Endpoint Privilege Management Reporting Top Advanced Filter Details

Name Description
Action

There are nine actions to choose from:

  • Elevated
  • Blocked
  • Passive
  • Custom
  • Drop Admin Rights
  • Enforce Admin Rights
  • Canceled
  • Sandboxed
  • Allowed

Activity ID

Each Activity Type in Endpoint Privilege Management has a unique ID. This is generated in the database as required.

For example, if you are in the Target Types Dashboard and drill down in the Top 10 Activities chart, the EventsAll report opens. If you look in the top advanced filter you will see that the Activity ID is populated.

Admin Rights Required

There are three options to choose from:

  • All
  • Detected
  • Not Detected

Allows you to filter on whether admin rights are required, not required, or both. For example, if you are in the DiscoveryAll report and set the side quick filter to Admin Rights, only applications that required admin rights are listed.

Agent Version

The version of the Endpoint Privilege Management agent.

Application Desc

A text field that allows you to filter on the application name.

For example, in the Discovery report you can filter by paint in the Application Desc field. This filters applications that contain the string paint in the description.

Application Group

A text field that allows you to filter on the Application Group. You can obtain the Application Group from the policy editor. It is also available in some reports such as Process Detail that is accessed from Events All.

Application Type

A text field that allows you to filter on the application type. You can obtain the application type from the policy editor. It's also available in some reports such as Process Detail that is accessed from Events All.

Auth Methods

The type of authentication method selected in the Policy Editor. Multiple values can be present and will be comma separated. Possible values: Identity Provider, Password, Challenge Response, Smart Card, and User Request.

Auth User Name

The name of the user that authorized the message.

Browse Source URL

The source URL of the sandbox.

Browse Destination URL

The destination URL of the sandbox.

Chassis

The physical form of the endpoint. A value of Other indicates a virtual machine.

Command Line

A text field that allows you to filter on the command line. It is also available in some reports such as Process Detail that is accessed from Events > All.

Context

This field is used by Reporting. You do not need to edit it.

Date Field to filter on

There are three options to choose from:

  • Time Generated: This is the time that the event was generated. One application can have multiple events. Each event has a Time Generated attribute.
  • Time App First Discovered: This is the time that the first event for a single application was entered into the database. This can be delayed if the user is working offline.
  • Time App First Executed: This is the first known execution time of events for that application.

Default UI Language

The default language of the endpoint.

Device Type

The type of device that the application file was stored on. You can select from:

  • Any
  • Removeable Media
  • USB Drive
  • Fixed Drive
  • Network Drive
  • CDROM Drive
  • RAM Drive
  • eSATA Drive
  • Any Removeable Drive or Media

Distinct Application ID 

This field is used by Reporting. You do not need to edit it.

Elevation Method

There are five options to choose from:

  • Not Set
  • All
  • Admin account
  • Auto-elevated
  • On-demand

These allow you to filter events by the type of elevation used.

Event Number

This field is used by Reporting. You do not need to edit it.

This is the number assigned to the event type.

External Source

There are four options to choose from:

  • Not Set
  • Downloaded over the internet
  • Removeable media
  • Any external source

These allow you to filter by the type of external source that the application file came from.

File Name

You can filter by a partial file name string if required, for example in the Process Detail report.

File Version

You can filter on the file version in the Advanced View of the Process Detail report.

GPO Name

You can filter on the Group Policy Object (GPO) name in some of the advanced reports such as Process Detail.

Host Name

This field allows you to filter by the name of the endpoint the event came from.

Idp Authentication user name

The credential provided when adding an Identity Provider authorization message in the Policy Editor.

BeyondTrust Zone Identifier

The BeyondTrust Zone Identifier. This tag will persist to allow you to filter on it even if the ADS tag applied by the browser is removed.

Ignore "Admin Required" Events

This field is used by Reporting. You do not need to edit it.

Just Discovery Events

This field is used by Reporting. You do not need to edit it.

Message Name

The name of the message that was used.

Message Type

The type of Message:

  • Any
  • Prompt
  • Notification
  • None

Number to Get

The number of rows to get from the database.

Operating System Type

The type of operating system:

  • Server
  • Workstation

Operating System

The operating system of the client machine.

Parent PID

The operating system process identifier of the parent process.

PID

The operating system process identifier.

Product Name

The product name of the application.

Product Version

The product version of the application.

Program Files Path

Sets the Program Files path used by the Discovery > By Path report.

Publisher

The publisher of the application.

Range End Time

The end time of the range being displayed.

Range Start Time

The start time of the range being displayed.

Request Type

The type of request:

  • Blocked with reason
  • Canceled challenge

Row Limit

The maximum number of rows to be retrieved from the database.

Rule Match Type

Rule Match Type:

  • Any
  • Direct match
  • Matched on parent

Sandbox

The sandboxed setting:

  • Not Set
  • Any Sandbox
  • Not Sandboxed

Rule Script Affected Rule

True when the Rule Script (Power Rule) changes one or more of the Default Endpoint Privilege Management rules, otherwise false.

Rule Script File Name

The Rule Script (Power Rule) file name on disk if applicable.

Rule Script Name

The name of the assigned Rule Script (Power Rule).

Rule Script Output

The output of the Rule Script (Power Rule).

Rule Script Publisher

The publisher of the Rule Script (Power Rule).

Rule Script Result

The result of the Rule Script (Power Rule). This can be:

  • <None>
  • Script ran successfully
  • [Exception Message]
  • Script timeout exceeded: <X> seconds
  • Script execution canceled
  • Set Rule Properties failed validation: <reason>
  • Script execution skipped: Challenge Response Authenticated
  • Script executed previously for the parent process: Matched as a child process so cached result applied
  • Script execution skipped: <app type> not supported
  • Script execution skipped: PRInterface module failed signature check
  • Set RunAs Properties failed validation: <reason>

Rule Script Status

The status of the Rule Script (Power Rule). This can be:

  • <None>
  • Success
  • Timeout
  • Exception
  • Skipped
  • ValidationFailure

Rule Script Version

The version of the assigned Rule Script (Power Rule).

Shell or Auto

Whether the process was launched using the shell Run with Endpoint Privilege Management option or by normal means (opening an application):

  • Any
  • Shell
  • Auto

Source URL

The source URL (where the file was downloaded from).

System Path

Sets the system path used by the Discovery > By Path report.

Target Description

This field allows you to filter by the target description.

Target Type

The type of target that triggered the event:

  • Any
  • Application
  • URL
  • Services
  • COM
  • Remote PowerShell
  • ActiveX
  • Content

Trusted Application Name

The trusted application that triggered the event.

Trusted Application Version

The trusted application version number.

Trusted File Owner

Whether the file owner of the target file is trusted. To be a trusted owner the user must be in one of the following Windows groups:

  • TrustedInstaller
  • System
  • Administrator

UAC Triggered

Whether or not Windows UAC was triggered:

  • Not Set
  • Triggered UAC
  • Did not trigger UAC

User Name

The user name of the user who triggered the event.

User Profiles Path

Sets the User Profiles path used by the Discovery > By Path report.

Workstyle

The name of the Workstyle that contained the rule that matched the application.