Use Export Views in Endpoint Privilege Management Reporting

BeyondTrust provides four denormalized export views for Endpoint Privilege Management events:

  • ExportDefendpointStarts
  • ExportLogons
  • ExportPrivilegedAccountProtection
  • ExportProcesses

For each view, the following data is sent to the Endpoint Privilege Management Reporting database. These export views are correct as of Endpoint Privilege Management Reporting 4.5.

ExportDefendpointStarts

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| SessionID | bigint | | 3 | Ascending Identity | 1 |
| SessionGUID | uniqueidentifier | | | UUID of the session | 5CD221E9-CEB5-441D-B380-CB266400B320 |
| SessionStartTime | datetime | | | Time session started | 2017-01-03 10:24:00.000 |
| SessionEndTime | datetime | | | Always NULL (not used) | NULL |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| AgentVersion | nvarchar | 20 | | Endpoint Privilege Management Client Version | 4.0.384.0 |
| ePOMode | int | | | 1 if DP client is in ePO mode. 0 otherwise. | 1 |
| CertificateMode | int | | | Certificate Mode | 0 |
| PolicyAuditMode | int | | | Policy Audit Mode | 7 |
| DefaultUILanguage | int | | | Locale Identifier of UI Language | 2057 |
| DefaultLocale | int | | | Locale Identifier of Locale | 2057 |
| SystemDefaultTimezone | int | | | Not set so always 0 | 0 |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | 4 | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |

ExportLogons

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| LogonID | bigint | | 3 | Ascending Identity | 1 |
| LogonGUID | uniqueidentifier | | | UUID of the logon | 819EF606-F9B6-40BE-9C0C-A033A34EC4F8 |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| LogonTime | datetime | | | Logon Date/Time | 2017-01-03 10:24:00.000 |
| IsAdmin | bit | | | 1 if an admin, 0 otherwise | 0 |
| IsPowerUser | bit | | | 1 if a power user, 0 otherwise | 0 |
| UILanguage | int | | | Locale Identifier of the UI Language | 1033 |
| Locale | int | | | Locale Identifier of the Locale | 2057 |
| UserName | nvarchar | 1024 | | User name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Docking Station |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |

ExportPrivilegedAccountProtection

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ID | bigint | | 1 | Ascending Identity | 1 |
| TimeGenerated | datetime | | | Event Generation Date/Time | |
| CommandLine | nvarchar | 1024 | | Command Line | <None> |
| PrivilegedGroupName | nvarchar | 200 | | Privileged Group Name | Administrators |
| PrivilegedGroupRID | nvarchar | 10 | | Privileged Group Relative Identifier | 544 |
| Access | nvarchar | 200 | | Group Access Details | Add Member, Remove Member, List Members, Read Information |
| PolicyGUID | uniqueidentifier | | | Policy UUID | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |
| FileName | nvarchar | 255 | | File name | <None> |
| ApplicationHash | nvarchar | 40 | | Application SHA1 | 921CA2B3293F3FCB905B24A9536D8525461DE2A3 |
| ProductCode | nvarchar | 1024 | | Product Code | <None> |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | <None> |
| FileVersion | nvarchar | 1024 | | File Version | <None> |
| MD5 | nvarchar | 32 | | MD5 Hash | 3279476E39DE235B426D69CFE8DEBF55 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| UserName | nvarchar | 1024 | | User Name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| HostName | nvarchar | 1024 | | Host Name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host domain NETBIOS | EGDOMAIN |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| ApplicationURI | nvarchar | 1024 | | URI of a macOS application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application description | lusrmgr.msc |
| FirstDiscovered | datetime | | | First time app was seen | 2017-01-03 10:25:50.110 |
| FirstExecuted | datetime | | | First time app was executed | 2017-01-03 10:24:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product name | <None> |
| ProductVersion | nvarchar | 1024 | | Product version | <None> |
| Publisher | nvarchar | 1024 | | Publisher | Microsoft Windows |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 1 |

ExportProcesses

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ProcessID | bigint | | 4 | Ascending Identity | 1 |
| ProcessGUID | uniqueidentifier | | 2 | UUID of the process | 98C99D96-6DFA-4C95-9A87-C8665C166286 |
| EventNumber | int | | | Event Number. See List of Events section. | 153 |
| TimeGenerated | datetime | | | Event generation date/time | 2017-02-20 13:11:11.217 |
| TimeReceived | datetime | | | Event received at ER date/time | 2017-02-20 13:16:28.047 |
| EventGUID | uniqueidentifier | | | Event UUID | 9F8EB86C-AA0D-42B9-8720-166FAB91F1ED |
| PID | int | | | Process ID | 8723 |
| ParentPID | int | | | Parent Process ID | 142916 |
| CommandLine | nvarchar | 1024 | | Command Line | "C:\cygwin64\bin\sh.exe" |
| FileName | nvarchar | 255 | | File Name | c:\cygwin64\bin\sh.exe |
| ProcessStartTime | datetime | | 1 | Date/Time Process Started | 2017-02-20 13:11:11.217 |
| Reason | nvarchar | 1024 | | Reason entered by user | <None> |
| ClientIPV4 | nvarchar | 15 | | Client IP Address | 10.0.9.58 |
| ClientName | nvarchar | 1024 | | Client Name | L-CNU410DJJ7 |
| UACTriggered | bit | | | 1 if UAC shown | 0 |
| ParentProcessUniqueID | uniqueidentifier | | | Parent process UUID | C404C7F5-3A93-4C0E-81BC-9902D220C21E |
| COMCLSID | uniqueidentifier | | | COM CLSID | NULL |
| COMAppID | uniqueidentifier | | | COM Application ID | NULL |
| COMDisplayName | nvarchar | 1024 | | COM Display Name | <None> |
| ApplicationType | nvarchar | 4 | | Application Type | svc |
| TokenGUID | uniqueidentifier | | | UUID of token in policy | F30A3824-27AF-4D69-9125-C78E44764AC1 |
| Executed | bit | | | 1 if executed, 0 otherwise | 1 |
| Elevated | bit | | | 1 if elevated, 0 otherwise | 1 |
| Blocked | bit | | | 1 if blocked, 0 otherwise | 0 |
| Passive | bit | | | 1 if passive, 0 otherwise | 0 |
| Cancelled | bit | | | 1 if cancelled, 0 otherwise | 0 |
| DropAdmin | bit | | | 1 if admin rights dropped, 0 otherwise | 0 |
| EnforceUsersDefault | bit | | | 1 if user default permissions were enforced, 0 otherwise | 0 |
| Custom | bit | | | 1 if Custom Token, 0 otherwise | 0 |
| SourceURL | nvarchar | 2048 | | Source URL | <None> |
| AuthorizationChallenge | nvarchar | 9 | | Challenge Response authorization code | <None> |
| WindowsStoreAppName | nvarchar | 200 | | Windows Store application name (appx app type only) | <None> |
| WindowsStoreAppPublisher | nvarchar | 200 | | Windows Store application publisher (appx app type only) | <None> |
| WindowsStoreAppVersion | nvarchar | 200 | | Windows Store application version (appx app type only) | <None> |
| DeviceType | nvarchar | 40 | | Device Type | Fixed Disk |
| ServiceName | nvarchar | 1024 | | Service name (svc events only) | <None> |
| ServiceDisplayName | nvarchar | 1024 | | Service Display Name (svc app type only) | <None> |
| PowerShellCommand | nvarchar | 1024 | | PowerShell Command (ps1/rpsc/rpss app types only) | <None> |
| ApplicationPolicyDescription | nvarchar | 1024 | | Policy Description | <None> |
| SandboxGUID | uniqueidentifier | | | Sandbox UUID (sandbox events only) | NULL |
| SandboxName | nvarchar | 1024 | | Sandbox Name (sandbox events only) | NULL |
| BrowseSourceURL | nvarchar | 2048 | | Sandbox browse source (sandbox events only) | <None> |
| BrowseDestinationURL | nvarchar | 2048 | | Sandbox destination source (sandbox events only) | <None> |
| Classification | nvarchar | 200 | | Sandbox classification (sandbox events only) | Private (Local) |
| IEZoneTag | nvarchar | 200 | | IE Zone Tag | <None> |
| OriginSandbox | nvarchar | 40 | | Origin Sandbox | <None> |
| OriginIEZone | nvarchar | 40 | | Origin IE Zone | <None> |
| TargetSandbox | nvarchar | 40 | | Target Sandbox | <None> |
| TargetIEZone | nvarchar | 40 | | Target IE Zone | <None> |
| AuthRequestURI | nvarchar | 1024 | | Authorization request URL (osx challenge/response only) | <None> |
| PlatformVersion | nvarchar | 10 | | Platform Version | <None> |
| ControlAuthorization | bit | | | 1 if Endpoint Privilege Management authorized this macOS application | 0 |
| TrustedApplicationName | nvarchar | 1024 | | Name of the trusted application | Microsoft Word |
| TrustedApplicationVersion | nvarchar | 1024 | | Version of the trusted application | 11.1715.14393.0 |
| ParentProcessFileName | nvarchar | 1024 | | Parent process file name | Google Chrome |
| ApplicationHash | nvarchar | 40 | | SHA1 of the application | C22FF10511ECCEA1824A8DE64B678619C21B4BEE |
| ProductCode | nvarchar | 1024 | | Product Code | <None> |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | <None> |
| FileVersion | nvarchar | 1024 | | File Version | <None> |
| MD5 | nvarchar | 32 | | MD5 hash of the app | 6E641CAE42A2A7C89442AF99613FE6D6 |
| TokenAssignmentGUID | uniqueidentifier | | | UUID of the token assignment in the policy | E7654321-BBBB-5AD2-B954-1234DDC7A89D |
| TokenAssignmentIsShell | bit | | | Token assignment is for shell | 1 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1125883508 |
| UserName | nvarchar | 1024 | | User Name | EGUser18 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserDomainNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Laptop |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638-775838649 |
| HostName | nvarchar | 1024 | 3* | Host Name | EGHostWin18 |
| HostNameNETBIOS | nvarchar | 15 | 3* | Host NETBIOS | EGHOSTWIN18 |
| OS | nvarchar | | | OS Version | 10.0 |
| OSProductType | int | | | OS Product Type | |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| AuthUserSID | nvarchar | 200 | | Authorizing User SID | <None> |
| AuthUserName | nvarchar | 1024 | | Authorizing User | <None> |
| AuthUserDomainSID | nvarchar | 200 | | Authorizing User Domain SID | <None> |
| AuthUserDomainName | nvarchar | 1024 | | Authorizing User Domain | <None> |
| AuthUserDomainNameNETBIOS | nvarchar | 15 | | Authorizing User Domain NETBIOS | <None> |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainSID | nvarchar | 200 | | File Owner Domain SID | S-1-5-80 |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| FileOwnerDomainNameNETBIOS | nvarchar | 15 | | File Owner Domain NETBIOS | <None> |
| ApplicationURI | nvarchar | 1024 | | URI of the macOS Application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application Description | c:\cygwin64\bin\sh.exe |
| FirstDiscovered | datetime | | | Time application first seen | 2017-02-07 09:14:39.413 |
| FirstExecuted | datetime | | | Time application first executed | 2017-02-07 09:07:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product Name | ADelRCP Dynamic Link Library |
| ProductVersion | nvarchar | 1024 | | Product Version | 15.10.20056.167417 |
| Publisher | nvarchar | 1024 | | Publisher | Adobe Systems, Incorporated |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 0 |
| MessageGUID | uniqueidentifier | | | UUID of the message in the policy | 00000000-0000-0000-0000-000000000000 |
| MessageName | nvarchar | 1024 | | Name of the message in the policy | Block Message |
| MessageType | nvarchar | 40 | | Message Type | Prompt |
| AppGroupGUID | uniqueidentifier | | | UUID of the Application Group in the Policy | 47E4A204-FC06-428B-8E73-1E36E3A65430 |
| AppGroupName | nvarchar | 1024 | | Application Group Name in the Policy | Test Policy.test |
| PolicyID | bigint | | | Internal ID of the Policy | 2 |
| PolicyGUID | uniqueidentifier | | | UUID of the Policy | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle Name | EventGen Test Workstyle |
| ContentFileName | nvarchar | 255 | | Content File Name | c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf |
| ContentFileDescription | nvarchar | 1024 | | Content File Description | <None> |
| ContentFileVersion | nvarchar | 1024 | | Content File Version | <None> |
| ContentOwnerSID | nvarchar | 200 | | Content Owner SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| ContentOwnerName | nvarchar | 1024 | | Content Owner | EGUser1 |
| ContentOwnerDomainSID | nvarchar | 200 | | Content Owner Domain SID | S-1-5-21-2217285736-120021366-3854014904 |
| ContentOwnerDomainName | nvarchar | 1024 | | Content Owner Domain | BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA |
| ContentOwnerDomainNameNetBIOS | nvarchar | 15 | | Content Owner Domain NETBIOS | BEYONDTRUSTTEST58 |
| UninstallAction | nvarchar | 20 | | The uninstall action carried out | Change/Modify |
| TokenName | nvarchar | 20 | | The name of the event action | Blocked |
| TieStatus | int | | | Threat Intelligence Exchange status for the reputation of this application | 0 |
| TieScore | int | | | Threat Intelligence Exchange score for the application | |
| VtStatus | int | | | VirusTotal status for the reputation of this application | |
| RuleScriptFileName | nvarchar | 200 | | The name in config of the script associated with the rule | Get-McAfeeGTIReputation |
| RuleScriptName | nvarchar | 200 | | The name of the script set by interface | Get-McAfeeGTIReputation |
| RuleScriptVersion | nvarchar | 20 | | Version number of the script. | 1.1.0 |
| RuleScriptPublisher | nvarchar | 200 | | Publisher that signed the script | BeyondTrust |
| RuleScriptRuleAffected | bit | | | True when the script has set all settable rule properties; otherwise false | True |
| RuleScriptStatus | nvarchar | 100 | | Success OR Why the configured script didn't run or set rule properties | Success |
| RuleScriptResult | nvarchar | 1024 | | Result of the script run | Script ran successfully |
| RuleScriptOutput | nvarchar | 1024 | | The output of the script | |
| AuthorizationSource | nvarchar | 200 | | The Authorizing User Credential Source | |
| AuthMethods | nvarchar | 1024 | | The type of authentication method selected in the Policy Editor. Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated. | |
| IdPAuthentication | nvarchar | 400 | | The credential provided when adding an Identity Provider authorization message in the Policy Editor. | |
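
Because ExportProcesses is denormalized, a privilege-review query needs no joins. The following is an added example, not part of the vendor documentation: it summarizes elevated executions of applications whose file owner is not trusted, using only columns listed above. It assumes T-SQL, that the view is reachable as dbo.ExportProcesses, that TimeGenerated is comparable with GETDATE(), and that empty text fields are stored as the literal string <None> shown in the Example column.

```sql
-- Added example: review elevated runs of applications with an untrusted file owner.
-- Assumptions (not from the vendor page): schema "dbo", a 7-day window,
-- TimeGenerated in the server's local time, '<None>' stored as a literal string.
DECLARE @since datetime = DATEADD(DAY, -7, GETDATE());

SELECT
    p.HostName,
    p.UserDomainName,
    p.UserName,
    p.FileName,
    p.ApplicationHash,                          -- SHA1 of the application
    p.Publisher,
    p.ParentProcessFileName,
    p.PolicyName,
    p.WorkstyleName,
    COUNT(*)                          AS ElevatedRuns,
    SUM(CAST(p.UACTriggered AS int))  AS RunsWithUAC,   -- bit must be cast before SUM
    MIN(p.TimeGenerated)              AS FirstSeen,
    MAX(p.TimeGenerated)              AS LastSeen,
    MAX(NULLIF(p.Reason, N'<None>'))  AS SampleReason   -- NULL when no reason was entered
FROM dbo.ExportProcesses AS p
WHERE p.TimeGenerated >= @since
  AND p.Executed     = 1      -- the process actually ran
  AND p.Elevated     = 1      -- and ran with elevated rights
  AND p.Blocked      = 0
  AND p.TrustedOwner = 0      -- file owner is not a trusted owner
GROUP BY
    p.HostName,
    p.UserDomainName,
    p.UserName,
    p.FileName,
    p.ApplicationHash,
    p.Publisher,
    p.ParentProcessFileName,
    p.PolicyName,
    p.WorkstyleName
ORDER BY ElevatedRuns DESC, LastSeen DESC;
```

Grouping on ApplicationHash together with FileName keeps a renamed binary and a replaced binary at the same path on separate rows, which is usually what a reviewer wants to see.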