Manage the Privilege Management Database
Use Privilege Management for Mac Events to Build Queries
Privilege Management
Below is a table showing all event properties that are available, and a description of their purpose.
Property | Description |
---|---|
Application Group | The name of the Application Group for the matched application definition |
Application Hash | The SHA-1 Hash of the file executed |
Application Type | The type of application: |
Authorization Challenge | If Challenge/Response Authorization is enabled, the challenge code presented to the user is collected. Otherwise this property remains blank. |
Authorization Response | If Challenge/Response Authorization is enabled, the valid shared key entered by the user is collected. Otherwise this property remains blank. |
Authorizing Domain User | If Run As Other User is enabled, the domain name of the authorizing user is collected. |
Authorizing User SID | If Run As Other User is enabled, the Secure Identifier (SID) of the authorizing user is collected. |
Client IP Address | If the user was logged on via a remote session to the computer where Privilege Management performed an action, the IPv4 Address of the remote computer is collected. |
Client Name | If the user was logged on via a remote session to the computer where Privilege Management |
COM Application ID | The AppID of the COM elevated application. |
COM Class ID | The CLSID of the COM elevated application. |
COM Display Name | The common name of the COM elevated application. |
Command Line | The command line of the executed application. |
Computer Name | The name of the computer where Privilege Management |
File Name | The full path of the file executed. |
File Owner Domain User | The name of the account which owns the executed application. |
File Owner User SID | The Secure Identifier (SID) of the account which owns the executed application. |
File Version | The file version of the executed application. |
Group Description | The description of the Application Group for the matched application definition. |
Host SID | The Secure Identifier (SID) of the computer where Privilege Management |
Is Shell | Determines if the application was launched from an On Demand shell menu option. If blank, then a shell menu was not used. |
Message Description | The description for the End User Message displayed to the user. |
Message Name | The name of the End User Message displayed to the user. |
Parent Process File Name | The full path of the parent process that spawned the audited application. |
Parent Process ID | The Process Identifier (PID) of the parent process that spawned the audited application. |
Parent Process Unique ID | A GUID used to uniquely identify process relationships. |
PG Event ID | Privilege Management |
Policy Description | The description of the Privilege Management |
Policy Name | The name of the Privilege Management |
Process ID | The Process Identifier (PID) of the executed application. |
Product Code | The Product Code for an executed MSI, MSU or MSP package. |
Product Description | A friendly description for the executed application. |
Product Name | The Product Name of the executed application. |
Product Version | The product version of the executed application. |
Reason | If End User Reason was enabled for an End User Message, the reason entered by the user is collected. If blank, then End User Reason was disabled in the message. |
Source URL | If the application was downloaded, then the full URL of where the application was downloaded from is collected. |
Start Time | The time the process was started. |
Stop Time | This is a deprecated field and no longer used. |
Token Description | The description of the access token applied to the executed application. |
Token Name | The name of the access token applied to the executed application. |
UAC Triggered | Determines if the application triggered User Account Control (UAC). If blank, then UAC was not triggered. |
Upgrade Code | The Upgrade Code for an executed MSI, MSU, or MSP package. |
User Name | The name of the user who executed an application. |
User SID | The Secure Identifier (SID) of the user who executed an application. |
Vendor | The Display Name of the Publisher Certificate who signed the application. |
Windows Store App Name | The common name of the Windows Store Application. |
Windows Store App Publisher | The Display Name of the Publisher Certificate who signed the Windows Store Application. |
Windows Store App Version | The version number of the Windows Store Application. |
In addition to the event properties relating to Privilege Management
Property | Description |
---|---|
Action Taken | Friendly name used to identify the type of action performed by Privilege Guard: Auto-Elevated, User-Elevated, Drop-Admin, Passive, Discovery, Default-Rights, Admin-Required, Custom-Token, Blocked |
Event ID | McAfee ePO standardized Privilege Guard Event ID. |
Threat Name | Internal name used to identify the type of action performed by Privilege Management |
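The tables above list the properties, but not how they combine into useful queries. The following is an added example (not from this page or from BeyondTrust) that runs a few typical event-review queries over a handful of constructed sample events whose keys are the property names from the tables: counting events by Action Taken, finding User-Elevated events where the user left Reason blank, flagging elevated applications that were downloaded (Source URL present) but carry no publisher (Vendor blank), and finding an Application Hash that several distinct users have run. The event values, the helper names and the thresholds are assumptions made for the example.

```python
"""Review Privilege Management events using the properties in the tables above.

The records in SAMPLE_EVENTS are constructed for this example; they are not
real ePO data. Keys are property names from the tables, values are made up.
"""
from collections import Counter, defaultdict

SAMPLE_EVENTS = [  # constructed sample events
    {"Action Taken": "Auto-Elevated", "Application Hash": "a1" * 20,
     "File Name": "/Applications/Installer.app", "User Name": "alice",
     "Reason": "", "Source URL": "", "Vendor": "Example Corp"},
    {"Action Taken": "User-Elevated", "Application Hash": "b2" * 20,
     "File Name": "/Users/bob/Downloads/tool", "User Name": "bob",
     "Reason": "Need to install a driver",
     "Source URL": "https://example.test/tool", "Vendor": ""},
    {"Action Taken": "User-Elevated", "Application Hash": "b2" * 20,
     "File Name": "/Users/carol/Downloads/tool", "User Name": "carol",
     "Reason": "", "Source URL": "https://example.test/tool", "Vendor": ""},
    {"Action Taken": "Blocked", "Application Hash": "c3" * 20,
     "File Name": "/tmp/unknown.bin", "User Name": "bob",
     "Reason": "", "Source URL": "https://files.example.test/unknown.bin",
     "Vendor": ""},
    {"Action Taken": "Passive", "Application Hash": "d4" * 20,
     "File Name": "/usr/bin/ls", "User Name": "alice",
     "Reason": "", "Source URL": "", "Vendor": ""},
]

ELEVATED = {"Auto-Elevated", "User-Elevated"}  # assumed set of "elevated" actions


def count_by_action(events):
    """Count events per Action Taken value, e.g. to size the Blocked population."""
    return dict(Counter(e["Action Taken"] for e in events))


def elevations_without_reason(events):
    """User-Elevated events where Reason is blank (End User Reason not given).

    Returns (User Name, File Name) pairs so a reviewer can follow up.
    """
    return [(e["User Name"], e["File Name"]) for e in events
            if e["Action Taken"] == "User-Elevated" and not e["Reason"]]


def elevated_unsigned_downloads(events):
    """Hashes of elevated applications that were downloaded but carry no Vendor.

    Source URL is only populated for downloaded files and Vendor holds the
    signing certificate's display name, so a blank Vendor on a downloaded,
    elevated binary is worth a closer look.
    """
    return {e["Application Hash"] for e in events
            if e["Action Taken"] in ELEVATED and e["Source URL"] and not e["Vendor"]}


def hashes_run_by_multiple_users(events, min_users=2):
    """Map Application Hash -> distinct user count, for hashes seen from >= min_users.

    Application Hash is the SHA-1 of the executed file, so the same binary is
    recognised even when File Name differs per user (as in the sample).
    """
    users = defaultdict(set)
    for e in events:
        users[e["Application Hash"]].add(e["User Name"])
    return {h: len(u) for h, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    print(count_by_action(SAMPLE_EVENTS))
    print(elevations_without_reason(SAMPLE_EVENTS))
    print(elevated_unsigned_downloads(SAMPLE_EVENTS))
    print(hashes_run_by_multiple_users(SAMPLE_EVENTS))
```

Each helper is a direct translation of a query you would build in the ePO query builder with the same property names as filters; running them over exported events first is a quick way to check that a filter expresses what you intend before saving it as a dashboard query.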
For more information, please see Events in Privilege Management for macOS.