Audits and Reports
Endpoint Privilege Management for Windows sends events to the local Application event log, depending on the audit and privilege monitoring settings within the Endpoint Privilege Management for Windows policy.
Additionally, BeyondTrust provides an enterprise level, scalable reporting solution in Endpoint Privilege Management Reporting. Endpoint Privilege Management Reporting includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Endpoint Privilege Management for Windows activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host, and Workstyle usage.
Events
The following events are logged by Endpoint Privilege Management for Windows:
| Event ID | Description |
|---|---|
| 0 | Service Control Success. |
| 1 | Service Error. |
| 2 | Service Warning. |
| 100 | Process has started with admin rights added to token. |
| 101 | Process has been started from the shell context menu with admin rights added to token. |
| 103 | Process has started with admin rights dropped from token. |
| 104 | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | Process has started with no change to the access token (passive mode). |
| 107 | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | Process has started with user’s default rights enforced. |
| 110 | Process has started from the shell context menu with user’s default rights enforced. |
| 112 | Process requires elevated rights to run. |
| 113 | Process has started with custom token applied. |
| 114 | Process has started from the shell context menu with user’s custom token applied. |
| 116 | Process execution was blocked. |
| 118 | Process started in the context of the authorizing user. |
| 119 | Process started from the shell menu in the context of the authorizing user. |
| 120 | Process execution was canceled by the user. |
| 150 | Endpoint Privilege Management for Windows handled service control start action. |
| 151 | Endpoint Privilege Management for Windows handled service control stop action. |
| 152 | Endpoint Privilege Management for Windows handled service control pause/resume action. |
| 153 | Endpoint Privilege Management for Windows handled service control configuration action. |
| 154 | Endpoint Privilege Management for Windows blocked a service control start action. |
| 155 | Endpoint Privilege Management for Windows blocked a service control stop action. |
| 156 | Endpoint Privilege Management for Windows blocked a service control pause/resume action. |
| 157 | Endpoint Privilege Management for Windows blocked a service control configuration action. |
| 158 | Endpoint Privilege Management for Windows service control action run in the context of the authorizing user. |
| 159 | Endpoint Privilege Management for Windows service control start action canceled. |
| 160 | Endpoint Privilege Management for Windows service control stop action canceled. |
| 161 | Endpoint Privilege Management for Windows service control pause/resume action canceled. |
| 162 | Endpoint Privilege Management for Windows service control configuration action canceled. |
| 198 | Privileged group modification blocked. |
| 199 | Process execution was blocked, the maximum number of challenge / response failures was exceeded. |
| Configuration Events | |
| 10 | License Error. |
| 200 | Config Config Load Success. |
| 201 | Config Config Load Warning. |
| 202 | Config Config Load Error. |
| 210 | Config Config Download Success. |
| 211 | Config Config Download Error. |
| User / Computer Events | |
| 300 | User User Logon. |
| 400 |
Service Endpoint Privilege Management for Windows Service Start. |
| 401 | Service Endpoint Privilege Management for Windows Service Stop. |
| Content Events | |
| 600 | Content has been updated with Add Admin Rights token. |
| 601 | Content has been updated with a custom token. |
| 602 | Content has been updated with Drop Admin Rights token. |
| 603 | Content has been updated with Passive token. |
| 604 | Content has been updated with Enforce User's Default Rights token. |
| 605 | Content access was blocked. |
| 606 | Content access was canceled by the user. |
| 706 | Process Passive Audit DLL. |
| 716 | Process Block DLL. |
| 720 | Process Cancel DLL Audit. |
| 801 | Rule Script Failure. |
| 802 | Password Safe Integration Error. |
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application Group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
Each process event also contains product properties, where applicable, but these can only be viewed in the Endpoint Privilege Management Reporting Console.
Audit with Custom Scripts
When an application is allowed, elevated, or blocked, Endpoint Privilege Management for Windows logs an event to the Application event log to record details of the action. If you want to record the action in a bespoke or third-party tracking system that supports PowerShell, VBScript, or JScript based submissions, you can use the Run a Script setting within an Application Rule.
To add a new auditing script:
- Create a new or edit an existing Application Rule within a Workstyle.
- In Run a Script, click on the Off value and in the dropdown menu, select Manage Scripts to open the Script Manager.
- In the Script Manager, click New in the left tree view. A new script is added to the tree. Click the name New Script once to rename the script.
- In the right script editor, enter your script code either manually, by copy and paste, or you can import a script from file by clicking Import.
- In the Script Language dropdown menu, select either PowerShell, VM Script, or Javascript, depending on the code format you entered.
PowerShell audit scripts can only be run in the system context.
- Select a Timeout for how long the script will be allowed to execute, before it is terminated. By default, this is set to Infinite.
- Select whether the script should be executed in the System context or the current User context from the Script Context dropdown menu.
- Click OK to finish.
The new script is automatically selected in the Run a Script setting.
If you have any existing scripts, these can be selected in the dropdown menu.
The auditing script supports the use of parameters within the script. Parameters are expanded using the COM interface PGScript.
strUserName = PGScript.GetParameter("[PG_USER_NAME]")
strCommandLine = PGScript.GetParameter("[PG_PROG_CMD_LINE]")
strAgentVersion = PGScript.GetParameter("[PG_AGENT_VERSION]")
Scripts created in the script editor can be reused in multiple Application Rules and On-Demand Application Rules. Any modification to an existing script affects all Workstyle rules that have been configured to execute that script.
For a list of available parameters, see Windows QuickStart Policy Summary.
