"Events" Reports in Privilege Management for Windows

This report shows information about the different types of events that have been raised over the specified time period. It also shows the time elapsed since a host raised an event.

Chart Description

Events over the last <time period>

A column chart showing the number of the different event types, broken down by the time period.

Clicking the chart takes you to the Events > All report with the Event Category, Range Start Time, and Range End Time filters applied.

Event Types

A chart showing how many events have been received, broken down by the event type.

Clicking the chart takes you to the Events > All report with the Event Number filter applied.

By Category

A chart breaking down the events received, split by category.

Clicking the chart takes you to the Events > All report with the Event Category filter applied.

Time since last endpoint event

A chart showing the number of computers in each time group, based on the time elapsed since each computer last raised an event.

Clicking the chart takes you to more detailed information about the host.

"Events All" Report in Privilege Management for Windows

The following columns are available for the Windows Events > All table:

  • Event Time: The time of the event
  • Reputation: The reputation of the event, where applicable
  • Platform: The platform that the event came from
  • Description: The description of the event
  • User Name: The user name of the user who triggered the event
  • Host Name: The host name where the event was triggered
  • Event Type: The type of event
  • Workstyle: The Workstyle containing the rule that triggered the event
  • Event Category: The category of the event
  • Elevation Method: The method of elevation
  • Authorization Source: The authorization source for a user's credentials

You can click some of the column data to review additional information on that event.

Add to Policy

Add to Policy allows you to add applications to specific Application Groups in your policy.

If you are using ePO server 5.10, the policy approval workflow is enabled, and you are logged in as a user who doesn't have permission to approve policies, the Add and Save functionality for Add to Policy is disabled. In this instance, you can click Add and Edit and then click Submit for Review.

The following application types and event types are not supported in the Events > All report:

  • Application Types
    • Content application types
    • DLL application types
    • URL application types
    • Uninstaller application types
  • Event Types
    • Logon types
    • Privileged Account Management types
    • Host (Privilege Management service) types

To add applications from events to your policy:

  1. Click the gray check mark in the first column next to the row(s) you want to import applications from and click Add to Policy.
  2. If you have selected any unsupported application types or event types, these are displayed and grouped by application type or event type.

Application types of Uninstaller are not supported. These cannot be determined by the Events > All report at this stage. If you have selected any Uninstaller application types, you are notified at the end of the process that the applications couldn't be added to your policy.

  3. Click Continue to acknowledge the application types and event types that won't be added to your policy. A list of your policies and associated Application Groups is displayed. Select the policy and Application Group that you want to add them to.
  4. Click Add and Save to add them to your policy. You will receive a confirmation when this has been completed. Click Add and Edit to add them to your policy and subsequently open the Policy Catalog. The highlighted lines are the ones you just added to your policy.

The information extracted from the application type or event type is determined by what is available in the event and the most commonly used matching criteria for that application type.

If you receive a message stating your policy is locked, ensure you don't have more than one instance of ePO server open and that no other users are accessing the policy.

Export to CSV

This exports all the events into a Comma Separated Value (CSV) file.
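The exported file can be used to reproduce the "Time since last endpoint event" grouping offline and list hosts that have stopped reporting. The following is an added example, not part of the product or its documentation; it assumes the CSV header names match the Events > All column names, that Event Time is in ISO 8601 format, and that the time groups and the 7-day threshold shown are acceptable stand-ins for your own.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an Events > All export. Header names are assumed to
# match the report's column names; all values are made up for illustration.
SAMPLE_CSV = """Event Time,Host Name,User Name,Event Category
2024-05-01T09:00:00,WS-001,alice,Process
2024-05-03T14:30:00,ws-001,alice,Process
2024-05-03T15:45:00,WS-002,bob,Process
2024-04-20T08:15:00,WS-003,carol,Process
2024-03-01T11:00:00,WS-004,dave,Process
not-a-date,WS-005,erin,Process
"""

# Assumed time groups; the report's own group boundaries may differ.
BUCKETS = [(timedelta(days=1), "under 1 day"),
           (timedelta(days=7), "1 to 7 days"),
           (timedelta(days=30), "7 to 30 days")]
OLDEST = "over 30 days"

def last_event_per_host(csv_text):
    """Return ({host: latest event time}, [rows that could not be used])."""
    latest, skipped = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = (row.get("Host Name") or "").strip().upper()  # case-insensitive
        try:
            when = datetime.fromisoformat((row.get("Event Time") or "").strip())
        except ValueError:
            when = None
        if not host or when is None:
            skipped.append(row)  # keep bad rows visible instead of dropping them
            continue
        if host not in latest or when > latest[host]:
            latest[host] = when
    return latest, skipped

def bucket_hosts(latest, now):
    """Group hosts by time elapsed since their most recent event."""
    groups = {label: [] for _, label in BUCKETS + [(None, OLDEST)]}
    for host, when in sorted(latest.items()):
        age = now - when
        label = next((lbl for limit, lbl in BUCKETS if age < limit), OLDEST)
        groups[label].append(host)
    return groups

def silent_hosts(latest, now, threshold=timedelta(days=7)):
    """Hosts whose last event is at least `threshold` old."""
    return sorted(h for h, when in latest.items() if now - when >= threshold)
```

A host that has never raised an event does not appear in the export at all, so compare the result against your endpoint inventory as well.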

"Process Detail" Report in Privilege Management for Windows

This report gives details about a specific process control event. Only processes that match rules in Workstyles are displayed.

An Advanced view for this report is available from the Filters dropdown. The Advanced view shows you the full set of columns available in the database.

  • Start Time: The start time of the event.
  • Platform: The platform that the events came from.
  • Description: The description of a specific application.
  • Publisher: The publisher of a specific application.
  • Application Type: The type of application.
  • File Name: The name of the file where applicable.
  • Command Line: The command line path of the file if applicable.
  • Product Name: The product name where applicable.
  • Trusted Application Name: The name of the trusted application.
  • Trusted Application Version: The version of the trusted application.
  • Product Version: The version of the product if applicable.
  • Group Policy Object: The Group Policy object, if applicable.
  • Workstyle: The Workstyle containing the rule that triggered the event.
  • Message: Any message associated with the event.
  • Action: Any action associated with the event.
  • Application Group: The Application Group that the application that triggered the event belongs to.
  • PID: The operating system process identifier.
  • Parent PID: The operating system process identifier of the parent process.
  • Parent Process File Name: The name of the parent process.
  • Shell/Auto: Whether the process was launched using the shell Run with Privilege Management option or by normal means (opening an application).
  • UAC Triggered: Whether or not Windows UAC was triggered.
  • Admin Rights Detected: Whether or not admin rights were detected.
  • User Name: The user name that triggered the event.
  • Host Name: The host name where the event was triggered.
  • Rule Script File Name: The name of the Rule Script (Power Rule) that ran.
  • Rule Script Affected Rule: True when the Rule Script (Power Rule) changed one or more of the Default Privilege Management for Windows rules.
  • User Reason: The reason given by the user if applicable.
  • COM Display Name: The display name of the COM if applicable.
  • Source URL: The source URL if applicable.

Add to Policy

Add to Policy allows you to add application types to specific Application Groups in your policy. The following application types are not supported in the Process Details report:

  • Application Types
    • DLL application types
    • Uninstall application types

To add applications from events to your policy:

  1. Click the gray check mark in the first column next to the row(s) you want to import applications from and click Add to Policy.
  2. If you have selected any application types that are unsupported, these are displayed and grouped by application type or event type.

Application types of Uninstaller are not supported. These cannot be determined by the Events > All report at this stage. If you have selected any Uninstaller application types, you are notified at the end of the process that the applications couldn't be added to your policy.

  3. Click Add and Save to add them to your policy. You receive a confirmation when this completes. Click Add and Edit to add them to your policy and subsequently open the Policy Catalog. The highlighted lines are the ones you just added to your policy.

The information that is extracted from the application type is determined by what is available in the event and the most commonly used matching criteria for that application type.

If you receive a message stating your policy is locked, ensure you don't have more than one instance of ePO server open and that no other users are accessing the policy.

Export to CSV

This exports all the events into a Comma Separated Value (CSV) file.