Events Reports in Privilege Management Console

This report shows information about the different types of events that have been raised over the specified time period. It also shows the time elapsed since a host raised an event.

Chart Description

Events over the last <time period>

A column chart showing the number of events of each type, broken down by the time period.

Clicking the chart takes you to the Events > All report with the Event Category, Range Start Time, and Range End Time filters applied.

Event Types

A chart showing how many events have been received, broken down by the event type.

Clicking the chart takes you to the Events > All report with the Event Number filter applied.

By Category

A chart breaking down the events received, split by category.

Clicking the chart takes you to the Events > All report with the Event Category filter applied.

Time since last endpoint event

A chart showing the number of computers in each time group, based on the time elapsed since each computer's last event.

Clicking the chart takes you to more detailed information about the host.

Event Types

Privilege Management sends events to the local Application event log, depending on the audit and privilege monitoring settings within the Privilege Management policy.

The following events are logged by Privilege Management:

Event ID Description
100 Process has started with admin rights added to token.
101 Process has been started from the shell context menu with admin rights added to token.
103 Process has started with admin rights dropped from token.
104 Process has been started from the shell context menu with admin rights dropped from token.
106 Process has started with no change to the access token (passive mode).
107 Process has been started from the shell context menu with no change to the access token (passive mode).
109 Process has started with user’s default rights enforced.
110 Process has started from the shell context menu with user’s default rights enforced.
112 Process requires elevated rights to run.
113 Process has started with Custom Token applied.
114 Process has started from the shell context menu with user’s Custom Token applied.
116 Process execution was blocked.
118 Process started in the context of the authorizing user.
119 Process started from the shell menu in the context of the authorizing user.
120 Process execution was canceled by the user.
199 Process execution was blocked, the maximum number of challenge / response failures was exceeded.


With our SIEM Integration, only a subset of these event types is supported.

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application Group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)
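The following is an added example, not BeyondTrust code, that builds the same summaries the charts above describe (events in a time range, counts per event type, blocked executions, and hosts grouped by time since their last event) from process events carrying the fields listed above. The event records are constructed for the example; their field names (host, time, event_id, command_line, pid, parent_pid, workstyle, app_group) and the time bands used for the "time since last endpoint event" grouping are assumptions, not the product's schema or its actual bands. Unknown event IDs are counted rather than dropped so that events outside the documented list are visible.

```python
"""Summarise Privilege Management process events the way the Events report does.

Added example, not BeyondTrust code. Records are constructed; field names and
time bands are assumptions modelled on the documentation, not the product schema.
"""
from collections import Counter
from datetime import datetime, timedelta

# Event IDs and descriptions as listed in the documentation.
EVENT_DESCRIPTIONS = {
    100: "Process has started with admin rights added to token.",
    101: "Process has been started from the shell context menu with admin rights added to token.",
    103: "Process has started with admin rights dropped from token.",
    104: "Process has been started from the shell context menu with admin rights dropped from token.",
    106: "Process has started with no change to the access token (passive mode).",
    107: "Process has been started from the shell context menu with no change to the access token (passive mode).",
    109: "Process has started with user's default rights enforced.",
    110: "Process has started from the shell context menu with user's default rights enforced.",
    112: "Process requires elevated rights to run.",
    113: "Process has started with Custom Token applied.",
    114: "Process has started from the shell context menu with user's Custom Token applied.",
    116: "Process execution was blocked.",
    118: "Process started in the context of the authorizing user.",
    119: "Process started from the shell menu in the context of the authorizing user.",
    120: "Process execution was canceled by the user.",
    199: "Process execution was blocked, the maximum number of challenge / response failures was exceeded.",
}

# IDs whose description states that execution was blocked; handy for triage.
BLOCKED_EVENT_IDS = {116, 199}

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2024-05-01T09:00:00", "event_id": 100, "command_line": "C:\\Tools\\admin.exe",
     "pid": 4120, "parent_pid": 812, "workstyle": "Standard Users", "app_group": "Approved Admin Tools"},
    {"host": "WS-01", "time": "2024-05-07T15:30:00", "event_id": 116, "command_line": "C:\\Users\\alice\\Downloads\\setup.exe",
     "pid": 5300, "parent_pid": 4000, "workstyle": "Standard Users", "app_group": "Blocked Installers"},
    {"host": "WS-02", "time": "2024-05-06T08:00:00", "event_id": 106, "command_line": "C:\\Windows\\System32\\notepad.exe",
     "pid": 2200, "parent_pid": 1800, "workstyle": "Passive", "app_group": "Audit Only"},
    {"host": "WS-02", "time": "2024-05-06T08:05:00", "event_id": 199, "command_line": "C:\\Tools\\regedit.exe",
     "pid": 2300, "parent_pid": 1800, "workstyle": "Standard Users", "app_group": "Challenge Response"},
    {"host": "WS-03", "time": "2024-04-20T10:00:00", "event_id": 109, "command_line": "C:\\Program Files\\App\\app.exe",
     "pid": 900, "parent_pid": 600, "workstyle": "Standard Users", "app_group": "Default Rights"},
    {"host": "WS-01", "time": "2024-05-08T11:00:00", "event_id": 112, "command_line": "C:\\Tools\\diskpart.exe",
     "pid": 6100, "parent_pid": 812, "workstyle": "Standard Users", "app_group": "Elevation Required"},
]

# Assumed time bands for the "time since last endpoint event" grouping.
TIME_BANDS = [("< 1 day", timedelta(days=1)), ("1-7 days", timedelta(days=7))]


def parse_time(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def describe(event_id):
    """Human-readable description of an event ID; unknown IDs are flagged, not hidden."""
    return EVENT_DESCRIPTIONS.get(event_id, f"Unknown event ID {event_id}")


def events_in_range(events, start, end):
    """Range Start Time / Range End Time filter: events with start <= time <= end."""
    return [e for e in events if start <= parse_time(e["time"]) <= end]


def count_by_event_type(events):
    """Event Types chart: number of events per event ID. IDs outside the documented
    list are counted under -1 so that unexpected events are still visible."""
    counts = Counter()
    for e in events:
        eid = e["event_id"]
        counts[eid if eid in EVENT_DESCRIPTIONS else -1] += 1
    return counts


def blocked_events(events):
    """Events whose ID indicates that process execution was blocked (116, 199)."""
    return [e for e in events if e["event_id"] in BLOCKED_EVENT_IDS]


def last_event_per_host(events):
    """Most recent event timestamp seen for each host."""
    last = {}
    for e in events:
        t = parse_time(e["time"])
        if e["host"] not in last or t > last[e["host"]]:
            last[e["host"]] = t
    return last


def time_band(elapsed):
    """Map an elapsed timedelta onto one of the assumed time bands."""
    for label, limit in TIME_BANDS:
        if elapsed < limit:
            return label
    return "> 7 days"


def hosts_by_time_since_last_event(events, now):
    """Time since last endpoint event chart: number of hosts in each time band."""
    return Counter(time_band(now - t) for t in last_event_per_host(events).values())


if __name__ == "__main__":
    now = parse_time("2024-05-08T12:00:00")
    window = events_in_range(SAMPLE_EVENTS, parse_time("2024-05-01T00:00:00"), now)
    for eid, n in sorted(count_by_event_type(window).items()):
        print(f"{eid:>4} x{n}  {describe(eid)}")
    for e in blocked_events(window):
        print(f"blocked on {e['host']}: {e['command_line']} (event {e['event_id']})")
    print(dict(hosts_by_time_since_last_event(SAMPLE_EVENTS, now)))
```

Running the module prints the per-type counts for the week, the two blocked executions, and the host distribution across the three assumed bands; in a real deployment the same functions would be fed records exported from the Application event log or the SIEM integration, with the field names mapped to whatever the export actually uses.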