Privilege Management Console "Events" Report
This report shows information about the different types of events that have been raised over the specified time period. It also shows the time elapsed since a host raised an event.
Events over the last <time period>
A column chart showing the number of the different event types, broken down by the time period.
Clicking the chart takes you to the Events > All report with the Event Category, Range Start Time, and Range End Time filters applied.
A chart showing how many events have been received, broken down by the event type.
Clicking the chart takes you to the Events > All report with the Event Number filter applied.
A chart breaking down the events received, split by category.
Clicking the chart takes you to the Events > All report with the Event Category filter applied.
Time since last endpoint event
A chart showing the number of endpoints in each time group, based on the time elapsed since each endpoint's last event, broken down by event category.
Clicking the chart takes you to more detailed information about the host.
Privilege Management sends events to the local application event log, depending on the audit and privilege monitoring settings within the Privilege Management policy.
The following events are logged by Privilege Management:
| Event ID | Category | Description |
|---|---|---|
| 0 | | Service Control Success |
| 100 | | Process has started with admin rights added to token. |
| 101 | | Process has been started from the shell context menu with admin rights added to token. |
| 103 | | Process has started with admin rights dropped from token. |
| 104 | | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | | Process has started with no change to the access token (passive mode). |
| 107 | | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | | Process has started with user’s default rights enforced. |
| 110 | | Process has started from the shell context menu with user’s default rights enforced. |
| 112 | | Process requires elevated rights to run. |
| 113 | | Process has started with custom token applied. |
| 114 | | Process has started from the shell context menu with user’s custom token applied. |
| 116 | | Process execution was blocked. |
| 118 | | Process started in the context of the authorizing user. |
| 119 | | Process started from the shell menu in the context of the authorizing user. |
| 120 | | Process execution was canceled by the user. |
| 130 | | A Mac application bundle was installed. |
| 131 | | A Mac application bundle was deleted. |
| 150 | | Privilege Management handled service control start action. |
| 151 | | Privilege Management handled service control stop action. |
| 152 | | Privilege Management handled service control pause/resume action. |
| 153 | | Privilege Management handled service control configuration action. |
| 154 | | Privilege Management blocked a service control start action. |
| 155 | | Privilege Management blocked a service control stop action. |
| 156 | | Privilege Management blocked a service control pause/resume action. |
| 157 | | Privilege Management blocked a service control configuration action. |
| 158 | | Privilege Management service control action run in the context of the authorizing user. |
| 159 | | Privilege Management service control start action canceled. |
| 160 | | Privilege Management service control stop action canceled. |
| 161 | | Privilege Management service control pause/resume action canceled. |
| 162 | | Privilege Management service control configuration action canceled. |
| 198 | | Privileged group modification blocked. |
| 199 | | Process execution was blocked: the maximum number of challenge/response failures was exceeded. |
| 200 | Config | Config Load Success |
| 201 | Config | Config Load Warning |
| 202 | Config | Config Load Error |
| 210 | Config | Config Download Success |
| 211 | Config | Config Download Error |

User / Computer Events

| Event ID | Category | Description |
|---|---|---|
| 300 | User | User Logon |
| | Service | Privilege Management Service Start |
| 401 | Service | Privilege Management Service Stop |
| 600 | Process | Content Has Been Opened (Updated Add Admin) |
| 601 | Process | Content Has Been Updated (Updated Custom) |
| 602 | Process | Content Access Drop Admin (Updated Drop Admin) |
| 603 | Process | Content Access Was Cancelled By The User (Updated Passive) |
| 604 | Process | Content Access Was Enforced With Default Rights (Updated Default) |
| 605 | Process | Content Access Was Blocked |
| 606 | Process | Content Access Was Cancelled |
| 607 | Process | Content Access Was Sandboxed |
| 650 | Process | URL Browse |
| 706 | Process | Passive Audit DLL |
| 716 | Process | Block DLL |
| 720 | Process | Cancel DLL Audit |
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
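The following is an added example, not BeyondTrust code, showing how the event IDs in the table above and the per-process fields listed here can be turned into the three views the "Events" report draws: event counts per time period, time since each endpoint's last event, and which blocked binaries recur. It assumes the events have already been exported from the local Application event log into Python dictionaries; the field names (`time`, `host`, `event_id`, `command_line`, `file_hash`, `workstyle`, `application_group`), the sample records, and the grouping of IDs into categories are all this example's own assumptions, not something the documentation defines.

```python
"""Summarise Privilege Management endpoint events the way the Events report does.

Added example (not BeyondTrust code). Events are assumed to be dicts with the
keys used in SAMPLE_EVENTS below; those keys and the records are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# IDs from the documented table whose meaning is "blocked" or "cancelled".
# Treating them as one group is this example's choice.
BLOCKED_EVENT_IDS = {116, 154, 155, 156, 157, 198, 199, 605, 716}


def event_category(event_id):
    """This example's own grouping of the documented IDs into report categories."""
    if event_id == 0 or 150 <= event_id <= 162:
        return "Service Control"
    if 100 <= event_id <= 120 or event_id == 199:
        return "Process"
    if event_id in (130, 131):
        return "Application Bundle"
    if event_id == 198:
        return "Privileged Group"
    if 200 <= event_id <= 211:
        return "Config"
    if event_id == 300:
        return "User"
    if event_id in (400, 401):
        return "Service"
    if 600 <= event_id <= 607:
        return "Content"
    if event_id == 650:
        return "URL"
    if event_id in (706, 716, 720):
        return "DLL"
    return "Unknown"


def _period_start(ts, period):
    """Align a timestamp to the start of its bucket (e.g. midnight UTC for 1-day periods)."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // period) * period


def counts_by_period(events, period=timedelta(days=1)):
    """'Events over the last <time period>': category counts per bucket."""
    out = defaultdict(Counter)
    for ev in events:
        out[_period_start(ev["time"], period)][event_category(ev["event_id"])] += 1
    return dict(out)


def time_since_last_event(events, now):
    """'Time since last endpoint event': per host, the age of its newest event."""
    last = {}
    for ev in events:
        if ev["host"] not in last or ev["time"] > last[ev["host"]]:
            last[ev["host"]] = ev["time"]
    return {host: now - ts for host, ts in last.items()}


def silent_hosts(events, now, threshold=timedelta(days=7)):
    """Hosts that have not raised any event within the threshold. A host that
    used to report and then went quiet is worth checking: the agent may have
    stopped (event 401) or auditing may have been switched off in policy."""
    ages = time_since_last_event(events, now)
    return sorted(host for host, age in ages.items() if age > threshold)


def blocked_by_hash(events):
    """Count blocked/cancelled events per file hash so a binary that is
    repeatedly blocked across endpoints stands out for investigation."""
    return Counter(ev["file_hash"] for ev in events if ev["event_id"] in BLOCKED_EVENT_IDS)


# Constructed sample data: three hosts over ten days.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(hours=1), "host": "ws-01", "event_id": 100,
     "command_line": r'"C:\Tools\admin.exe"', "file_hash": "aaaa",
     "workstyle": "Standard Users", "application_group": "Allowed Admin Tools"},
    {"time": NOW - timedelta(hours=2), "host": "ws-01", "event_id": 116,
     "command_line": r'"C:\Users\alice\Downloads\setup.exe"', "file_hash": "bbbb",
     "workstyle": "Standard Users", "application_group": "Blocked Installers"},
    {"time": NOW - timedelta(hours=3), "host": "ws-02", "event_id": 116,
     "command_line": r'"C:\Users\bob\Downloads\setup.exe"', "file_hash": "bbbb",
     "workstyle": "Standard Users", "application_group": "Blocked Installers"},
    {"time": NOW - timedelta(days=1, hours=2), "host": "ws-02", "event_id": 200,
     "command_line": "", "file_hash": "", "workstyle": "", "application_group": ""},
    {"time": NOW - timedelta(days=9, minutes=5), "host": "ws-03", "event_id": 200,
     "command_line": "", "file_hash": "", "workstyle": "", "application_group": ""},
    {"time": NOW - timedelta(days=9), "host": "ws-03", "event_id": 401,
     "command_line": "", "file_hash": "", "workstyle": "", "application_group": ""},
]


def run_report(events=SAMPLE_EVENTS, now=NOW):
    """Build the three report views with plain values so they can be printed or asserted on."""
    periods = counts_by_period(events)
    return {
        "per_day": {start.strftime("%Y-%m-%d"): dict(cnt) for start, cnt in sorted(periods.items())},
        "hours_since_last": {h: round(age.total_seconds() / 3600)
                             for h, age in time_since_last_event(events, now).items()},
        "silent_hosts": silent_hosts(events, now),
        "top_blocked": blocked_by_hash(events).most_common(1),
    }


if __name__ == "__main__":
    for view, value in run_report().items():
        print(f"{view}: {value}")
```

With the constructed data, `run_report()` shows three process events on the latest day, ws-03 as silent (its last event is the service-stop event 401, nine days old), and file hash `bbbb` blocked on two different endpoints. Changing `period` in `counts_by_period` to `timedelta(hours=1)` gives the hourly breakdown the report's chart uses for shorter ranges.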