Privilege Management for Mac Reports

Filters

Filters and advanced filters are available from the Filters dropdown.

The reports retrieve data and then sort it in the browser using JavaScript. If the volume of matching data exceeds the row limit, only the retrieved rows are sorted and counted, so the results may be misleading.
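The row-limit caveat is easier to see with a small simulation. The following is an added example written for this page, not code from the product or its reporting pages: it mimics a report that fetches at most the row limit from the database in storage order and then aggregates and sorts client-side, the way the JavaScript in the reports does. The host names, event counts and the ROW_LIMIT value are constructed sample data, and the truncation check at the end is our own heuristic, not a product feature.

```python
from collections import Counter

ROW_LIMIT = 50  # constructed value; the real Row Limit filter is whatever the report is set to


def build_events():
    """Constructed sample: 120 elevation events in database storage order.
    Hosts mac-01..mac-05 generate the first 70 events (14 each); host mac-07
    generates the last 50, so all of its rows sit at the end of the result set."""
    events = []
    for i in range(120):
        host = "mac-07" if i >= 70 else f"mac-0{(i % 5) + 1}"
        events.append({"event_id": i, "host": host, "action": "Elevated"})
    return events


def fetch_rows(events, row_limit):
    """Stand-in for the database query: returns at most row_limit rows in
    storage order, with no ordering applied on the server side."""
    return events[:row_limit]


def top_hosts(rows, n=3):
    """Client-side aggregation and sort (what the report's JavaScript does),
    run over whatever rows actually arrived."""
    counts = Counter(r["host"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def hit_row_limit(rows, row_limit):
    """Truncation check (our heuristic): if the query returned exactly
    row_limit rows, the database almost certainly held more, and any
    client-side ranking built from these rows is suspect."""
    return len(rows) >= row_limit


def run_report(events, row_limit):
    rows = fetch_rows(events, row_limit)
    return {"top_hosts": top_hosts(rows), "truncated": hit_row_limit(rows, row_limit)}


if __name__ == "__main__":
    events = build_events()
    # With the limit at 50, mac-07 (the busiest host) never appears in the ranking.
    print("row limit 50 :", run_report(events, ROW_LIMIT))
    print("row limit 200:", run_report(events, 200))
```

With the limit at 50 the busiest host is missing from the ranking entirely, and nothing in the sorted output reveals that. Treating a result set that exactly fills the row limit as incomplete, and then narrowing the time range or filters (or raising the limit) before drawing conclusions, avoids acting on a truncated view.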

Each filter is listed by name, followed by its description.

Action

This filter allows you to filter by a type of action.

Filter options:

  • All
  • Elevated
  • Blocked
  • Passive
  • Sandboxed
  • Custom
  • Drop Admin Rights
  • Enforce Default Rights
  • Canceled
  • Allowed

Activity ID

Each Activity Type in Privilege Management for Mac has a unique ID. This is generated in the database as required.

Admin Required

This allows you to filter on whether admin rights were required, not required, or both.

Filter options:

  • All
  • True
  • False

Authorization Required

This allows you to filter on whether authorization was required, not required, or both.

Filter options:

  • All
  • True
  • False

Admin Rights

Allows you to filter by the admin rights token.

Filter options:

  • All
  • Detected
  • Not Detected

Application Description

A text field that allows you to filter on the application description.

Application Group

A text field that allows you to filter on the Application Group. You can obtain the Application Group from the policy editor.

Application Hash

This field is used by Reporting. You do not need to edit it.

Application Type

A text field that allows you to filter on the application type. You can obtain the application type from the policy editor.

Authorizing User Name

The name of the user that authorized the message.

Browse Destination URL

The destination URL of the sandbox.

Challenge/Response

Allows you to filter by challenge/response events. For example, you can restrict the applications that required elevation to those launched after a completed challenge/response message.

Filter options:

  • All
  • Only C/R

Client IPV4

This field is used by Reporting. You do not need to edit it.

Client Name

This field is used by Reporting. You do not need to edit it.

COM Application ID

This field is used by Reporting. You do not need to edit it.

COM Display Name

This field is used by Reporting. You do not need to edit it.

COM CLSID

This field is used by Reporting. You do not need to edit it.

Command Line

A text field that allows you to filter on the command line.

Date Field

This allows you to filter by the time the event was generated, the time the application was first discovered, or the time the application was first executed.

Filter options:

  • Time Generated
    • This is the time that the event was generated. One application can have multiple events, and each event has its own Time Generated attribute.
  • Time App First Discovered
    • This is the time that the first event for a single application was entered into the database. This can be delayed if the user is working offline.
  • Time App First Executed
    • This is the first known execution time of events for that application.

Device Type

The type of device that the application file was stored on.

Filter options:

  • Any
  • Removable Media
  • USB Drive
  • Fixed Drive
  • Network Drive
  • CDROM Drive
  • RAM Drive
  • eSATA Drive
  • Any Removable Drive or Media

Distinct Application ID

This field is used by Reporting. You do not need to edit it.

Elevate Method

Allows you to filter by the elevation method used.

Filter options:

  • All
  • Admin account used
  • Auto-elevated
  • On-demand

Event Category

This filter allows you to filter by the category of the event.

Filter options:

  • All
  • Process
  • Content
  • DLL Control
  • URL Control
  • Privileged Account Protection
  • Agent Start
  • User Logon
  • Services

Event Number

This field is used by Reporting. You do not need to edit it.

The number assigned to the event type.

File Owner

The owner of the file.

File Version

You can filter on the file version in the Advanced View of the Process Detail report.

GPO Name

You can filter on the Group Policy Object (GPO) name in some of the advanced reports, such as Process Detail.

Host Name

This field allows you to filter by the name of the endpoint the event came from.

Ignore Admin Required Events

This field is used by Reporting. You do not need to edit it.

Just Discovery Events

This field is used by Reporting. You do not need to edit it.

Matched

Allows you to filter on the type of matching.

Filter options:

  • All
  • Matched as child
  • Matched directly

Message Name

The name of the message that was used.

Message Type

The type of message that was used.

Filter options:

  • Any
  • Prompt
  • Notification
  • None

Ownership

Allows you to group by the type of owner.

Filter options:

  • All
  • Trusted owner
  • Untrusted owner

Parent PID

The operating system process identifier of the parent process.

Parent Process File Name

The file name of the parent process.

Path

Allows you to filter by the path, for example to show only applications that were launched from the System path.

Filter options:

  • All
  • System
  • Program Files
  • User Profiles

PID

The operating system process identifier.

Platform

Filters by the type of operating system.

Filter options:

  • Windows
    • Filters by endpoints running a Windows operating system.
  • macOS
    • Filters by endpoints running a Mac operating system.

Process Unique ID

The unique identification of the process.

Product Code

This field is used by Reporting. You do not need to edit it.

Product Name

The product name of the application.

Product Version

The product version of the application.

Program Files Path

Sets the Program Files path used by the Discovery > By Path report.

Publisher

The publisher of the application.

Range End Time

The end time of the range being displayed.

Range Start Time

The start time of the range being displayed.

Row Limit

The maximum number of rows to be retrieved from the database.

Rule Script Affected Rule

True when the Rule Script (Power Rule) changed one or more of the default Privilege Management for Mac rules; otherwise false.

Rule Script File Name

The Rule Script (Power Rule) file name on disk, if applicable.

Rule Script Name

The name of the assigned Rule Script (Power Rule).

Rule Script Output

The output of the Rule Script (Power Rule).

Rule Script Publisher

The publisher of the Rule Script (Power Rule).

Rule Script Result

The result of the Rule Script (Power Rule). This can be one of:

  • <None>
  • Script ran successfully
  • [Exception Message]
  • Script timeout exceeded: <X> seconds
  • Script execution canceled
  • Set Rule Properties failed validation: <reason>
  • Script execution skipped: Challenge Response Authenticated
  • Script executed previously for the parent process: Matched as a child process so cached result applied
  • Script execution skipped: <app type> not supported
  • Script execution skipped: PRInterface module failed signature check
  • Set RunAs Properties failed validation: <reason>

Rule Script Status

The status of the Rule Script (Power Rule). This can be one of:

  • <None>
  • Success
  • Timeout
  • Exception
  • Skipped
  • ValidationFailure

Rule Script Version

The version of the assigned Rule Script (Power Rule).

Rule Match Type

Allows you to filter by how the rule was matched.

Filter options:

  • Any
  • Direct match
  • Matched on parent

Sandbox

The sandboxed setting.

Filter options:

  • Not Set
  • Any Sandbox
  • Not Sandboxed

Shell or Auto

Whether the process was launched using the shell Run with Privilege Management option or by normal means (opening an application).

Filter options:

  • Any
  • Shell
  • Auto

Show Discovery Events

Whether or not you want to show Discovery events. An event is a Discovery event if it has been inserted into the database in the filtered time period.

Source

The media source of the application, for example whether the application was downloaded from the Internet or came from removable media.

Filter options:

  • All
  • Downloaded over the internet
  • Removable media
  • Any external source

System Path

Sets the system path.

Target Description

This field allows you to filter by the target description.

Target Type

This filter allows you to filter by a type of target. For example, you can filter to the applications that have been canceled across your time range in the Actions > Canceled report.

Filter options:

  • All
  • Applications
  • Services
  • COM
  • Remote PowerShell
  • ActiveX
  • URL
  • DLL
  • Content

Time First Executed

This is the time range over which the application was first executed.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months

Time First Reported

This is the time range filtered by the date the application was first entered into the database.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months

Time Range

This is the time range that the actions are displayed over.

Filter options:

  • 24 Hours
  • 7 Days
  • 30 Days
  • 6 Months
  • 12 Months

Token Type

The type of Privilege Management for Mac token that was applied to the trusted application protection event.

Filter options:

  • All
  • Blocked
  • Passive
  • Canceled

Trusted Application Name

The trusted application that triggered the event.

Trusted Application Version

The trusted application version number.

Trusted File Owner

Whether the file owner of the target file is considered trusted. To be a trusted owner, the user must be in one of the following Windows groups: TrustedInstaller, System, Administrator.

UAC Triggered

Whether or not Windows UAC was triggered.

Filter options:

  • Not Set
  • Triggered UAC
  • Did not trigger UAC

Uninstall Action

The type of uninstall action.

Filter options:

  • Any
  • Change/Modify
  • Repair
  • Uninstall

Upgrade Code

This field is used by Reporting. You do not need to edit it.

User Name

The user name of the user who triggered the event.

User Profiles Path

Sets the User Profiles path.

Workstyle

A dropdown of Workstyles in use.

Workstyle Name

The name of the Workstyle that contained the rule that matched the application.

Zone Identifier

The BeyondTrust Zone Identifier. This tag persists to allow you to filter on it even if the ADS tag applied by the browser is removed.
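The Date Field options and the Show Discovery Events filter both turn on the difference between when an endpoint generated an event and when that event reached the reporting database, which matters whenever a Mac has been working offline. The following is an added example written for this page, not product code: it takes a handful of constructed events, derives each application's first-discovered and first-executed times, and shows which events a one-day window selects under each Date Field option and which of them count as Discovery events. The application names and timestamps are constructed, and it assumes (our reading of the descriptions above, not something the page states) that the two per-application options compare every event of an application against that application's first-discovered or first-executed time.

```python
from datetime import datetime

# Constructed sample events (not taken from the product): each carries the time
# the endpoint generated it and the time the reporting database received it.
EVENTS = [
    {"app": "Terminal.app", "time_generated": datetime(2024, 5, 1, 9, 0),
     "time_inserted": datetime(2024, 5, 1, 9, 5)},
    {"app": "Terminal.app", "time_generated": datetime(2024, 5, 8, 10, 0),
     "time_inserted": datetime(2024, 5, 8, 10, 2)},
    # Laptop that was offline for a week: the event was generated on 1 May,
    # but only reached the database on 8 May.
    {"app": "Installer.app", "time_generated": datetime(2024, 5, 1, 14, 0),
     "time_inserted": datetime(2024, 5, 8, 11, 0)},
]

# Report window being examined: the whole of 8 May 2024 (constructed).
WINDOW_START = datetime(2024, 5, 8)
WINDOW_END = datetime(2024, 5, 9)


def app_times(events):
    """Per application: Time App First Discovered (earliest database insert)
    and Time App First Executed (earliest generation time across its events)."""
    first = {}
    for e in events:
        current = first.setdefault(e["app"], {
            "first_discovered": e["time_inserted"],
            "first_executed": e["time_generated"],
        })
        current["first_discovered"] = min(current["first_discovered"], e["time_inserted"])
        current["first_executed"] = min(current["first_executed"], e["time_generated"])
    return first


def filter_by_date_field(events, date_field, start, end):
    """Apply the Date Field filter over [start, end). Assumption (ours, not the
    product's): the two per-application options compare every event of an
    application against that application's first-discovered / first-executed time."""
    per_app = app_times(events)

    def key(e):
        if date_field == "Time Generated":
            return e["time_generated"]
        if date_field == "Time App First Discovered":
            return per_app[e["app"]]["first_discovered"]
        if date_field == "Time App First Executed":
            return per_app[e["app"]]["first_executed"]
        raise ValueError(f"unknown Date Field: {date_field}")

    return [e for e in events if start <= key(e) < end]


def discovery_events(events, start, end):
    """Show Discovery Events: an event is a Discovery event if it was inserted
    into the database during the filtered time period."""
    return [e for e in events if start <= e["time_inserted"] < end]


if __name__ == "__main__":
    for field in ("Time Generated", "Time App First Discovered", "Time App First Executed"):
        hits = filter_by_date_field(EVENTS, field, WINDOW_START, WINDOW_END)
        print(f"{field:28s} -> {[e['app'] for e in hits]}")
    print("Discovery events in window   ->",
          [e["app"] for e in discovery_events(EVENTS, WINDOW_START, WINDOW_END)])
```

The offline laptop's Installer.app event was executed a week before the window, so it is invisible under Time Generated and Time App First Executed, yet it appears under Time App First Discovered and is counted as a Discovery event for 8 May. When a report built on the "first discovered" or Discovery view shows a burst of new applications, checking the Time Generated view first tells you whether the activity is genuinely new or backlog from endpoints that reconnected.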

Summary

The bar charts on the Summary dashboard summarize the most important activity that has occurred in the time period defined by the quick filter. The legends to the right of the bar charts display totals for the shown activities. Click on the legend or on a chart to show details of an action type. The Administration, Applications, and Incidents tables provide additional information to help inform Workstyle development or to show anomalous user behavior in your organization.

The Summary dashboard includes the following tables:

Each table is listed by name, followed by its description.

Applications discovered

The total number of newly discovered Applications split by the type of user rights required:

  • Admin rights required
  • Standard rights required

Discovered applications are shown in the Applications table. Click the number next to the OS icon to show details.

Admin logons, by users, on endpoints

Summarizes the number of admin logons, how many users carried them out, and how many endpoints were used.

Admin Logons are shown in the Administration table. Click the number next to the OS icon to show details.

Applications run from external sources

The number of applications that were run from external sources.

Applications run from external sources are shown in the Applications table. Click the number next to the OS icon to show details.

Trusted Application Protection

The number of Trusted Application Protection (TAP) incidents, how many users were involved, and how many endpoints were affected.

TAP events are shown in the Incidents table. Click the number next to the OS icon to show details.

Attempts to modify privileged groups

The number of blocked attempts to modify privileged groups.

Attempts to modify privileged groups are shown in the Administration table. Click the number next to the OS icon to show details.

UAC matches

The number of applications that triggered User Account Control (UAC).

UAC events are shown in the Incidents table. Click the number next to the OS icon to show details.