
Event analytics

What are events?

Events are processes that have occurred in your EPM for Windows and Mac-managed applications.

How is the Events page useful?

Use the Events page to find all elevated applications, applications that are newly matched to an application rule, or applications that are elevated by on-demand application rules.

Best practices

  • When an application rule matches on a new or unknown application, we recommend you add that application to an existing policy, or create a new policy specifically for that application.
  • If an elevated application is higher risk or unwanted, we recommend you add it to a block rule.

The Events page

  1. Analytics tabs: Access the Dashboard, Events, Applications, and Users pages.
  2. Filters: Select a filter to refine your results. Click Clear Filters to remove all filters from your results.

    👍

    Available filters
    Event Time
    Event Type
    Event Action
    Application Type
    Publisher
    App name
    App description
    Executable Path
    File Path
    Admin Required
    Computer Groups
    Operating System
    Host Name
    Host Domain
    User Name
    User Domain
    User ID
    User Domain ID
    Policy Name
    Policy Revision
    Message Name
    Workstyle Name
    Application Group
    Application Description
    Rule Action
    User Reason
    On Demand
    Token
    Token Description
    Command Line
    Process ID
    Parent Process ID
    App Version
    Drive Type
    Host ID
    Host Domain ID
    Authorizing User Domain ID
    Authorizing User Name
    IP Addresses
    File Owner ID
    File Owner Name
    File Owner Domain Name
    Parent Process File Name
    Download URL
    Authorization Challenge Code
    Unique Process ID
    Product Code
    Upgrade Code
    Authorization Method
    JIT Admin Session
    JIT Admin Ticket Number
    Elevation Method
  3. Save View and Load View: Save your filter preferences and load the view later for quick access to your most frequently used preferences.
  4. Add To Policy: Select events to add to your policy.
  5. List options: Click the icons to refresh the list, download the list to a .csv file, select which columns to display on the page, and configure your page display.
  6. Columns: At-a-glance details for each event.

View an event's details

  1. From the left menu, click .
    The Analytics page displays.
  2. Click Events.
    The Events page displays.
  3. Locate the event you want to view.
  4. Click the Event Time.
    The Event Details panel displays, where you can review the event's application, policy, process, rule script, and session data.
  5. Optionally, click to open the Event Details page, which displays additional data, including COM, process hierarchy, Trusted Application Protection status, and more.

Add an event's application to a policy

📘

Note

You can only add an event's application to an unlocked policy.

  1. From the left menu, click .
    The Analytics page displays.
  2. Locate the event that contains an application you want to add to a policy.
  3. In the event row, click .
    The Add to Policy panel displays.
  4. Select an unlocked policy and available application group from the drop-down list.
  5. Click Add and Edit Policy.
    The Policy Editor opens and the Applications Group page displays.
  6. Edit the application settings.
  7. Click Save Changes.
    The policy saves.

Look up VirusTotal score

If you are using VirusTotal, update the reputation score on the Events page or the Event Details panel. A valid reputation for an application can help you make an informed decision on how to manage that application in your policy.

EPM caches the VirusTotal score and the URL. The URLs expire after 3 days. Click the VirusTotal icon to retrieve the latest value from VirusTotal.

To see the latest VirusTotal score:

Click the score or the VirusTotal icon to open the VT Augment widget for additional insights on the reputation of the file.

On the Events page, the following information helps you evaluate the reputation score on a file:

  • The VirusTotal score for applications that have a hash.
  • Integration with the VT Augment widget, which returns the HTML content of the widget report for a given observable.
  • A VirusTotal icon next to the score, which refreshes that row for events with VirusTotal support.
  • A Timestamp column with the last lookup time of the VT Augment widget.

Additionally, the Event Details panel provides the VirusTotal score and last lookup time.

ℹ️

Note

For more information about setting up VirusTotal, see VirusTotal Settings.

Export to CSV

Click the Download icon to export all analytics data results in the currently filtered result set. The CSV download can include up to 5 million records when downloading from the Events page.

When saving an export file for events, you can set the number of records to download, the columns to include, and a file name.

Click the Notifications icon when the file is ready to download. Notifications only apply to the Events page.
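The following added example (not BeyondTrust code) shows one way to summarize an exported events CSV offline, grouping elevated applications so they can be reviewed against the best practices above. It assumes the CSV column headers match the filter names listed on this page and that the cell values look like the constructed sample; adjust both to your actual export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Header names are assumed to match the filter names
# on the Events page; the cell values ("Elevated", "Yes") are assumptions too.
SAMPLE_CSV = r"""Event Time,Event Action,App name,Publisher,Executable Path,Host Name,User Name,On Demand
2025-01-10T09:00:00Z,Elevated,Setup Tool,Example Corp,C:\Program Files\Setup\setup.exe,HOST-01,alice,No
2025-01-10T09:05:00Z,Elevated,Setup Tool,Example Corp,C:\Program Files\Setup\setup.exe,HOST-02,bob,No
2025-01-10T10:00:00Z,Elevated,helper,,C:\Users\carol\Downloads\helper.exe,HOST-03,carol,Yes
2025-01-10T11:00:00Z,Allowed,Notepad,Example Corp,C:\Windows\notepad.exe,HOST-01,alice,No
"""

def summarize_elevations(rows, elevated_value="Elevated"):
    """Group elevation events by (publisher, app, path) for policy review.

    `rows` is any open text file or file-like object; it is streamed row by
    row, so a multi-million-record export does not have to fit in memory.
    """
    groups = defaultdict(lambda: {"events": 0, "hosts": set(), "users": set(), "on_demand": 0})
    for row in csv.DictReader(rows):
        if (row.get("Event Action") or "").strip().lower() != elevated_value.lower():
            continue
        key = tuple((row.get(col) or "").strip()
                    for col in ("Publisher", "App name", "Executable Path"))
        g = groups[key]
        g["events"] += 1
        g["hosts"].add((row.get("Host Name") or "").strip())
        g["users"].add((row.get("User Name") or "").strip())
        if (row.get("On Demand") or "").strip().lower() in ("yes", "true", "1"):
            g["on_demand"] += 1
    report = [{"publisher": pub or "<none>", "app": app, "path": path,
               "events": g["events"], "hosts": len(g["hosts"]),
               "users": len(g["users"]), "on_demand": g["on_demand"]}
              for (pub, app, path), g in groups.items()]
    # On-demand elevations first, then the applications seen on the most hosts.
    report.sort(key=lambda r: (-r["on_demand"], -r["hosts"], r["app"]))
    return report

def sample_report():
    """Run the summary over the constructed sample above."""
    return summarize_elevations(io.StringIO(SAMPLE_CSV))

if __name__ == "__main__":
    for entry in sample_report():
        print(entry)
```

For a real export, pass an open file handle, for example `open(path, newline="", encoding="utf-8")`, instead of the sample string.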

Save and load views

EPM users with Analyze Group permissions can create and save a set of filters and columns so that the same set of filters does not have to be selected every time Analytics is accessed. Saving viewing preferences provides an easy way to return to views of data used frequently to monitor Endpoint Privilege Management activity in the estate.

You can load and save data sets from the Events page, Applications page, and Users page.

Access views on any device regardless of the device the views were created on.

  1. After selecting filters, select Save View to retain those preferences for viewing later. Preferences are saved locally.
  2. If a view name already exists, select Overwrite existing view, and then select the view you want to replace.
  3. The next time you access Analytics, your view settings are preserved. Click Load View to select and load a view.
  4. On the Load Event View pane, you can delete and refresh views.

Recommended views

The recommended views provide a selection of the most useful predetermined views. Use the views to review collected data and make informed decisions around policy editing.

  1. To access the views, go to Analytics.
  2. Click the Events tab.
  3. Click Load View, and then click the Recommended Views tab.

Recommended views for events load with the default filters.

| Name | Description |
| --- | --- |
| Process Details | Find every process that EPM is controlling, with flexible filtering options, to zero in on the data of interest. The report name in legacy reporting: Process Details |
| User Interactions | Overview of how much friction end users are experiencing, so you can improve their experience without jeopardizing security. The report name in legacy reporting: User Experience |
| Privileged Group Protection | Shows all events where EPM prevented a user from modifying a privileged group, for example, adding a user to the Admins group. The report name in legacy reporting: Privileged Account Management |

©2003-2025 BeyondTrust Corporation. All Rights Reserved.