Report Filters
Filters and advanced filters are available from the Filters dropdown.
The reports retrieve data and sort it using JavaScript. If the volume of data exceeds the row limit, you may get misleading results due to this restriction.
Name | Description |
---|---|
Action | This filter allows you to filter by a type of action. |
Activity ID | Each activity type in Endpoint Privilege Management has a unique ID. This is generated in the database as required. |
Admin Required | This allows you to filter on whether admin rights were required, not required, or both. Filter options: |
Authorization Required | This allows you to filter on whether authorization was required, not required, or both. Filter options: |
Admin Rights | Allows you to filter by the admin rights token. Filter options: |
Application Description | A text field that allows you to filter on the application description. |
Application Group | A text field that allows you to filter on the Application Group. You can obtain the Application Group from the policy editor. |
Application Hash | This field is used by Reporting. You do not need to edit it. |
Application Type | A text field that allows you to filter on the application type. You can obtain the application type from the policy editor. |
Auth Methods | The type of authentication method selected in the Policy Editor. Multiple values can be present and will be comma separated. Possible values: Identity Provider, Password, Challenge Response, Smart Card, and User Request |
Authorizing User Name | The name of the user that authorized the message. |
Browse Destination URL | The destination URL of the sandbox. |
Challenge/Response | Allows you to filter by challenge/response events. For example, you can narrow the applications that required elevation to those that were launched following a completed challenge/response message. Filter options: |
Client IPV4 | This field is used by Reporting. You do not need to edit it. |
Client Name | This field is used by Reporting. You do not need to edit it. |
COM Application ID | This field is used by Reporting. You do not need to edit it. |
COM Display Name | This field is used by Reporting. You do not need to edit it. |
COM CLSID | This field is used by Reporting. You do not need to edit it. |
Command Line | A text field that allows you to filter on the command line. |
Date Field | This allows you to filter by the time the event was first generated, discovered, or executed. Filter options: |
Device Type | The type of device that the application file was stored on. Filter options: |
Distinct Application ID | This field is used by Reporting. You do not need to edit it. |
Elevate Method | Allows you to filter by the elevation method used. Filter options: |
Event Category | This filter allows you to filter by the category of the event. Filter options: |
Event Number | This field is used by Reporting. You do not need to edit it. The number assigned to the event type. |
File Owner | The owner of the file. |
File Version | You can filter on the file version in the Advanced View of the Process Detail report. |
GPO Name | You can filter on the Group Policy Object (GPO) name in some of the advanced reports, such as Process Detail. |
Host Name | This field allows you to filter by the name of the computer the event came from. |
Idp Authentication user name | The credential provided when adding an Identity Provider authorization message in the Policy Editor. |
Ignore Admin Required Events | This field is used by Reporting. You do not need to edit it. |
Just Discovery Events | This field is used by Reporting. You do not need to edit it. |
Matched | Allows you to filter on the type of matching. Filter options: |
Message Name | The name of the message that was used. |
Message Type | The type of message that was used. Filter options: |
Ownership | Allows you to group by the type of owner. Filter options: |
Parent PID | The operating system process identifier of the parent process. |
Parent Process File Name | The file name of the parent process. |
Path | Allows you to filter by the path. For example, to filter on applications that were launched from the System path. Filter options: |
PID | The operating system process identifier. |
Platform | Filters by the type of operating system. |
Process Unique ID | The unique identification of the process. |
Product Code | This field is used by Reporting. You do not need to edit it. |
Product Name | The product name of the application. |
Product Version | The product version of the application. |
Program Files Path | Sets the Program Files path used by the Discovery > Path report. |
Publisher | The publisher of the application. |
Range End Time | The end time of the range being displayed. |
Range Start Time | The start time of the range being displayed. |
Row Limit | The maximum number of rows to be retrieved from the database. |
Rule Script Affected Rule | True when the Rule Script (Power Rule) changed one or more of the default Endpoint Privilege Management rules; otherwise, false. |
Rule Script File Name | The Rule Script (Power Rule) file name on disk, if applicable. |
Rule Script Name | The name of the assigned Rule Script (Power Rule). |
Rule Script Output | The output of the Rule Script (Power Rule). |
Rule Script Publisher | The publisher of the Rule Script (Power Rule). |
Rule Script Result | The result of the Rule Script (Power Rule). This can be: |
Rule Script Status | The status of the Rule Script (Power Rule). This can be: |
Rule Script Version | The version of the assigned Rule Script (Power Rule). |
Rule Match Type | Rule Match Type: |
Sandbox | The sandboxed setting. Filter options: |
Shell or Auto | Whether the process was launched using the shell Run with Endpoint Privilege Management option or by normal means (opening an application). Filter options: |
Show Discovery Events | Whether or not you want to show Discovery events. An event is a Discovery event if it has been inserted into the database in the filtered time period. |
Source | The media source of the application. For example, whether the application was downloaded from the Internet or removable media. Filter options: |
System Path | Sets the system path. |
Target Description | This field allows you to filter by the target description. |
Target Type | This filter allows you to filter by a type of target. For example, you can filter by the applications that have been canceled across your time range in the Actions > Canceled report. Filter options: |
Time First Executed | This is the time range over which the application was first executed. Filter options: |
Time First Reported | This is the time range filtered by the date the application was first entered into the database. Filter options: |
Time Range | This is the time range over which the actions are displayed. Filter options: |
Token Type | The type of Endpoint Privilege Management token that was applied to the trusted application protection event. Filter options: |
Trusted Application Name | The trusted application that triggered the event. |
Trusted Application Version | The trusted application version number. |
Trusted File Owner | Whether the file owner of the target file is considered trusted. To be a trusted owner, the user must be in one of the following Windows groups: TrustedInstaller, System, or Administrator. |
UAC Triggered | Whether or not Windows UAC was triggered. Filter option: |
Uninstall Action | The type of uninstall action. Filter options: |
Upgrade Code | This field is used by Reporting. You do not need to edit it. |
User Name | The user name of the user who triggered the event. |
User Profiles Path | Sets the User Profiles path. |
Workstyle | A dropdown of Workstyles in use. |
Workstyle Name | The name of the Workstyle that contains the rule that matched the application. |
Zone Identifier | The BeyondTrust Zone Identifier. This tag will persist to allow you to filter on it even if the ADS tag applied by the browser is removed. |