Event analytics
What are events?
Events are records of process activity that EPM for Windows and Mac has observed on managed applications.
How is the Events page useful?
Use the Events page to quickly find all elevated applications, applications that are newly matched to an application rule, and applications that are elevated by on-demand application rules.
Best practices
- When an application rule matches on a new or unknown application, we recommend you add that application to an existing policy, or create a new policy specifically for that application.
- For elevated applications that are higher-risk or unwanted, we recommend you add them to a block rule.
The Events page
- Analytics tabs: Access the Dashboard, Events, Applications, and Users pages.
- Filters: Select a filter to refine your results. Click Clear Filters to remove all filters from your results.
  Available filters:
  - Event Time
  - Event Type
  - Event Action
  - Application Type
  - Publisher
  - App name
  - App description
  - Executable Path
  - File Path
  - Admin Required
  - Computer Groups
  - Operating System
  - Host Name
  - Host Domain
  - User Name
  - User Domain
  - User ID
  - User Domain ID
  - Policy Name
  - Policy Revision
  - Message Name
  - Workstyle Name
  - Application Group
  - Application Description
  - Rule Action
  - User Reason
  - On Demand
  - Token
  - Token Description
  - Command Line
  - Process ID
  - Parent Process ID
  - App Version
  - Drive Type
  - Host ID
  - Host Domain ID
  - Authorizing User Domain ID
  - Authorizing User Name
  - IP Addresses
  - File Owner ID
  - File Owner Name
  - File Owner Domain Name
  - Parent Process File Name
  - Download URL
  - Authorization Challenge Code
  - Unique Process ID
  - Product Code
  - Upgrade Code
  - Authorization Method
  - JIT Admin Session
  - JIT Admin Ticket Number
  - Elevation Method
- Save View and Load View: Save your filter preferences and load the view later for quick access to your most frequently used preferences.
- Add To Policy: Select events to add to your policy.
- List options: Refresh the list, download the list to a .csv file, select which columns to display on the page, and configure your page display.
- Columns: At-a-glance details for each event.
View an event's details
- From the left menu, click Analytics.
  The Analytics page displays.
- Click Events.
  The Events page displays.
- Locate the event you want to view.
- Click the Event Time.
  The Event Details panel displays, where you can review the event's application, policy, process, rule script, and session data.
- Optionally, open the Event Details page, which displays additional data, including COM, process hierarchy, Trusted Application Protection status, and more.
Add an event's application to a policy
Note
You can only add an event's application to an unlocked policy.
- From the left menu, click Analytics.
  The Analytics page displays.
- Locate the event that contains an application you want to add to a policy.
- In the event row, click Add To Policy.
  The Add to Policy panel displays.
- Select an unlocked policy and an available application group from the drop-down lists.
- Click Add and Edit Policy.
  The Policy Editor opens and the Application Groups page displays.
- Edit the application settings.
- Click Save Changes.
  The policy is saved.
Look up VirusTotal score
If you are using VirusTotal, you can update the reputation score of an application from the Events page or the Event Details panel. A valid reputation score helps you make an informed decision on how to manage that application in your policy.
EPM caches the VirusTotal score and the report URL. The URLs expire after 3 days. Click the VirusTotal icon to retrieve the latest value from VirusTotal.
To see the latest VirusTotal score, click the score or the VirusTotal icon. This opens the VT Augment widget, which provides additional insights on the reputation of the file.
On the Events page, the following information helps you evaluate the reputation score on a file:
- The VirusTotal score for applications that have a file hash.
- Integration with the VT Augment widget, which returns the HTML content of the widget report for a given observable.
- A VirusTotal icon next to the score, which allows a row-level refresh for events with VirusTotal support.
- A Timestamp column showing the last lookup time of the VT Augment report.
Additionally, the Event Details panel provides the VirusTotal score and last lookup time.
Note
For more information about setting up VirusTotal, see VirusTotal Settings.
Export to CSV
Click the Download all icon to export all analytics data results in the currently filtered result set. The CSV download can include up to 5 million records when downloading from the Events page.
When saving an export file for events, you can set the number of records to download, the columns to include, and a file name.
Click the Notifications icon when the file is ready to download. Notifications only apply to the Events page.
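An exported events CSV can be triaged offline against the best practices above (review applications matched to an unknown group, and consider block rules for elevated applications that are higher-risk). The following script is an added example, not part of EPM or this documentation: it parses a constructed sample export and sorts the events into the groups a reviewer would look at first. The column headers mirror the filter names on the Events page; the exact export headers and the values used in the Rule Action, Token and Application Group columns are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample of an Events CSV export (not real EPM output). Header names
# follow the Events page filters; the Token, Rule Action and Application Group
# values are assumptions for this example.
SAMPLE_EXPORT = """\
Event Time,Publisher,App name,Executable Path,Admin Required,Policy Name,Application Group,Rule Action,On Demand,Token,User Name,Host Name
2024-05-01 09:02:11,Contoso Ltd,setup.exe,C:\\Users\\alice\\Downloads\\setup.exe,Yes,Default Policy,Unknown Applications,Allow,No,Passive (No Change),alice,WS-001
2024-05-01 09:15:40,Fabrikam Inc,installer.msi,C:\\Temp\\installer.msi,Yes,Default Policy,Approved Installers,Allow,No,Add Admin Rights,bob,WS-002
2024-05-01 10:01:05,Fabrikam Inc,installer.msi,C:\\Temp\\installer.msi,Yes,Default Policy,Approved Installers,Allow,No,Add Admin Rights,bob,WS-002
2024-05-01 11:30:22,Microsoft Windows,cmd.exe,C:\\Windows\\System32\\cmd.exe,Yes,Default Policy,On-Demand Elevation,Allow,Yes,Add Admin Rights,carol,WS-003
2024-05-01 12:45:09,,tool.exe,C:\\Users\\dave\\AppData\\Local\\Temp\\tool.exe,Yes,Default Policy,Unknown Applications,Allow,No,Add Admin Rights,dave,WS-004
"""

# Assumed conventions: the token that grants admin rights, and the naming used
# for catch-all application groups that match new or unknown applications.
ELEVATING_TOKEN = "Add Admin Rights"
UNKNOWN_GROUP_MARKER = "Unknown"


def parse_export(text):
    """Parse a CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_elevated(row):
    """An event counts as elevated when the rule allowed it with an elevating token."""
    return row["Rule Action"] == "Allow" and row["Token"] == ELEVATING_TOKEN


def is_newly_matched(row):
    """Events matched into an 'unknown' group are candidates for their own policy."""
    return UNKNOWN_GROUP_MARKER in row["Application Group"]


def is_on_demand(row):
    return row["On Demand"] == "Yes"


def triage(rows):
    """Group exported events into the review buckets the best practices call for."""
    elevated = Counter((r["App name"], r["Publisher"]) for r in rows if is_elevated(r))
    newly_matched = sorted({(r["App name"], r["Executable Path"]) for r in rows if is_newly_matched(r)})
    on_demand = [(r["User Name"], r["Host Name"], r["App name"]) for r in rows if is_on_demand(r)]
    # Elevated binaries with no publisher: unsigned or unknown-origin code that ran
    # with admin rights, the first candidates to review for a block rule.
    review_for_block = sorted({r["App name"] for r in rows if is_elevated(r) and not r["Publisher"].strip()})
    return {
        "elevated": elevated,
        "newly_matched": newly_matched,
        "on_demand": on_demand,
        "review_for_block": review_for_block,
    }


if __name__ == "__main__":
    report = triage(parse_export(SAMPLE_EXPORT))
    print("Elevated applications (app, publisher -> count):")
    for (app, publisher), count in report["elevated"].most_common():
        print(f"  {app:15} {publisher or '<no publisher>':20} {count}")
    print("Newly matched (review and add to a policy):", report["newly_matched"])
    print("On-demand elevations (user, host, app):", report["on_demand"])
    print("Elevated without publisher (consider a block rule):", report["review_for_block"])
```

Replace SAMPLE_EXPORT with the contents of a downloaded export file, and adjust the three assumed conventions at the top to match the token and group names used in your own policies before relying on the buckets.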