Audits and Reports
Privilege Management for Windows sends events to the local Application event log, depending on the audit and privilege monitoring settings within the Privilege Management for Windows policy.
Additionally, BeyondTrust provides an enterprise-level, scalable reporting solution in Privilege Management Reporting. Privilege Management Reporting includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Privilege Management for Windows activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host, and Workstyle usage.
The following events are logged by Privilege Management for Windows:
| Event ID | Category | Description |
|---|---|---|
| 0 | | Service Control Success. |
| 100 | | Process has started with admin rights added to token. |
| 101 | | Process has been started from the shell context menu with admin rights added to token. |
| 103 | | Process has started with admin rights dropped from token. |
| 104 | | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | | Process has started with no change to the access token (passive mode). |
| 107 | | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | | Process has started with user's default rights enforced. |
| 110 | | Process has started from the shell context menu with user's default rights enforced. |
| 112 | | Process requires elevated rights to run. |
| 113 | | Process has started with custom token applied. |
| 114 | | Process has started from the shell context menu with user's custom token applied. |
| 116 | | Process execution was blocked. |
| 118 | | Process started in the context of the authorizing user. |
| 119 | | Process started from the shell menu in the context of the authorizing user. |
| 120 | | Process execution was canceled by the user. |
| 150 | | Privilege Management for Windows handled service control start action. |
| 151 | | Privilege Management for Windows handled service control stop action. |
| 152 | | Privilege Management for Windows handled service control pause/resume action. |
| 153 | | Privilege Management for Windows handled service control configuration action. |
| 154 | | Privilege Management for Windows blocked a service control start action. |
| 155 | | Privilege Management for Windows blocked a service control stop action. |
| 156 | | Privilege Management for Windows blocked a service control pause/resume action. |
| 157 | | Privilege Management for Windows blocked a service control configuration action. |
| 158 | | Privilege Management for Windows service control action run in the context of the authorizing user. |
| 159 | | Privilege Management for Windows service control start action canceled. |
| 160 | | Privilege Management for Windows service control stop action canceled. |
| 161 | | Privilege Management for Windows service control pause/resume action canceled. |
| 162 | | Privilege Management for Windows service control configuration action canceled. |
| 198 | | Privileged group modification blocked. |
| 199 | | Process execution was blocked; the maximum number of challenge / response failures was exceeded. |
| 200 | Config | Config Load Success. |
| 201 | Config | Config Load Warning. |
| 202 | Config | Config Load Error. |
| 210 | Config | Config Download Success. |
| 211 | Config | Config Download Error. |

User / Computer Events

| Event ID | Category | Description |
|---|---|---|
| 300 | User | User Logon. |
| | Service | Privilege Management for Windows Service Start. |
| 401 | Service | Privilege Management for Windows Service Stop. |
| 600 | Process | Content Has Been Opened (Updated Add Admin). |
| 601 | Process | Content Has Been Updated (Updated Custom). |
| 602 | Process | Content Access Drop Admin (Updated Drop Admin). |
| 603 | Process | Content Access Was Cancelled By The User (Updated Passive). |
| 604 | Process | Content Access Was Enforced With Default Rights (Updated Default). |
| 605 | Process | Content Access Was Blocked. |
| 606 | Process | Content Access Was Canceled. |
| 607 | Process | Content Access Was Sandboxed. |
| 650 | Process | URL Browse. |
| 706 | Process | Passive Audit DLL. |
| 716 | Process | Block DLL. |
| 720 | Process | Cancel DLL Audit. |
| 801 | | Rule Script Failure. |
| 802 | | Password Safe Integration Error. |
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application Group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
Each process event also contains product properties, where applicable, but these can only be viewed in the Privilege Management Reporting Console.
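The event IDs above are what a defender has to work with when the Reporting Console is not available and the local Application log is the only source. The following PowerShell script is an added example, not BeyondTrust's own tooling: it pulls the last 24 hours of block, cancel, and elevation events from the Application log, summarizes them by event ID using the descriptions from the table above, and lists the full message of every blocked event. The agent's event provider name is not stated on this page, so `$ProviderName` is a placeholder that must be set to the Provider value shown on one of these events in Event Viewer; `$LogPath` is not used here, and no other product-specific names are assumed.

```powershell
# Added example (not BeyondTrust's own code): triage Privilege Management for Windows
# events in the local Application log, keyed on the event IDs documented above.
# ASSUMPTION: $ProviderName is a placeholder; set it to the Provider shown in Event Viewer.
param(
    [string]$ProviderName = 'REPLACE-WITH-PROVIDER-NAME',
    [int]$Hours = 24
)

# IDs from the table above that represent a denied or abandoned action.
$BlockedIds = @{
    116 = 'Process execution was blocked'
    120 = 'Process execution was canceled by the user'
    154 = 'Blocked a service control start action'
    155 = 'Blocked a service control stop action'
    156 = 'Blocked a service control pause/resume action'
    157 = 'Blocked a service control configuration action'
    198 = 'Privileged group modification blocked'
    199 = 'Execution blocked: maximum challenge / response failures exceeded'
    605 = 'Content access was blocked'
    716 = 'Block DLL'
}

# IDs from the table above where rights were added to the token.
$ElevatedIds = @{
    100 = 'Process started with admin rights added to token'
    101 = 'Process started from shell context menu with admin rights added'
    113 = 'Process started with custom token applied'
    114 = 'Process started from shell context menu with custom token applied'
}

$filter = @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    Id           = @($BlockedIds.Keys) + @($ElevatedIds.Keys)
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No matching events in the last $Hours hour(s). Check `$ProviderName."
    return
}

# One row per event ID, most frequent first.
$summary = $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $id = [int]$_.Name
    $blocked = $BlockedIds.ContainsKey($id)
    [pscustomobject]@{
        EventId     = $id
        Count       = $_.Count
        Outcome     = if ($blocked) { 'Blocked/Canceled' } else { 'Elevated' }
        Description = if ($blocked) { $BlockedIds[$id] } else { $ElevatedIds[$id] }
    }
}
$summary | Format-Table -AutoSize

# 199 means a user hit the challenge/response failure limit; flag it explicitly.
$lockouts = @($events | Where-Object { $_.Id -eq 199 })
if ($lockouts.Count -gt 0) {
    Write-Warning "$($lockouts.Count) event(s) with ID 199 (challenge/response limit exceeded)."
}

# Per the list above, each process event's message carries the command line, parent
# process ID, Workstyle, Application Group, file hash and certificate where applicable.
$events | Where-Object { $BlockedIds.ContainsKey([int]$_.Id) } |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-List
```

Because several other Windows components also write low-numbered event IDs to the Application log, the `ProviderName` filter is what keeps the query from picking up unrelated events; do not drop it to widen the search.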
Audit with Custom Scripts
When an application is allowed, elevated, or blocked, Privilege Management for Windows logs an event to the Application event log to record details of the action. If you want to record the action in a bespoke or third-party tracking system that supports PowerShell-, VBScript-, or JScript-based submissions, you can use the Run a Script setting within an Application Rule.
To add a new auditing script:
- Create a new or edit an existing Application Rule within a Workstyle.
- In Run a Script, click on the Off value and in the dropdown menu, select Manage Scripts to open the Script Manager.
- In the Script Manager, click New in the left tree view. A new script is added to the tree. Click the name New Script once to rename the script.
- In the right script editor, enter your script code manually, by copying and pasting, or by importing a script from a file by clicking Import.
PowerShell audit scripts can only be run in the system context.
- Select a Timeout for how long the script is allowed to execute before it is terminated. By default, this is set to Infinite.
- Select whether the script should be executed in the System context or the current User context from the Script Context dropdown menu.
- Click OK to finish.
The new script is automatically selected in the Run a Script setting.
If you have any existing scripts, these can be selected in the dropdown menu.
The auditing script supports the use of parameters within the script. Parameters are expanded using the COM interface PGScript.
```vbscript
strUserName = PGScript.GetParameter("[PG_USER_NAME]")
strCommandLine = PGScript.GetParameter("[PG_PROG_CMD_LINE]")
strAgentVersion = PGScript.GetParameter("[PG_AGENT_VERSION]")
```
Scripts created in the script editor can be reused in multiple Application Rules and On-Demand Application Rules. Any modification to an existing script affects all Workstyle rules that have been configured to execute that script.
For a list of available parameters, please see Windows Workstyle Parameters.
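The steps above describe how to attach a script to an Application Rule, and the VBScript fragment shows how parameters are read through PGScript. The script below is an added PowerShell example of such an audit script, not a BeyondTrust sample: it reads the three parameters shown on this page and appends one JSON line per audited action to a file under ProgramData, standing in for a bespoke tracking system. It assumes that the PGScript COM interface named above can be created from PowerShell with `New-Object -ComObject 'PGScript'` (an assumption; confirm against the product's script documentation), and the log path is constructed for the example. Since PowerShell audit scripts run only in the System context, the path is one that SYSTEM can write to, and any failure is caught so that auditing problems never interfere with the user's action.

```powershell
# Added example audit script for the Run a Script setting (not BeyondTrust's own code).
# ASSUMPTION: the PGScript COM interface is reachable via the ProgID "PGScript".
# Only the parameters shown on this page are used; see Windows Workstyle Parameters
# for the full list.
# PowerShell audit scripts run in the System context, so write to a SYSTEM-writable
# location rather than a per-user profile path. The path below is constructed.
$LogPath   = Join-Path $env:ProgramData 'PMAudit\actions.jsonl'
$ErrorPath = Join-Path $env:ProgramData 'PMAudit\audit-script-errors.log'

function Write-AuditRecord {
    param([string]$Path, [hashtable]$Record)
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # One compact JSON object per line keeps the file easy to ship to a SIEM later.
    Add-Content -Path $Path -Value ($Record | ConvertTo-Json -Compress) -Encoding UTF8
}

try {
    $pg = New-Object -ComObject 'PGScript'   # assumption: ProgID of the COM interface

    $record = [ordered]@{
        Timestamp    = (Get-Date).ToString('o')
        Computer     = $env:COMPUTERNAME
        User         = [string]$pg.GetParameter('[PG_USER_NAME]')
        CommandLine  = [string]$pg.GetParameter('[PG_PROG_CMD_LINE]')
        AgentVersion = [string]$pg.GetParameter('[PG_AGENT_VERSION]')
    }

    Write-AuditRecord -Path $LogPath -Record $record
}
catch {
    # An audit failure must not surface to the user or stall the rule; record it
    # locally so the failure itself is visible to whoever reviews the host.
    try {
        Add-Content -Path $ErrorPath -Value ("{0} {1}" -f (Get-Date).ToString('o'), $_.Exception.Message)
    }
    catch { }
}
```

Keep the work inside the script short and set a finite Timeout in the Script Manager rather than leaving the default of Infinite: the script runs on every matching application launch, so a hung network call or a locked file would otherwise hold up the action it is meant to audit. Any change to this script affects every Workstyle rule that references it, as noted above.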