
Analytics provides detailed activity information for computers in your environment. Areas covered include:

  • Summary dashboard
  • Events
  • Discovery
  • Actions
  • Target types
  • Users

The Analytics UI offers an interactive experience. View high-level data points or drill down to see more detail.

  • Bar charts and graphs provide a big picture view of the data. You can drill down on a particular data point to see more detail.
  • Filters help to refine the scope of data displayed when you want to focus in on certain data points.
  • Links on certain data points lead to additional event detail.

Event data caching

Event data is cached to reduce load times. The data is cached only for the following reports: Events > All, Events > Process Detail, Target Types and Discovery reports.

The expiry of the cache depends on the Time Range filter set for the report:

  • 24 hours is live
  • 7 days expires after 1 hour
  • 30 days or higher expires after 24 hours

Export to a CSV file

The number of items that can be displayed at one time might be limited by the browser display. Use Export to CSV to save the items to a CSV file.

On a report page where Export to CSV is available, you must select the filter Row Count for Export (Max 5M), and then enter the number of rows to include in the CSV file.

All filters are saved to the file.

Summary dashboard

The bar charts on the dashboard represent the most important activity that has occurred in the time period defined by the quick filter.

The Administration, Applications, and Incidents tables provide information to help inform Workstyle development or to show anomalous user behavior in your organization.

When available, drill down to see more details.

Events reporting

The Events Summary dashboard shows information about the different types of events that have been raised over the specified time period. It also shows the time elapsed since a host raised an event.

Event reporting includes:

  • Events All Reports:
  • Process Detail Report: Provides information about a specific process control event. Only processes that match rules in Workstyles are displayed.

Event types

Endpoint Privilege Management sends events to the local Application event log, depending on the audit and privilege monitoring settings in the Endpoint Privilege Management policy.

The following events are logged by Endpoint Privilege Management:

Event ID   Description
100        Process has started with admin rights added to token.
101        Process has been started from the shell context menu with admin rights added to token.
103        Process has started with admin rights dropped from token.
104        Process has been started from the shell context menu with admin rights dropped from token.
106        Process has started with no change to the access token (passive mode).
107        Process has been started from the shell context menu with no change to the access token (passive mode).
109        Process has started with user’s default rights enforced.
110        Process has started from the shell context menu with user’s default rights enforced.
112        Process requires elevated rights to run.
113        Process has started with Custom Token applied.
114        Process has started from the shell context menu with user’s Custom Token applied.
116        Process execution was blocked.
118        Process started in the context of the authorizing user.
119        Process started from the shell menu in the context of the authorizing user.
120        Process execution was canceled by the user.
199        Process execution was blocked, the maximum number of challenge / response failures was exceeded.

Note: With our SIEM Integration, we only support a subset of all event types.
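The event IDs listed above can drive a first-pass triage of collected events. The following is an added example, not code from the product or its documentation: the category labels, the CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs and their meanings come from the table above. The category
# labels are this example's own grouping, not product-defined names.
EVENT_CATEGORY = {
    100: "elevated", 101: "elevated", 103: "drop_admin", 104: "drop_admin",
    106: "passive", 107: "passive", 109: "default_rights", 110: "default_rights",
    112: "elevation_required", 113: "custom_token", 114: "custom_token",
    116: "blocked", 118: "authorizing_user", 119: "authorizing_user",
    120: "canceled", 199: "blocked_challenge_failures",
}
# IDs the table describes as started from the shell (context) menu.
SHELL_MENU_IDS = {101, 104, 107, 110, 114, 119}

# Constructed sample rows; the column names are assumptions.
SAMPLE_CSV = """host,user,event_id,process
WS-014,alice,100,installer.exe
WS-014,alice,112,regedit.exe
WS-014,alice,112,regedit.exe
WS-022,bob,116,tool.exe
WS-022,bob,199,tool.exe
WS-031,carol,107,notepad.exe
WS-031,carol,777,unknown.exe
"""

def triage(csv_text):
    """Summarise events by category and collect rows worth a closer look."""
    counts = Counter()
    needs_rule = defaultdict(set)        # process -> users who raised event 112
    challenge_failures, unknown, shell_menu = [], [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["event_id"].strip()
        eid = int(raw) if raw.isdigit() else -1
        category = EVENT_CATEGORY.get(eid)
        if category is None:
            unknown.append(raw)          # not in the documented table
            continue
        counts[category] += 1
        shell_menu += eid in SHELL_MENU_IDS
        if eid == 112:                   # candidate for Workstyle rule review
            needs_rule[row["process"]].add(row["user"])
        elif eid == 199:                 # challenge / response failures exceeded
            challenge_failures.append((row["host"], row["user"], row["process"]))
    return {"counts": dict(counts), "shell_menu": shell_menu,
            "needs_rule": {p: sorted(u) for p, u in needs_rule.items()},
            "challenge_failures": challenge_failures, "unknown": unknown}
```

Rows with event 199 and processes that repeatedly raise event 112 are the ones to review first; IDs outside the documented table are returned separately rather than silently dropped.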

Discovery reporting

The following discovery reports are available:

  • Dashboard: Displays information about applications discovered for the first time. An application is first discovered when an event is received by the Reporting database.
  • Discovery by Path: Displays all distinct applications installed in certain locations that are discovered during the selected time frame.
  • Discovery by Publisher: Displays the discovered applications grouped by publisher. Where there is more than one application per publisher, click + to expand the entry to examine each application.
  • Discovery by Type: Displays applications filtered by type. When there is more than one application per type, click the link in the Type column to see more information about each application.
  • Discovery Requiring Elevation: Displays the applications that were elevated or required admin rights.
  • Discovery from External Sources: Displays all applications that have originated from an external source, such as the internet or an external drive.
  • Discovery All: Lists all applications discovered in the time period, grouped by the application description. If multiple versions of the same application exist, they are grouped on the same line. Click the plus (+) icon to view the different versions.

Actions reporting

Data is collected for the following actions:

  • Elevated: Shows the elevated application activity by target type.
  • Blocked: Shows the blocked application activity by target type.
  • Passive: Shows the passive application activity by target type.
  • Canceled: Shows the canceled application activity by target type.
  • Custom: Shows the custom application activity by the type of action.
  • Drop Admin Rights: Shows the drop admin application activity by target type.

When viewing the data, use the interactive graphs to see high-level metrics and drill down to see more information on the collected data.

Target types reporting

The Target Types report lists all applications active in the time period, grouped by application description and ordered by user count, descending.

When a specific platform is selected from the Platform list, the Action list populates only with the actions available to that platform.

Users reporting

There are three reports for users:

  • User Experience: Shows the number of users that interacted with EPM events, and is broken down over the selected time frame.
  • Users Privileged Logons: Shows the number of accounts with standard user rights, power user rights, and administrator rights that have generated logon events, broken down over the selected time frame. On the User Session report, accessed from the Privileged Logons report, view more details about the privileged logon account sessions. The details include the user name, logon time, account type, domain, etc.
  • Users Privileged Account Management: Shows any blocked attempts to modify privileged accounts over the selected time interval.

©2003-2025 BeyondTrust Corporation. All Rights Reserved.