Manage the Endpoint Privilege Management Database
Use Events to Build Queries
Endpoint Privilege Management collects and stores a broad set of information about every executed application, which is stored in the Trellix ePO Database. This information can be used in the Trellix ePO Queries and Reports console to create custom dashboard widgets.
Below is a table of all event properties available, and a description of their purpose.
| Property | Description |
|---|---|
| Application Group | The name of the Application Group for the matched application definition |
| Application Hash | The SHA-1 Hash of the file executed |
| Application Type |
The type of application:
|
| Authorization Challenge | If Challenge/Response Authorization is enabled, the challenge code presented to the user is collected. Otherwise this property remains blank. |
| Authorization Response | If Challenge/Response Authorization is enabled, the valid shared key entered by the user is collected. Otherwise this property remains blank. |
| Authorizing Domain User | If Run As Other User is enabled, the domain name of the authorizing user is collected. |
| Authorizing User SID | If Run As Other User is enabled, the Secure Identifier (SID) of the authorizing user is collected. |
| Client IP Address | If the user was logged on via a remote session to the computer where Endpoint Privilege Management performed an action, the IPv4 Address of the remote computer is collected. |
| Client Name | If the user was logged on via a remote session to the computer where Endpoint Privilege Management |
| COM Application ID | The AppID of the COM elevated application. |
| COM Class ID | The CLSID of the COM elevated application. |
| COM Display Name | The common name of the COM elevated application. |
| Command Line | The command line of the executed application. |
| Computer Name | The name of the computer where Endpoint Privilege Management |
| File Name | The full path of the file executed. |
| File Owner Domain User | The name of the account which owns the executed application. |
| File Owner User SID | The Secure Identifier (SID) of the account which owns the executed application. |
| File Version | The file version of the executed application. |
| Group Description | The description of the Application Group for the matched application definition. |
| Host SID | The Secure Identifier (SID) of the computer where Endpoint Privilege Management performed an action. |
| Is Shell | Determines if the application was launched from an On Demand shell menu option. If blank, then a shell menu was not used. |
| Message Description | The description for the End User Message displayed to the user. |
| Message Name | The name of the End User Message displayed to the user. |
| Parent Process File Name | The full path of the parent process that spawned the audited application. |
| Parent Process ID | The Process Identifier (PID) of the parent process that spawned the audited application. |
| Parent Process Unique ID | A GUID used to uniquely identify a Process relationships. |
| PG Event ID |
Endpoint Privilege Management |
| Policy Description | The description of the policy that matched the executed application. |
| Policy Name | The name of the policy that matched the executed application. |
| Process ID | The Process Identifier (PID) of the executed application. |
| Product Code | The Product Code for an executed MSI, MSU or MSP package. |
| Product Description | A friendly description for the executed application. |
| Product Name | The Product Name of the executed application. |
| Product Version | The product version of the executed application. |
| Reason | If End User Reason was enabled for an End User Message, the reason entered by the user is collected. If blank, then End User Reason was disabled in the message. |
| Source URL | If the application was downloaded, then the full URL of where the application was downloaded from is collected. |
| Start Time | The time the process was started. |
| Stop Time | This is a deprecated field and no longer used. |
| Token Description | The description of the access token applied to the executed application. |
| Token Name | The name of the access token applied to the executed application. |
| UAC Triggered | Determines if the application triggered User Account Control (UAC). If blank, then UAC was not triggered. |
| Upgrade Code | The Upgrade Code for an executed MSI, MSU, or MSP package. |
| User Name | The name of the user who executed an application. |
| User SID | The Secure Identifier (SID) of the user who executed an application. |
| Vendor | The Display Name of the Publisher Certificate who signed the application. |
| Windows Store App Name | The common name of the Windows Store Application. |
| Windows Store App Publisher | The Display Name of the Publisher Certificate who signed the Windows Store Application. |
| Windows Store App Version | The version number of the Windows Store Application. |
There are also a number of threat event properties set as part of an Endpoint Privilege Management event:
| Property | Description |
|---|---|
| Action Taken | Friendly name used to identify the type of action performed by Privilege Guard:
Auto-Elevated User-Elevated Drop-Admin Passive Discovery Default-Rights Admin-Required Custom-Token Blocked |
| Event ID | Trellix ePO standardized Privilege Guard Event ID. |
| Threat Name |
Internal name used to identify the type of action performed by Endpoint Privilege Management:
|
For more information, see Events in Endpoint Privilege Management for MacOS.
