Analytics: Filters | EPM-WM Pathfinder

There are two types of filtering:

  • Default: The default filters are: Time period, Computer groups, Operating system, Application Type (on the Applications grid only).
  • Optional: There is an extensive selection of filters which can be selected and configured at time of viewing.

The dynamic filtering provides a search-as-you-type feature that helps you to quickly and easily narrow the scope of the data set displayed.

  • Type at least three characters in the dynamic filter box of an optional filter for an auto suggestion to populate.
  • You can then click on an auto suggested field to help you narrow the scope of the data set.

The search-as-you-type filtering is available for the following filter types:

  • App group name
  • App description
  • App Name
  • Application URI
  • Authorization URI
  • Auth request URI
  • Host Name
  • Host Domain
  • Message name
  • Publisher
  • User domain
  • User Name

The search-as-you-type feature is also available for these optional filters (only on the Applications grid):

  • COM Display Name
  • Service Display Name
  • Service Name
  • Store App Name

Default filters

| Name | Description |
| --- | --- |
| Time Period | From now back to a selected value. |
| Computer Groups | View All or selected Computer Groups. Admin users can see data for all groups. Standard users can see data only from groups for which they have the Analyze Group role. |
| Operating System | Windows or macOS. |
| Application Type | The type of application as defined in your policy. Displays options relevant to selected operating system. Default for Applications tab only (optional for Events tab). |

Filters on the Events page

Filters are grouped into the following categories:

  • Event: The action Endpoint Privilege Management took.
  • Application: Properties of the running application.
  • Policy: The Endpoint Privilege Management policy controlling the action.
  • User: The user running the event.
  • Computer: The machine the event is running on.

Windows

The filters listed here are optional.

| Name | Category | Description |
| --- | --- | --- |
| Admin Required | Application | Yes/No. Endpoint Privilege Management detected that the process or application required elevation. |
| App Description | Application | The Product Description property of the executable (for applicable event and application types). |
| App Name | Application | The Product Name property of the executable (for applicable event and application types). |
| Application Group Name | Policy | The name of the application group matched as defined in policy. |
| Application Type | Application | The type of application as defined in your policy. |
| Authorization Method | Process | The authorization type. Includes: AuthRequest, Challenge Response, Password, and Windows Hello. |
| Command Line | Application | The command line captured at execution time. |
| Elevation Method | Application | Filter by: Auto Elevated (EPM-W elevated it, based on standard application rules); On Demand (EPM-W elevated it, based on the user selecting Run as Administrator); Admin Account (OS elevated, Administrator credentials were used); Auto Authorized (EPM-M authorized it, based on standard application rules); Manually Authorized (OS authorized, Administrator credentials were used). |
| Event Action | Event | Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy. For Windows these actions are: Allowed, Elevated, Elevated - Custom Privileges, Blocked, Cancelled, Self-Elevated, Self-Elevated - Custom Privileges, Run As Alternate User. |
| Event Type | Event | The type of event that Endpoint Privilege Management has reported or controlled: Process, Process with file, COM Class, Service, ActiveX, DLL, Content, Challenge Response Failed, Privileged Account Modification Prevented User Logon, Agent Start, Agent Stop, Unlicensed. |
| Executable Path | Application | The path of the executable (the process started). |
| File Path | Application | The path of any file passed as an argument to a launching process. |
| Host Domain | Computer | Computer name on which the event took place. |
| Host Name | Computer | Computer domain on which the event took place. |
| JIT Admin Session | Session | Filters on events related to a JIT Admin session. |
| JIT Admin Ticket Number | Session | Filters on JIT ticket numbers. |
| Matched as Child Process | Policy | Refines your results to the most significant events for your use case. |
| Message Name | Policy | The message shown to the end user. |
| On Demand | Policy | Whether the rule applied was an Application Rule (ran normally) or an On-Demand Rule (ran via right-click and Run as Administrator). Yes: On-Demand Rule. No: Application Rule or N/A. |
| Parent Process File Name | Application | The name of the parent process. |
| Parent Process ID | Application | The ID of the parent process. |
| Policy Name | Policy | The name of the policy applied. |
| Process ID | Application | The ID of the running process. |
| Publisher | Application | The publisher of the executable. |
| Publisher Exists | Application | Include this filter to ensure applications have an associated publisher linked to them. |
| User Domain | Session | The domain name for the user where the event occurred. |
| User Email | Session | The email address for the user logging on to EPM. |
| User Identifier | Session | The ID for the user. |
| User Name | Session | User name |
| User Reason | Session | The reason provided by the user via the Endpoint Privilege Management message (if configured). |
| Workstyle Name | Policy | The name of the Workstyle applied to this event as defined in policy. |

macOS

The filters listed here are optional.

| Name | Category | Description |
| --- | --- | --- |
| App Description | Policy | The Product Description property of the executable (for applicable event and application types). |
| App Name | Application | The Product Name property of the executable (for applicable event and application types). |
| Application Group Name | Policy | The name of the application group matched as defined in policy. |
| Application Type | Application | The type of application as defined in your policy. |
| Application URI | Application | Refines your results to aid in making policy decisions for macOS events. Options include your organization's application URI properties. |
| Authorization Method | Process | The method used to authenticate: Auth request, Challenge/Response, Identity provider, password, or Smart Card. |
| Authorization Required | Process | Filters on whether authorization is required. |
| Authorization URI | Process | The URL for the event. |
| Command Line | Application | The command line captured at execution time. |
| Elevation Method | Application | The elevation type, such as admin account, auto-elevated, or manually authorized. |
| Event Action | Event | Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy. For macOS these actions are: Allowed, Allowed Deletable, Allowed Installable, Passive, Blocked, Cancelled. |
| Event Type | Event | The type of event that Endpoint Privilege Management has reported or controlled: Process, Process with file, COM Class, Service, ActiveX, DLL, Content, Challenge Response Failed, Privileged Account Modification Prevented User Logon, Agent Start, Agent Stop, Unlicensed. |
| Executable Path | Application | The path of the executable (the process started). |
| File Path | Application | The path of any file passed as an argument to a launching process. |
| Host Domain | Computer | Computer name on which the event took place. |
| Host Name | Computer | Computer domain on which the event took place. |
| JIT Admin Session | Session | Filters on events related to a JIT Admin session. |
| JIT Admin Ticket Number | Session | When using JIT, filter on ticket numbers. |
| Message Name | Policy | The message shown to the end user. |
| On Demand | Policy | Whether the rule applied was an Application Rule (ran normally) or an On-Demand Rule (ran via right-click and Run as Administrator). Yes: On-Demand Rule. No: Application Rule or N/A. |
| Parent Process File Name | Process | The name of the parent process. |
| Parent Process ID | Process | The ID of the parent process. |
| Policy Name | Policy | The name of the policy applied. |
| Policy Revision | Policy | The revision of the policy applied. |
| Publisher | Application | The publisher of the executable. |
| User Domain | Session | User domain |
| User Email | Session | The email address for the user logging on to EPM. |
| User Name | Session | User name |
| User Reason | Session | The reason provided by the user via the Endpoint Privilege Management message (if configured). |
| Workstyle Name | Policy | The name of the Workstyle applied to this event as defined in policy. |

Filters on the Applications page

Windows

The filters listed here are optional.

| Name | Category | Description |
| --- | --- | --- |
| Admin Required | Application | Endpoint Privilege Management detected that the process or application required elevation. Yes/No. |
| App Description | Application | The Product Description property of the executable (for applicable event and application types). |
| App Name | Application | The Product Name property of the executable (for applicable event and application types). |
| Application Group Name | Policy | The name of the application group matched as defined in policy. |
| Downloaded | Application | Was the file downloaded? (has the mark of the web) Yes/No. |
| Drive Type | Application | The type of drive an application or file was run or loaded from: Fixed Disk, CDROM Drive, Network Drive, USB Drive, RAM Drive, eSATA Drive, Unknown Drive. |
| Elevation Method | Application | How the application gained elevated rights. Possible values for Windows: Admin Account, On-Demand, Auto-Elevated, Not Elevated. |
| Event Action | Event | Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy. For Windows these actions are: Allowed, Elevated, Elevated - Custom Privileges, Blocked, Cancelled, Self-Elevated, Self-Elevated - Custom Privileges, Run As Alternate User. |
| Message Name | Policy | The message shown to the end user. |
| On Demand | Policy | Whether the rule applied was an Application Rule (ran normally) or an On Demand Rule (ran via right click and Run as Administrator). Yes: On Demand Rule. No: Application Rule or N/A. |
| Policy Name | Policy | The name of the policy applied. |
| Publisher | Application | The publisher of the executable. |
| Publisher Exists | Application | Include this filter to ensure applications have an associated publisher linked to them. |
| Workstyle Name | Policy | The name of the Workstyle applied to this event as defined in policy. |

macOS

The filters listed here are optional.

| Name | Category | Description |
| --- | --- | --- |
| App Description | Application | The Product Description property of the executable (for applicable event and application types). |
| App Name | Application | The Product Name property of the executable (for applicable event and application types). |
| Application Group Name | Policy | The name of the application group matched as defined in policy. |
| Authorization Required | Application | Endpoint Privilege Management detected that the process or application required authorization. macOS only. Yes/No. |
| Downloaded | Application | Was the file downloaded? (has the mark of the web) Yes/No. |
| Drive Type | Application | The type of drive an application or file was run or loaded from: Fixed Disk, CDROM Drive, Network Drive, USB Drive, RAM Drive, eSATA Drive, Unknown Drive. |
| Elevation Method | Application | How the application gained elevated rights. Possible values: Manually-Authorized, Auto-Authorized, Not Elevated. |
| Event Action | Event | Filter by the action that Endpoint Privilege Management took for a process, as instructed by your policy. For macOS these actions are: Allowed, Passive, Blocked, Cancelled. |
| Message Name | Policy | The message shown to the end user. |
| On Demand | Policy | Whether the rule applied was an Application Rule (ran normally) or an On Demand Rule (ran via right click and Run as Administrator). Yes: On Demand Rule. No: Application Rule or N/A. |
| Publisher | Application | The publisher of the executable. |
| Publisher Exists | Application | Include this filter to ensure applications have an associated publisher linked to them. |
| Workstyle Name | Policy | The name of the Workstyle applied to this event as defined in policy. |

Application type specific filters and columns

In the Applications grid there are some filters and columns specific to the selected application type. These are available automatically when you select the appropriate application type.

| Application Type | Name | Filter/Column/Both | Description |
| --- | --- | --- | --- |
| COM Class | COM Display Name | Both | The display name for the COM class object. |
| COM Class | CLSID | Column | The globally unique identifier that identifies a COM class object. |
| COM Class | App ID | Column | The globally unique identifier that represents a server process for one or more COM classes. |
| Management Console | File Path | Column | The path of the Management Console snap-in. |
| Windows Service | Service Display Name | Both | The Display Name of the Windows Service. |
| Windows Service | Service Name | Both | The underlying name of the Windows Service. |
| Windows Service | Service Action | Column | The action which Endpoint Privilege Management controlled for that service: Start, Stop, Pause, Configure. |
| Windows Store Application | Store App Name | Both | The Name property of the store app. |
| Binary | File Path | Column | The path of the macOS binary. |

For more information about the Elasticsearch events in EPM, see EPM Elastic events.

