Events Reports
The Events Summary dashboard shows information about the different types of events that have been raised over the specified time period. It also shows the time elapsed since a host raised an event.
- Events over the last <time period>: A chart showing the number of the different event types, broken down by the time period.
- Event Types: A chart showing how many events have been received, broken down by the event type. Clicking the chart takes you to the Events > All report with the Event Number filter applied.
- Time since last endpoint event: A chart showing the number of computers in each time group since the last event category.
- By Category: A chart breaking down the events received, split by category.
Event Types
Endpoint Privilege Management sends events to the local Application event log, depending on the audit and privilege monitoring settings within the Endpoint Privilege Management policy.
The following events are logged by Endpoint Privilege Management:
| Event ID | Description |
|---|---|
| 100 | Process has started with admin rights added to token. |
| 101 | Process has been started from the shell context menu with admin rights added to token. |
| 103 | Process has started with admin rights dropped from token. |
| 104 | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | Process has started with no change to the access token (passive mode). |
| 107 | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | Process has started with user’s default rights enforced. |
| 110 | Process has started from the shell context menu with user’s default rights enforced. |
| 112 | Process requires elevated rights to run. |
| 113 | Process has started with Custom Token applied. |
| 114 | Process has started from the shell context menu with user’s Custom Token applied. |
| 116 | Process execution was blocked. |
| 118 | Process started in the context of the authorizing user. |
| 119 | Process started from the shell menu in the context of the authorizing user. |
| 120 | Process execution was canceled by the user. |
| 199 | Process execution was blocked, the maximum number of challenge / response failures was exceeded. |
With our SIEM Integration, we only support a subset of all event types.
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application Group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
