PMR USER GUIDE

What is PMR?

Endpoint Privilege Management Reporting (PMR) includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Endpoint Privilege Management activity throughout the desktop and server estate.

A dashboard is a report, that at the top level, presents you with a series of charts and summarized data. Some dashboards have sub-reports that are presented as charts or tabular data.

This documentation supports reporting implementations with the Endpoint Privilege Management GPO platform.

Reporting concepts

There are several concepts in Reporting that are described here.

Dashboards, tables, and reports

A dashboard is anything in Reporting where visual charts are displayed.
A table is anything in Reporting that has a tabular format.
A report is a dashboard or a table. It is a generic term used to describe any form of data displayed in Reporting.

Drilldown

Drilldown is a user action in a report in which you click on a link to see the data at a greater level of granularity.

Permalink

Permalink refers to a link at the bottom of most reports that generates a unique URL that allows someone else to view that exact page once they login.

Operating systems

All dashboards have a Microsoft Windows view to display events from Windows endpoints. Some dashboards and reports also have a macOS view.

Naming conventions and navigation

This section covers the Endpoint Privilege Management Reporting interface elements and how to export and link to a specific report.

Interface

The Endpoint Privilege Management Reporting interface allows you to switch between dashboards and reports and to filter data as required.

There is a permalink at the bottom of each report that creates a static link to that report with your choice of filters applied.

Navigation panel

The side navigation panel takes you to each top-level dashboard and the reports in that dashboard. Reports that are post-fixed with All indicate the data is in tabular form.

Dashboard and reports panel

This is the area where dashboards and reports are displayed. A dashboard is a report with multiple charts covering a wide range of data. A report is a summary table or a page focused on a particular entity.

The graphical elements of a dashboard or report are interactive. You can click on a chart to view the data at an additional level of granularity.

Quick filter panel

The quick panel on the left pane displays a set of predefined filters relevant to the current dashboard or report to refine the data.

Filters

Filter name	Description
Platform	Windows Filters by endpoints running a Windows operating system. macOS Filters by endpoints running a Mac operating system.
Time Range	This is the time range that the actions are audited. For example, you can filter by the number of elevated actions in the last 24 hours in the Actions > Elevated report. You can choose from: 24 Hours 7 Days 30 Days 12 Months
First Reported	This is the time range filtered by the date the application was first entered in the database. For example, you can filter on the new Windows applications by publisher that were first reported in the last 7 days in the Discovery > By Publisher report. You can choose from: 24 Hours 7 Days 30 Days 6 Months 12 Months
First Executed	This is the time range the application was first executed. For example, you can filter on the new Windows applications, by type, that were first executed in the last 30 days in the Discovery > By Type report. You can choose from: 24 Hours 7 Days 30 Days 6 Months 12 Months
Filter by Target Type	This filter allows you to filter by a type of target. For example, you can filter on the applications canceled in the time range in the Actions > Canceled report. You can choose from: All Applications Services COM Remote PowerShell ActiveX URL Content
Filter by Action	This filter allows you to filter by a type of action. For example, you can filter on the services elevated in the time range in the Target Types > Services report. You can choose from: All Elevated Blocked Passive Sandboxed Canceled
Filter by App Type	This filter allows you to filter by application type. For example, you can filter by applications that are executables used in the time range in Target Types > Applications. You can choose from: All Executable Control Panel Applet Management Console Installer Package Uninstaller Windows Script PowerShell Script Batch File Registry Settings Windows Store Binary Bundle Package System Preference Sudo Control Script
Filter by Event Category	This filter allows you to filter by the category of the event. For example, you can filter by process events only that occur in the time range in the Events > All report. You can choose from: All Process DLL Control Content URL Privileged Account Protection Agent Start User Logon Services
Elevate Method	Allows you to filter by the elevation method used. For example, in the Discovery > Requiring Elevation report, you can filter by new applications which were accessed using on-demand elevation within the time range. You can choose from: All Admin account used Auto-elevated On-demand
Path	Allows you to filter by the path. For example, to filter on applications that were launched from the System path. You can choose from: All System Program Files User Profiles
Source	The media source of the application. For example, was the application downloaded from the internet or is it from removable media? You can choose from: All Any external source Downloaded from internet Removable media
Challenge / Response	Allows you to filter by challenge/response events. For example, you can filter the application that required elevation on those applications launched following a completed challenge/response message. You can choose from: All Only C/R
Admin Rights	Allows you to filter by the admin rights token. You can choose from: All Detected Not Detected
Authorization	Allows you to filter by authorization. You can choose from: All Required Not Required
Group By	You can choose from: All Publisher Application Group Message Workstyle
Ownership	Allows you to group by the type of owner. You can choose from: All Trusted owner Untrusted owner
Matched	Allows you to filter on the type of matching. You can choose from: All Matched directly Matched as child
Other Actions	Allows you to filter by other actions. You can choose from: Custom Drop Admin Rights Enforce Default Rights
Details	Process Details

Advanced filter panel

The Filter Panel dropdown bar is located above the Toolbar. Click the bar to toggle the filter panel.

The Filter Panel is available from most dashboards and reports, and allows you to filter data based on a number of event properties. To access the Filter Panel at any time, click the filter dropdown button.

For example, to filter the Summary report to only include a specific Workstyle:

Open the report to filter.
Open the Filter Panel by clicking the filter dropdown list.
Select the Workstyle from the Workstyle dropdown list.
Click View Report.
Close the Filter Panel.

The report then shows information from the Developers Workstyle only.

The filter options match text on substrings; partial or complete words can match on a filter.

Certain filter options support comma-separated values so you can specify a list of filter values. For example, to restrict the results to three users, enter user1,user2,user3 in the User Name field.

📘
Multiple ! strings are accepted. For example, !L-CZC13127L30l,!L-CNU410DJJ7

Any text field supports wildcards, comma-separated values (CSV) and the Does Not Match(!) options:

Filtering Effect	Filter Panel Operator	Effect
List separator	Comma (,)	Value1,value2,value3
Wildcard	%	part% part%part2,part3%part4
Negation or "Not"	!	!value !value1,!value2

📘
When filtering tabular reports such as the Users > All table, an applied filter is displayed at the top of the relevant column. To remove a filter, click on the x next to the filter text.

Top toolbar

You can use the toolbar to navigate between report pages, change the magnification, search, export, refresh, print, and export to a data feed.

The Toolbar and the Filter Panel are standard Microsoft SSRS components. See What is SQL Server Reporting Services (SSRS).

Export reports

Dashboards and reports can be exported to any of the following formats using the Export dropdown menu on the toolbar:

XML file with report data
CSV (comma delimited)
PDF
MHTML (web archive)
Excel
TIFF file
Word

Exported data is based on the data currently displayed in the dashboard or report.

Discovery dashboard

Summarizes all the unique applications discovered. It differentiates between those that used elevated privileges and those that ran with standard privileges. The Discovery reports display the data from different angles such as by the location of the executable or the type of the executable.

These dashboards only show new application items in the chosen time interval. For example, the Discovery dashboard can answer the question what’s new this week and how is it affecting my users?

The report displays information about applications discovered by the reporting database for the first time. An application is first discovered when an event is received by the reporting database.

Operating systems terminology

The Discovery dashboard displays events from Windows and macOS operating systems. The terminology differences are:

Windows: Admin Rights Required
macOS: Authorization

The terminology is shown when you switch operating systems using the Platform filter.

Discovery Dashboard charts

Applications first reported in the specified time frame: A chart showing the number of applications discovered filtered by the types of rights detected:

Admin Rights Detected
Admin Rights Not Detected
Click the Admin rights detected or Admin rights not detected lines in the graph to open the Discovery Dashboard report with the Admin Rights Required filter applied.

Types of newly discovered applications: Click the chart to open the Discovery Dashboard report with the Admin Rights Required filter applied.

Discovery Dashboard tables

New applications with admin rights (top 10): A list of discovered applications that are running with admin rights. This list is ordered by the number of users. Click View all to see the full list. Click any of the applications in the list to open the Discovery Dashboard report with the Admin Rights Required and Matched filter applied.
New applications with standard rights (top 10): A list of discovered applications that are running with standard, not admin rights. This list is ordered by the number of users. Click View all to see the full list. Click any of the applications in the list to open the Discovery Dashboard report with the Admin Rights Required and Matched filter applied.
New applications with admin rights (by type): A list of the types of applications that required admin rights that were newly discovered within the time interval. They are ordered by the total number of applications for each type. Click View all to see the full list. Click any of the applications in the list to open the Discovery Dashboard report with the Admin Rights Required and Matched filter applied.
New applications with standard rights (by type): The types of applications that did not require admin rights that were newly discovered within the time interval. They are ordered by the total number of applications for each type. Click any of the applications in the list to open the Discovery Dashboard report with the Admin Rights Required and Matched filter applied.

Discovery By Path

Displays all distinct applications installed in certain locations that are discovered during the specified time frame.

System: C:\Windows
Program Files: C:\Program Files, C:\Program Files (x86)
User Profiles: C:\Users

The paths can be changed using the filter panel.

Columns

Path: The Path category that the application was installed in. You can click the + icon to expand the row and see each application.
#Users: The number of users.
Median # processes / user: The median number of processes per user.
#Hosts: The number of hosts. Drill down to view a list of hosts the application events came from.
# Processes: The number of processes. Drill down to see the Events All table and lists the events received in the time period for the selected application.
# Applications: The number of applications.
Date first reported: The date the application was first entered in the database.
Date first executed: The first known date the application was executed.

Discovery By Publisher

The table displays the discovered applications grouped by publisher. Where there is more than one application per publisher, click + to expand the entry to examine each application.

Columns

Publisher: The publisher of the applications.
Description: The description of the application.
Name: The product name of the application.
Type: The type of application.
Version: The version number of a specific application.
# Users: The number of users.
Median # processes / user: The median number of processes per user.
# Hosts: The number of hosts.
# Processes: The number of processes.
# Applications: The number of applications.
Date first reported: The date the application was first entered in the database.
Date first executed: The first known date the application was executed.
Name: The product name. This is hidden by default but you can select it from the Actions > Choose Columns menu.

Some of these columns allow you to drill down to additional information:

i icon: Opens the Applications report for that application.
# Users: Displays a list of users the application events came from.
# Hosts: Displays a list of hosts the application events came from.
# Processes: Displays the Events All table and lists the events received in the time period for the selected application.

Discovery By Type

The table displays applications filtered by type. When there is more than one application per type, click + to expand the entry to see each application.

Columns

Type: The type of application.
# Users: The number of users.
Median # processes / user: The median number of processes per user.
# Hosts: The number of hosts.
# Processes: The number of processes.
Applications: The number of applications.
Date first reported: The date the application was first entered in the database.
Date first executed: The first known date the application was executed.

Some of these allow you to drill down to additional information:

i icon: Opens the Target Types > Applications report which is filtered to that application.
# Users: Displays a list of users the application events came from.
# Hosts: Displays a list of hosts the application events came from.
# Processes: Displays the Events All table and lists the events received in the time period for the selected application.

Discovery Requiring Elevation

The table displays the applications that were elevated or required admin rights.

Columns

Description: The description of the application.
Publisher: The publisher of the application.
Name: The product name of the application.
Type: The type of application.
# Users: The number of users.
Median # processes / user: The median number of processes per user.
# Hosts: The number of hosts.
# Processes: The number of processes.
Version: The version number of a specific application.
Elevate Method: The type of method used to elevate the application: All, Admin account used, Auto-elevated, or on-demand.
Date first reported: The date the application was first entered in the database.
Date first executed: The first known date the application was executed.

Some of these allow you to drill down to additional information:

i icon: Opens the Target Types > Applications report filtered to that application.
# Users: Displays a list of users the application events came from.
# Hosts: Displays a list of hosts the application events came from.
# Processes: Displays the Events All table and lists the events received in the time period for the selected application.
Elevate Method: Displays the Events All table with an extra Elevate Method column.

Discovery From External Sources

The table displays all applications that originated from an external source such as the internet or an external drive.

Columns

Description: The description of the application.
Publisher: The publisher of the application.
Name: The product name of the application.
Type: The type of application.
Source: The source of the application.
# Users: The number of users.
Median # processes / user: The median number of processes per user.
# Hosts: The number of hosts.
# Processes: The number of processes.
Version: The version number of the application.
Date first reported: The date the application was first entered in the database.
Date first executed: The first known date the application was executed.

Some of these allow you to drill down to additional information:

i icon: Opens the Applications report for that application.
# Users: Displays a list of users the application events came from.
# Hosts: Displays a list of hosts the application events came from.
# Processes: Opens the Events All table and lists the events received in the time period for the selected application.

Actions dashboard

Summarizes audited items categorized by the type of action taken. This allows you to focus on the topic of interest. For example, elevation or blocking. The Actions reports show audits only of the selected type (Elevated, Blocked, Passive, Canceled, Other).

The Actions dashboard breaks down the application activity by the type of action. It also lists the most active targets.

Actions dashboard charts

All actions over the specified time frame: A chart showing the number of targets filtered by the type of action for each time frame. Click the chart to open the Target Types All report with the Filter by Action filter applied. The types of action are:
- Enforce default rights
- Drop admin rights
- Canceled
- Passive
- Sandboxed
- Blocked
- Elevated
- Custom
Distinct target count by action: A chart showing the target count filtered by the type of action. Click the chart to open the Target Types All report with the Filter by Action filter applied. The types of action are:
- Enforce default rights
- Drop admin rights
- Canceled
- Passive
- Sandboxed
- Blocked
- Elevated
- Custom
Top 10 targets: A chart showing the ten most used targets by process count. Click the chart to open the Events All report with the Target Description filter applied.

Actions Elevated

The Actions Elevated report shows three charts for the Elevated action.

Elevated actions filtered by the target type per time period: Click an area in the chart to open the Target Types > All report with the Filter By Target Type and Filter by Action filters applied.
Distinct target count by the target type for the duration of the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All report with the Filter By Target Type and Filter by Action filters applied.
The top 10 Targets: Click an area in the chart opens the Events > All table with the Action and Target Description filters applied.

Target types

All
Application
Services
COM
Remote PowerShell
ActiveX
URL
Content

Actions Blocked

The Actions Blocked report shows three charts for the blocked action:

Blocked actions filtered by the target type per time period: Clicking an area in the chart opens the Target Types > All report with the Filter by Action and Filter By Target Type applied.
Distinct target count by the target type for the duration of the time period: Clicking an area in the chart or the URLs in the legend opens the Target Types > All report with the Filter by Action and Filter By Target Type applied.
The top 10 targets: Clicking an area in the chart opens the Events > All table with the Target Description filter applied.

Target types

All, Application
Services
COM
Remote PowerShell
ActiveX
URL
Content

Actions Passive

The Actions Passive report shows three charts for the passive action:

Passive actions filtered by the target type per time period: Click an area in the chart to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
Distinct target count by the target type for the duration of the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
The Top 10 Targets: Click an area in the chart to open the Events > All table with the Target Description filter applied.

Target types

All
Application
Services
COM
Remote PowerShell
ActiveX
URL
Content

Actions Canceled

The Actions Canceled report shows three charts for the canceled action:

Canceled actions filtered by the target type per time period: Click an area in the chart to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
Distinct target count by the target type for the duration of the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
The top 10 Targets: Click an area in the chart to open the Events > All table with the Target Description filter applied.

Target types

All
Application
Services
COM
Remote PowerShell
ActiveX
URL
Content

Actions Other

The Other report is similar to the Action report but shows the less common action types. The default token type in this view is Custom.

The Actions Other report shows three charts for the other action:

Actions with a Custom Token applied filtered by the target type per time period: Click an area in the chart to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
Actions with a Custom Token applied filtered by the target type for the duration of the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
The top 10 actions with a Custom Token applied: Click an area in the chart to open the Events > All table with the Target Description filter applied.

Target types

All
Application
Services
COM
Remote PowerShell
ActiveX
URL
Content

Actions Custom

The Actions Custom report shows three charts for the custom action:

Custom actions filtered by the target type per time period: Click an area in the chart to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
Distinct target count by the target type for the duration of the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All report with the Filter by Action and Filter By Target Type applied.
The top 10 Targets: Click an area in the chart to open the Events > All table with the Target Description filter applied.

Target type

All
Application
Services
COM
Remote PowerShell
ActiveX
URL
Content

Target Types dashboard

Shows all the Endpoint Privilege Management activity over the specified time interval by target type. The Target Types > All report lists the targets in tabular form sorted by user count. The subheadings below the Target Types dashboard link filter the dashboard to show audits only of the selected type (Applications, Services, COM, Remote PowerShell, ActiveX, All).

The Targets Types dashboard breaks down the target activity by the type of target.

Charts

All activity over the last (time interval): A chart showing the target count filtered by target type across the specified time period. Click the chart to open the Target Types All report with the Filter by Target Type filter applied.
Target types
ActiveX
Application
Content Control
URL
Remote PowerShell
COM
Service Control
By type: A chart and table showing the total target count by target type. lick the chart to open the Target Types All report with the Filter by Target Type filter applied.
Target types
ActiveX
Application
Content Control
URL
Remote PowerShell
COM
Service Control
Top 10 activities: A chart showing the 10 most common activities by process count. A unique activity is defined by the type of action and the target name. Click the chart to open the Target Types All report with the Filter by Target Type filter applied.

Target Types Applications

The Target Types Applications report shows three charts for the application target type:

Applications activity over the time period: Click an area in the chart to open the Target Types > All report with the Filter By Target Type and Application Type filters applied.
Applications filtered by the application type active during the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All Report with the Filter By Target Type and Application Type filters applied.
The top 10 application activities: Click an area in the chart to open the Events > All table.

Application types

Windows Store Application
PowerShell Script
Installer Package
Uninstaller
Control Panel Applets
Registry Settings
Windows Script
Management Console Snapin
Executable
Uninstaller
Batch File
Binary
Bundle
Package
System Preference
Sudo Control
Script

Target Types COM

The Target Types COM (Component Object Model) report shows three charts for the COM target type:

COM target types filtered by type of action over the time period: Click an area in the chart to open the Target Types > All report with the Filter By Action and Filter by Target Type filters applied.
COM target types filtered by the type of action for the duration of the time period: Click an area in the chart or the URLs in the legend to open the Target Types > All report with the Filter By Action and Filter by Target Type filters applied.
The top 10 COM target types: Click an area in the chart to open the Events > All table with the Filter by Action and Filter by Target Type filters applied.

Target Types Remote PowerShell

The Target Types Remote PowerShell report shows three charts for the Remote PowerShell target type:

Remote PowerShell target types filtered by type of action over the time period: Click an area in the chart to open the Target Types > All report with the Filter By Action and Filter by Target Type filters applied.
Remote PowerShell target types filtered by the type of action for the duration of the time period. Click an area in the chart or the URLs in the legend to open the Target Types > All with the Filter By Action and Filter by Target Type filters applied.
The top 10 Remote PowerShell activities. Click an area in the chart to open the Events > All table with the Target Type and Activity ID filters applied.

Target Types All

The table lists all applications active in the time period, grouped by the application description and ordered by user count descending.

Columns

Description: The description of the application.
Platform: The platform the events came from.
Publisher: The publisher of the application.
Product Name: The product name of the application.
Application Type: The type of application.
Product Version: The version number of the application.
# Process Count: The number of processes.
# User Count: The number of users.
# Host Count: The number of hosts.

Some of these columns allow you to drill down to additional information:

i icon: Opens the Application report with the Application Desc and Publisher filters applied.
Process Count: Opens the Events > All table with the Distinct Application ID filter applied.
User Count: Displays a list of users who generated events with that application within the time period.
Host Count: Displays a list of hosts that generated events with that application within the time period.

To see only applications controlled automatically or only applications launched using the shell menu, you can use the Shell or Auto filter. The values can be useful in discovering how many times applications are automatically elevated in comparison to deliberately elevated by the user through shell elevation.

Trusted Application Protection dashboard

Summarizes all the Trusted Application Protection incidents. Incidents are defined as a child process blocked from running because it matched the rules in the Trusted Application Protection policy or a DLL blocked from loading by a Trusted Application because it did not have a trusted owner or trusted publisher.

There are no advanced filters for the Trusted Application Protection dashboard.

Charts

Trusted Application Protection incidents over the time period: A column chart showing the number of incidents filtered by the trusted application. Click the chart to open the Process Details table with the Trusted Application Protection Dashboard with time range filters applied.
Trusted Application Protection incidents, by application: A table listing each trusted application, the number of TAP incidents, the number of Targets, the number of Users, and the number of Hosts affected.
Click the Incidents number to open the Process Details report with the Trusted Application Name filter applied.
Click the Targets number to open the Targets > All table with the Trusted Application Name filter applied.
Top 10 targets (top # of total #): The top 10 targets for TAP incidents.
Click the Target to open the Application report with the Application Type and Distinct Application ID filters applied.
Click the Incident number to open the Process Details report with the Distinct Application ID filter applied. Clicking the Users or Hosts number opens the Users or Hosts list respectively.

Workstyles dashboard

The Workstyles report displays how the Workstyles you deployed are used within the specified time period.

Charts

All Workstyles over the time period: A table showing the number of Workstyles that matched, the number of hosts, the number of users, and the applications affected by those Workstyles. Workstyles are shown as a percentage of the total in the database, irrespective of any filters apart from Time Range.
Click the count for Workstyles, users, or hosts to display a list of the entities. Click the count of applications affected to open the Target Types > All table.
Summary by process activity (top 10): Shows the top 10 most active Workstyles filtered by the type of action.
The types of actions are:
- Elevated
- Blocked
- Enforce default token
- Custom
- Canceled
- Sandboxed
- Passive
- Drop admin Rights
  Click the chart to open the Events All report with the Action and Workstyle (may include wildcard match) filters applied.
% Coverage by Workstyle (Top 10): A chart showing the percentage of users and hosts that the most active Workstyles cover. The Workstyles are ordered by the total number of users and hosts affected.
Click this chart to display a list of users or hosts affected by the Workstyle.
Process Coverage by Workstyle: A chart showing the process activity by Workstyle.
Click this chart to open the Events All report with the Filter by Event Category and Workstyle filters applied.
Process Coverage by Group Policy Object: A chart showing the process activity filtered by policy.
Click this chart to open the Events All report with the Filter by Event Category and GPO Name filters applied.
Top 10 Elevating Workstyles: A chart showing the Workstyles responsible for the most individual applications being elevated.
Click the chart to open the Target Types All report with the Filter by Action filter applied.
Top 10 Blocking Workstyles: A chart showing the Workstyles responsible for the most individual applications being blocked.
Click the chart to open the Target Types all report with the Filter by Action filter applied.
Top 10 Passive Workstyles: A chart showing the Workstyles responsible for the most individual applications being passively audited.
Click the chart to open the Target Types All report with the Filter by Action filter applied.
Top 10 Custom Token Workstyles: A chart showing the Workstyles responsible for the most individual applications having a Custom Token applied.
Click the chart to open the Target Types All report with the Filter by Action filter applied.

Users dashboard

The Users report links to the User Experience report.

User Experience report

The report shows how users interacted with Messages, Challenge/Response dialog boxes, and the Shell (On-Demand) menu.

User Experience over the time period: A chart showing the percentage of users that experienced each interaction type filtered by the specified time period.
Click the chart to display a list of users presented with that interaction.
Message Distribution: A chart showing how many users are in the defined categories of messages per time period.
Click the chart to display a list of users in that category.
Messages per action type: A table showing message types displayed for Allowed and Blocked actions.
Click the Prompts, Notifications or counts, or table to open the Events All report with the Action and Message Type filters applied.

Privileged Logons report

The Privileged Logon report shows you how many accounts with Standard rights, Power User rights and Administrator rights generated logon events filtered by the time frame.

Privileged Logons over the last (time interval): A chart and table showing the number of logons by the account types over time.
Click the chart to open the User Logons table with the Show Administrator Logons, Show Power User Logons and Show Standard User Logons filters applied.
Logons by Account Privilege: A chart showing the total number of logons filtered by the different account types.
Click the chart to open the User Logons table with the Show Administrator Logons, Show Power User Logons and Show Standard User Logons filters applied.
Logons by Account Type: A chart showing the total number of logons filtered by Domain Accounts and Local Accounts. Click the chart to open the User Logons table with the Account Authority filter applied.
Top 10 Logons by Chassis Type: A chart showing the total number of logons filtered by the top 10 Chassis types.
Click the chart to open the User Logons table with the Chassis Type filter applied.
Top 10 Logons by host Operating System: A chart showing the total number of logons filtered the top 10 host operating systems.
Click the chart to open the User Logons table with the OS filter applied.
Top 10 Accounts with Admin Rights: A chart showing the top 10 accounts with Admin rights that have logged into the most host machines.
Click the chart to open the User Logons table with the User Domain and User Name filter applied.
Top 10 hosts with Admin Rights: A chart showing the top 10 host machines logged on to by the most users with Admin Rights
Click the chart to open the User Logons table with the Host Name, Show Administrator Logons filter applied.

Privileged Account Management

The Privileged Account Management report shows any blocked attempts to modify Privileged Accounts over the specified time interval.

Privileged Account Management over the last (time interval): A chart breaking down the PAM events by time period.
Click the chart to display the Privileged Account Management table with the Range Start Time and Range End Time filters applied.
Table showing users blocked, hosts blocked, applications blocked and total blocked modifications: A table showing the number of Users blocked, the number of Hosts blocked, the number of Applications blocked, and the Total number of blocked events within the specified time frame.
Click the count numbers to open the Privileged Account Management table.
By Privileged Group: A chart showing the Privileged Account Modification activity blocked by Windows group name.
Click the chart to open the Privileged Account Protection table with the Group Name filter applied.
Top 10 applications attempting account modifications: A chart showing the Privileged Account Modification activity that was blocked broken down by the Application Description.
Click the chart to open the Privileged Account Management table with the Application Description filter applied.
Top 10 users attempting account modifications: A chart showing the top 10 users who attempted modifications.
Click the chart to open the Privileged Account Management table with the User Name filter applied.
Top 10 hosts attempting account modifications: A chart showing the top 10 Hosts attempting privileged account modifications.
Click the chart to open the Privileged Account Management table with the Host Name filter applied.

Deployments dashboard

The Deployments dashboard shows you the versions of Endpoint Privilege Management that are currently installed in your organization. The dashboard filters the deployments by operating system, default language, chassis type, and operating system type.

Charts

By Endpoint Privilege Management Client Version: A chart showing the versions of the Endpoint Privilege Management agents that are deployed filtered by the number of deployments. Click the chart to display the Deployments table with the Agent Version filter applied.
By Operating System: A chart showing the number of deployments filtered by the operating system. Click the chart to display the Deployments table with the Operating System filter applied.
By Default Language: A chart showing the number of deployments filtered by the default language. Click the chart to display the Deployments table with the Default UI Language filter applied.
By Chassis Type: A chart showing the number of deployments filtered by chassis type. Clicking the chart displays the Deployments table with the Chassis filter applied.
By Operating System Type: A chart showing the number of deployments filtered by the type of operating system. Click the chart to display the Deployments table with the Operating System Type filter applied.

Requests dashboard

This report shows information about user requests raised over the specified time frame. A Blocked message with a reason entered or a canceled Challenge/Response message are requests.

Charts

All Requests over the last (time interval): A column chart showing the number of the different request types filtered by the time period. Click the chart to open the Requests All report with the Request Type filter applied for the date range.
Requests by Workstyle: A chart showing the number of different request types filtered by the Workstyle. Click the chart to open the Requests All report with the Request Type and Workstyle (may include wildcard match) filters applied.
Requests by Target Type: A chart showing the number of the different request types filtered by the Target Type. Click the chart to open the Requests All report with the Request Type filter applied for the date range.
Top 10 Activities Requested: A chart showing the number of the different request types filtered by the Target Name. Click the chart to open the Requests All report with the Request Type and Application Desc filters applied.

Requests All

This report lists all the requests over the specified time period. Filters can be added using the dropdown Filter Panel and the table can be sorted by a specific column by clicking on the vertical arrows next to each column name.

The following columns are available for the Windows Requests All table:

Start Time: The start time of the event.
Description: The description of the application.
Workstyle: The name of the Workstyle that triggered the event.
User Name: The user name of the user who triggered the event.
Host Name: The host name where the event was triggered.
User Reason: The reason the user provided for the request.
Request Type: The type of request.
Reputation: The reputation of the application.

Some of these allow you to drill down to additional information:

The i icon opens the Event report for that request.

Events dashboard

This report shows information about the types of events raised over the specified time period. It also shows the time elapsed since a host raised an event.

Charts

Events over the last (time interval): A column chart showing the number of the different Event Types filtered by the time period. Click the chart to open the Events All report with the Filter by Event Category filter applied.
Event Types: A chart showing the number of events received filtered by the Event Type. Click the chart to open the Events All report with the Event Number filter applied.
By Category: A chart displaying the events received filtered by Category. Click the chart to open the Events All report with the Filter by Event Category filter applied.
Time since last endpoint event: A chart showing the number of endpoints in each time since last event category.

Database Administration report

The Database Administration report is an optional feature and will only be available if you check the Install audit database administration report box during the Reporting Pack installation.

To view the report, navigate to it from the Reporting root directory.

In your web browser, go to the URL https://hostname/ReportServer. If you are using a named SSRS instance, the URL is https://hostname/ReportServer_InstanceName:

Click the BeyondTrust Endpoint Privilege Management link where Reporting or Avecto Privilege Guard is the name of your Reporting database.
From the top of the list, click the Admin link.
Click the ErpEventsAdmin link.

The Database Administration report provides application event purge and exclusion functions. In some situations applications create an audit data volume that exhausts capacity. These functions allow you to respond to excess event data quickly.

Charts

Events generated over the last 12 months: Displays the number of events across all your applications for the last 12 months.
Events totals (over all time): Displays the number of events in the database filtered by processes, events, user sessions, and host sessions.
Purging options: Purging data removes the data from the database using the Purging Options available from the report:
- Purge data older than 6 months
- Purge data older than 3 months
- Purge data older than 1 month
- Purge all data
Top 20 applications in database: The table displays the top 20 applications in the database by the number of events they generate.
Click Purge to purge the events from that application. Future events will still be captured.
Click Purge & Exclude to purge the events from that application and stop future events from being collected. Excluded applications appear in the table at the bottom and can be removed from the exclusion list.