
EPOLICY ORCHESTRATOR (ePO) USER GUIDE

Overview

EPM combines privilege management and application control technology in a single, lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business.

Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.

Define user roles

Before deploying EPM, prepare suitable Workstyles for your users. Implementing least privilege may require Workstyles to be tailored to users’ roles.

The table below shows three typical user roles, but we recommend that you create roles that are tailored to your environment.

Role | Requirement for Admin Rights
Standard Corporate User | Applications that require admin rights to function, and simple admin tasks
Laptop User | Flexibility to perform ad-hoc admin tasks and install software when away from the corporate network
Technical User | Complex applications and diagnostic tools, advanced admin tasks and software installations

EPM can cater to all types of users, including the most demanding technical users, such as system administrators and developers.

Educate your users on what they can expect from a least privilege experience, before transferring them to standard user accounts. This ensures that they report any problems they encounter during the process of moving to least privilege.

Note: Contact your solution provider or BeyondTrust to gain access to templates for more complex use case scenarios.

Implement least privilege

The first step is to identify the applications that require admin privileges for each of the roles you’ve defined. These can fall into one of three categories:

  1. Known Admin Applications: You already have a definitive list of applications that require admin rights to run.
  2. Unknown Admin Applications: You are not sure of the applications that require admin rights to run.
  3. Flexible Elevation: The user requires flexibility and can’t be restricted to a list of applications.

Known applications

For this category you should add the relevant applications to the Endpoint Privilege Management for Windows Application Groups for the users. This automatically elevates these applications when they are launched. You can then remove admin rights from these accounts.

Unknown applications

For this category you have two choices to help you discover the applications that require admin rights:

  • Set up Endpoint Privilege Management Workstyles to monitor privileged application behavior. The Endpoint Privilege Management for Windows audit logs highlight all of the applications that require admin rights to run.
  • Set up Endpoint Privilege Management Workstyles to give the user the on-demand elevation facility, and instruct the user to use this facility for any applications that fail to run once you have taken the user’s admin rights away. The Endpoint Privilege Management for Windows audit logs highlight all the applications that the user has launched with elevated rights.

You can use the audit logs to determine the relevant set of applications that you want to give admin rights to for these users.

Flexible elevation

For this category, you should set up Endpoint Privilege Management Workstyles that give the user an on-demand elevation facility, which allows the user to elevate any applications from a standard user account. All elevated applications can be audited, to discourage users from making inappropriate use of this facility.

About Trellix ePolicy Orchestrator

Trellix ePO software, the foundation of the Trellix Security Management solution, unifies management of endpoints, networks, data, and compliance solutions. More than 45,000 organizations use Trellix ePO software on nearly 60 million nodes to manage security, streamline and automate compliance processes, and increase overall visibility across security management activities. With its scalable architecture, fast time to deployment, and ability to support enterprise systems, Trellix ePO software is the most advanced security management software available.

Only Trellix ePO offers:

End-to-end visibility: Get a unified view of your security posture. Drillable, drag-and-drop dashboards provide security intelligence across endpoints, data, mobile, and networks for immediate insight and faster response times.

Simplified security operations: Streamline workflows for proven efficiencies. Independent studies show ePO software helps organizations of every size streamline administrative tasks, ease audit fatigue, and reduce security management-related hardware costs.

An open, extensible architecture: Leverage your existing IT infrastructure. Trellix ePO software connects management of both Trellix and third-party security solutions to your LDAP, IT operations, and configuration management tools. LDAP Servers can be made available via the built-in registered servers in ePO.

Note: For more information, see Trellix ePolicy Orchestrator.

Endpoint Privilege Management and Trellix

Endpoint Privilege Management is implemented as a server extension to Trellix ePolicy Orchestrator, enabling Workstyles to be managed through the ePO Policy Catalog. Granular auditing and reporting of Endpoint Privilege Management activity is available using ePO integrated dashboards and query editor, as well as the reporting module.

The BeyondTrust Endpoint Privilege Management Reporting module uses the Endpoint Privilege Management Reporting database to store Endpoint Privilege Management audit data for reporting.

Endpoint Privilege Management is deployed to endpoints as a client task through the ePO System Tree.

If you do not want to use Trellix ePO for deployment of the client package, the Endpoint Privilege Management client is available as a standalone MSI (Windows only) or executable package, which can be deployed using any suitable third-party deployment solution.

Endpoint Privilege Management policies are deployed to endpoints through ePO Policy Assignments, which are automatically applied by the Endpoint Privilege Management client.

Note: If you do not want to use Trellix ePO for deployment of Workstyles, then you may import or export Workstyles as an XML file, and use any suitable deployment solution to deploy the XML file to a set location on each client computer.

BeyondTrust Endpoint Privilege Management app

Starting in version 23.10, we are updating and enhancing the policy editing and reporting experience for our Endpoint Privilege Management for Windows and Mac solution deployed via Trellix ePolicy Orchestrator (ePO).

This new experience will mean policy editing and reporting will happen outside of the ePO extension and will instead be delivered via a new Electron-based application called the BeyondTrust Endpoint Privilege Management App, published by BeyondTrust.

Note: For more information, see:

  • BeyondTrust Endpoint Privilege Management App User Guide
  • BeyondTrust Endpoint Privilege Management App Frequently Asked Questions

Install, uninstall, and upgrade EPM

For more information, see the ePolicy Orchestrator Installation Guide.

Frequently asked questions

Can I install the 32-bit client on a 64-bit endpoint?

No. The 32-bit client can only be installed on 32-bit endpoints.

What distribution mechanisms do you support?

ePO is one of many options for deploying the Endpoint Privilege Management for Windows client. It can also be deployed using any third-party software that supports the deployment of MSI and/or executable files, such as Microsoft Active Directory and Microsoft SMS / SCCM.

If you use alternative third-party deployment software to install the Endpoint Privilege Management for Windows client, it must support command line options, and it must pass the EPOMODE = true flag so that the client is installed in ePO mode and can interface with the Trellix agent to receive policies and send audit events.

Deploy EPM policy

Certain types of deployment methods may be enabled or disabled. By default, all deployment types are enabled. To include or exclude a method of deployment from evaluation, edit the entries in the registry value below. If this key does not already exist, then the default behavior is to include all methods:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client

REG_SZ PolicyEnabled = "EPO,WEBSERVER,GPO,LOCAL"

Where EPO,WEBSERVER,GPO,LOCAL are the available deployment methods.

Registry settings may be deployed using Advanced Agent Settings. To apply a configuration deployment method, the setting must be applied to a type of configuration that is already part of the configuration precedence order.

Policy management

Starting in version 23.10, EPM policy in ePO is managed using the BeyondTrust Endpoint Privilege Management App.

Using the Policy Editor, you can:

  • Use QuickStart templates to create a policy with predefined configuration
  • Create application rules and on-demand application rules
  • Create QuickStart templates

Note: For more information about the app, see BeyondTrust Endpoint Privilege Management App.

Audits and reports

The Endpoint Privilege Management Trellix ePO Integration Pack includes a set of rich preconfigured dashboards, built in ePO Queries and Reports, which summarize Endpoint Privilege Management event data collected from Trellix ePO managed computers.

We also provide an enterprise level, scalable reporting solution in Endpoint Privilege Management Reporting, which includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Endpoint Privilege Management activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host, and Workstyle usage.

Dashboards

The Trellix ePO integration includes the following dashboards.

To access the dashboards, click on the Dashboards icon and then select one of the Endpoint Privilege Management for Windows dashboards from the Dashboard dropdown menu. The dashboards show Windows and macOS events.

Note: To add, remove, or amend any of the default monitors for any of the dashboards below, you can do so in Trellix ePO Queries and Reports. We recommend that only advanced Trellix ePO administrators do this. Refer to Trellix ePO documentation for details on managing dashboards, queries, and reports.

BeyondTrust Endpoint Privilege Management: blocked

The BeyondTrust Endpoint Privilege Management: Blocked dashboard contains all events raised by Endpoint Privilege Management for Windows relating to applications that were blocked by Endpoint Privilege Management for Windows policy.

The BeyondTrust Endpoint Privilege Management: Blocked dashboard includes the following monitors:

  • BeyondTrust Endpoint Privilege Management: Top 10 Blocked Apps
  • BeyondTrust Endpoint Privilege Management: Top 10 Blocked by Publisher
  • BeyondTrust Endpoint Privilege Management: Blocked over Last 7 Days

Each chart element in the monitors can be hovered over to display a count of how many blocked applications make up that element. To view the details of blocked applications for a particular element, click on the element to drill down.

BeyondTrust Endpoint Privilege Management: elevated

The BeyondTrust Endpoint Privilege Management: Elevated dashboard contains all events raised by Endpoint Privilege Management for Windows relating to applications that were elevated by Endpoint Privilege Management for Windows policy. These events include:

  • Auto-Elevated: Applications elevated by Application Privileges policy
  • User-Elevated: Applications elevated by On-Demand shell elevation policy

The BeyondTrust Endpoint Privilege Management: Elevated dashboard includes the following monitors:

  • BeyondTrust Endpoint Privilege Management: Top 10 Elevated Apps
  • BeyondTrust Endpoint Privilege Management: Top 10 Elevated by Publisher
  • BeyondTrust Endpoint Privilege Management: Elevated over Last 7 Days

Each chart element in the monitors can be hovered over to display a count of how many elevated applications make up that element. To view the details of elevated applications for a particular element, click on the element to drill down.

Endpoint Privilege Management: executed

The BeyondTrust Endpoint Privilege Management: Executed dashboard contains all events raised by Endpoint Privilege Management for Windows relating to applications that were allowed to execute under Endpoint Privilege Management for Windows control. These events include:

  • Auto-Elevated: Applications elevated by Application Privileges policy.
  • User-Elevated: Applications elevated by On-Demand shell elevation policy.
  • Passive: Applications granted a passive access token.
  • Drop-Admin: Applications which have had admin rights removed.
  • Default-Rights: Applications which have had standard user rights enforced.
  • Custom-Token: Applications granted a custom created access token.
  • Admin-required: Applications which require admin rights to run (Privilege Monitoring).

The BeyondTrust Endpoint Privilege Management: Executed dashboard includes the following monitors:

  • BeyondTrust Endpoint Privilege Management: Top 10 Executed Apps
  • BeyondTrust Endpoint Privilege Management: Top 10 Executed by Publisher
  • BeyondTrust Endpoint Privilege Management: Executed over Last 7 Days

Each chart element in the monitors can be hovered over to display a count of how many executed applications make up that element. To view the details of executed applications for a particular element, click on the element to drill down.

BeyondTrust Endpoint Privilege Management: monitoring

The BeyondTrust Endpoint Privilege Management: Monitoring dashboard contains all events raised by Endpoint Privilege Management for Windows relating to applications that Endpoint Privilege Management for Windows detected as requiring elevated rights to run.

The BeyondTrust Endpoint Privilege Management: Monitoring dashboard includes the following monitors:

  • BeyondTrust Endpoint Privilege Management: Top 10 Apps Requiring Elevated Rights
  • BeyondTrust Endpoint Privilege Management: Top 10 Requiring Elevated Rights by Publisher
  • BeyondTrust Endpoint Privilege Management: Elevated Rights over Last 7 Days

Each chart element in the monitors can be hovered over to display a count of how many monitored applications make up that element. To view the details of monitored applications for a particular element, click on the element to drill down.

Events

Endpoint Privilege Management sends events to ePO using the Trellix Agent, and also to the local application event log, depending on the audit and privilege monitoring settings within the Endpoint Privilege Management policy.

The following events are logged by Endpoint Privilege Management.

Windows process events

ePO ID (Event ID) | Description
202299 (1) | Service Error - unlicensed or invalid license code.
202250 (100) | Process has started with admin rights added to token.
202251 (101) | Process has been started from the shell context menu with admin rights added to token.
202253 (103) | Process has started with admin rights dropped from token.
202254 (104) | Process has been started from the shell context menu with admin rights dropped from token.
202256 (106) | Process has started with no change to the access token (passive mode).
202257 (107) | Process has been started from the shell context menu with no change to the access token (passive mode).
202259 (109) | Process has started with user's default rights enforced.
202260 (110) | Process has started from the shell context menu with user's default rights enforced.
202262 (112) | Process requires elevated rights to run.
202263 (113) | Process has started with Custom Token applied.
202264 (114) | Process has started from the shell context menu with user's Custom Token applied.
202266 (116) | Process execution was blocked.
202268 (118) | Process started in the context of the authorizing user.
202269 (119) | Process started from the shell menu in the context of the authorizing user.
202270 (120) | Process execution was canceled by the user.
202275 (150) | Endpoint Privilege Management handled service control start action.
202276 (151) | Endpoint Privilege Management handled service control stop action.
202277 (152) | Endpoint Privilege Management handled service control pause/resume action.
202278 (153) | Endpoint Privilege Management handled service control configuration action.
202279 (154) | Endpoint Privilege Management blocked a service control start action.
202280 (155) | Endpoint Privilege Management blocked a service control stop action.
202281 (156) | Endpoint Privilege Management blocked a service control pause/resume action.
202282 (157) | Endpoint Privilege Management blocked a service control configuration action.
202283 (158) | Endpoint Privilege Management service control action run in the context of the authorizing user.
202284 (159) | Endpoint Privilege Management service control start action canceled.
202285 (160) | Endpoint Privilege Management service control stop action canceled.
202286 (161) | Endpoint Privilege Management service control pause/resume action canceled.
202287 (162) | Endpoint Privilege Management service control configuration action canceled.
202297 (199) | Windows only - Process execution was blocked, the maximum number of challenge / response failures was exceeded.

Configuration events (event IDs 200 - 299 are not sent to ePO dashboards)

Event ID | Category | Description
(200) | Config | Config Load Success
(201) | Config | Config Load Warning
(202) | Config | Config Load Error
(210) | Config | Config Download Success
(211) | Config | Config Download Error

User / computer events (not sent to ePO dashboards)

Event ID | Category | Description
(300) | User | User Logon
(400) | Service | Endpoint Privilege Management Service Start
(401) | Service | Endpoint Privilege Management Service Stop

Content events

ePO ID (Event ID) | Category | Description
203050 (600) | Process | Content Has Been Opened (Updated Add Admin)
203050 (601) | Process | Content Has Been Updated (Updated Custom)
203050 (602) | Process | Content Access Drop Admin (Updated Drop Admin)
203050 (603) | Process | Content Access Was Canceled By The User (Updated Passive)
203050 (604) | Process | Content Access Was Enforced With Default Rights (Updated Default)
203050 (605) | Process | Content Access Was Blocked
203050 (606) | Process | Content Access Was Canceled
203050 (607) | Process | Content Access Was Sandboxed
203050 (650) | Process | URL Browse
203050 (706) | Process | Passive Audit DLL
203050 (716) | Process | Block DLL
203050 (720) | Process | Cancel DLL Audit

Mac process events

ePO ID (Event ID) | Description
202250 (100) | Process has started with admin rights added to token.
202256 (106) | Process has started with no change to the access token (passive mode).
202266 (116) | Process execution was blocked.
202270 (120) | Process execution was canceled by the user.
203051 (130) | A bundle was installed.
203052 (131) | A bundle was deleted.

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)

Note: Each process event also contains product properties, where applicable, but these can only be viewed in the Endpoint Privilege Management Reporting Console.
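The triage a defender typically runs over these events, added here as an example (not BeyondTrust code): it assumes the events have been exported into flat records carrying the Windows Event ID and the per-event fields listed above, and uses constructed sample records. The event IDs come from the table above and the Action Taken names from the dashboards; treating event 199 as Blocked is an assumption the guide does not state.

```python
"""Triage of Endpoint Privilege Management process events.

Added example, not BeyondTrust code. It assumes the events have been
exported (from the ePO database or the Application event log) into flat
records that carry the Windows Event ID plus the per-event fields listed
in this guide: user, executed file, file hash, command line and parent
process. The sample records below are constructed for the example.
"""
from collections import Counter, defaultdict

# Windows process event IDs from the events table, mapped to the Action
# Taken names the dashboards use. The shell-context-menu variant (101) is
# treated as User-Elevated as the Elevated dashboard describes; the guide
# gives no Action Taken for 120 (canceled) or 199, so 199 is assumed to
# count as Blocked here and 120 is left unmapped.
ACTION_TAKEN = {
    100: "Auto-Elevated", 101: "User-Elevated",
    103: "Drop-Admin", 104: "Drop-Admin",
    106: "Passive", 107: "Passive",
    109: "Default-Rights", 110: "Default-Rights",
    112: "Admin-Required",
    113: "Custom-Token", 114: "Custom-Token",
    116: "Blocked", 199: "Blocked",
}
ADMIN_REQUIRED = {112}     # privilege monitoring: the app needed admin rights
BLOCKED = {116}            # policy blocked the execution
CHALLENGE_LOCKOUT = {199}  # blocked after too many challenge/response failures

# Constructed sample events; hashes are shortened placeholders, not real SHA-1s.
SAMPLE_EVENTS = [
    {"event_id": 112, "user": "CORP\\alice", "file": r"C:\Tools\diag\netmon.exe",
     "hash": "a1", "cmdline": "netmon.exe /scan", "parent": "explorer.exe"},
    {"event_id": 112, "user": "CORP\\bob", "file": r"C:\Tools\diag\netmon.exe",
     "hash": "a1", "cmdline": "netmon.exe", "parent": "explorer.exe"},
    {"event_id": 112, "user": "CORP\\alice", "file": r"C:\Program Files\Vendor\legacy.exe",
     "hash": "b2", "cmdline": "legacy.exe", "parent": "explorer.exe"},
    {"event_id": 116, "user": "CORP\\carol", "file": r"C:\Users\carol\Downloads\setup.exe",
     "hash": "c3", "cmdline": "setup.exe /S", "parent": "chrome.exe"},
    {"event_id": 116, "user": "CORP\\dave", "file": r"C:\Users\dave\Downloads\setup.exe",
     "hash": "c3", "cmdline": "setup.exe", "parent": "explorer.exe"},
    {"event_id": 116, "user": "CORP\\carol", "file": r"C:\Users\carol\AppData\Local\Temp\tool.exe",
     "hash": "d4", "cmdline": "tool.exe", "parent": "cmd.exe"},
    {"event_id": 100, "user": "CORP\\alice", "file": r"C:\Windows\System32\mmc.exe",
     "hash": "e5", "cmdline": "mmc.exe services.msc", "parent": "explorer.exe"},
    {"event_id": 199, "user": "CORP\\dave", "file": r"C:\Users\dave\Downloads\setup.exe",
     "hash": "c3", "cmdline": "setup.exe", "parent": "explorer.exe"},
]


def action_taken(event_id):
    """Action Taken name for a Windows process event ID, or None if the
    guide assigns none (for example 120, canceled by the user)."""
    return ACTION_TAKEN.get(event_id)


def candidate_known_applications(events):
    """Distinct applications seen in Admin-Required (112) events, i.e. what
    privilege monitoring found needs admin rights. Returns (file, hash,
    number of distinct users), most widely used first, which is the input
    for turning 'unknown applications' into an Application Group."""
    users_by_app = defaultdict(set)
    for ev in events:
        if ev["event_id"] in ADMIN_REQUIRED:
            users_by_app[(ev["file"], ev["hash"])].add(ev["user"])
    ranked = sorted(users_by_app.items(), key=lambda kv: (-len(kv[1]), kv[0][0]))
    return [(file, h, len(users)) for (file, h), users in ranked]


def top_blocked(events, n=10):
    """Same aggregation as the Top 10 Blocked Apps monitor, but keyed on the
    file hash so one binary blocked under several paths (per-user Downloads
    folders, renamed copies) is counted once. Returns (hash, first path
    seen, count)."""
    counts = Counter()
    first_path = {}
    for ev in events:
        if ev["event_id"] in BLOCKED:
            counts[ev["hash"]] += 1
            first_path.setdefault(ev["hash"], ev["file"])
    return [(h, first_path[h], c) for h, c in counts.most_common(n)]


def challenge_lockouts(events):
    """Event 199: a user hit the challenge/response failure limit. Each one
    should be reviewed, since it is either a user who needs help or
    repeated wrong responses to a challenge."""
    return [(ev["user"], ev["file"]) for ev in events
            if ev["event_id"] in CHALLENGE_LOCKOUT]


if __name__ == "__main__":
    for file, h, users in candidate_known_applications(SAMPLE_EVENTS):
        print(f"needs admin rights: {file} (hash {h}), {users} user(s)")
    for h, file, count in top_blocked(SAMPLE_EVENTS):
        print(f"blocked {count}x: {file} (hash {h})")
    for user, file in challenge_lockouts(SAMPLE_EVENTS):
        print(f"challenge/response limit exceeded: {user} launching {file}")
```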

Custom script auditing

When an application is allowed, elevated, or blocked, Endpoint Privilege Management logs an event to the Application Event Log to record details of the action. If you want to record the action in a bespoke or third-party tracking system that supports PowerShell, VBScript, or JScript based submissions, you can use the Run a Script setting within an Application Rule.

To add an existing auditing script to an Application Rule:

  1. Create a new or edit an existing Application Rule within a Workstyle.
  2. In Run a Script, click on the dropdown menu, and select your custom script. If you can't change this value, you need to create a custom script first.
  3. Click OK to save the Application Rule.

Note: If you have any existing scripts, you can select them in the dropdown menu.

The auditing script supports the use of parameters within the script. Parameters are expanded using the COM interface PGScript:

' Values are supplied at run time by Endpoint Privilege Management through the PGScript COM interface;
' each parameter name is passed in square brackets (VBScript syntax shown).
strUserName = PGScript.GetParameter("[PG_USER_NAME]")         ' user who launched the application
strCommandLine = PGScript.GetParameter("[PG_PROG_CMD_LINE]")  ' command line of the application
strAgentVersion = PGScript.GetParameter("[PG_AGENT_VERSION]") ' version of the Endpoint Privilege Management client

Note: Scripts created in the script editor can be reused in multiple Application Rules and On-Demand Application Rules. Any modification to an existing script affects all Workstyle rules that have been configured to execute that script.

Set up ePO server tasks

There are two BeyondTrust ePO server tasks that you can set up for Endpoint Privilege Management Reporting:

Create the reporting event staging server task

The Reporting Event Staging server task takes report events from the ePO database and inserts them into the BeyondTrust Endpoint Privilege Management Reporting database. You need to create this task to view BeyondTrust reports.

  1. Navigate to Menu > Automation > Server Tasks and select New Task.

  2. Enter an appropriate name (BeyondTrust Event Staging, for example), leave the Schedule status as Enabled, and click Next.

  3. Select BeyondTrust Endpoint Privilege Management Reporting Event Staging from the Actions dropdown menu and click Next.

  4. Adjust the times to check for events to suit your environment and click Next.

    • Time in minutes to check for staging events: The recommended value is 55 minutes.
    • Number of events to transfer for each transaction (batch size): The default value is 1. Only increase the value if there is a lag in performance throughput between ePO and Endpoint Privilege Management Reporting.
    • Time in seconds to sleep when there are no events: The recommended value is 60 seconds.
    • Time in milliseconds to pause between reading each event: The default and recommended value is 0.
    • Time in minutes between polling the queue lengths: The recommended value is 5 minutes.
    • Verbose logging: By default, verbose logging is turned off. Only use verbose logging when you need more details about the events being collected.
  5. On the Schedule page, set the Schedule type to your preference.

  6. Select the Start date and End date if required. By default, No end date is selected.

  7. Adjust the time that you want the schedule to run. This is the time of the machine running the ePO server. Click Next. You are presented with a summary of the server task.

  8. Select Save to finish creating the server task.

Create the enterprise reporting purge server task

To manage the size of your database, create a server task to purge events older than a defined period.

  1. Navigate to Menu > Automation > Server Tasks and select New Task.

  2. Enter an appropriate name (BeyondTrust Purge, for example), leave Schedule status as Enabled, and click Next.

  3. Select BeyondTrust Endpoint Privilege Management Reporting Purge from the Actions dropdown menu.

  4. Choose the number of months to purge events older than.

  5. On the Schedule page set the Schedule type to your preference.

  6. Select the Start date and End date, if required. By default, No end date is selected.

  7. Adjust the time that you want the schedule to run. This is the time of the machine running the ePO server. Click Next. You are presented with a summary of the server task.

  8. Click Save.

There is an additional server task that you can create if you have a business need to purge the events from the BeyondTrust table in the ePO database only.

We recommend you use the built-in ePO server task called Purge Rolled up Data rather than this server task. This will remove all the events from the BeyondTrust table in the ePO database and the Reporting database.

Manage databases

Use EPM events to build queries

Endpoint Privilege Management collects and stores a broad set of information about every executed application, which is stored in the Trellix ePO Database. This information can be used in the Trellix ePO Queries and Reports console to create custom dashboard widgets.

Event properties
Property | Description
Application Group | The name of the Application Group for the matched application definition.
Application Hash | The SHA-1 hash of the file executed.
Application Type | The type of application: APPX (Windows Store Application), BAT (Batch File), COM (COM Class), CONT (Content Control), CPL (Control Panel Applet), DLL (Dynamic Link Library), EXE (Executable), MSC (Management Console Snapin), MSI (Installer Package), OCX (ActiveX Control), PS1 (PowerShell Script), REG (Registry Settings), RPSS (Remote PowerShell Command), SVC (Service), UNIN (Uninstaller, EXE or MSI), URL (URL), Xbin (macOS Binary), Xapp (macOS Bundle), Xpkg (macOS Package), Xsys (macOS System Preference), Xsud (macOS Sudo Control).
Authorization Challenge | If Challenge/Response Authorization is enabled, the challenge code presented to the user is collected. Otherwise this property remains blank.
Authorization Response | If Challenge/Response Authorization is enabled, the valid shared key entered by the user is collected. Otherwise this property remains blank.
Authorizing Domain User | If Run As Other User is enabled, the domain name of the authorizing user is collected.
Authorizing User SID | If Run As Other User is enabled, the Secure Identifier (SID) of the authorizing user is collected.
Client IP Address | If the user was logged on via a remote session to the computer where Endpoint Privilege Management performed an action, the IPv4 address of the remote computer is collected.
Client Name | If the user was logged on via a remote session to the computer where Endpoint Privilege Management performed an action, the name of the remote computer is collected.
COM Application ID | The AppID of the COM elevated application.
COM Class ID | The CLSID of the COM elevated application.
COM Display Name | The common name of the COM elevated application.
Command Line | The command line of the executed application.
Computer Name | The name of the computer where Endpoint Privilege Management for Windows performed an action.
File Name | The full path of the file executed.
File Owner Domain User | The name of the account which owns the executed application.
File Owner User SID | The Secure Identifier (SID) of the account which owns the executed application.
File Version | The file version of the executed application.
Group Description | The description of the Application Group for the matched application definition.
Host SID | The Secure Identifier (SID) of the computer where Endpoint Privilege Management performed an action.
Is Shell | Determines if the application was launched from an On Demand shell menu option. If blank, then a shell menu was not used.
Message Description | The description for the End User Message displayed to the user.
Message Name | The name of the End User Message displayed to the user.
Parent Process File Name | The full path of the parent process that spawned the audited application.
Parent Process ID | The Process Identifier (PID) of the parent process that spawned the audited application.
Parent Process Unique ID | A GUID used to uniquely identify process relationships.
PG Event ID | Endpoint Privilege Management Event Log Event ID.
Policy Description | The description of the policy that matched the executed application.
Policy Name | The name of the policy that matched the executed application.
Process ID | The Process Identifier (PID) of the executed application.
Product Code | The Product Code for an executed MSI, MSU, or MSP package.
Product Description | A friendly description for the executed application.
Product Name | The Product Name of the executed application.
Product Version | The product version of the executed application.
Reason | If End User Reason was enabled for an End User Message, the reason entered by the user is collected. If blank, then End User Reason was disabled in the message.
Source URL | If the application was downloaded, then the full URL of where the application was downloaded from is collected.
Start Time | The time the process was started.
Stop Time | This is a deprecated field and no longer used.
Token Description | The description of the access token applied to the executed application.
Token Name | The name of the access token applied to the executed application.
UAC Triggered | Determines if the application triggered User Account Control (UAC). If blank, then UAC was not triggered.
Upgrade Code | The Upgrade Code for an executed MSI, MSU, or MSP package.
User Name | The name of the user who executed an application.
User SID | The Secure Identifier (SID) of the user who executed an application.
Vendor | The Display Name of the Publisher Certificate that signed the application.
Windows Store App Name | The common name of the Windows Store Application.
Windows Store App Publisher | The Display Name of the Publisher Certificate that signed the Windows Store Application.
Windows Store App Version | The version number of the Windows Store Application.

There are also a number of threat event properties set as part of an Endpoint Privilege Management event:

Property | Description
Action Taken | Friendly name used to identify the type of action performed by Privilege Guard: Auto-Elevated, User-Elevated, Drop-Admin, Passive, Discovery, Default-Rights, Admin-Required, Custom-Token, Blocked.
Event ID | Trellix ePO standardized Privilege Guard Event ID.
Threat Name | Internal name used to identify the type of action performed by Endpoint Privilege Management: ADD_ADMIN, SHELL_ADD_ADIM, DROP_ADMIN, PASSIVE, DEFAULT_RIGHTS, APPLICATION_RIGHTS, CUSTOM, PROCESS_BLOCKED.

Database sizing and resource consumption

Data retention

The Audit Event and Microsoft SQL Server Reporting Services databases used to support BeyondTrust Endpoint Privilege Management Reporting may be hosted and scaled independently.

It's important to identify the length of time that Endpoint Privilege Management audit event data must be retained, as it drives resource utilization projections and initial allocation.

Endpoint Privilege Management Reporting is designed to report on activity in recent time, not as a long term archival data storage solution.

  • BeyondTrust provides a database purge utility that may be used to purge data manually, or automatically on a configured period to ensure database growth is capped.
  • Unlimited database growth inevitably reduces query execution performance, and increases resource utilization for queries.

Note: Prior to purging large sets of data, please ensure your SQL Transaction logs are able to grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.

To facilitate your decision making regarding retention time in the Endpoint Privilege Management database, please refer to the following sections in our standard documentation:

  • Description of the views of data exposed in Endpoint Privilege Management Reporting. 
  • Description of the events audited by Endpoint Privilege Management in the Endpoint Privilege Management for Windows Administration Guide.
  • Description of the Workstyle parameters. You may consider these as the fields that are collected in the audit events, eventually stored in the Endpoint Privilege Management Audit Events database.

Database sizes

The Audit Event database must be sized to accommodate substantial data volume, matching the number of clients generating audit data and the desired retention period.

Database storage requirements may be estimated roughly using the following calculation:

Number of hosts × Number of events per host per day × 5 KB per event × Number of retention days

Example

An organization of 10,000 hosts, with each host generating an average of 15 events per day, requiring a 30 day retention would require a database capacity of:

10,000 × 15 × 5 × 30 = 22,500,000 KB, or 21.5 GB

A typical event volume is 10-20 events per host per day and varies based on auditing configuration, user job function (role/Workstyle), and user activity patterns.

Database resource utilization (CPU, memory) is highly variable depending on the hardware platform.

Example use case volumes

Example

Based on an organization of 10,000 hosts requiring a 42 day (six weeks) retention:

  • Discovery: between 40 and 60 events per machine per day, at 4.6K per event (based on real world data). Average total: 67.06GB.
  • Production: between 2 and 10 events per machine per day, at 4.6K per event (based on real world data). Average total: 5.66GB.

ℹ️

Note

If the number of events "per machine per day" is raised to 15, then the average total increases to 16.99GB
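The rough sizing formula above, written as a small calculator so the numbers can be re-run for other fleets and retention periods. This is an added example, not code from the BeyondTrust guide; the function names are this example's own. It reproduces the worked 10,000-host example (22,500,000 KB, 21.5 GB using 1024-based units) and also evaluates a band of events per host per day, as in the discovery and production use cases. The band figures it prints are what the formula gives at 4.6K per event; they are not the measured "Average total" values quoted above, which come from real-world data rather than from this formula.

```python
# Added example: the guide's rough Audit Event database sizing formula as a function.
# Not part of the BeyondTrust product or its documentation; names are this example's own.

KB_PER_EVENT_GUIDE = 5        # rough per-event size used by the guide's formula (KB)
KB_PER_EVENT_MEASURED = 4.6   # per-event size quoted in the guide's real-world use cases (KB)


def estimate_db_kb(hosts, events_per_host_per_day, retention_days,
                   kb_per_event=KB_PER_EVENT_GUIDE):
    """Audit Event database capacity in KB:
    hosts x events per host per day x KB per event x retention days."""
    if min(hosts, events_per_host_per_day, retention_days, kb_per_event) <= 0:
        raise ValueError("all sizing inputs must be positive")
    return hosts * events_per_host_per_day * kb_per_event * retention_days


def kb_to_gb(kb):
    """KB to GB using 1024-based units; the guide's 22,500,000 KB becomes 21.5 GB."""
    return kb / 1024 / 1024


def estimate_range_gb(hosts, min_events, max_events, retention_days,
                      kb_per_event=KB_PER_EVENT_GUIDE):
    """Low and high estimate in GB for a band of events per host per day,
    e.g. the 40-60 'discovery' band or the 2-10 'production' band."""
    if min_events > max_events:
        raise ValueError("min_events must not exceed max_events")
    low = estimate_db_kb(hosts, min_events, retention_days, kb_per_event)
    high = estimate_db_kb(hosts, max_events, retention_days, kb_per_event)
    return round(kb_to_gb(low), 2), round(kb_to_gb(high), 2)


if __name__ == "__main__":
    # The guide's worked example: 10,000 hosts, 15 events/day, 5 KB/event, 30 days
    kb = estimate_db_kb(10_000, 15, 30)
    print(f"10,000 x 15 x 5 x 30 = {kb:,} KB ({kb_to_gb(kb):.1f} GB)")
    # The same formula applied to the 42-day use-case bands at the measured 4.6 KB/event
    print("Discovery band  (40-60/day, 42 days):",
          estimate_range_gb(10_000, 40, 60, 42, KB_PER_EVENT_MEASURED))
    print("Production band (2-10/day, 42 days): ",
          estimate_range_gb(10_000, 2, 10, 42, KB_PER_EVENT_MEASURED))
```

Treat the result as a starting allocation only: the guide notes that event volume depends on auditing configuration, Workstyle and user behaviour, so re-measure the real per-day event count after the first weeks of discovery and re-run the calculation before fixing the retention period.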

Key considerations

Volume of inbound audit event records

As shown above, the volume of inbound audit events can be estimated with simple calculations.

Queries triggered from MSFT SQL reporting services reports

As the database grows in size, the resource impact of the reporting platform queries becomes important.

The volume of data maintained in the audit event database affects the duration and resource cost of these queries.

To maintain good performance, we recommend using the Reporting Purge Utility to limit the timespan of audit event data retained in the database.

More finely grained audit data management and cleanup is possible using the Reporting Database Administration Dashboard. Using the dashboard, purge audits related to specific applications and suppress incoming items related to those applications.

Prior to purging large sets of data, please ensure your SQL Transaction logs can grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.

ePO Endpoint Privilege Management database events

| Table Column Name | Description |
|---|---|
| AppGroupDescription | Description of the Endpoint Privilege Management Application Group that matched the process referenced in the event. |
| AppGroupName | Name of the Endpoint Privilege Management Application Group that matched the process referenced in the event. |
| ApplicationHash | The SHA-1 hash of the process referenced in the event. |
| ApplicationType | File extension of the process referenced in the event. |
| ApplicationPolicyDescription | Description of the Application Rule which matched the process referenced in the event. |
| ApplicationPolicyId | Unique identifier of the Application Rule which matched the process referenced in the event. |
| AppxName | Name of the Windows Store application referenced in the event. |
| AppxPublisher | Digital signature of the Windows Store application referenced in the event. |
| AppxVersion | Vendor-assigned version number of the Windows Store application referenced in the event. |
| AuthorizationChallenge | If available, the 8 digit challenge code presented to the user. |
| AuthorizingDomainUser | The name of the user that satisfied the Designated User requirement of the event. |
| AuthorizingUserSID | The Security Identifier (SID) of the user that satisfied the Designated User requirement of the event. |
| AutoID | Unique reference assigned to the event entry in the table. |
| ClientName | Name of the endpoint which connected using a remote session. |
| ClientIPV4 | IPv4 address of the client which connected using a remote session. |
| CommandLine | The command line of the process referenced in the event. |
| COMAppID | The unique identifier of the application associated with the COM CLSID. |
| COMCLSID | The unique identifier of the COM class object referenced in the event. |
| COMDisplayName | The name of the COM class object referenced in the event. |
| DomainUser | The username of the user session which started the process. |
| DriveType | The type of drive from which the process was executed. |
| EventID | The Endpoint Privilege Management ID for the event type. |
| FileName | File name of the process referenced in the event. |
| FileOwnerDomainUser | The name of the user that is the NTFS owner of the process referenced in the event. |
| FileOwnerUserSID | The Security Identifier (SID) of the user that is the NTFS owner of the process referenced in the event. |
| FileVersion | File version of the process referenced in the event. |
| HostName | The name of the host upon which the process referenced in the event executed. |
| HostID | The Security Identifier (SID) of the host upon which the process referenced in the event executed. |
| MessageDescription | Description of the Endpoint Privilege Management message that matched the process referenced in the event. |
| MessageName | Name of the Endpoint Privilege Management message that matched the process referenced in the event. |
| ParentID | Unique ID assigned by Windows to the parent process of the process referenced in the event. |
| ParentProcessFileName | Name of the parent process of the process referenced in the event. |
| ParentProcessGUID | Unique reference assigned by Endpoint Privilege Management to the parent process of the process referenced in the event. |
| PID | Unique ID assigned by Windows to the process referenced in the event. |
| PolicyDescription | Description of the Endpoint Privilege Management policy that matched the process referenced in the event. |
| PolicyName | Name of the Endpoint Privilege Management policy that matched the process referenced in the event. |
| PowerShellCommand | If available, the PowerShell cmdlet referenced in the event. |
| ProcessGUID | Unique reference assigned by Endpoint Privilege Management to the process referenced in the event. |
| ProcessStartTime | Time that the process referenced in the event started. |
| ProductCode | Product Code assigned to the process referenced in the event. |
| ProductDescription | Product Description assigned by the vendor to the process referenced in the event. |
| ProductName | Product Name assigned by the vendor to the process referenced in the event. |
| ProductVersion | Product Version assigned by the vendor to the process referenced in the event. |
| Publisher | Digital signature assigned by the vendor to the process referenced in the event. |
| Reason | Details of the reason provided by the user for using the process referenced in the event. |
| ServiceDisplayName | The display name of the Windows service referenced in the event. |
| ServiceName | The service name of the Windows service referenced in the event. |
| SourceURL | If available, the URL from which the process referenced in the event was downloaded. |
| TokenAssignmentIsShell | Binary flag to indicate if the process was launched using the shell integration feature. |
| TokenDescription | Description of the token applied by Endpoint Privilege Management to the process referenced in the event. |
| TokenName | Name of the token applied by Endpoint Privilege Management to the process referenced in the event. |
| TrustedApplicationName | Name of the trusted application that triggered the rule. |
| TrustedApplicationVersion | Version of the trusted application that triggered the rule. |
| UACTriggered | Flag to indicate if the process matched on a UACTriggered rule. |
| UpgradeCode | Upgrade Code assigned to the process referenced in the event. |
| UserSID | The Security Identifier (SID) of the user who started the process. |

ℹ️

Note

No individual event returns values in all fields, so it is expected behavior to have NULL values in task specific columns.

Create the ePO Event Purge Server Task

We recommend you use the default ePO server task for this called Purge Rolled-up Data. This removes threat events from the ePO database and the corresponding Reporting events from the BeyondTrust table.

If you have a business need to delete the report events from the BeyondTrust table in only the ePO database, follow these instructions:

  1. Navigate to Menu > Automation > Server Tasks and select New Task.
  2. Enter an appropriate name (BeyondTrust ePO Threat Purge, for example), leave the Schedule status as Enabled, and click Next.
  3. Select BeyondTrust Endpoint Privilege Management ePO Event Purge from the Actions dropdown menu.
  4. Depending on your data size and requirements, enter the number of days after which events should be purged and click Next.

ePO scripts

ePolicy Orchestrator server scripts

ePO Core Commands are all available in the core.help file and are listed here:

https://[ePO Server]:8443/remote/core.help
avecto.challengeResponse keyType key challenge [duration] - BeyondTrust Privilege Management Challenge Response

Parameter descriptions

keyType=Key Type [key|name|id]
key=[Key Value|Policy Name|Policy ID]
challenge=Challenge Code
duration=Duration [once(default)|session]
avecto.createPolicy policyName filePath - BeyondTrust Privilege Management Create New Policy
avecto.exportPolicy policyID - BeyondTrust Privilege Management Export Policy XML
avecto.importPolicy policyID filePath - BeyondTrust Privilege Management Import Policy XML
avecto.listPolicies - rcmd.listPolicies.shortDescKey

ℹ️

Note

For more information, see Explanation of ePO Web API and where to find Web API documentation.

Referenced libraries

Two libraries are referenced in these scripts:

  • McAfee Python Support Library
  • URL Encoder Support Library

Challenge response scripting

import mcafee
import sys

# Connect to the ePO server; replace the bracketed placeholders with your own values.
mc = mcafee.client('[ePOServerAddress]', '8443', '[username]', '[password]')
mc.help('avecto.challengeResponse')

# Generate responses using a key value directly (keyType = key)
print('\nKey based generation')
response = mc.avecto.challengeResponse('key', 'test', '12345678')
print('response for one use - test/12345678: %s' % response)
response = mc.avecto.challengeResponse('key', 'test', '98765432X', 'once')
print('response for once    - test/98765432X: %s' % response)
response = mc.avecto.challengeResponse('key', 'test', '98765432X', 'session')
print('response for session - test/98765432X: %s' % response)

# List all policies and look up the ID of the one called NewSimpleCR
policies = mc.avecto.listPolicies()
policy_id = 0
print('\nAll Policies...')
for policy in policies:
    print('name: %s ID: %d' % (policy['name'], policy['id']))
    if policy['name'] == 'NewSimpleCR':
        policy_id = policy['id']
if policy_id == 0:
    sys.exit('Policy NewSimpleCR not found')

# Generate responses by policy name (keyType = name)
print('\nNamed Policy generation')
response = mc.avecto.challengeResponse('name', 'NewSimpleCR', '12345678')
print('response for one use - 12345678: %s' % response)
response = mc.avecto.challengeResponse('name', 'NewSimpleCR', '98765432X', 'once')
print('response for once    - 98765432X: %s' % response)
response = mc.avecto.challengeResponse('name', 'NewSimpleCR', '98765432X', 'session')
print('response for session - 98765432X: %s' % response)

# Generate responses by policy ID (keyType = id)
print('\nID Policy generation for id %d' % policy_id)
response = mc.avecto.challengeResponse('id', policy_id, '12345678')
print('response for one use - 12345678: %s' % response)
response = mc.avecto.challengeResponse('id', policy_id, '98765432X', 'once')
print('response for once    - 98765432X: %s' % response)
response = mc.avecto.challengeResponse('id', policy_id, '98765432X', 'session')
print('response for session - 98765432X: %s' % response)

ePO create policy

import mcafee

# Connect to the ePO server; replace the bracketed placeholders with your own values.
mc = mcafee.client('[ePOServerAddress]', '8443', '[username]', '[password]')
mc.help('avecto.createPolicy')

# Create a policy from an XML file; the file path is given as a file:// URL
print('\nCreate New Policy called NewSimpleCR')
#resp = mc.avecto.createPolicy('NewSimpleCR','file:///path-to-policy/policy.xml')
resp = mc.avecto.createPolicy('NewSimpleCR', 'file:///policy.xml')
print('\nPolicy Create Response: %s' % resp)

# Confirm the new policy appears in the policy list
policies = mc.avecto.listPolicies()
print('\nAll Policies...')
for policy in policies:
    print('name: %s ID: %d' % (policy['name'], policy['id']))

ePO import policy

import mcafee
import sys

# Connect to the ePO server; replace the bracketed placeholders with your own values.
mc = mcafee.client('[ePOServerAddress]', '8443', '[username]', '[password]')
mc.help('avecto.listPolicies')

# Find the ID of the policy called 'My Default', then import XML into it
policies = mc.avecto.listPolicies()
print('\nJSON %s' % policies)
policy_id = 0
print('\nAll Policies...')
for policy in policies:
    print('name: %s ID: %d' % (policy['name'], policy['id']))
    if policy['name'] == 'My Default':
        policy_id = policy['id']
if policy_id == 0:
    sys.exit("Policy 'My Default' not found")
resp = mc.avecto.importPolicy(policy_id, 'file:///policy.xml')
print('\nPolicy Import Response: %s' % resp)

ePO export policy

import mcafee
import sys

# Connect to the ePO server; replace the bracketed placeholders with your own values.
mc = mcafee.client('[ePOServerAddress]', '8443', '[username]', '[password]')
mc.help('avecto.listPolicies')

# Find the ID of the policy called 'My Default', then export its XML
policies = mc.avecto.listPolicies()
print('\nJSON %s' % policies)
policy_id = 0
print('\nAll Policies...')
for policy in policies:
    print('name: %s ID: %d' % (policy['name'], policy['id']))
    if policy['name'] == 'My Default':
        policy_id = policy['id']
if policy_id == 0:
    sys.exit("Policy 'My Default' not found")
xml = mc.avecto.exportPolicy(policy_id)
print('\nPolicy XML:\n%s' % xml)
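The scripts above call the avecto.* remote commands directly with hard-coded credentials and, when the named policy is not in the list, fall through with a policy ID of 0. The following is an added example, not code from the BeyondTrust guide or the McAfee Python Support Library, that wraps the same commands in helpers which validate the keyType, duration and challenge code against the core.help parameter descriptions before anything is sent, resolve a policy name to its ID or fail loudly, and read credentials from environment variables. The environment variable names (EPO_SERVER, EPO_PORT, EPO_USER, EPO_PASSWORD), the helper names and FakeEpoClient are this example's own; the client object is anything exposing avecto.listPolicies() and avecto.challengeResponse(), which with the real library is mcafee.client(...). The challenge code format (8 digits, optionally followed by one check character) is an assumption drawn from the guide's samples '12345678' and '98765432X' and the 9-character AuthorizationChallenge column.

```python
import os
import re

# Added example: validated wrappers around the avecto.* ePO remote commands.
# Not part of the BeyondTrust guide or the McAfee Python Support Library.

KEY_TYPES = ("key", "name", "id")    # keyType values listed in core.help
DURATIONS = ("once", "session")      # duration values listed in core.help
# Assumption: 8 digits with an optional trailing check character ('12345678', '98765432X')
CHALLENGE_RE = re.compile(r"^[0-9]{8}[0-9A-Za-z]?$")


def find_policy_id(policies, name):
    """Return the id of the policy called `name`. Raises instead of silently
    falling back to id 0 when the name is missing or ambiguous."""
    matches = [p["id"] for p in policies if p["name"] == name]
    if not matches:
        raise LookupError(f"policy {name!r} not found in ePO")
    if len(matches) > 1:
        raise LookupError(f"policy name {name!r} is ambiguous: ids {matches}")
    return matches[0]


def challenge_response(client, key_type, key, challenge, duration="once"):
    """Validated wrapper for: avecto.challengeResponse keyType key challenge [duration]."""
    if key_type not in KEY_TYPES:
        raise ValueError(f"keyType must be one of {KEY_TYPES}")
    if duration not in DURATIONS:
        raise ValueError(f"duration must be one of {DURATIONS}")
    if not CHALLENGE_RE.match(str(challenge)):
        raise ValueError("challenge must be 8 digits, optionally followed by one character")
    if key_type == "id" and not isinstance(key, int):
        raise ValueError("key must be an integer policy id when keyType is 'id'")
    return client.avecto.challengeResponse(key_type, key, str(challenge), duration)


def response_for_policy_name(client, policy_name, challenge, duration="once"):
    """Resolve the policy name via listPolicies, then generate the response by id."""
    policy_id = find_policy_id(client.avecto.listPolicies(), policy_name)
    return challenge_response(client, "id", policy_id, challenge, duration)


def connect_from_env():
    """Build a real client; credentials come from the environment, not the script.
    Assumed variable names: EPO_SERVER, EPO_PORT (default 8443), EPO_USER, EPO_PASSWORD."""
    import mcafee  # McAfee Python Support Library, only needed for a live connection
    return mcafee.client(os.environ["EPO_SERVER"], os.environ.get("EPO_PORT", "8443"),
                         os.environ["EPO_USER"], os.environ["EPO_PASSWORD"])


class _FakeAvecto:
    """Constructed stand-in for the avecto.* command namespace, for offline runs."""
    def __init__(self):
        self.calls = []

    def listPolicies(self):
        return [{"name": "My Default", "id": 1}, {"name": "NewSimpleCR", "id": 7}]

    def challengeResponse(self, key_type, key, challenge, duration="once"):
        self.calls.append((key_type, key, challenge, duration))
        return f"RESPONSE-{key_type}-{key}-{challenge}-{duration}"  # constructed value


class FakeEpoClient:
    """Mimics the shape of mcafee.client(...) closely enough for the helpers above."""
    def __init__(self):
        self.avecto = _FakeAvecto()


if __name__ == "__main__":
    mc = FakeEpoClient()   # swap for connect_from_env() against a real ePO server
    print(response_for_policy_name(mc, "NewSimpleCR", "12345678"))
    print(response_for_policy_name(mc, "NewSimpleCR", "98765432X", "session"))
```

Resolving the name to an ID once and then calling with keyType 'id' avoids a second name lookup on the server and makes an unknown or duplicated policy name a visible error rather than a response generated against the wrong policy.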

Exported views

Indexes are indicated by numbers in the Index column. If the same number applies to more than one column, it is a composite index. If an index has an asterisk (*), it is an index based on an ID which is used to retrieve the indicated columns, so the index may or may not be usable depending on how the query is formed. Some descriptions (shown in italics in the original tables) refer to one of the following data types:

Application types

| Application Type | Description |
|---|---|
| appx | Windows Store package |
| bat | Batch file |
| com | COM class |
| cpl | Control Panel |
| exe | Executable |
| msc | MMC Snap-in |
| msi | Installer package |
| ocx | ActiveX control |
| ps1 | PowerShell script |
| reg | Registry settings file |
| rpsc | Remote PowerShell Command |
| rpss | Remote PowerShell Script |
| svc | Service |
| unin | Uninstaller |
| wsh | Windows script (examples: vbs, js) |
| cont | Content file |
| url | URL |

Certificate modes

Endpoint Privilege Management configuration can optionally be signed. For any signed settings it loads, Endpoint Privilege Management verifies that the signature was made with a certificate trusted for that purpose.

The Endpoint Privilege Management ePO extension does not support the distribution of signed Endpoint Privilege Management configuration. The Endpoint Privilege Management ePO extension must be installed in certificate mode 0, if used.

| Mode | Name | Description |
|---|---|---|
| 0 | Standard Mode | The loading of unsigned settings is audited as information events (event 200). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed. Endpoint Privilege Management is installed in Standard Mode by default. |
| 1 | Certificate Warning Mode | The loading of unsigned settings is audited as warning events (event 201). Signed settings are audited as information events (event 200) if they are correctly signed and as warning events (event 201) if they are incorrectly signed. |
| 2 | Certificate Enforcement Mode | Unsigned or incorrectly signed settings are not loaded and are audited as error events (event 202). Signed settings are audited as information events (event 200) if they are correctly signed. |

Chassis types

| Chassis Type | Description |
|---|---|
| NULL | Not set |
| <None> | Does not have a chassis type |
| Desktop | Desktop |
| Docking Station | Docking station |
| Laptop | Laptop |
| Notebook | Notebook |
| Other | Other (unknown) type |
| Portable | Portable system |
| Rack Mount Chassis | Rack system |

Custom data types

| Data Type | Description |
|---|---|
| Ascending identity | Number that increases with every event. Designed to allow external applications to pick up where they last got up to when importing events from PMR. |
| Locale Identifier | ID of language etc. |
| Platform Type | Windows or macOS |

Device types (drive type)

| Device Type (Drive Type) | Description |
|---|---|
| CDROM Drive | CD/DVD drive |
| eSATA Drive | External drive |
| Downloaded | Downloaded from internet |
| Network Drive | Network drive |
| Removable Media | Removable media |
| Unknown Drive | Unknown |
| USB Drive | USB drive |

Message types

| Message Type | Description |
|---|---|
| (empty) | No message |
| Prompt | Prompt message |
| Notification | Notification (balloon) message |
| Unknown | Unknown message type |

OS product type

| OS Product Type | Operating System |
|---|---|
| 1 | Workstation |
| 2 | Domain Controller |
| 3 | Server |
| [any other value] | Unknown |

OS version

Taken from https://docs.microsoft.com/en-us/windows/win32/sysinfo/operating-system-version.

| Version Number | Operating System |
|---|---|
| 10.0 | Windows 10 or Windows Server 2016 |
| 6.3 | Windows 8.1 or Windows Server 2012 R2 |
| 6.2 | Windows 8.1 or Windows Server 2012 R2 |
| 6.1 | Windows 7 or Windows Server 2008 R2 |
| 6.0 | Windows Vista or Windows Server 2008 |
| 5.2 | Windows XP 64-bit or Windows Server 2003 or Windows Server 2003 R2 |
| 5.1 | Windows XP |
| 5.0 | Windows 2000 |

Policy audit modes

| Mode | Name | Description |
|---|---|---|
| 0 | No auditing | Value is 0 in endpoint registry. |
| 4 | Audit Errors Only | 202 events. Value is 1 in endpoint registry. |
| 6 | Audit Warnings and Errors | 201/202 events. Default for agent and console installations. Value is 2 in endpoint registry. |
| 7 | Audit Information, Warnings and Errors | 200/201/202 events. Default for agent only installations. Value is 3 in endpoint registry. |

ExportLogons

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| LogonID | bigint | | 3 | Ascending Identity | 1 |
| LogonGUID | uniqueidentifier | | | UUID of the logon | 819EF606-F9B6-40BE-9C0C-A033A34EC4F8 |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| LogonTime | datetime | | | Logon Date/Time | 2017-01-03 10:24:00.000 |
| IsAdmin | bit | | | 1 if an admin, 0 otherwise | 0 |
| IsPowerUser | bit | | | 1 if a power user, 0 otherwise | 0 |
| UILanguage | int | | | Locale Identifier of the UI Language | 1033 |
| Locale | int | | | Locale Identifier of the Locale | 2057 |
| UserName | nvarchar | 1024 | | User name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Docking Station |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |

ExportPrivilegedAccountProtection

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ID | bigint | | 1 | Ascending Identity | 1 |
| TimeGenerated | datetime | | | Event Generation Date/Time | |
| CommandLine | nvarchar | 1024 | | Command Line | <None> |
| PrivilegedGroupName | nvarchar | 200 | | Privileged Group Name | Administrators |
| PrivilegedGroupRID | nvarchar | 10 | | Privileged Group Relative Identifier | 544 |
| Access | nvarchar | 200 | | Group Access Details | Add Member, Remove Member, List Members, Read Information |
| PolicyGUID | uniqueidentifier | | | Policy UUID | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |
| FileName | nvarchar | 255 | | File name | <None> |
| ApplicationHash | nvarchar | 40 | | Application SHA1 | 921CA2B3293F3FCB905B24A9536D8525461DE2A3 |
| ProductCode | nvarchar | 1024 | | Product Code | <None> |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | <None> |
| FileVersion | nvarchar | 1024 | | File Version | <None> |
| MD5 | nvarchar | 32 | | MD5 Hash | 3279476E39DE235B426D69CFE8DEBF55 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| UserName | nvarchar | 1024 | | User Name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| HostName | nvarchar | 1024 | | Host Name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host domain NETBIOS | EGDOMAIN |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| ApplicationURI | nvarchar | 1024 | | URI of a macOS application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application description | lusrmgr.msc |
| FirstDiscovered | datetime | | | First time app was seen | 2017-01-03 10:25:50.110 |
| FirstExecuted | datetime | | | First time app was executed | 2017-01-03 10:24:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product name | <None> |
| ProductVersion | nvarchar | 1024 | | Product version | <None> |
| Publisher | nvarchar | 1024 | | Publisher | Microsoft Windows |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 1 |

ExportDefendpointStarts

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| SessionID | bigint | | 3 | Ascending Identity | 1 |
| SessionGUID | uniqueidentifier | | | UUID of the session | 5CD221E9-CEB5-441D-B380-CB266400B320 |
| SessionStartTime | datetime | | | Time session started | 2017-01-03 10:24:00.000 |
| SessionEndTime | datetime | | | Always NULL (not used) | NULL |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| AgentVersion | nvarchar | 20 | | Endpoint Privilege Management Client Version | 4.0.384.0 |
| ePOMode | int | | | 1 if DP client is in ePO mode, 0 otherwise | 1 |
| CertificateMode | int | | | Certificate Mode | 0 |
| PolicyAuditMode | int | | | Policy Audit Mode | 7 |
| DefaultUILanguage | int | | | Locale Identifier of UI Language | 2057 |
| DefaultLocale | int | | | Locale Identifier of Locale | 2057 |
| SystemDefaultTimezone | int | | | Not set so always 0 | 0 |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | 4 | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |

ExportProcesses

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ProcessID | bigint | | 4 | Ascending Identity | 1 |
| ProcessGUID | uniqueidentifier | | 2 | UUID of the process | 98C99D96-6DFA-4C95-9A87-C8665C166286 |
| EventNumber | int | | | Event Number. See List of Events section. | 153 |
| TimeGenerated | datetime | | | Event generation date/time | 2017-02-20 13:11:11.217 |
| TimeReceived | datetime | | | Event received at ER date/time | 2017-02-20 13:16:28.047 |
| EventGUID | uniqueidentifier | | | Event UUID | 9F8EB86C-AA0D-42B9-8720-166FAB91F1ED |
| PID | int | | | Process ID | 8723 |
| ParentPID | int | | | Parent Process ID | 142916 |
| CommandLine | nvarchar | 1024 | | Command Line | "C:\cygwin64\bin\sh.exe" |
| FileName | nvarchar | 255 | | File Name | c:\cygwin64\bin\sh.exe |
| ProcessStartTime | datetime | | 1 | Date/Time Process Started | 2017-02-20 13:11:11.217 |
| Reason | nvarchar | 1024 | | Reason entered by user | <None> |
| ClientIPV4 | nvarchar | 15 | | Client IP Address | 10.0.9.58 |
| ClientName | nvarchar | 1024 | | Client Name | L-CNU410DJJ7 |
| UACTriggered | bit | | | 1 if UAC shown | 0 |
| ParentProcessUniqueID | uniqueidentifier | | | Parent process UUID | C404C7F5-3A93-4C0E-81BC-9902D220C21E |
| COMCLSID | uniqueidentifier | | | COM CLSID | NULL |
| COMAppID | uniqueidentifier | | | COM Application ID | NULL |
| COMDisplayName | nvarchar | 1024 | | COM Display Name | <None> |
| ApplicationType | nvarchar | 4 | | Application Type | svc |
| TokenGUID | uniqueidentifier | | | UUID of token in policy | F30A3824-27AF-4D69-9125-C78E44764AC1 |
| Executed | bit | | | 1 if executed, 0 otherwise | 1 |
| Elevated | bit | | | 1 if elevated, 0 otherwise | 1 |
| Blocked | bit | | | 1 if blocked, 0 otherwise | 0 |
| Passive | bit | | | 1 if passive, 0 otherwise | 0 |
| Cancelled | bit | | | 1 if cancelled, 0 otherwise | 0 |
| DropAdmin | bit | | | 1 if admin rights dropped, 0 otherwise | 0 |
| EnforceUsersDefault | bit | | | 1 if user default permissions were enforced, 0 otherwise | 0 |
| Custom | bit | | | 1 if Custom Token, 0 otherwise | 0 |
| SourceURL | nvarchar | 2048 | | Source URL | <None> |
| AuthorizationChallenge | nvarchar | 9 | | Challenge Response authorization code | <None> |
| WindowsStoreAppName | nvarchar | 200 | | Windows Store application name (appx app type only) | <None> |
| WindowsStoreAppPublisher | nvarchar | 200 | | Windows Store application publisher (appx app type only) | <None> |
| WindowsStoreAppVersion | nvarchar | 200 | | Windows Store application version (appx app type only) | <None> |
| DeviceType | nvarchar | 40 | | Device Type | Fixed Disk |
| ServiceName | nvarchar | 1024 | | Service name (svc events only) | <None> |
| ServiceDisplayName | nvarchar | 1024 | | Service Display Name (svc app type only) | <None> |
| PowerShellCommand | nvarchar | 1024 | | PowerShell Command (ps1/rpsc/rpss app types only) | <None> |
| ApplicationPolicyDescription | nvarchar | 1024 | | Policy Description | <None> |
| SandboxGUID | uniqueidentifier | | | Sandbox UUID (sandbox events only) | NULL |
| SandboxName | nvarchar | 1024 | | Sandbox Name (sandbox events only) | NULL |
| BrowseSourceURL | nvarchar | 2048 | | Sandbox browse source (sandbox events only) | <None> |
| BrowseDestinationURL | nvarchar | 2048 | | Sandbox destination source (sandbox events only) | <None> |
| Classification | nvarchar | 200 | | Sandbox classification (sandbox events only) | Private (Local) |
| IEZoneTag | nvarchar | 200 | | IE Zone Tag | <None> |
| OriginSandbox | nvarchar | 40 | | Origin Sandbox | <None> |
| OriginIEZone | nvarchar | 40 | | Origin IE Zone | <None> |
| TargetSandbox | nvarchar | 40 | | Target Sandbox | <None> |
| TargetIEZone | nvarchar | 40 | | Target IE Zone | <None> |
| AuthRequestURI | nvarchar | 1024 | | Authorization request URL (osx challenge/response only) | <None> |
| PlatformVersion | nvarchar | 10 | | Platform Version | <None> |
| ControlAuthorization | bit | | | 1 if Endpoint Privilege Management authorized this macOS application | 0 |
| TrustedApplicationName | nvarchar | 1024 | | Name of the trusted application | Microsoft Word |
| TrustedApplicationVersion | nvarchar | 1024 | | Version of the trusted application | 11.1715.14393.0 |
| ParentProcessFileName | nvarchar | 1024 | | Parent process file name | Google Chrome |
| ApplicationHash | nvarchar | 40 | | SHA1 of the application | C22FF10511ECCEA1824A8DE64B678619C21B4BEE |
| ProductCode | nvarchar | 1024 | | Product Code | <None> |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | <None> |
| FileVersion | nvarchar | 1024 | | File Version | <None> |
| MD5 | nvarchar | 32 | | MD5 hash of the app | 6E641CAE42A2A7C89442AF99613FE6D6 |
| TokenAssignmentGUID | uniqueidentifier | | | UUID of the token assignment in the policy | E7654321-BBBB-5AD2-B954-1234DDC7A89D |
| TokenAssignmentIsShell | bit | | | Token assignment is for shell | 1 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-16357176381125883508 |
| UserName | nvarchar | 1024 | | User Name | EGUser18 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserDomainNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Laptop |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638775838649 |
| HostName | nvarchar | 1024 | 3* | Host Name | EGHostWin18 |
| HostNameNETBIOS | nvarchar | 15 | 3* | Host NETBIOS | EGHOSTWIN18 |
| OS | nvarchar | | | OS Version | 10.0 |
| OSProductType | int | | | OS Product Type | |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| AuthUserSID | nvarchar | 200 | | Authorizing User SID | <None> |
| AuthUserName | nvarchar | 1024 | | Authorizing User | <None> |
| AuthUserDomainSID | nvarchar | 200 | | Authorizing User Domain SID | <None> |
| AuthUserDomainName | nvarchar | 1024 | | Authorizing User Domain | <None> |
| AuthUserDomainNameNETBIOS | nvarchar | 15 | | Authorizing User Domain NETBIOS | <None> |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainSID | nvarchar | 200 | | File Owner Domain SID | S-1-5-80 |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| FileOwnerDomainNameNETBIOS | nvarchar | 15 | | File Owner Domain NETBIOS | <None> |
| ApplicationURI | nvarchar | 1024 | | URI of the macOS Application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application Description | c:\cygwin64\bin\sh.exe |
| FirstDiscovered | datetime | | | Time application first seen | 2017-02-07 09:14:39.413 |
| FirstExecuted | datetime | | | Time application first executed | 2017-02-07 09:07:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product Name | ADelRCP Dynamic Link Library |
| ProductVersion | nvarchar | 1024 | | Product Version | 15.10.20056.167417 |
| Publisher | nvarchar | 1024 | | Publisher | Adobe Systems, Incorporated |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 0 |
| MessageGUID | uniqueidentifier | | | UUID of the message in the policy | 00000000-0000-0000-0000-000000000000 |
| MessageName | nvarchar | 1024 | | Name of the message in the policy | Block Message |
| MessageType | nvarchar | 40 | | Message Type | Prompt |
| AppGroupGUID | uniqueidentifier | | | UUID of the Application Group in the Policy | 47E4A204-FC06-428B-8E73-1E36E3A65430 |
| AppGroupName | nvarchar | 1024 | | Application Group Name in the Policy | Test Policy.test |
| PolicyID | bigint | | | Internal ID of the Policy | 2 |
| PolicyGUID | uniqueidentifier | | | UUID of the Policy | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle Name | EventGen Test Workstyle |
| ContentFileName | nvarchar | 255 | | Content File Name | c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf |
| ContentFileDescription | nvarchar | 1024 | | Content File Description | <None> |
| ContentFileVersion | nvarchar | 1024 | | Content File Version | <None> |
| ContentOwnerSID | nvarchar | 200 | | Content Owner SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| ContentOwnerName | nvarchar | 1024 | | Content Owner | EGUser1 |
| ContentOwnerDomainSID | nvarchar | 200 | | Content Owner Domain SID | S-1-5-21-2217285736-120021366-3854014904 |
| ContentOwnerDomainName | nvarchar | 1024 | | Content Owner Domain | BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA |
| ContentOwnerDomainNameNetBIOS | nvarchar | 15 | | Content Owner Domain NETBIOS | BEYONDTRUSTTEST58 |
| UninstallAction | nvarchar | 20 | | The uninstall action carried out | Change/Modify |
| TokenName | nvarchar | 20 | | The name of the event action | Blocked |
| TieStatus | int | | | Threat Intelligence Exchange status for the reputation of this application | 0 |
| TieScore | int | | | Threat Intelligence Exchange score for the application | |
| VtStatus | int | | | VirusTotal status for the reputation of this application | |
| RuleScriptFileName | nvarchar | 200 | | The name in config of the script associated with the rule | Get-McAfeeGTIReputation |
| RuleScriptName | nvarchar | 200 | | The name of the script set by interface | Get-McAfeeGTIReputation |
| RuleScriptVersion | nvarchar | 20 | | Version number of the script | 1.1.0 |
| RuleScriptPublisher | nvarchar | 200 | | Publisher that signed the script | BeyondTrust |
| RuleScriptRuleAffected | bit | | | True when the script has set all settable rule properties; otherwise false | True |
| RuleScriptStatus | nvarchar | 100 | | Success, or why the configured script did not run or set rule properties | Success |
| RuleScriptResult | nvarchar | 1024 | | Result of the script run | Script ran successfully |
| RuleScriptOutput | nvarchar | 1024 | | The output of the script | |
| AuthorizationSource | nvarchar | 200 | | The Authorizing User Credential Source | |
| AuthMethods | nvarchar | 1024 | | The type of authentication method selected in the Policy Editor. Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated. | |
| IdPAuthentication | nvarchar | 400 | | The credential provided when adding an Identity Provider authorization message in the Policy Editor. | |
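The Custom data types table describes the Ascending identity column as the way an external application picks up where it left off when importing events, and the ExportProcesses view above exposes that column as ProcessID (index 4). The following added example, which is not code from the BeyondTrust guide, shows that watermark pattern end to end: fetch only rows whose ProcessID is above the last stored value, in identity order and in bounded batches, then normalise the view's two absent-value conventions (the literal string `<None>` for text columns and SQL NULL for GUID and numeric columns) before rolling the rows up. An in-memory SQLite table stands in for the SQL Server view, so the DDL and the `LIMIT` clause are SQLite's (SQL Server would use `SELECT TOP`); the column names follow the view documentation, the sample rows are constructed, and the function names are this example's own.

```python
import sqlite3

# Added example: incremental import from the ExportProcesses view using its Ascending
# identity column (ProcessID) as a watermark. Not part of the BeyondTrust guide.
# SQLite stands in for SQL Server; sample rows below are constructed, not real data.

# ProcessID, ProcessGUID, TimeGenerated, HostName, UserName, FileName, TokenName, Blocked, Elevated, Reason
SAMPLE_ROWS = [
    (1, "98C99D96-6DFA-4C95-9A87-C8665C166286", "2017-02-20 13:11:11.217", "EGHostWin18",
     "EGUser18", r"c:\cygwin64\bin\sh.exe", "Passive", 0, 0, "<None>"),
    (2, "1B5C6E1A-0000-4000-8000-000000000002", "2017-02-20 13:12:01.000", "EGHostWin18",
     "EGUser18", r"c:\tools\installer.msi", "Blocked", 1, 0, "<None>"),
    (3, "1B5C6E1A-0000-4000-8000-000000000003", "2017-02-20 13:13:45.500", "EGHostWin1",
     "EGUser1", r"c:\windows\system32\lusrmgr.msc", "Elevated", 0, 1, "Need to add a local user"),
    (4, "1B5C6E1A-0000-4000-8000-000000000004", "2017-02-20 13:14:10.000", "EGHostWin18",
     "EGUser18", r"c:\users\eguser18\downloads\setup.exe", "Blocked", 1, 0, "<None>"),
    (5, "1B5C6E1A-0000-4000-8000-000000000005", "2017-02-20 13:15:00.000", "EGHostWin1",
     "EGUser1", r"c:\windows\regedit.exe", "Blocked", 1, 0, "<None>"),
]

SELECT_COLUMNS = ("ProcessID, ProcessGUID, TimeGenerated, HostName, UserName, "
                  "FileName, TokenName, Blocked, Elevated, Reason")


def build_sample_db():
    """In-memory stand-in for the ExportProcesses view (SQLite, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ExportProcesses (
        ProcessID INTEGER PRIMARY KEY, ProcessGUID TEXT, TimeGenerated TEXT,
        HostName TEXT, UserName TEXT, FileName TEXT, TokenName TEXT,
        Blocked INTEGER, Elevated INTEGER, Reason TEXT)""")
    conn.executemany("INSERT INTO ExportProcesses VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_new_events(conn, last_seen_id, batch_size=1000):
    """Return (rows, new_watermark): only rows with ProcessID above the stored watermark,
    ordered by the identity so an interrupted batch resumes without gaps or repeats."""
    cur = conn.execute(
        f"SELECT {SELECT_COLUMNS} FROM ExportProcesses "
        "WHERE ProcessID > ? ORDER BY ProcessID LIMIT ?",   # SQL Server: SELECT TOP (@n)
        (last_seen_id, batch_size))
    names = [col[0] for col in cur.description]
    rows = [dict(zip(names, record)) for record in cur.fetchall()]
    watermark = rows[-1]["ProcessID"] if rows else last_seen_id
    return rows, watermark


def normalise(row):
    """Map the view's '<None>' (text columns) and NULL (GUID/number columns) to Python None
    so downstream code applies a single absent-value rule."""
    return {key: (None if value in ("<None>", None) else value) for key, value in row.items()}


def blocked_by_host(rows):
    """Count Blocked=1 events per host: a basic roll-up for spotting endpoints where
    the policy is blocking repeatedly and may need a rule or a user conversation."""
    counts = {}
    for row in rows:
        if row["Blocked"] == 1:
            counts[row["HostName"]] = counts.get(row["HostName"], 0) + 1
    return counts


if __name__ == "__main__":
    db = build_sample_db()
    watermark = 0          # persist this between runs, e.g. in a small state file
    while True:
        batch, watermark = fetch_new_events(db, watermark, batch_size=2)
        if not batch:
            break
        for row in map(normalise, batch):
            print(row["ProcessID"], row["HostName"], row["TokenName"], row["Reason"])
    print("blocked per host:", blocked_by_host(fetch_new_events(db, 0)[0]))
```

Persist the watermark only after the batch has been committed to the destination; if the import fails midway, re-reading from the previous watermark is safe because the identity is monotonic and the query is ordered by it.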

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.