argument to a launching process. |
| Publisher | Application | The publisher of the executable. |
| Application Group Name | Policy | The name of the application group matched as defined in policy. |
| Message Name | Policy | The message shown to end user. |
| On Demand | Policy |
Whether the rule applied was an Application Rule (ran normally) or an On-Demand Rule (ran via right-click and Run as Administrator). Yes: On-Demand Rule No: Application Rule or N/A |
| Policy Name | Policy | The name of the policy applied. |
| Policy Revision | Policy | The revision of the policy applied. |
| Workstyle Name | Policy | The name of the Workstyle applied to this event as defined in policy. |
| User Name | User | User name |
| User Domain | User | User domain |
| User Reason | User | The reason provided by the user via the Endpoint Privilege Management message (if configured). |
| Host Name | Computer | Computer name on which the event took place. |
| Host Domain | Computer | Computer domain on which the event took place. |
Application Filters
The filters listed here are optional.
| Name | Category | Description |
|---|---|---|
| Event Action | Event |
Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy. For Windows these actions are:
For macOS these actions are:
|
|
Admin Required (Windows) |
Application |
Endpoint Privilege Management detected that the process or application required elevation. Yes/No |
| Authorization Required (macOS) | Application |
Endpoint Privilege Management detected that the process or application required Authorization macOS only Yes/No |
| App Name | Application | The Product Name property of the executable (for applicable event and application types). |
| App Description | Application | The Product Description property of the executable (for applicable event and application types). |
| Downloaded | Application |
Was the file downloaded? (has the mark of the web) Yes / No |
| Drive Type | Application |
The type of drive an application or file was run or loaded.
|
| Publisher | Application | The publisher of the executable. |
| Application Group Name | Policy | The name of the application group matched as defined in policy. |
| Message Name | Policy | The message shown to the end user. |
| On Demand | Policy |
Whether the rule applied was an Application Rule (ran normally) or an On Demand Rule (ran via right click and Run as Administrator) Yes: On Demand Rule No: Application Rule or N/A |
| Elevation Method |
How the application gained elevated rights. Possible values Windows:
Possible values macOS:
|
Application Type Specific Filters and Columns
In the Applications grid there are some filters and columns specific to the selected application type. These are available automatically when you select the appropriate application type.
| Application Type | Name | Filter/Column/Both | Description |
|---|---|---|---|
| COM Class | COM Display Name | Both | The display name for the COM class object. |
| COM Class | CLSID | Column | The globally unique identifier that identifies a COM class object. |
| COM Class | App ID | Column | The globally unique identifier that represents a server process for one or more COM classes. |
| Management Console | File Path | Column | The path of the Management Console snap-in |
| Windows Service | Service Display Name | Both | The Display Name of the Windows Service |
| Windows Service | Service Name | Both | The underlying name of the Windows Service |
| Windows Service | Service Action | Column |
The action which Endpoint Privilege Management controlled for that service:
|
| Windows Store Application | Store App Name | Both | The Name property of the store app. |
| Binary | File Path | Column | The path of the macOS binary. |
For more information about the Elasticsearch events in EPM, see EPM ECS Event Reference.
