Events in Endpoint Privilege Management for MacOS

Endpoint Privilege Management for Mac sends events to ePO using the Trellix Agent, and also to the local application event log, depending on the audit and privilege monitoring settings within the Endpoint Privilege Management for Mac policy.

The following events are logged by Endpoint Privilege Management for Mac:

Mac Process Events

ePO ID   Event ID   Description
202250   100        Process has started with admin rights added to token.
202256   106        Process has started with no change to the access token (passive mode).
202266   116        Process execution was blocked.
202270   120        Process execution was canceled by the user.
203051   130        A bundle was installed.
203052   131        A bundle was deleted.

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)

Each process event also contains product properties, where applicable, but these can only be viewed in the Endpoint Privilege Management Reporting Console.
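The following is an added example, not code from BeyondTrust or Trellix: it normalizes process events from either channel (an ePO record carrying the ePO ID, or a local application log record carrying the local Event ID) using the mapping above, checks that both IDs agree when a record carries both, and produces a defender's triage summary of blocked executions per file hash and of elevations (admin rights added) where no certificate was recorded. The record field names (epo_id, event_id, command_line, pid, ppid, workstyle, application_group, file_hash, certificate) and the sample records are constructed assumptions, since the page lists the fields but not an export format.

```python
from collections import Counter

# ePO ID -> (local Event ID, description), as listed in the Mac Process Events table.
EVENT_MAP = {
    202250: (100, "admin rights added to token"),
    202256: (106, "no change to access token (passive mode)"),
    202266: (116, "execution blocked"),
    202270: (120, "execution canceled by user"),
    203051: (130, "bundle installed"),
    203052: (131, "bundle deleted"),
}
LOCAL_TO_EPO = {local: epo for epo, (local, _) in EVENT_MAP.items()}

def normalize(event):
    """Return a copy of the record with a canonical 'epo_id' and description,
    whether it came from ePO ('epo_id') or the local application log ('event_id').
    Raises ValueError if both IDs are present but disagree, or neither is known."""
    epo = event.get("epo_id")
    local = event.get("event_id")
    if epo is not None and local is not None and LOCAL_TO_EPO.get(local) != epo:
        raise ValueError(f"ePO ID {epo} does not match local Event ID {local}")
    if epo is None:
        epo = LOCAL_TO_EPO.get(local)
    if epo not in EVENT_MAP:
        raise ValueError(f"unknown event: epo_id={epo} event_id={local}")
    return {**event, "epo_id": epo, "description": EVENT_MAP[epo][1]}

def triage(events):
    """Summarise what to review first: blocked executions counted per file hash,
    and processes that gained admin rights without a recorded certificate."""
    norm = [normalize(e) for e in events]
    blocked = Counter(e["file_hash"] for e in norm if e["epo_id"] == 202266)
    unsigned_elevations = [
        (e["command_line"], e["file_hash"]) for e in norm
        if e["epo_id"] == 202250 and not e.get("certificate")
    ]
    return {"blocked_by_hash": dict(blocked), "unsigned_elevations": unsigned_elevations}

# Constructed sample records (field names and values are assumptions, not a real export).
SAMPLE_EVENTS = [
    {"epo_id": 202250, "command_line": "/usr/sbin/installer -pkg /tmp/a.pkg", "pid": 511, "ppid": 1,
     "workstyle": "Standard Users", "application_group": "Installers", "file_hash": "hash-A", "certificate": "Developer ID (sample)"},
    {"event_id": 100, "command_line": "/tmp/tool", "pid": 612, "ppid": 500,
     "workstyle": "Standard Users", "application_group": "Ad hoc", "file_hash": "hash-B", "certificate": None},
    {"epo_id": 202266, "event_id": 116, "command_line": "/tmp/tool", "pid": 613, "ppid": 500,
     "workstyle": "Standard Users", "application_group": "Blocked", "file_hash": "hash-B"},
    {"event_id": 116, "command_line": "/tmp/tool", "pid": 614, "ppid": 500,
     "workstyle": "Standard Users", "application_group": "Blocked", "file_hash": "hash-B"},
]
```

Calling `triage(SAMPLE_EVENTS)` on the constructed records reports two blocked executions of hash-B and one elevation of /tmp/tool with no certificate, which is the kind of pairing worth a closer look in the Reporting Console.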