Manage the Privilege Management Database

Use Privilege Management for Mac Events to Build Queries

Privilege Management for Mac collects and stores a broad set of information about every executed application, which is stored in the McAfee ePO Database. This information may then be used in the McAfee ePO Queries and Reports console to create custom dashboard widgets.

Below is a table showing all event properties that are available, and a description of their purpose.

Property	Description
Application Group	The name of the Application Group for the matched application definition
Application Hash	The SHA-1 Hash of the file executed
Application Type	The type of application: APPX - Windows Store Application BAT - Batch File COM - COM Class CONT - Content Control CPL - Control Panel Applet DLL - Dynamic Link Library EXE - Executable MSC - Management Console Snapin MSI - Installer Package OCX - ActiveX Control PS1 - PowerShell Script REG - Registry Settings RPSS - Remote PowerShell Command SVC - Service UNIN - Uninstaller (EXE or MSI) URL - URL Xbin - macOS Binary Xapp - macOS Bundle Xpkg - macOS Package Xsys - macOS System Preference Xsud - macOS Sudo Control
Authorization Challenge	If Challenge/Response Authorization is enabled, the challenge code presented to the user is collected. Otherwise this property remains blank.
Authorization Response	If Challenge/Response Authorization is enabled, the valid shared key entered by the user is collected. Otherwise this property remains blank.
Authorizing Domain User	If Run As Other User is enabled, the domain name of the authorizing user is collected.
Authorizing User SID	If Run As Other User is enabled, the Secure Identifier (SID) of the authorizing user is collected.
Client IP Address	If the user was logged on via a remote session to the computer where Privilege Management performed an action, the IPv4 Address of the remote computer is collected.
Client Name	If the user was logged on via a remote session to the computer where Privilege Management for Mac performed an action, the name of the remote computer is collected.
COM Application ID	The AppID of the COM elevated application.
COM Class ID	The CLSID of the COM elevated application.
COM Display Name	The common name of the COM elevated application.
Command Line	The command line of the executed application.
Computer Name	The name of the computer where Privilege Management for Mac performed an action.
File Name	The full path of the file executed.
File Owner Domain User	The name of the account which owns the executed application.
File Owner User SID	The Secure Identifier (SID) of the account which owns the executed application.
File Version	The file version of the executed application.
Group Description	The description of the Application Group for the matched application definition.
Host SID	The Secure Identifier (SID) of the computer where Privilege Management for Mac performed an action.
Is Shell	Determines if the application was launched from an On Demand shell menu option. If blank, then a shell menu was not used.
Message Description	The description for the End User Message displayed to the user.
Message Name	The name of the End User Message displayed to the user.
Parent Process File Name	The full path of the parent process that spawned the audited application.
Parent Process ID	The Process Identifier (PID) of the parent process that spawned the audited application.
Parent Process Unique ID	A GUID used to uniquely identify a Process relationships.
PG Event ID	Privilege Management for Mac Event Log Event ID.
Policy Description	The description of the Privilege Management for Mac policy that matched the executed application.
Policy Name	The name of the Privilege Management for Mac policy that matched the executed application.
Process ID	The Process Identifier (PID) of the executed application.
Product Code	The Product Code for an executed MSI, MSU or MSP package.
Product Description	A friendly description for the executed application.
Product Name	The Product Name of the executed application.
Product Version	The product version of the executed application.
Reason	If End User Reason was enabled for an End User Message, the reason entered by the user is collected. If blank, then End User Reason was disabled in the message.
Source URL	If the application was downloaded, then the full URL of where the application was downloaded from is collected.
Start Time	The time the process was started.
Stop Time	This is a deprecated field and no longer used.
Token Description	The description of the access token applied to the executed application.
Token Name	The name of the access token applied to the executed application.
UAC Triggered	Determines if the application triggered User Account Control (UAC). If blank, then UAC was not triggered.
Upgrade Code	The Upgrade Code for an executed MSI, MSU, or MSP package.
User Name	The name of the user who executed an application.
User SID	The Secure Identifier (SID) of the user who executed an application.
Vendor	The Display Name of the Publisher Certificate who signed the application.
Windows Store App Name	The common name of the Windows Store Application.
Windows Store App Publisher	The Display Name of the Publisher Certificate who signed the Windows Store Application.
Windows Store App Version	The version number of the Windows Store Application.

In addition to the event properties relating to Privilege Management for Mac, there are also a number of threat event properties set as part of a Privilege Management for Mac event:

Property	Description
Action Taken	Friendly name used to identify the type of action performed by Privilege Guard: Auto-Elevated User-Elevated Drop-Admin Passive Discovery Default-Rights Admin-Required Custom-Token Blocked
Event ID	McAfee ePO standardized Privilege Guard Event ID.
Threat Name	Internal name used to identify the type of action performed by Privilege Management for Mac: ADD_ADMIN SHELL_ADD_ADIM DROP_ADMIN PASSIVE DEFAULT_RIGHTS APPLICATION_RIGHTS CUSTOM PROCESS_BLOCKED

For more information, please see Events in Privilege Management for macOS.