McAfee ePO Privilege Management for Windows Database Events

| Table Column Name | Description |
|---|---|
| AppGroupDescription | Description of the Privilege Management for Windows Application Group that matched the process referenced in the event. |
| AppGroupName | Name of the Privilege Management for Windows Application Group that matched the process referenced in the event. |
| ApplicationHash | The SHA-1 hash of the process referenced in the event. |
| ApplicationType | File extension of the process referenced in the event. |
| ApplicationPolicyDescription | Description of the Application Rule which matched the process referenced in the event. |
| ApplicationPolicyId | Unique identifier of the Application Rule which matched the process referenced in the event. |
| AppxName | Name of the Windows Store application referenced in the event. |
| AppxPublisher | Digital signature of the Windows Store application referenced in the event. |
| AppxVersion | Vendor-assigned version number of the Windows Store application referenced in the event. |
| AuthorizationChallenge | If available, the 8-digit challenge code presented to the user. |
| AuthorizingDomainUser | The name of the user that satisfied the Designated User requirement of the event. |
| AuthorizingUserSID | The Security Identifier (SID) of the user that satisfied the Designated User requirement of the event. |
| AutoID | Unique reference assigned to the event entry in the table. |
| ClientName | Name of the endpoint that connected using a remote session. |
| ClientPV4 | IPv4 address of the client that connected using a remote session. |
| CommandLine | The command line of the process referenced in the event. |
| COMAppID | The unique identifier of the application associated with the COM CLSID. |
| COMCLSID | The unique identifier of the COM class object referenced in the event. |
| COMDisplayName | The name of the COM class object referenced in the event. |
| DomainUser | The username of the user session that started the process. |
| DriveType | The type of drive from which the process was being executed. |
| EventID | The Privilege Management for Windows ID for the event type. |
| FileName | FileName |
| FileOwnerDomainUser | The name of the user that is the NTFS owner of the process referenced in the event. |
| FileOwnerUserSID | The Security Identifier (SID) of the user that is the NTFS owner of the process referenced in the event. |
| FileVersion | File version of the process referenced in the event. |
| HostName | The name of the host upon which the process referenced in the event executed. |
| HostID | The Security Identifier (SID) of the host upon which the process referenced in the event executed. |
| MessageDescription | Description of the Privilege Management for Windows message that matched the process referenced in the event. |
| MessageName | Name of the Privilege Management for Windows message that matched the process referenced in the event. |
| ParentID | Unique ID assigned by Windows to the parent process of the process referenced in the event. |
| ParentProcessFileName | Name of the parent process of the process referenced in the event. |
| ParentProcessGUID | Unique reference assigned by Privilege Management for Windows to the parent process of the process referenced in the event. |
| PID | Unique ID assigned by Windows to the process referenced in the event. |
| PolicyDescription | Description of the Privilege Management for Windows policy that matched the process referenced in the event. |
| PolicyName | Name of the Privilege Management for Windows policy that matched the process referenced in the event. |
| PowerShellCommand | If available, the PowerShell cmdlet referenced in the event. |
| ProcessGUID | Unique reference assigned by Privilege Management for Windows to the process referenced in the event. |
| ProcessStartTime | Time that the process referenced in the event started. |
| ProductCode | Product Code assigned to the process referenced in the event. |
| ProductDescription | Product Description assigned by the vendor to the process referenced in the event. |
| ProductName | Product Name assigned by the vendor to the process referenced in the event. |
| ProductVersion | Product Version assigned by the vendor to the process referenced in the event. |
| Publisher | Digital signature assigned by the vendor to the process referenced in the event. |
| Reason | Details of the reason provided by the user for using the process referenced in the event. |
| ServiceDisplayName | The display name of the Windows service referenced in the event. |
| ServiceName | The service name of the Windows service referenced in the event. |
| SourceURL | If available, the URL from which the process referenced in the event was downloaded. |
| TokenAssignmentIsShell | Binary flag to indicate if the process was launched using the shell integration feature. |
| TokenDescription | Description of the token applied by Privilege Management for Windows to the process referenced in the event. |
| TokenName | Name of the token applied by Privilege Management for Windows to the process referenced in the event. |
| TrustedApplicationName | Name of the trusted application that triggered the rule. |
| TrustedApplicationVersion | Version of the trusted application that triggered the rule. |
| UACTriggered | Flag to indicate if the process matched on a UACTriggered rule. |
| UpgradeCode | Upgrade Code assigned to the process referenced in the event. |
| UserSID | The Security Identifier (SID) of the user who started the process. |

No individual event returns values in all fields, so NULL values in task-specific columns are expected behavior.