Endpoint Privilege Management Reporting Top Advanced Filter Details
Name | Description |
---|---|
Action | There are nine actions to choose from: |
Activity ID | Each Activity Type in Endpoint Privilege Management has a unique ID. This is generated in the database as required. For example, if you are in the Target Types Dashboard and drill down in the Top 10 Activities chart, the Events > All report opens. If you look in the top advanced filter you will see that the Activity ID is populated. |
Admin Rights Required | There are three options to choose from, which allow you to filter on whether admin rights are required, not required, or both. For example, if you are in the Discovery > All report and set the side quick filter to Admin Rights, only applications that required admin rights are listed. |
Agent Version | The version of the Endpoint Privilege Management agent. |
Application Desc | A text field that allows you to filter on the application name. For example, in the Discovery report you can filter by paint in the Application Desc field. This filters applications that contain the string paint in the description. |
Application Group | A text field that allows you to filter on the Application Group. You can obtain the Application Group from the policy editor. It is also available in some reports such as Process Detail, which is accessed from Events > All. |
Application Type | A text field that allows you to filter on the application type. You can obtain the application type from the policy editor. It is also available in some reports such as Process Detail, which is accessed from Events > All. |
Auth Methods | The type of authentication method selected in the Policy Editor. Multiple values can be present and will be comma separated. Possible values: Identity Provider, Password, Challenge Response, Smart Card, and User Request |
Auth User Name | The name of the user that authorized the message. |
Browse Source URL | The source URL of the sandbox. |
Browse Destination URL | The destination URL of the sandbox. |
Chassis | The physical form of the endpoint. A value of Other indicates a virtual machine. |
Command Line | A text field that allows you to filter on the command line. It is also available in some reports such as Process Detail, which is accessed from Events > All. |
Context | This field is used by Reporting. You do not need to edit it. |
Date Field to filter on | There are three options to choose from: |
Default UI Language | The default language of the endpoint. |
Device Type | The type of device that the application file was stored on. You can select from: |
Distinct Application ID | This field is used by Reporting. You do not need to edit it. |
Elevation Method | There are five options to choose from. These allow you to filter events by the type of elevation used. |
Event Number | This field is used by Reporting. You do not need to edit it. This is the number assigned to the event type. |
External Source | There are four options to choose from. These allow you to filter by the type of external source that the application file came from. |
File Name | You can filter by a partial file name string if required, for example in the Process Detail report. |
File Version | You can filter on the file version in the Advanced View of the Process Detail report. |
GPO Name | You can filter on the Group Policy Object (GPO) name in some of the advanced reports such as Process Detail. |
Host Name | This field allows you to filter by the name of the endpoint the event came from. |
Idp Authentication user name | The credential provided when adding an Identity Provider authorization message in the Policy Editor. |
BeyondTrust Zone Identifier | The BeyondTrust Zone Identifier. This tag will persist to allow you to filter on it even if the ADS tag applied by the browser is removed. |
Ignore "Admin Required" Events | This field is used by Reporting. You do not need to edit it. |
Just Discovery Events | This field is used by Reporting. You do not need to edit it. |
Message Name | The name of the message that was used. |
Message Type | The type of Message: |
Number to Get | The number of rows to get from the database. |
Operating System Type | The type of operating system: |
Operating System | The operating system of the client machine. |
Parent PID | The operating system process identifier of the parent process. |
PID | The operating system process identifier. |
Product Name | The product name of the application. |
Product Version | The product version of the application. |
Program Files Path | Sets the Program Files path used by the Discovery > By Path report. |
Publisher | The publisher of the application. |
Range End Time | The end time of the range being displayed. |
Range Start Time | The start time of the range being displayed. |
Request Type | The type of request: |
Row Limit | The maximum number of rows to be retrieved from the database. |
Rule Match Type | Rule Match Type: |
Sandbox | The sandboxed setting: |
Rule Script Affected Rule | True when the Rule Script (Power Rule) changes one or more of the Default Endpoint Privilege Management rules, otherwise false. |
Rule Script File Name | The Rule Script (Power Rule) file name on disk if applicable. |
Rule Script Name | The name of the assigned Rule Script (Power Rule). |
Rule Script Output | The output of the Rule Script (Power Rule). |
Rule Script Publisher | The publisher of the Rule Script (Power Rule). |
Rule Script Result | The result of the Rule Script (Power Rule). This can be: <None> |
Rule Script Status | The status of the Rule Script (Power Rule). This can be: <None> |
Rule Script Version | The version of the assigned Rule Script (Power Rule). |
Shell or Auto | Whether the process was launched using the shell Run with Endpoint Privilege Management option or by normal means (opening an application): |
Source URL | The source URL (where the file was downloaded from). |
System Path | Sets the system path used by the Discovery > By Path report. |
Target Description | This field allows you to filter by the target description. |
Target Type | The type of target that triggered the event: |
Trusted Application Name | The trusted application that triggered the event. |
Trusted Application Version | The trusted application version number. |
Trusted File Owner | Whether the file owner of the target file is trusted. To be a trusted owner the user must be in one of the following Windows groups: |
UAC Triggered | Whether or not Windows UAC was triggered: |
User Name | The user name of the user who triggered the event. |
User Profiles Path | Sets the User Profiles path used by the Discovery > By Path report. |
Workstyle | The name of the Workstyle that contained the rule that matched the application. |