Analytics v2 (Beta)
The Analytics v2 beta provides a preview of the next-generation reporting and analytics for PM Cloud. The next-gen analytics uses Elasticsearch as the back-end technology for collecting and searching the PM Cloud event data.
PM Cloud analytics can display up to 10,000 events at a time in the grid view.
The beta preview includes:
- Events tab
- Applications tab
- Save View
- Load View
- Event Details
- Add to Policy (only on the Events page at this time)
Please take this opportunity to try out the features in Analytics v2 beta and provide feedback via the in-product feedback tool.
Overview
Starting in PM Cloud 23.4, there are two views available to help you manage policies deployed in your PM Cloud estate:
- Events: Events are derived from the matching criteria configured in application rules.
- Applications: An application is a grouping of events with the same application type. Application types are added and defined as part of the application group.
Applications Data
The PM Cloud 23.4 Analytics beta supports the following application types.
Windows Application Types
Application Type | Aggregation Criteria |
---|---|
Executable (exe) | |
Installer Package (msi) | |
Uninstaller (unin/unex) | |
macOS Application Types
Application Type | Aggregation Criteria |
---|---|
Bundle (bund) | |
Package (pkg) | |
System Preference Pane (pref) | |
Use Filters to Display Relevant Data
In Analytics, there are two types of filtering:
- Persistent: The persistent filters are: Time period, Computer groups, Operating system, Application Type (on the Applications grid only).
- Dynamic: There is an extensive selection of filters which can be selected and configured at time of viewing.
Select the data you want to view by choosing the time period, a computer group, and operating system. Select and set filters to further refine the data displayed in the view.
The dynamic filtering provides a search-as-you-type feature that helps you quickly narrow the scope of the data set displayed. You must type at least three characters in the dynamic filter box before auto suggestions populate. You can then click an auto suggested value to narrow the scope of the data set. Search-as-you-type filtering is available for the following filter types:
- App description
- Command line
- Executable path
- File path
- Host domain
- Hostname
- Publisher
- Path name
- User name
- User reason
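The following is an added example, not PM Cloud code, that models the filter behaviour described above over constructed ECS-style events: the three-character minimum for auto suggestions, applying selected dynamic filters, and the 10,000-event grid cap. The mapping from the filter labels on this page to ECS field names is an assumption.

```python
from collections import Counter

MIN_SUGGEST_CHARS = 3   # stated on the page
GRID_LIMIT = 10_000     # grid view shows at most 10,000 events

# Page filter label -> ECS field; the mapping is assumed, not documented here
DYNAMIC_FILTER_FIELDS = {
    "Command line": "process.command_line",
    "Executable path": "process.executable",
    "Hostname": "host.name",
    "Host domain": "host.domain",
    "User name": "user.name",
}

# Constructed sample events (not real PM Cloud data)
EVENTS = [
    {"host": {"name": "WS-0101", "domain": "corp.example"}, "user": {"name": "alice"},
     "process": {"command_line": "msiexec.exe /i setup.msi",
                 "executable": "C:\\Windows\\System32\\msiexec.exe"}},
    {"host": {"name": "WS-0102", "domain": "corp.example"}, "user": {"name": "bob"},
     "process": {"command_line": "C:\\Tools\\procmon.exe",
                 "executable": "C:\\Tools\\procmon.exe"}},
    {"host": {"name": "MAC-0201", "domain": "corp.example"}, "user": {"name": "carol"},
     "process": {"command_line": "/usr/bin/installer -pkg app.pkg",
                 "executable": "/usr/bin/installer"}},
]

def _get(event, dotted):
    """Resolve a dotted ECS path; None when the field is absent."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event if isinstance(event, str) else None

def suggest(events, filter_label, typed):
    """Auto suggestions for a dynamic filter: [] until 3 chars are typed,
    otherwise matching values ordered by how often they occur."""
    if len(typed) < MIN_SUGGEST_CHARS:
        return []
    field, needle = DYNAMIC_FILTER_FIELDS[filter_label], typed.lower()
    hits = Counter(v for v in (_get(e, field) for e in events)
                   if v and needle in v.lower())
    return [v for v, _ in hits.most_common()]

def apply_filters(events, selected, limit=GRID_LIMIT):
    """Keep events matching every selected (label, value) pair, capped to grid size."""
    matched = [e for e in events
               if all(_get(e, DYNAMIC_FILTER_FIELDS[lbl]) == val for lbl, val in selected)]
    return matched[:limit]
```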
For more information about the Elasticsearch events in PM Cloud, please see PM Cloud ECS Event Reference.
Export to CSV
Click the Download all icon to export all analytics data results in the currently filtered result set, not just the results which are displayed on the current page. The CSV download can include up to 10,000 records.
Create and Add Users to Computer Groups
As a PM Cloud administrator, use role-based access control (RBAC) when you want your policy administrators to see events only for the computer groups they manage.
When creating a user, select a Standard user account type. From the Computer Groups Roles list, select Analyze Groups.
For more information, please see Role-Based Access Control.
Build Data Sets
All PM Cloud users with Analyze Group permissions can create and save a set of filters and columns so that the same set of filters does not have to be selected every time Analytics is accessed. Saving viewing preferences provides an easy way to return to views of data used frequently to monitor Privilege Management activity in the estate.
Save and Load View Preferences
You can load and save data sets from either the Events page or the Applications page.
- After selecting filters, you can select Save View to retain those preferences for viewing later. Preferences are saved locally.
- If a view name already exists, select Overwrite existing view, and then select the view you want to replace.
- The next time you access Analytics v2, your view settings are preserved. Click Load View to select and load a view.
- On the Load Event View pane, you can delete and refresh views.
Add an Application to Policy from the Events Page
You might want to add an application to a policy from the Events page in the following scenarios:
- An application rule might have matched on a new or unknown application. Add that application to your policy or create a policy for that application.
- Find applications that are elevated by on-demand application rules.
- Find all elevated applications. If they are higher risk applications, then add to a block rule.
The Add to Policy feature will be available from the Applications grid in a future PM Cloud release.
To add an application to a policy:
- Go to the Events page in Analytics v2.
- Click the Add to Policy icon for an application event that you want to add to policy.
The Add to Policy icon is not displayed for unsupported applications and event types.
- Click the Add to Policy icon for the selected event to display an Add to Policy panel.
- On the Add to Policy panel, select a policy and application group to add the selected application to.
- Click Add and Edit Policy to open the Policy Editor to edit the application.
- The policy opens to the Application Groups > Applications page where you can edit the application settings. If you are adding one application, you are directed to the application matching criteria page. After you edit the application, save the changes to add the application to the selected Application Group.
View Event Details for an Application
On the Events page, click an event to drill down to more information about the application on the Event Details page.
Update VirusTotal Scores
If you are using VirusTotal, update the reputation score on the Events page or the Event Details panel. A valid reputation for an application can help you make an informed decision on how to manage that application in your policy.
To see the latest VirusTotal score:
Click the score or the VirusTotal icon to open the VT Augment widget for additional insights on the reputation of the file.
On the Events page, the following information helps you evaluate the reputation score on a file:
- VirusTotal score for applications that have a hash.
- Integration with the VT Augment widget, which returns the HTML content of the widget report for a given observable.
- A VirusTotal icon next to the score, which refreshes the score for that row, for events with VirusTotal support.
- A Timestamp column with the last lookup time of the VT Augment widget.
Additionally, the Event Details panel provides the VirusTotal score and last lookup time.
For more information about setting up VirusTotal, please see Set Up Reputation Integration.