Report Filters

Filters and advanced filters are available from the Filters dropdown.

The reports retrieve data and sort it using JavaScript. If the volume of data exceeds the row limit, you may get misleading results due to this restriction.

Name Description
Action

This filter allows you to filter by a type of action.

  • All
  • Elevated
  • Blocked
  • Passive
  • Sandboxed
  • Custom
  • Drop Admin Rights
  • Enforce Default Rights
  • Canceled
  • Allowed
  • Keep Privileges – Enhanced token
Activity ID

Each activity type in Endpoint Privilege Management has a unique ID. This is generated in the database as required.

Admin Required

This allows you to filter on whether admin rights were required, not required, or both.

Filter options:

  • All
  • True
  • False
Authorization Required

This allows you to filter on whether authorization was required, not required, or both.

Filter options:

  • All
  • True
  • False
Admin Rights

Allows you to filter by the admin rights token.

Filter options:

  • All
  • Detected
  • Not Detected
Application Description

A text field that allows you to filter on the application description.

Application Group

A text field that allows you to filter on the Application Group. You can obtain the Application Group from the policy editor.

Application Hash

This field is used by Reporting. You do not need to edit it.

Application Type

A text field that allows you to filter on the application type. You can obtain the application type from the policy editor.

Auth Methods

The type of authentication method selected in the Policy Editor. Multiple values can be present and will be comma separated. Possible values: Identity Provider, Password, Challenge Response, Smart Card, and User Request.

Authorizing User Name

The name of the user that authorized the message.

Browse Destination URL

The destination URL of the sandbox.

Challenge/Response

Allows you to filter by challenge/response events. For example, you can narrow the applications that required elevation down to those that were launched following a completed challenge/response message.

Filter options:

  • All
  • Only C/R
Client IPV4

This field is used by Reporting. You do not need to edit it.

Client Name

This field is used by Reporting. You do not need to edit it.

COM Application ID

This field is used by Reporting. You do not need to edit it.

COM Display Name

This field is used by Reporting. You do not need to edit it.

COM CLSID

This field is used by Reporting. You do not need to edit it.

Command Line

A text field that allows you to filter on the command line.

Date Field

This allows you to filter by the time the event was first generated, discovered, or executed.

Filter options:

  • Time Generated

    This is the time that the event was generated. One application can have multiple events. Each event has a Time Generated attribute.

  • Time App First Discovered

    This is the time that the first event for a single application was entered into the database. This can be delayed if the user is working offline.

  • Time App First Executed

    This is the first known execution time of events for that application.

Device Type

The type of device that the application file was stored on.

Filter options:

  • Any
  • Removeable Media
  • USB Drive
  • Fixed Drive
  • Network Drive
  • CDROM Drive
  • RAM Drive
  • eSATA Drive
  • Any Removeable Drive or Media
Distinct Application ID

This field is used by Reporting. You do not need to edit it.

Elevate Method

Allows you to filter by the elevation method used.

Filter options:

  • All
  • Admin account used
  • Auto-elevated
  • On-demand
Event Category

This filter allows you to filter by the category of the event.

Filter options:

  • All
  • Process
  • Content
  • DLL Control
  • URL Control
  • Privileged Account Protection
  • Agent Start
  • User Logon
  • Services
Event Number

This field is used by Reporting. You do not need to edit it.

The number assigned to the event type.

File Owner

The owner of the file.

File Version

You can filter on the file version in the Advanced View of the Process Detail report.

GPO Name

You can filter on the Group Policy Object (GPO) name in some of the advanced reports, such as Process Detail.

Host Name

This field allows you to filter by the name of the computer the event came from.

Idp Authentication user name

The credential provided when adding an Identity Provider authorization message in the Policy Editor.

Ignore Admin Required Events

This field is used by Reporting. You do not need to edit it.

Just Discovery Events

This field is used by Reporting. You do not need to edit it.

Matched

Allows you to filter on the type of matching.

Filter options:

  • All
  • Matched as child
  • Matched directly
Message Name

The name of the message that was used.

Message Type

The type of message that was used.

Filter options:

  • Any
  • Prompt
  • Notification
  • None
Ownership

Allows you to group by the type of owner.

Filter options:

  • All
  • Trusted owner
  • Untrusted owner
Parent PID

The operating system process identifier of the parent process.

Parent Process File Name

The file name of the parent process.

Path

Allows you to filter by the path. For example, you can filter on applications that were launched from the System path.

Filter options:

  • All
  • System
  • Program Files
  • User Profiles
PID

The operating system process identifier.

Platform

Filters by the type of operating system.

  • Windows: Filters by endpoints running a Windows operating system.
  • macOS: Filters by endpoints running a Mac operating system.
Process Unique ID

The unique identification of the process.

Product Code

This field is used by Reporting. You do not need to edit it.

Product Name

The product name of the application.

Product Version

The product version of the application.

Program Files Path

Sets the Program Files path used by the Discovery > Path report.

Publisher

The publisher of the application.

Range End Time

The end time of the range being displayed.

Range Start Time

The start time of the range being displayed.

Row Limit

The maximum number of rows to be retrieved from the database.

Rule Script Affected Rule

True when the Rule Script (Power Rule) changed one or more of the default Endpoint Privilege Management rules; otherwise, false.

Rule Script File Name

The Rule Script (Power Rule) file name on disk, if applicable.

Rule Script Name

The name of the assigned Rule Script (Power Rule).

Rule Script Output

The output of the Rule Script (Power Rule).

Rule Script Publisher

The publisher of the Rule Script (Power Rule).

Rule Script Result

The result of the Rule Script (Power Rule). This can be:

  • <None>
  • Script ran successfully
  • [Exception Message]
  • Script timeout exceeded: <X> seconds
  • Script execution canceled
  • Set Rule Properties failed validation: <reason>
  • Script execution skipped: Challenge Response Authenticated
  • Script executed previously for the parent process: Matched as a child process so cached result applied
  • Script execution skipped: <app type> not supported
  • Script execution skipped: PRInterface module failed signature check
  • Set RunAs Properties failed validation: <reason>
Rule Script Status

The status of the Rule Script (Power Rule). This can be:

  • <None>
  • Success
  • Timeout
  • Exception
  • Skipped
  • ValidationFailure
Rule Script Version

The version of the assigned Rule Script (Power Rule).

Rule Match Type

The type of rule match.

Filter options:

  • Any
  • Direct match
  • Matched on parent
Sandbox

The sandboxed setting.

Filter options:

  • Not Set
  • Any Sandbox
  • Not Sandboxed
Shell or Auto

Whether the process was launched using the shell Run with Endpoint Privilege Management option or by normal means (opening an application).

Filter options:

  • Any
  • Shell
  • Auto
Show Discovery Events

Whether or not you want to show Discovery events. An event is a Discovery event if it has been inserted into the database in the filtered time period.

Source

The media source of the application. For example, whether the application was downloaded from the Internet or removable media.

Filter options:

  • All
  • Downloaded over the internet
  • Removable media
  • Any external source
System Path

Sets the system path.

Target Description

This field allows you to filter by the target description.

Target Type

This filter allows you to filter by a type of target. For example, you can filter by the applications that have been canceled across your time range in the Actions > Canceled report.

Filter options:

  • All
  • Applications
  • Services
  • COM
  • Remote PowerShell
  • ActiveX
  • URL
  • DLL
  • Content
Time First Executed

This is the time range over which the application was first executed.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months
Time First Reported

This is the time range filtered by the date the application was first entered into the database.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months
Time Range

This is the time range over which the actions are displayed.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months
Token Type

The type of Endpoint Privilege Management token that was applied to the trusted application protection event.

Filter options:

  • All
  • Blocked
  • Passive
  • Canceled
Trusted Application Name

The trusted application that triggered the event.

Trusted Application Version

The trusted application version number.

Trusted File Owner

Whether the file owner of the target file is considered trusted. To be a trusted owner, the user must be in one of the following Windows groups: TrustedInstaller, System, or Administrator.

UAC Triggered

Whether or not Windows UAC was triggered.

Filter options:

  • Not Set
  • Triggered UAC
  • Did not trigger UAC
Uninstall Action

The type of uninstall action.

Filter options:

  • Any
  • Change/Modify
  • Repair
  • Uninstall
Upgrade Code

This field is used by Reporting. You do not need to edit it.

User Name

The user name of the user who triggered the event.

User Profiles Path

Sets the User Profiles path.

Workstyle

A dropdown of Workstyles in use.

Workstyle Name

The name of the Workstyle that contains the rule that matched the application.

Zone Identifier

The BeyondTrust Zone Identifier. This tag will persist to allow you to filter on it even if the ADS tag applied by the browser is removed.