Privilege Management Console "Events" Report

This report shows information about the different types of events that have been raised over the specified time period. It also shows the time elapsed since a host raised an event.

Chart Description

Events over the last <time period>

A column chart showing the number of the different event types, broken down by the time period.

Clicking the chart takes you to the Events > All report with the Event Category, Range Start Time, and Range End Time filters applied.

Event Types

A chart showing how many events have been received, broken down by the event type.

Clicking the chart takes you to the Events > All report with the Event Number filter applied.

By Category

A chart breaking down the events received, split by category.

Clicking the chart takes you to the Events > All report with the Event Category filter applied.

Time since last endpoint event

A chart showing, for each event category, the number of endpoints in each time group since their last event.

Clicking the chart takes you to more detailed information about the host.

Event Types

Privilege Management sends events to the local application event log, depending on the audit and privilege monitoring settings within the Privilege Management policy.

The following events are logged by Privilege Management:

Event ID  Category  Description
0                   Service Control Success
1                   Service Error
2                   Service Warning
100                 Process has started with admin rights added to token.
101                 Process has been started from the shell context menu with admin rights added to token.
103                 Process has started with admin rights dropped from token.
104                 Process has been started from the shell context menu with admin rights dropped from token.
106                 Process has started with no change to the access token (passive mode).
107                 Process has been started from the shell context menu with no change to the access token (passive mode).
109                 Process has started with user’s default rights enforced.
110                 Process has started from the shell context menu with user’s default rights enforced.
112                 Process requires elevated rights to run.
113                 Process has started with custom token applied.
114                 Process has started from the shell context menu with user’s custom token applied.
116                 Process execution was blocked.
118                 Process started in the context of the authorizing user.
119                 Process started from the shell menu in the context of the authorizing user.
120                 Process execution was canceled by the user.
130                 A Mac application bundle was installed.
131                 A Mac application bundle was deleted.
150                 Privilege Management handled service control start action.
151                 Privilege Management handled service control stop action.
152                 Privilege Management handled service control pause/resume action.
153                 Privilege Management handled service control configuration action.
154                 Privilege Management blocked a service control start action.
155                 Privilege Management blocked a service control stop action.
156                 Privilege Management blocked a service control pause/resume action.
157                 Privilege Management blocked a service control configuration action.
158                 Privilege Management service control action run in the context of the authorizing user.
159                 Privilege Management service control start action canceled.
160                 Privilege Management service control stop action canceled.
161                 Privilege Management service control pause/resume action canceled.
162                 Privilege Management service control configuration action canceled.
198                 Privileged group modification blocked.
199                 Process execution was blocked, the maximum number of challenge / response failures was exceeded.

Configuration Events
10                  License Error
200       Config    Config Load Success
201       Config    Config Load Warning
202       Config    Config Load Error
210       Config    Config Download Success
211       Config    Config Download Error

User / Computer Events
300       User      User Logon
400       Service   Privilege Management Service Start
401       Service   Privilege Management Service Stop

Content Events
600       Process   Content Has Been Opened (Updated Add Admin)
601       Process   Content Has Been Updated (Updated Custom)
602       Process   Content Access Drop Admin (Updated Drop Admin)
603       Process   Content Access Was Cancelled By The User (Updated Passive)
604       Process   Content Access Was Enforced With Default Rights (Updated Default)
605       Process   Content Access Was Blocked
606       Process   Content Access Was Cancelled
607       Process   Content Access Was Sandboxed
650       Process   URL Browse
706       Process   Passive Audit DLL
716       Process   Block DLL
720       Process   Cancel DLL Audit

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)
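As an added example (not part of this documentation or of the product), the Python script below rebuilds the three views the report charts, events by category, blocked outcomes per host, and hosts grouped by time since their last event, over constructed event records using the event IDs listed above. The time groups and the input record shape (host, timestamp, event ID) are assumptions; the console's own groups and log format are not stated here.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Event IDs taken from the table above, grouped by the table's own section headings.
# Any ID not listed here falls into the first (unnamed) process / service control group.
EVENT_GROUPS = {
    "Configuration": {10, 200, 201, 202, 210, 211},
    "User / Computer": {300, 400, 401},
    "Content": set(range(600, 608)) | {650, 706, 716, 720},
}
# IDs whose description says the action was blocked (or the challenge/response limit was hit).
BLOCKED_IDS = {116, 154, 155, 156, 157, 198, 199, 605, 716}
# Time groups for "time since last endpoint event" (assumed; the report's groups are not given above).
TIME_GROUPS = [("< 1 hour", timedelta(hours=1)), ("< 1 day", timedelta(days=1)), ("< 7 days", timedelta(days=7))]

def category_of(event_id):
    for name, ids in EVENT_GROUPS.items():
        if event_id in ids:
            return name
    return "Process / Service"

def time_group(age):
    for label, limit in TIME_GROUPS:
        if age < limit:
            return label
    return ">= 7 days"

def summarize(events, now):
    """events: iterable of (host, timestamp, event_id). Returns the three report views."""
    by_category, blocked_by_host, last_seen = Counter(), Counter(), {}
    for host, ts, event_id in events:
        by_category[category_of(event_id)] += 1
        if event_id in BLOCKED_IDS:
            blocked_by_host[host] += 1
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    hosts_by_age = Counter(time_group(now - ts) for ts in last_seen.values())
    return {"by_category": dict(by_category), "blocked_by_host": dict(blocked_by_host), "hosts_by_age": dict(hosts_by_age)}

# Constructed sample records (hypothetical hosts and times), not real log output.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("ws01", NOW - timedelta(minutes=5), 100), ("ws01", NOW - timedelta(minutes=3), 116),
    ("ws02", NOW - timedelta(hours=5), 200), ("ws02", NOW - timedelta(hours=4), 199),
    ("ws03", NOW - timedelta(days=3), 300), ("ws03", NOW - timedelta(days=2), 605),
    ("ws04", NOW - timedelta(days=10), 401),
]

if __name__ == "__main__":
    for name, view in summarize(SAMPLE_EVENTS, NOW).items():
        print(name, view)
```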