Discovery Reports

The following discovery reports are available:

  • Discovery by Path
  • Discovery by Publisher
  • Discovery by Type
  • Discovery Requiring Elevation
  • Discovery from External Sources
  • Discovery All

When viewing Discovery reports, use the quick filters to narrow the results displayed. The quick filters vary depending on the report.

Discovery Dashboard

The dashboard displays information about applications that have been discovered for the first time. An application is first discovered when an event is received by the Reporting database.

The dashboard displays the following information:

  • New applications with admin rights detected (top 10 of <number>): Click View All to display the Discovery > All report with the Admin Rights / Authorization filter applied.
  • New applications with admin rights not detected (top 10 of <number>): Click View All to display the Discovery > All report with the Admin Rights filter applied.
  • New applications with admin rights detected (by type): Click View All to open the Discovery > All report with the Admin Rights filter applied.
  • New applications with admin rights not detected (by type): Click View All to display the Discovery > All report with the Admin Rights filter applied.
  • Applications first reported over the last x months (number): Grouped by: Admin Rights Detected and Admin Rights Not Detected
  • Types of newly discovered applications: Grouped by: Admin Rights Detected and Admin Rights Not Detected

Discovery by Path

Displays all distinct applications discovered during the specified time frame, grouped by the location they are installed in. The path categories are:

  • User Profiles: /Users?%
  • Applications: /Applications/%, /usr/%
  • Operating System Areas: /System/%, /bin/%, /sbin/%

The following columns are available for the Discovery By Path table:

  • Path: The Path category that the application was installed in. Drill down to learn more information about the application.
  • # Users: The number of users.
  • Median # processes / user: The median number of processes per user.
  • # Hosts: The number of hosts. Drill down to view a list of hosts the application events came from.
  • # Processes: The number of processes. Drill down to see the Events All table, which lists the events received in the time period for the selected application.
  • # Applications: The number of applications.

Discovery by Publisher

Displays the discovered applications grouped by publisher. Where there is more than one application per publisher, click + to expand the entry to examine each application.

The following columns are available for the Discovery By Publisher table:

  • Publisher: The publisher of the applications.
  • Description: The description of the application.
  • Product Name: The product name of the application.
  • Type: The type of application.
  • Product Version: The version number of a specific application.
  • # Users: The number of users. Drill down to see more information about the users.
  • # Hosts: The number of hosts. Drill down to see more information about the hosts.
  • # Processes: The number of processes. Drill down to see more information about the processes.
  • # Applications: The number of applications.

Discovery by Type

Displays applications filtered by type. When there is more than one application per type, click the link in the Type column to see more information about each application.

The following columns are available for the Discovery By Type table:

  • Type: The type of application
  • # Users: The number of users
  • Median # processes / user: The median number of processes per user
  • # Hosts: The number of hosts
  • # Processes: The number of processes
  • Applications: The number of applications
  • Date First Reported: The date the application was first entered in the database
  • Date First Executed: The first known date the application was executed

Discovery Requiring Elevation

Displays the applications that were elevated or required admin rights.

The following columns are available for the Discovery Requiring Elevation table:

  • Description: The description of the application.
  • Publisher: The publisher of the application.
  • Name: The product name of the application.
  • Type: The type of application.
  • Elevate Method: The type of method used to elevate the application: All, Admin account used, Auto-elevated, or on-demand. Drill down to see more information about the events.
  • Version: The version number of a specific application.
  • # Users: The number of users. Drill down to see more information about the users.
  • Median # processes / user: The median number of processes per user.
  • # Hosts: The number of hosts. Drill down to see more information about the hosts.
  • # Processes: The number of processes. Drill down to see more information on the Events All page.
  • Date first reported: The date the application was first entered in the database.
  • Date first executed: The first known date the application was executed.

Discovery from External Sources

Displays all applications that have originated from an external source, such as the internet or an external drive.

The following columns are available for the Discovery from External Sources table:

  • Description: The description of a specific application. Drill down to see more detailed information on the application, including the actions over the last 30 days split by the type of token, the top 10 users, the top 10 hosts, the run method, and the portion of those discoveries where admin rights were detected.
  • Publisher: The publisher of the applications
  • Name: The product name of a specific application
  • Type: The type of application
  • Source: The source of the application
  • Version: The version number of a specific application
  • # Users: The number of users
  • Median # processes/user: The median number of processes per user
  • # Hosts: The number of hosts
  • # Processes: The number of processes
  • Date first reported: The date when the application was first entered into the database
  • Date first executed: The first known date that the application was executed

This table groups the applications by type. Click the plus icon to expand the path and show each individual application. You can view additional information about the applications, including their type, version, and the number of users using them. Click the description to see in-depth information about the application.

Discovery All

Lists all applications discovered in the time period, grouped by the application description. If multiple versions of the same application exist, they are grouped on the same line. These can be expanded by clicking on the plus (+) symbol in the Version column.

The following columns are available for the Discovery All table:

  • Description: The description of a specific application. Drill down to see more detailed information on the application, including the actions over the last 30 days split by the type of token, the top 10 users, the top 10 hosts, the run method, and the portion of those discoveries where admin rights were detected.
  • Publisher: The publisher of the applications
  • Name: The product name of a specific application
  • Type: The type of application
  • Version: The version number of a specific application
  • # Users: The number of users
  • Median # processes/user: The median number of processes per user
  • # Hosts: The number of hosts
  • # Processes: The number of processes
  • Date first reported: The date when the application was first entered into the database
  • Date first executed: The first known date that the application was executed

Export to a CSV File

The number of items that can be displayed at one time might be limited by the browser display. Use Export to CSV to save the items to a CSV file.

Enter the number of rows to save to the CSV file in EPM.

On a report page where Export to CSV is available, you must select the filter Row Count for Export (Max 5M), and then enter the number of rows to include in the CSV file.

All filters are saved to the file.