Manage the Privilege Management Databases

Use Privilege Management for Windows Events to Build Queries

Privilege Management for Windows collects and stores a broad set of information about every executed application, which is stored in the McAfee ePO Database. This information may then be used in the McAfee ePO Queries and Reports console to create custom dashboard widgets.

Below is a table showing all event properties that are available, and a description of their purpose.

Property Description
Application Group The name of the Application Group for the matched application definition
Application Hash The SHA-1 Hash of the file executed
Application Type

The type of application:
APPX - Windows Store Application
BAT - Batch File
COM - COM Class
CONT - Content Control
CPL - Control Panel Applet
DLL - Dynamic Link Library
EXE - Executable
MSC - Management Console Snapin
MSI - Installer Package
OCX - ActiveX Control
PS1 - PowerShell Script
REG - Registry Settings
RPSS - Remote PowerShell Command
SVC - Service
UNIN - Uninstaller (EXE or MSI)
URL - URL
Xbin - macOS Binary
Xapp - macOS Bundle
Xpkg - macOS Package
Xsys - macOS System Preference
Xsud - macOS Sudo Control

Authorization Challenge If Challenge/Response Authorization is enabled, the challenge code presented to the user is collected. Otherwise this property remains blank.
Authorization Response If Challenge/Response Authorization is enabled, the valid shared key entered by the user is collected. Otherwise this property remains blank.
Authorizing Domain User If Run As Other User is enabled, the domain name of the authorizing user is collected.
Authorizing User SID If Run As Other User is enabled, the Secure Identifier (SID) of the authorizing user is collected.
Client IP Address If the user was logged on via a remote session to the computer where Privilege Management performed an action, the IPv4 Address of the remote computer is collected.
Client Name If the user was logged on via a remote session to the computer where Privilege Management for Windows performed an action, the name of the remote computer is collected.
COM Application ID The AppID of the COM elevated application.
COM Class ID The CLSID of the COM elevated application.
COM Display Name The common name of the COM elevated application.
Command Line The command line of the executed application.
Computer Name The name of the computer where Privilege Management for Windows performed an action.
File Name The full path of the file executed.
File Owner Domain User The name of the account which owns the executed application.
File Owner User SID The Secure Identifier (SID) of the account which owns the executed application.
File Version The file version of the executed application.
Group Description The description of the Application Group for the matched application definition.
Host SID The Secure Identifier (SID) of the computer where Privilege Management for Windows performed an action.
Is Shell Determines if the application was launched from an On Demand shell menu option. If blank, then a shell menu was not used.
Message Description The description for the End User Message displayed to the user.
Message Name The name of the End User Message displayed to the user.
Parent Process File Name The full path of the parent process that spawned the audited application.
Parent Process ID The Process Identifier (PID) of the parent process that spawned the audited application.
Parent Process Unique ID A GUID used to uniquely identify a Process relationships.
PG Event ID

Privilege Management for Windows Event Log Event ID.

Policy Description The description of the Privilege Management for Windows policy that matched the executed application.
Policy Name The name of the Privilege Management for Windows policy that matched the executed application.
Process ID The Process Identifier (PID) of the executed application.
Product Code The Product Code for an executed MSI, MSU or MSP package.
Product Description A friendly description for the executed application.
Product Name The Product Name of the executed application.
Product Version The product version of the executed application.
Reason If End User Reason was enabled for an End User Message, the reason entered by the user is collected. If blank, then End User Reason was disabled in the message.
Source URL If the application was downloaded, then the full URL of where the application was downloaded from is collected.
Start Time The time the process was started.
Stop Time This is a deprecated field and no longer used.
Token Description The description of the access token applied to the executed application.
Token Name The name of the access token applied to the executed application.
UAC Triggered Determines if the application triggered User Account Control (UAC). If blank, then UAC was not triggered.
Upgrade Code The Upgrade Code for an executed MSI, MSU, or MSP package.
User Name The name of the user who executed an application.
User SID The Secure Identifier (SID) of the user who executed an application.
Vendor The Display Name of the Publisher Certificate who signed the application.
Windows Store App Name The common name of the Windows Store Application.
Windows Store App Publisher The Display Name of the Publisher Certificate who signed the Windows Store Application.
Windows Store App Version The version number of the Windows Store Application.


In addition to the event properties relating to Privilege Management for Windows, there are also a number of threat event properties set as part of a for Windows event:

Property Description
Action Taken Friendly name used to identify the type of action performed by Privilege Guard:
Auto-Elevated
User-Elevated
Drop-Admin
Passive
Discovery
Default-Rights
Admin-Required
Custom-Token
Blocked
Event ID McAfee ePO standardized Privilege Guard Event ID.
Threat Name

Internal name used to identify the type of action performed by Privilege Management for Windows :
ADD_ADMIN
SHELL_ADD_ADIM
DROP_ADMIN
PASSIVE
DEFAULT_RIGHTS
APPLICATION_RIGHTS
CUSTOM
PROCESS_BLOCKED

For more information, please see Events in Privilege Management for Windows.