Events in Endpoint Privilege Management for Windows
The following events are logged by Endpoint Privilege Management.
Windows Process Events
ePO ID (Event ID) | Description |
---|---|
202299 (1) | Service Error - unlicensed or invalid license code. |
202250 (100) | Process has started with admin rights added to token. |
202251 (101) | Process has been started from the shell context menu with admin rights added to token. |
202253 (103) | Process has started with admin rights dropped from token. |
202254 (104) | Process has been started from the shell context menu with admin rights dropped from token. |
202256 (106) | Process has started with no change to the access token (passive mode). |
202257 (107) | Process has been started from the shell context menu with no change to the access token (passive mode). |
202259 (109) | Process has started with user’s default rights enforced. |
202260 (110) | Process has started from the shell context menu with user’s default rights enforced. |
202262 (112) | Process requires elevated rights to run. |
202263 (113) | Process has started with Custom Token applied. |
202264 (114) | Process has started from the shell context menu with user’s Custom Token applied. |
202266 (116) | Process execution was blocked. |
202268 (118) | Process started in the context of the authorizing user. |
202269 (119) | Process started from the shell menu in the context of the authorizing user. |
202270 (120) | Process execution was canceled by the user. |
202275 (150) | Endpoint Privilege Management handled service control start action. |
202276 (151) | Endpoint Privilege Management handled service control stop action. |
202277 (152) | Endpoint Privilege Management handled service control pause/resume action. |
202278 (153) | Endpoint Privilege Management handled service control configuration action. |
202279 (154) | Endpoint Privilege Management blocked a service control start action. |
202280 (155) | Endpoint Privilege Management blocked a service control stop action. |
202281 (156) | Endpoint Privilege Management blocked a service control pause/resume action. |
202282 (157) | Endpoint Privilege Management blocked a service control configuration action. |
202283 (158) | Endpoint Privilege Management service control action run in the context of the authorizing user. |
202284 (159) | Endpoint Privilege Management service control start action canceled. |
202285 (160) | Endpoint Privilege Management service control stop action canceled. |
202286 (161) | Endpoint Privilege Management service control pause/resume action canceled. |
202287 (162) | Endpoint Privilege Management service control configuration action canceled. |
202297 (199) | Windows only - Process execution was blocked because the maximum number of challenge / response failures was exceeded. |
Configuration Events
Events with IDs in the range 200 - 299 are not sent to ePO Dashboards.

Event ID | Category | Description |
---|---|---|
(200) | Config | Config Load Success |
(201) | Config | Config Load Warning |
(202) | Config | Config Load Error |
(210) | Config | Config Download Success |
(211) | Config | Config Download Error |
User / Computer Events
These events are not sent to ePO Dashboards.

Event ID | Category | Description |
---|---|---|
(300) | User | User Logon |
(400) | Service | Endpoint Privilege Management Service Start |
(401) | Service | Endpoint Privilege Management Service Stop |
Content Events

ePO ID (Event ID) | Category | Description |
---|---|---|
203050 (600) | Process | Content Has Been Opened (Updated Add Admin) |
203050 (601) | Process | Content Has Been Updated (Updated Custom) |
203050 (602) | Process | Content Access Drop Admin (Updated Drop Admin) |
203050 (603) | Process | Content Access Was Canceled By The User (Updated Passive) |
203050 (604) | Process | Content Access Was Enforced With Default Rights (Updated Default) |
203050 (605) | Process | Content Access Was Blocked |
203050 (606) | Process | Content Access Was Canceled |
203050 (607) | Process | Content Access Was Sandboxed |
203050 (650) | Process | URL Browse |
203050 (706) | Process | Passive Audit DLL |
203050 (716) | Process | Block DLL |
203050 (720) | Process | Cancel DLL Audit |
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
Each process event also contains product properties, where applicable, but these can only be viewed in the Endpoint Privilege Management Reporting Console.
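The process-event fields listed above, together with the event IDs in the tables, are what a monitoring team keys detections on. The following is an added example (not Endpoint Privilege Management or BeyondTrust code) that triages a constructed batch of process events: it flags event 199 (challenge/response failure limit exceeded), counts event 116 (execution blocked) per user, and maps file hashes to the users for whom admin rights were added (events 100/101). The one-dict-per-event layout, the field names, the user names and the hash values are assumptions made for this example, not the product's export format.

```python
"""Triage of Endpoint Privilege Management (EPM) for Windows process events.

Added example, not EPM/BeyondTrust code. Event-ID meanings come from the
EPM event tables; the record layout (one dict per event) and all sample
values below are constructed for this example.
"""
from collections import Counter, defaultdict

# Event IDs from the EPM process-event table (the number in parentheses).
ADMIN_ADDED = 100                 # process started with admin rights added
ADMIN_ADDED_SHELL = 101           # same, started from the shell context menu
PROCESS_BLOCKED = 116             # process execution was blocked
CHALLENGE_RESPONSE_EXCEEDED = 199 # challenge/response failure limit exceeded


def _event(event_id, user, command_line, pid, parent_pid, workstyle, app_group, file_hash):
    """Build one process-event record carrying the fields EPM logs per event."""
    return {"event_id": event_id, "user": user, "command_line": command_line,
            "pid": pid, "parent_pid": parent_pid, "workstyle": workstyle,
            "app_group": app_group, "file_hash": file_hash}


# Constructed sample batch; hashes are placeholders, not real file hashes.
SAMPLE_EVENTS = [
    _event(100, "alice", r"C:\Tools\installer.exe /s", 4120, 3980,
           "Standard Users", "Approved Installers", "sha1-placeholder-aaaa"),
    _event(116, "bob", r"C:\Users\bob\Downloads\tool.exe", 5001, 4880,
           "Standard Users", "Blocked Applications", "sha1-placeholder-bbbb"),
    _event(116, "bob", r"C:\Users\bob\Downloads\tool.exe", 5010, 4880,
           "Standard Users", "Blocked Applications", "sha1-placeholder-bbbb"),
    _event(116, "bob", r"C:\Users\bob\Downloads\tool2.exe", 5022, 4880,
           "Standard Users", "Blocked Applications", "sha1-placeholder-cccc"),
    _event(199, "bob", r"C:\Users\bob\Downloads\tool2.exe", 5031, 4880,
           "Standard Users", "Challenge Response Apps", "sha1-placeholder-cccc"),
    _event(101, "carol", r"C:\Tools\installer.exe /s", 6100, 6002,
           "Standard Users", "Approved Installers", "sha1-placeholder-aaaa"),
    _event(106, "dave", r"C:\Windows\System32\notepad.exe", 7000, 6900,
           "Standard Users", "Passive Apps", "sha1-placeholder-dddd"),
]


def blocked_counts(events):
    """Count event 116 (process execution blocked) per user."""
    return Counter(e["user"] for e in events if e["event_id"] == PROCESS_BLOCKED)


def challenge_response_lockouts(events):
    """Users with event 199: too many challenge/response failures."""
    return sorted({e["user"] for e in events
                   if e["event_id"] == CHALLENGE_RESPONSE_EXCEEDED})


def elevated_hashes(events):
    """Map file hash -> sorted users for whom EPM added admin rights (100/101)."""
    by_hash = defaultdict(set)
    for e in events:
        if e["event_id"] in (ADMIN_ADDED, ADMIN_ADDED_SHELL):
            by_hash[e["file_hash"]].add(e["user"])
    return {h: sorted(users) for h, users in by_hash.items()}


def triage(events, block_threshold=3):
    """Return alert strings for lockouts and users at or above the block threshold."""
    alerts = []
    for user in challenge_response_lockouts(events):
        alerts.append(f"{user}: challenge/response failure limit exceeded (event 199)")
    for user, n in sorted(blocked_counts(events).items()):
        if n >= block_threshold:
            alerts.append(f"{user}: {n} blocked executions (event 116)")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
    for file_hash, users in elevated_hashes(SAMPLE_EVENTS).items():
        print(f"{file_hash}: elevated for {', '.join(users)}")
```

Event 199 is worth alerting on by itself, since it only fires after repeated challenge/response failures; the per-user count of event 116 and the hash-to-user map are the kind of context (file hash, application group, workstyle) that the per-event fields make available for review.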