ePO Endpoint Privilege Management Database Events

Table Column Name | Description |
---|---|
AppGroupDescription | Description of the Endpoint Privilege Management |
AppGroupName | Name of the Endpoint Privilege Management |
ApplicationHash | The SHA-1 hash of the process referenced in the event. |
ApplicationType | File extension of the process referenced in the event. |
ApplicationPolicyDescription | Description of the Application Rule which matched the process referenced in the event. |
ApplicationPolicyId | Unique identifier of the Application Rule which matched the process referenced in the event. |
AppxName | Name of the Windows Store application referenced in the event. |
AppxPublisher | Digital signature of the Windows Store application referenced in the event. |
AppxVersion | Vendor-assigned version number of the Windows Store application referenced in the event. |
AuthorizationChallenge | If available, the 8-digit challenge code presented to the user. |
AuthorizingDomainUser | The name of the user that satisfied the Designated User requirement of the event. |
AuthorizingUserSID | The Security Identifier (SID) of the user that satisfied the Designated User requirement of the event. |
AutoID | Unique reference assigned to the event entry in the table. |
ClientName | Name of the endpoint that connected using a remote session. |
ClientPV4 | IPv4 address of the client that connected using a remote session. |
CommandLine | The command line of the process referenced in the event. |
COMAppID | The unique identifier of the application associated to the COM CLSID. |
COMCLSID | The unique identifier of the COM class object referenced in the event. |
COMDisplayName | The name of the COM class object referenced in the event. |
DomainUser | The username of the user session who started the process. |
DriveType | The type of drive from which the process was being executed. |
EventID | The Endpoint Privilege Management |
FileName | FileName |
FileOwnerDomainUser | The name of the user that is the NTFS owner of the process referenced in the event. |
FileOwnerUserSID | The Security Identifier (SID) of the user that is the NTFS owner of the process referenced in the event. |
FileVersion | File version of the process referenced in the event. |
HostName | The name of the host upon which the process referenced in the event executed. |
HostID | The Security Identifier (SID) of the host upon which the process referenced in the event executed. |
MessageDescription | Description of the Endpoint Privilege Management |
MessageName | Name of the Endpoint Privilege Management |
ParentID | Unique ID assigned by Windows to the parent process of the process referenced in the event. |
ParentProcessFileName | Name of the parent process of the process referenced in the event. |
ParentProcessGUID | Unique reference assigned by Endpoint Privilege Management |
PID | Unique ID assigned by Windows to the process referenced in the event. |
PolicyDescription | Description of the Endpoint Privilege Management |
PolicyName | Name of the Endpoint Privilege Management |
PowerShellCommand | If available, the PowerShell cmdlet referenced in the event. |
ProcessGUID | Unique reference assigned by Endpoint Privilege Management |
ProcessStartTime | Time that the process referenced in the event started. |
ProductCode | Product Code assigned to the process referenced in the event. |
ProductDescription | Product Description assigned by the vendor to the process referenced in the event. |
ProductName | Product Name assigned by the vendor to the process referenced in the event. |
ProductVersion | Product Version assigned by the vendor to the process referenced in the event. |
Publisher | Digital signature assigned by the vendor to the process referenced in the event. |
Reason | Details of the reason provided by the user for using the process referenced in the event. |
ServiceDisplayName | The display name of the Windows service referenced in the event. |
ServiceName | The service name of the Windows service referenced in the event. |
SourceURL | If available, the URL from which the process referenced in the event was downloaded. |
TokenAssignmentIsShell | Binary flag to indicate if the process was launched using the shell integration feature. |
TokenDescription | Description of the token applied by Endpoint Privilege Management |
TokenName | Name of the token applied by Endpoint Privilege Management |
TrustedApplicationName | Name of the trusted application that triggered the rule. |
TrustedApplicationVersion | Version of the trusted application that triggered the rule. |
UACTriggered | Flag to indicate if the process matched on a UACTriggered rule. |
UpgradeCode | Upgrade Code assigned to the process referenced in the event. |
UserSID | The Security Identifier (SID) of the user who started the process. |

No individual event returns values in all fields, so NULL values in task-specific columns are expected behavior.