Privilege Management Console Report Filters

Filters and advanced filters are available from the Filters dropdown.

The reports retrieve data and sort it using Javascript. If the volume of data exceeds the row limit, you may get misleading results due to this restriction.

Name Description
Action This filter allows you to filter by a type of action.
  • All
  • Elevated
  • Blocked
  • Passive
  • Sandboxed
  • Custom
  • Drop Admin Rights
  • Enforce Default Rights
  • Canceled
  • Allowed
Activity ID Each activity type in Privilege Management has a unique ID. This is generated in the database as required.
Admin Required

This allows you to filter on whether admin rights were required, not required, or both.

Filter options:

  • All
  • True
  • False
 Authorization Required

This allows you to filter on whether authorization was required, not required, or both.

Filter options:

  • All
  • True
  • False
Admin Rights

Allows you to filter by the admin rights token.

Filter options:

  • All
  • Detected
  • Not Detected
Application Description A text field that allows you to filter on the application description.
Application Group A text field that allows you to filter on the application group. You can obtain the application group from the policy editor.
Application Hash

This field is used by Reporting. You do not need to edit it.

Application Type A text field that allows you to filter on the application type. You can obtain the application type from the policy editor.
Authorizing User Name The name of the user that authorized the message.
Browse Destination URL The destination URL of the sandbox.
Challenge/Response

Allows you to filter by challenge/response events. For example, you can filter the application that required elevation on those applications that were launched following a completed challenge/response message.

Filter options:

  • All
  • Only C/R
Client IPV4

This field is used by Reporting. You do not need to edit it.

Client Name

This field is used by Reporting. You do not need to edit it.

COM Application ID

This field is used by Reporting. You do not need to edit it.

COM Display Name

This field is used by Reporting. You do not need to edit it.

COM CLSID

This field is used by Reporting. You do not need to edit it.

Command Line A text field that allows you to filter on the command line.
Date Field

This allows you to filter by the time the event was first generated, discovered, or executed.

Filter options:

  • Time Generated

    This is the time that the event was generated. One application can have multiple events. Each event has a Time Generated attribute.

  • Time App First Discovered

    This is the time that the first event for a single application was entered into the database. This can be delayed if the user is working offline.

  • Time App First Executed

    This is the first known execution time of events for that application.

Device Type

The type of device that the application file was stored on.

Filter options:

  • Any
  • Removeable Media
  • USB Drive
  • Fixed Drive
  • Network Drive
  • CDROM Drive
  • RAM Drive
  • eSATA Drive
  • Any Removeable Drive or Media
Distinct Application ID

This field is used by Reporting. You do not need to edit it.

Elevate Method

Allows you to filter by the elevation method used.

Filter options:

  • All
  • Admin account used
  • Auto-elevated
  • On-demand
Event Category

This filter allows you to filter by the category of the event.

Filter options:

  • All
  • Process
  • Content
  • DLL Control
  • URL Control
  • Privileged Account Protection
  • Agent Start
  • User Logon
  • Services
Event Number

This field is used by Reporting. You do not need to edit it.

The number assigned to the event type.

File Owner The owner of the file.
File Version You can filter on the file version in the Advanced View of the Process Detail report.
GPO Name You can filter on the Group Policy Object (GPO) name in some of the advanced reports, such as Process Detail.
Host Name This field allows you to filter by the name of the endpoint the event came from.
Ignore Admin Required Events

This field is used by Reporting. You do not need to edit it.

Just Discovery Events

This field is used by Reporting. You do not need to edit it.

Matched

Allows you to filter on the type of matching.

Filter options:

  • All
  • Matched as child
  • Matched directly
Message Name The name of the message that was used.
Message Type

The type of message that was used:

Filter options:

  • Any
  • Prompt
  • Notification
  • None
Ownership

Allows you to group by the type of owner.

Filter options:

  • All
  • Trusted owner
  • Untrusted owner
Parent PID The operating system process identifier of the parent process.
Parent Process File Name The file name of the parent process.
Path

Allows you to filter by the path. For example, to filter on applications that were launched from the System path.

Filter options:

  • All
  • System
  • Program Files
  • User Profiles
PID The operating system process identifier.
Platform

Filters by the type of operating system.

  • Windows
  • Filters by endpoints running a Windows operating system.

  • macOS
  • Filters by endpoints running a Mac operating system.

Process Unique ID The unique identification of the process.
Product Code

This field is used by Reporting. You do not need to edit it.

Product Name The product name of the application.
Product Version The product version of the application.
Program Files Path Sets the Program Files path used by the Discovery > Path report.
Publisher The publisher of the application.
Range End Time The end time of the range being displayed.
Range Start Time The start time of the range being displayed.
Row Limit The maximum number of rows to be retrieved from the database.
Rule Script Affected Rule

True when the Rule Script (Power Rule) changed one or more of the default Privilege Management rules; otherwise, false.

Rule Script File Name The Rule Script (Power Rule) file name on disk, if applicable.
Rule Script Name The name of the assigned Rule Script (Power Rule).
Rule Script Output The output of the Rule Script (Power Rule).
Rule Script Publisher The publisher of the Rule Script (Power Rule).
Rule Script Result

The result of the Rule Script (Power Rule). This can be:

  • <None>
  • Script ran successfully
  • [Exception Message]
  • Script timeout exceeded: <X> seconds
  • Script execution canceled
  • Set Rule Properties failed validation: <reason>
  • Script execution skipped: Challenge Response Authenticated
  • Script executed previously for the parent process: Matched as a child process so cached result applied
  • Script execution skipped: <app type> not supported
  • Script execution skipped: PRInterface module failed signature check
  • Set RunAs Properties failed validation: <reason>

Rule Script Status

The status of the Rule Script (Power Rule). This can be:

  • <None>
  • Success
  • Timeout
  • Exception
  • Skipped
  • ValidationFailure
Rule Script Version The version of the assigned Rule Script (Power Rule).

Rule Match Type

Rule Match Type:

  • Any
  • Direct match
  • Matched on parent
Sandbox

The sandboxed setting.

Filter options:

  • Not Set
  • Any  Sandbox
  • Not Sandboxed
Shell or Auto

Whether the process was launched using the shell Run with Privilege Management option or by normal means (opening an application):

Filter options:

  • Any
  • Shell
  • Auto
Show Discovery Events Whether or not you want to show Discovery events. An event is a Discovery event if it's been inserted into the database in the filtered time period.
Source

The media source of the application. For example, whether the application was downloaded from the Internet or removable media.

Filter options:

  • All
  • Downloaded over the internet
  • Removable media
  • Any external source
System Path Sets the system path.
Target Description This field allows you to filter by the target description.
Target Type

This filter allows you to filter by a type of target. For example, you can filter by the applications that have been canceled across your time range in the Actions > Canceled report.

Filter options:

  • All
  • Applications
  • Services
  • COM
  • Remote PowerShell
  • ActiveX
  • URL
  • DLL
  • Content
Time First Executed

This is the time range over which the application was first executed.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months
Time First Reported

This is the time range filtered by the date the application was first entered into the database.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months
Time Range

This is the time range over which the actions are displayed.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months
Token Type

The type of Privilege Management token that was applied to the trusted application protection event.

Filter options:

  • All
  • Blocked
  • Passive
  • Canceled
Trusted Application Name

The trusted application that triggered the event.

Trusted Application Version The trusted application version number.
Trusted File Owner

Whether the file owner of the target file is considered trusted. To be a trusted owner, the user must be in one of the following Windows groups: TrustedInstaller, System, or Administrator.

UAC Triggered

Whether or not Windows UAC was triggered.

 

Filter option:

  • Not Set
  • Triggered UAC
  • Did not trigger UAC
Uninstall Action

The type of uninstall action.

Filter options:

  • Any
  • Change/Modify
  • Repair
  • Uninstall
Upgrade Code

This field is used by Reporting. You do not need to edit it.

User Name

The user name of the user who triggered the event.

User Profiles Path

Sets the User Profiles path.

Workstyle A dropdown of Workstyles in use.
Workstyle Name The name of the Workstyle that contains the rule that matched the application.
Zone Identifier The BeyondTrust Zone Identifier. This tag will persist to allow you to filter on it even if the ADS tag applied by the browser is removed.