Privilege Management Reporting Top Advanced Filter Details

Name Description
Action

There are nine actions to choose from:

  • Elevated
  • Blocked
  • Passive
  • Custom
  • Drop Admin Rights
  • Enforce Admin Rights
  • Canceled
  • Sandboxed
  • Allowed

Activity ID

Each Activity Type in Privilege Management has a unique ID. This is generated in the database as required.

For example, if you are in the Target Types Dashboard and drill down in the Top 10 Activities chart, the EventsAll report opens. If you look in the top advanced filter you will see that the Activity ID is populated.

Admin Rights Required

There are three options to choose from:

  • All
  • Detected
  • Not Detected

Allows you to filter if Admin Rights are required, not required or both. For example, if you are in the DiscoveryAll report and set the side quick filter to Admin Rights, only applications that required admin rights are listed.

Agent Version The version of the Privilege Management agent.

Application Desc

A text field that allows you to filter on the application name.

For example, in the Discovery report you can filter by paint in the Application Desc field. This filters applications that contain the string paint in the description.

Application Group

A text field that allows you to filter on the Application Group. You can obtain the Application Group from the policy editor. It is also available in some reports such as Process Detail that is accessed from Events All.

Application Type

A text field that allows you to filter on the application type. You can obtain the application type from the policy editor. It's also available in some reports such as Process Detail that is accessed from Events All.
Auth User Name The name of the user that authorized the message.
Browse Source URL The source URL of the sandbox.
Browse Destination URL The destination URL of the sandbox.
Chassis The physical form of the endpoint. Other is a virtual machine.

Command Line

A text field that allows you to filter on the command line. It is also available in some reports such as Process Detail that is accessed from Events > All.
Context

This field is used by Reporting. You do not need to edit it.

Date Field to filter on

There are three options to choose from:

  • Time Generated: This is the time that the event was generated. One application can have multiple events. Each event has a Time Generated attribute.
  • Time App First Discovered: This is the time that the first event for a single application was entered into the database. This can be delayed if the user is working offline.
  • Time App First Executed: This is the first known execution time of events for that application.
Default UI Language The default language of the endpoint.
Device Type

The type of device that the application file was stored on. You can select from:

  • Any
  • Removeable Media
  • USB Drive
  • Fixed Drive
  • Network Drive
  • CDROM Drive
  • RAM Drive
  • eSATA Drive
  • Any Removeable Drive or Media

Distinct Application ID 

This field is used by Reporting. You do not need to edit it.

Elevation Method

There are five options to choose from:

  • Not Set
  • All
  • Admin account
  • Auto-elevated
  • On-demand

These allow you to filter events by the type of elevation used.

Event Number

This field is used by Reporting. You do not need to edit it.

This number assigned to the event type.

External Source

There are four options to choose from:

  • Not Set
  • Downloaded over the internet
  • Removeable media
  • Any external source

These allow you to filter by the type of external source that the application file came from.

File Name

You can filter by a partial file name string if required. For example, in the Process Detail report.

File Version

You can filter on the file version in the Advanced View of the Process Detail report.

GPO Name

You can filter on the Group Policy Object (GPO) name in some of the advanced reports such as Process Detail.

Host Name

This field allows you to filter by the name of the endpoint the event came from.
BeyondTrust Zone Identifier The BeyondTrust Zone Identifier. This tag will persist to allow you to filter on it even if the ADS tag applied by the browser is removed.

Ignore "Admin Required" Events

This field is used by Reporting. You do not need to edit it.

Just Discovery Events

This field is used by Reporting. You do not need to edit it.

Message Name

The name of the message that was used.
Message Type

The type of Message:

  • Any
  • Prompt
  • Notification
  • None

Number to Get

The number of rows to get from the database.
Operating System Type

The type of operating system:

  • Server
  • Workstation
Operating System The operating system of the client machine.

Parent PID

The operating system process identifier of the parent process.
PID The operating system process identifier.

Product Name

The product name of the application.

Product Version

The product version of the application.

Program Files Path

Sets the Program Files path used by the Discovery > By Path report.

Publisher

The publisher of the application.

Range End Time

The end time of the range being displayed.

Range Start Time

The start time of the range being displayed.

Request Type

The type of request:

  • Blocked with reason
  • Canceled challenge

Row Limit

The maximum number of rows to be retrieved from the database.

Rule Match Type

Rule Match Type:

  • Any
  • Direct match
  • Matched on parent

Sandbox

The sandboxed setting:

  • Not Set
  • Any Sandbox
  • Not Sandboxed
Rule Script Affected Rule

True when the Rule Script (Power Rule) changes one or more of the Default Privilege Management rules, otherwise false.

Rule Script File Name The Rule Script (Power Rule) file name on disk if applicable.
Rule Script Name The name of the assigned Rule Script (Power Rule).
Rule Script Output The output of the Rule Script (Power Rule).
Rule Script Publisher The publisher of the Rule Script (Power Rule).
Rule Script Result

The result of the Rule Script (Power Rule). This can be:

<None>
Script ran successfully
[Exception Message]
Script timeout exceeded: <X> seconds
Script execution canceled
Set Rule Properties failed validation: <reason>
Script execution skipped: Challenge Response Authenticated
Script executed previously for the parent process: Matched as a child process so cached result applied
Script execution skipped: <app type> not supported
Script execution skipped: PRInterface module failed signature check
Set RunAs Properties failed validation: <reason>

Rule Script Status

The status of the Rule Script (Power Rule). This can be:

<None>
Success
Timeout
Exception
Skipped
ValidationFailure

Rule Script Version The version of the assigned Rule Script (Power Rule).

Shell or Auto

Whether the process was launched using the shell Run with Privilege Management option or by normal means (opening an application):

  • Any
  • Shell
  • Auto
Source URL The source URL (where the file was downloaded from).

System Path

Sets the system path used by the Discovery > By Path report.
Target Description This field allows you to filter by the target description.

Target Type

The type of target that triggered the event:

  • Any
  • Application
  • URL
  • Services
  • COM
  • Remote PowerShell
  • ActiveX
  • Content
Trusted Application Name

The trusted application that triggered the event.

Trusted Application Version The trusted application version number.

Trusted File Owner

Whether the file owner of the target file is trusted. To be a trusted owner the user must be in one of the following Windows groups:

  • TrustedInstaller
  • System
  • Administrator

UAC Triggered

Whether or not Windows UAC was triggered:

  • Not Set
  • Triggered UAC
  • Did not trigger UAC

User Name

The user name of the user who triggered the event.

User Profiles Path

Sets the User Profiles path used by the DiscoveryBy Path report.

Workstyle The name of the Workstyle that contained the rule that matched the application.