Insert Applications from Events

The Event Import wizard allows you to search from within any Endpoint Privilege Management for Windows event source, and create application definitions based on the properties collected by an audit event. The wizard provides a simple and convenient way to find specific applications based on any or all of the following search criteria:

  • Event Source: Where the event is collected (local or remote event log, Forwarded event log, or Enterprise Reporting Pack database).
  • Event Type: The type of event you are interested in. Choose Any application or choose from one of the following:
    • Applications that performed privileged operations
      • Event number 100
    • Applications that triggered UAC
      • If the UACTriggered flag on the event was set to 1
    • Applications that were blocked
      • Event number 116
    • Applications that were launched by the Shell Menu
      • Event numbers 101, 104, 107, 110, 114, and 119
  • Timeframe: The period of time to search for applications. Choose from one of the following:
    • From: Pick a range starting from a predefined time period. From here you can also choose Anytime, to include all events.
    • Specific period: Pick an optional From and To date to include events collected during that period of time.

Once the search criteria are entered, the wizard returns a list of the unique audited applications that match the criteria you specified. From here you can browse the list (which is grouped by Publisher), or, to find a particular application, type into the Search publisher\Description field to instantly filter the list based on the text you enter.

Applications that are already members of the Application Group are highlighted and displayed with a check mark.

After you find an application or applications, select (or multi-select by holding down the Control or Shift key while selecting) and then click OK to create new application definitions from your selection.

Once the definitions are created, you can edit the definition and modify the matching criteria. All matching criteria are prepopulated with values collected from the application.

A unique application is identified by the product description of the application, so if two or more audited applications share the same product description, they are displayed as a single application.
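The following added example (not BeyondTrust's code) reproduces the wizard's Event Type filters, the Search publisher\Description text filter, and the grouping into unique applications by product description, run over constructed audit records. The record field names (`event_id`, `uac_triggered`, `publisher`, `description`) are assumptions for the example, not the product's actual event schema.

```python
# Added example: apply the Event Import wizard's filters to constructed audit
# records and group the survivors into unique applications by product description.
# Field names on the records are assumed for this example, not the real schema.
from collections import defaultdict

# Event numbers for each Event Type, as listed in the wizard's search criteria.
PRIVILEGED_OPERATION = {100}
BLOCKED = {116}
SHELL_MENU = {101, 104, 107, 110, 114, 119}


def matches_event_type(event, event_type):
    """Return True when an audit event satisfies the chosen Event Type filter."""
    if event_type == "any":
        return True
    if event_type == "privileged":
        return event["event_id"] in PRIVILEGED_OPERATION
    if event_type == "uac":
        # "Applications that triggered UAC" keys on the UACTriggered flag, not an event number.
        return event.get("uac_triggered") == 1
    if event_type == "blocked":
        return event["event_id"] in BLOCKED
    if event_type == "shell_menu":
        return event["event_id"] in SHELL_MENU
    raise ValueError(f"unknown event type: {event_type}")


def unique_applications(events, event_type="any", search=""):
    """Group matching events into {publisher: {description: event_count}}.
    Two events with the same product description collapse into one application,
    and `search` filters on publisher or description, case-insensitively."""
    needle = search.lower()
    grouped = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if not matches_event_type(ev, event_type):
            continue
        if needle and needle not in ev["publisher"].lower() and needle not in ev["description"].lower():
            continue
        grouped[ev["publisher"]][ev["description"]] += 1
    return {pub: dict(apps) for pub, apps in grouped.items()}


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"event_id": 100, "uac_triggered": 0, "publisher": "Contoso Ltd", "description": "Contoso Updater"},
    {"event_id": 100, "uac_triggered": 1, "publisher": "Contoso Ltd", "description": "Contoso Updater"},
    {"event_id": 116, "uac_triggered": 0, "publisher": "Fabrikam Inc", "description": "Fabrikam Installer"},
    {"event_id": 104, "uac_triggered": 0, "publisher": "Contoso Ltd", "description": "Contoso Console"},
    {"event_id": 119, "uac_triggered": 1, "publisher": "Contoso Ltd", "description": "Contoso Console"},
]

if __name__ == "__main__":
    for kind in ("any", "privileged", "uac", "blocked", "shell_menu"):
        print(kind, unique_applications(SAMPLE_EVENTS, kind))
```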