Reporting
Endpoint Privilege Management (EPM) Reporting includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of EPM activity throughout the desktop and server estate.
- A report is a dashboard or a table, and is a generic term used to describe any form of data displayed in EPM Reporting.
- The graphical elements of a dashboard or report are interactive. Click on links in reports to see the data at greater levels of granularity.
- A dashboard is a report, which at the top level, presents a series of charts and summarized data. Some dashboards have sub-reports that are presented as charts or tabular data.
- All dashboards have a Microsoft Windows view to display events from Windows endpoints. Some dashboards and reports have a macOS view.
Note
Endpoint Privilege Management Reporting is not installed out of the box in BeyondInsight. For BeyondInsight releases prior to 23.1, contact your BeyondTrust representative for assistance with installing the reporting feature in your BeyondInsight environment.
Navigate the reporting interface
The reporting interface allows you to switch between dashboards and reports and to filter data.
Navigation panel
The side navigation panel takes you to each top-level dashboard and the reports in that dashboard. Reports whose names are suffixed with All present their data in tabular form.
Dashboard and reports panel
This is the area where dashboards and reports are displayed. A dashboard is a report with multiple charts covering a wide range of data. A report is a summary table or a page focused on a particular entity.
Filter panel
Each dashboard and report has a panel above its table, chart, or graph area that displays the applied filters and a Filters dropdown.
- When you select the Filters dropdown, a Filters box appears where you can select filters to filter data based on various event properties.
- The Filters box provides a link to select Advanced Filters, allowing for more granular report data. The filters displayed in the box are unique to the specific dashboard and report.
For example, to filter the Summary report to include only a specific Workstyle:
- From the Summary dashboard, click the link to open the report to filter.
- Click the Filters dropdown.
- Click the Advanced Filters link.
- Select the Workstyle you are interested in from the dropdown.
- Click Apply Filters.
- The report data for that specific Workstyle displays in the table.
Text filters match on substrings: a partial or complete word matches anywhere in the field value.
Certain filter options support comma-separated values so you can specify a list of filter values. For example, to restrict the results to three users, enter user1,user2,user3 in the User Name field.
Any text field supports wildcards, comma-separated values (CSV), and the Does Not Match (!) operator:
Filter effect | Operator | Example |
---|---|---|
List separator | Comma (,) | value1,value2,value3 |
Wildcard | % | part% or part%part2,part3%part4 |
Negation ("does not match") | ! | !value or !value1,!value2 |
Note
Multiple "!" terms are accepted in one list. For example, "!L-CZC13127L30l,!L-CNU410DJJ7" excludes both values.
Note
When filtering tabular reports such as the Users > All table, an applied filter is displayed at the top of the table. To remove a filter, click on the x next to the filter text.
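The filter grammar above (comma-separated alternatives, the % wildcard and ! negation, all applied as substring matches) is small enough to model in a few lines. The following is an added example in Python, not BeyondTrust's code, useful for predicting what a filter will return before you apply it or for re-applying the same filter to an exported CSV offline. Two points the page does not state are assumptions here: matching is treated as case-insensitive, and when a list mixes positive and negated terms, negated terms exclude and positive terms are alternatives. The sample rows are constructed for the example.

```python
import re
from typing import Iterable

# Illustrative re-implementation of the documented text-filter syntax:
#   comma (,)  separates alternative values
#   %          wildcard inside a value
#   !          negates a value ("does not match")
# Assumptions (not stated on the page): matching is case-insensitive, a value
# without % still matches as a substring, negated terms are combined with AND
# (exclusions) and positive terms with OR (alternatives).


def _term_pattern(term: str) -> re.Pattern:
    """Turn one filter term into a regex: % becomes .*, everything else is
    literal. re.search gives the substring semantics described on the page."""
    return re.compile(".*".join(re.escape(p) for p in term.split("%")), re.IGNORECASE)


def parse_filter(expr: str):
    """Split a filter string into (include, exclude) pattern lists."""
    include, exclude = [], []
    for raw in expr.split(","):
        term = raw.strip()
        if not term or term == "!":
            continue  # tolerate "a,,b", trailing commas and a bare "!"
        if term.startswith("!"):
            exclude.append(_term_pattern(term[1:]))
        else:
            include.append(_term_pattern(term))
    return include, exclude


def matches(value: str, expr: str) -> bool:
    """True if value passes the filter expression."""
    include, exclude = parse_filter(expr)
    if any(p.search(value) for p in exclude):
        return False
    if not include:
        return True  # a purely negative filter keeps everything not excluded
    return any(p.search(value) for p in include)


def apply_filter(rows: Iterable[dict], field: str, expr: str) -> list:
    """Keep the rows whose `field` passes the filter, like a report column filter."""
    return [r for r in rows if matches(r.get(field, ""), expr)]


# Constructed sample rows in the shape of a few Events > All columns listed on
# this page (not a real export).
SAMPLE_EVENTS = [
    {"User Name": "user1", "Host Name": "L-CZC13127L30l", "Description": "mspaint.exe"},
    {"User Name": "user2", "Host Name": "L-CNU410DJJ7", "Description": "cmd.exe"},
    {"User Name": "user3", "Host Name": "WS-0042", "Description": "paint.net.exe"},
    {"User Name": "user4", "Host Name": "WS-0043", "Description": "setup.exe"},
]

if __name__ == "__main__":
    # The Note's example: exclude two host names.
    kept = apply_filter(SAMPLE_EVENTS, "Host Name", "!L-CZC13127L30l,!L-CNU410DJJ7")
    print([r["Host Name"] for r in kept])
    # Three users by comma list, then a wildcard on the description.
    print(len(apply_filter(SAMPLE_EVENTS, "User Name", "user1,user2,user3")))
    print([r["Description"] for r in apply_filter(SAMPLE_EVENTS, "Description", "%paint%")])
```

Because matching is on substrings, a term such as user1 also matches user10; when you need an exact value, anchor it with surrounding context (a domain prefix or file extension) rather than relying on the bare name.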
Quick filters and advanced filters
Quick filters
The quick filter panel on the left displays a set of predefined filters relevant to the current dashboard or report.
Name | Description |
---|---|
Platform | |
Time Range | The time range in which the actions are audited. For example, you can filter by the number of elevated actions in the last 24 hours in the Actions > Elevated report. You can choose from: |
Time First Reported | The time range filtered by the date the application was first entered in the database. For example, you can filter on the new Windows applications by publisher that were first reported in the last 7 days in the Discovery > By Publisher report. You can choose from: |
Time First Executed | The time range in which the application was first executed. For example, you can filter on the new Windows applications, by type, that were first executed in the last 30 days in the Discovery > By Type report. You can choose from: |
Target Type | Filters by a type of target. For example, you can filter on the applications canceled in the time range in the Actions > Canceled report. You can choose from: |
Action | Filters by a type of action. For example, you can filter on the services elevated in the time range in the Target Types > Services report. You can choose from: |
Application Type | Filters by application type. For example, you can filter by applications that are executables used in the time range in Target Types > Applications. You can choose from: |
Event Category | Filters by the category of the event. For example, you can filter by process events only that occur in the time range in the Events > All report. You can choose from: |
Elevate Method | Filters by the elevation method used. For example, in the Discovery > Requiring Elevation report, you can filter by new applications that were accessed using on-demand elevation within the time range. You can choose from: |
Path | Filters by the path, for example applications that were launched from the System path. You can choose from: |
Source | The media source of the application, for example whether it was downloaded from the internet or run from removable media. You can choose from: |
Challenge / Response | Filters by challenge/response events. For example, you can show only applications that required elevation and were launched following a completed challenge/response message. You can choose from: |
Admin Rights | Filters by the admin rights token. You can choose from: |
Authorization | Filters by authorization. You can choose from: |
Ownership | Groups by the type of owner. You can choose from: |
Rule Match Type | Filters on the type of matching. You can choose from: |
Advanced filters
Below are descriptions of commonly used filter options available from the Advanced Filters link in the Filters box.
Name | Description |
---|---|
Action | There are nine actions to choose from: |
Activity ID | Each Activity Type in Endpoint Privilege Management has a unique ID, generated in the database as required. For example, if you are in the Target Types dashboard and drill down in the Top 10 Activities chart, the Events > All report opens with the Activity ID already populated in the advanced filter. |
Admin Rights Required | There are three options to choose from, allowing you to filter on whether Admin Rights were required, not required, or both. For example, if you are in the Discovery > All report and set the side quick filter to Admin Rights, only applications that required admin rights are listed. |
Agent Version | The version of the Endpoint Privilege Management agent. |
Application Desc | A text field that filters on the application description. For example, in the Discovery report you can enter paint in the Application Desc field to list only applications whose description contains the string paint. |
Application Group | A text field that filters by Application Group. You can obtain the Application Group from the Policy Editor. It is also shown in some reports such as Process Detail, which is accessed from Events > All. |
Application Type | A text field that filters by application type. You can obtain the application type from the Policy Editor. It is also shown in some reports such as Process Detail, which is accessed from Events > All. |
Auth Methods | The type of authentication method selected in the Policy Editor. Multiple values can be present and are comma separated. Possible values: Identity Provider, Password, Challenge Response, Smart Card, and User Request. |
Auth User Name | The name of the user that authorized the message. |
Browse Source URL | The source URL of the sandbox. |
Browse Destination URL | The destination URL of the sandbox. |
Chassis | The physical form of the endpoint. A value of Other indicates a virtual machine. |
Command Line | A text field that filters on the command line. It is also shown in some reports such as Process Detail, which is accessed from Events > All. |
Context | This field is used by Reporting. You do not need to edit it. |
Date Field to filter on | There are three options to choose from: |
Default UI Language | The default language of the endpoint. |
Device Type | The type of device that the application file was stored on. You can select from: |
Distinct Application ID | This field is used by Reporting. You do not need to edit it. |
Elevation Method | There are five options to choose from, allowing you to filter events by the type of elevation used: |
Event Number | This field is used by Reporting. You do not need to edit it. It is the number assigned to the event type. |
External Source | There are four options to choose from, allowing you to filter by the type of external source that the application file came from: |
File Name | You can filter by a partial file name string if required, for example in the Process Detail report. |
File Version | You can filter on the file version in the Advanced View of the Process Detail report. |
GPO Name | You can filter on the Group Policy Object (GPO) name in some of the advanced reports such as Process Detail. |
Host Name | Filters by the name of the endpoint the event came from. |
Idp Authentication user name | The credential provided when adding an Identity Provider authorization message in the Policy Editor. |
BeyondTrust Zone Identifier | The BeyondTrust Zone Identifier. This tag persists, so you can still filter on it even if the ADS tag applied by the browser has been removed. |
Ignore "Admin Required" Events | This field is used by Reporting. You do not need to edit it. |
Just Discovery Events | This field is used by Reporting. You do not need to edit it. |
Message Name | The name of the message that was used. |
Message Type | The type of message: |
Number to Get | The number of rows to get from the database. |
Operating System Type | The type of operating system: |
Operating System | The operating system of the client machine. |
Parent PID | The operating system process identifier of the parent process. |
PID | The operating system process identifier. |
Product Name | The product name of the application. |
Product Version | The product version of the application. |
Program Files Path | Sets the Program Files path used by the Discovery > By Path report. |
Publisher | The publisher of the application. |
Range End Time | The end time of the range being displayed. |
Range Start Time | The start time of the range being displayed. |
Request Type | The type of request: |
Row Limit | The maximum number of rows to be retrieved from the database. |
Rule Match Type | The type of rule match: |
Sandbox | The sandboxed setting: |
Rule Script Affected Rule | True when the Rule Script (Power Rule) changes one or more of the default Endpoint Privilege Management rules, otherwise false. |
Rule Script File Name | The Rule Script (Power Rule) file name on disk, if applicable. |
Rule Script Name | The name of the assigned Rule Script (Power Rule). |
Rule Script Output | The output of the Rule Script (Power Rule). |
Rule Script Publisher | The publisher of the Rule Script (Power Rule). |
Rule Script Result | The result of the Rule Script (Power Rule). One of: <None>; Script ran successfully; [Exception Message]; Script timeout exceeded: <X> seconds; Script execution canceled; Set Rule Properties failed validation: <reason>; Script execution skipped: Challenge Response Authenticated; Script executed previously for the parent process: Matched as a child process so cached result applied; Script execution skipped: <app type> not supported; Script execution skipped: PRInterface module failed signature check; Set RunAs Properties failed validation: <reason>. |
Rule Script Status | The status of the Rule Script (Power Rule). One of: <None>, Success, Timeout, Exception, Skipped, ValidationFailure. |
Rule Script Version | The version of the assigned Rule Script (Power Rule). |
Shell or Auto | Whether the process was launched using the shell Run with Endpoint Privilege Management option or by normal means (opening an application): |
Source URL | The source URL (where the file was downloaded from). |
System Path | Sets the system path used by the Discovery > By Path report. |
Target Description | Filters by the target description. |
Target Type | The type of target that triggered the event: |
Trusted Application Name | The trusted application that triggered the event. |
Trusted Application Version | The trusted application version number. |
Trusted File Owner | Whether the file owner of the target file is trusted. To be a trusted owner, the user must be in one of the following Windows groups: |
UAC Triggered | Whether or not Windows UAC was triggered: |
User Name | The user name of the user who triggered the event. |
User Profiles Path | Sets the User Profiles path used by the Discovery > By Path report. |
Workstyle | The name of the Workstyle that contained the rule that matched the application. |
Export reports
You can export reports to a CSV file by clicking the Export to CSV button in the filter panel above the report.
Exported data is based on the data currently displayed in the report.
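Because the export contains exactly the rows currently displayed, a practical workflow is to filter a report down to the events of interest, export it, and triage the CSV offline or feed it to a SIEM. The following is an added example in Python, not BeyondTrust code, that reads a Process Detail export and pulls out the rows the Summary dashboard draws attention to: on-demand (Shell) elevations of downloaded or unpublished binaries, users accumulating blocked actions, and how widely each elevated application has spread across hosts. The sample CSV is constructed for the example; its column names follow the Process Detail column list documented on this page, but the exact header text and value spellings the product writes are assumptions, so check them against a real export before relying on the field names.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an Export to CSV from the Process Detail report.
# Column names follow the Process Detail columns documented on this page; the
# exact header text and value spellings in a real export are assumptions.
SAMPLE_EXPORT = """\
Start Time,Description,Publisher,Action,Shell / Auto,UAC Triggered,Source URL,User Name,Host Name
2024-05-01 09:12:03,Paint,Microsoft Corporation,Elevated,Auto,True,,alice,WS-001
2024-05-01 09:15:40,installer.exe,,Elevated,Shell,True,https://downloads.example/installer.exe,bob,WS-002
2024-05-01 09:16:02,installer.exe,,Elevated,Shell,True,https://downloads.example/installer.exe,bob,WS-003
2024-05-01 09:20:11,cmd.exe,Microsoft Corporation,Blocked,Shell,False,,bob,WS-002
2024-05-01 09:20:15,cmd.exe,Microsoft Corporation,Blocked,Shell,False,,bob,WS-002
2024-05-01 09:21:00,cmd.exe,Microsoft Corporation,Blocked,Shell,False,,bob,WS-002
2024-05-01 10:02:45,setup.exe,Contoso Ltd,Elevated,Shell,True,,carol,WS-004
"""


def load_export(text: str) -> list:
    """Parse an exported report into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def risky_on_demand_elevations(rows: list) -> list:
    """On-demand (Shell) elevations of binaries that were downloaded (Source URL
    present) or carry no publisher: the rows a reviewer should look at first."""
    return [
        r for r in rows
        if r["Action"] == "Elevated"
        and r["Shell / Auto"] == "Shell"
        and (r["Source URL"] or not r["Publisher"])
    ]


def blocked_per_user(rows: list, threshold: int = 3) -> dict:
    """Users with at least `threshold` blocked actions in the export."""
    counts = Counter(r["User Name"] for r in rows if r["Action"] == "Blocked")
    return {user: n for user, n in counts.items() if n >= threshold}


def hosts_per_application(rows: list) -> dict:
    """Hosts on which each elevated application was seen (spread check)."""
    hosts = defaultdict(set)
    for r in rows:
        if r["Action"] == "Elevated":
            hosts[r["Description"]].add(r["Host Name"])
    return dict(hosts)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for r in risky_on_demand_elevations(rows):
        print("REVIEW", r["Start Time"], r["User Name"], r["Host Name"],
              r["Description"], r["Source URL"] or "(no publisher)")
    print("blocked >= 3:", blocked_per_user(rows))
    print("spread:", {app: sorted(h) for app, h in hosts_per_application(rows).items()})
```

The Shell / Auto, Source URL and UAC Triggered columns are Windows-only, so a macOS export will lack them; guard with `r.get(...)` if you process mixed-platform exports.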
Reporting dashboards
Reporting includes several high level dashboards that summarize Endpoint Privilege Management events. You can access the following from the side navigation panel.
Summary
The Summary dashboard displays bar charts for the most important activity that has occurred in the time period defined by the quick filter. The legends to the right of the charts display totals for the shown activities. You can use this information to inform Workstyle development or to show anomalous user behavior in your organization.
A warning message might display on the Summary page if there is a backlog of event processing. Verify your database configuration is set up to manage processing a large number of events.
The Summary dashboard tables:
Table | Description |
---|---|
Applications Discovered | The total number of newly discovered applications, filtered by the type of user rights required: |
User Requests | The total number of User Requests, filtered by the type of request: |
Admin logons, by users, on endpoints | Summarizes the number of admin logons, the number of users, and the number of endpoints used. Admin Logons are shown in the Administration table. Click the number next to the OS icon to show details. |
Trusted Application Protection | The number of Trusted Application (TAP) incidents, how many users, and how many endpoints were affected. TAP events are shown in the Incidents table. Click the number next to the OS icon to show details. |
Attempts to modify privileged groups | The number of blocked attempts to modify privileged groups. Attempts to modify privileged groups are shown in the Administration table. Click the number next to the OS icon to show details. |
Application run from external sources | The number of applications run from external sources. Applications Run from external sources are shown in the Applications table. Click the number next to the OS icon to show details. |
Activities blocked | The number of applications blocked. Click the chart or legend to open the Target Types All report with the Filter by Action filter applied. |
Applications used On-Demand privileges | The number of applications launched using on-demand privileges. Click the chart or legend to open the Target Types All report with the Shell or Auto filter applied. Shell indicates that on-demand privileges were used. |
UAC matches | The number of applications that triggered User Account Control (UAC). UAC events are shown in the Incidents table. Click the number next to the OS icon to show details. |
Events
Displays information about the types of events raised over the specified time period.
Chart | Description |
---|---|
Events over the last (time interval) | A column chart showing the number of the different Event types filtered by the time period. Clicking the chart opens the Events All report with the Filter by Event Category filter applied. |
Event Types | A chart showing the number of events received filtered by the Event type. Clicking the chart opens the Events All report with the Event Number filter applied. |
By Category | A chart displaying the events received filtered by category. Clicking the chart opens the Events All report with the Filter by Event Category filter applied. |
Time since last endpoint event | A chart showing the number of endpoints in each time since last event category. |
Events all report
Columns for the Windows and macOS Events All table:
- Event Time: The time of the event.
- Event Category: The category of the event.
- Platform: The platform where the event occurred.
- Description: The description of the event.
- User Name: The user name of the user who triggered the event.
- Host Name: The host name where the event was triggered.
- Workstyle: The Workstyle containing the rule that triggered the event.
- Event Type: The type of event.
Some of these columns allow you to drill down to additional information:
- Event Time: opens the event report listing all of the fields for that event.
- Description: opens the Applications Report.
- User Name: opens the User Report.
- Host Name: opens the Host Report.
- Workstyle: opens the Workstyle Report.
Process detail report
The Process Detail report provides a higher level of detail for Process events than the Events > All table. Other event categories are not shown in this table.
Columns for the Windows and macOS Process Details table:
- Start Time: The start time of the event.
- Platform: The platform where the event occurred.
- Description: The description of the application.
- Publisher: The publisher of the application.
- Application Type: The type of application.
- File Name: The name of the file.
- Command Line: The command line of the process that triggered the event.
- Product Name: The product name of the application.
- Product Version: The product version of the application.
- Trusted Application: The name of the trusted application.
- Trusted Application Version: The version of the trusted application.
- Group Policy Object: The name of the Endpoint Privilege Management policy (Windows only).
- Workstyle: The name of the Workstyle that the event was triggered from.
- Message: The message name if the event triggered a message.
- Action: The action associated with the event.
- Application Group: The Application Group the application assignment rule belongs to.
- PID: The process identifier of the process.
- Parent PID: The parent process identifier.
- Parent Process File Name: The parent process file name.
- Shell / Auto: Whether the process was triggered on-demand or automatically (Windows only).
- UAC Triggered: Whether user account control was triggered (Windows only).
- Admin Rights Required: Whether or not admin rights were required (Windows only).
- Authorization Required: Whether or not authorization rights were required (macOS only).
- User Name: The name of the user who triggered the event.
- Host Name: The name of the host where the event was triggered.
- Rule Script File Name: The name of the Rule Script (Power Rule).
- Rule Script Affected Rule: True when the Rule Script (Power Rule) changed one or more of the Default Endpoint Privilege Management rules, otherwise false.
- User Reason: The reason given by the user if applicable.
- COM Display Name: The COM name if applicable (Windows only).
- Source URL: The URL of the event if applicable (Windows only).
- BeyondTrust Zone Identifier: The BeyondTrust Zone Identifier if present.
- Uninstall Action: This can be None, Uninstall, Change/Modify, or Repair.
- Auth Methods: The type of authentication method selected in the Policy Editor. Multiple values can be present and are comma separated. Possible values: Identity Provider, Password, Challenge Response, Smart Card, and User Request.
- Idp Authentication User Name: The credential provided when adding an Identity Provider authorization message in the Policy Editor.
Discovery
- Displays information about applications discovered for the first time. An application is first discovered when an event is received by the Endpoint Privilege Management Reporting database.
- Differentiates between applications that used elevated privileges and those that ran with standard privileges.
- Only shows new application items in the chosen time interval. For example, the Discovery dashboard can answer the question what’s new this week and how is it affecting my users?
- The Discovery reports listed below the Discovery dashboard display the data from different angles such as by the location or publisher of the executable or the type of the executable.
- Displays events from Windows and macOS operating systems.
Note
Windows uses the terminology of Admin Rights and macOS uses the terminology of Authorization.
Discovery dashboard charts
Chart | Description |
---|---|
Applications first reported in the specified time frame | A chart showing the number of applications discovered, filtered by the type of rights detected. The categories differ between Windows (admin rights) and macOS (authorization): |
Types of newly discovered applications | A chart showing the number of applications discovered by the type of application. The types are different for Windows and macOS operating systems. Click the chart to open the Discovery dashboard report with the Admin Rights Required filter applied. |
Discovery dashboard tables
Table | Description |
---|---|
New applications with admin rights detected | A list of discovered applications that are running with admin rights. This list is ordered by the number of users. Click View all to see the full list. Click any of the applications in the list to open the Discovery dashboard report with the Admin Rights Required and Matched filter applied. |
New applications with admin rights not detected (top 10) | A list of discovered applications that are running with standard, not admin rights. This list is ordered by the number of users. Click View all to see the full list. Click any of the applications in the list to open the Discovery dashboard report with the Admin Rights Required and Matched filter applied. |
New applications with admin rights detected (by type) | A list of the types of applications that required admin rights that were newly discovered within the time interval. They are ordered by the total number of applications for each type. Click View all to see the full list. Click any of the applications in the list to open the Discovery dashboard report with the Admin Rights Required and Matched filter applied. |
New applications with admin rights not detected (by type) | The types of applications that did not require admin rights that were newly discovered within the time interval. They are ordered by the total number of applications for each type. Click any of the applications in the list to open the Discovery dashboard report with the Admin Rights Required and Matched filter applied. |
Discovery reports
The following reports are available from the navigation panel, under the Discovery dashboard.
Discovery by path
This table displays the discovered applications grouped by path. Where there is more than one application per path, click + to expand the entry to examine each application.
The following columns are available for the Windows and macOS Discovery By Path table:
- Path: The path of the applications.
- Description: The description of the application.
- Publisher: The publisher of the applications.
- Name: The product name of the application.
- Type: The type of application.
- Version: The version number of a specific application.
- # Users: The number of users.
- Median # Processes / User: The median number of processes per user.
- # Hosts: The number of hosts.
- # Processes: The number of processes.
- # Applications: The number of applications.
- Date first Reported: The date the application was first entered in the database.
- Date first Executed: The first known date the application was executed.
Some of these columns allow you to drill down to additional information:
- Description: Opens the Applications report for that application.
- # Users: Displays a list of users the application events came from.
- # Hosts: Displays a list of hosts the application events came from.
- # Processes: Displays the Events All table and lists the events received in the time period for the selected application.
Discovery by publisher
This table displays the discovered applications grouped by publisher. Where there is more than one application per publisher, click + to expand the entry to examine each application.
The following columns are available for the Windows and macOS Discovery By Publisher table:
- Publisher: The publisher of the applications.
- Description: The description of the application.
- Name: The product name of the application.
- Type: The type of application.
- Version: The version number of a specific application.
- # Users: The number of users.
- Median # Processes / User: The median number of processes per user.
- # Hosts: The number of hosts.
- # Processes: The number of processes.
- # Applications: The number of applications.
- Date first Reported: The date the application was first entered in the database.
- Date first Executed: The first known date the application was executed.
Some of these columns allow you to drill down to additional information:
- Description: Opens the Applications report for that application.
- # Users: Displays a list of users the application events came from.
- # Hosts: Displays a list of hosts the application events came from.
- # Processes: Displays the Events All table and lists the events received in the time period for the selected application.
Discovery by type
This table displays applications filtered by type. When there is more than one application per type, click + to expand the entry to see each application.
The following columns are available for the Windows and macOS Discovery By Type table:
- Type: The type of application.
- # Users: The number of users.
- Median # processes / user: The median number of processes per user.
- # Hosts: The number of hosts.
- # Processes: The number of processes.
- Applications: The number of applications.
- Date first reported: The date the application was first entered in the database.
- Date first executed: The first known date the application was executed.
Expanding the application type in the table, displays the following columns:
- Description: The description of the application.
- Publisher: The publisher of the applications.
- Name: The product name of the application.
Some of these allow you to drill down to additional information:
- Description: Opens the Target Types > Applications report which is filtered to that application.
- # Users: Displays a list of users the application events came from.
- # Hosts: Displays a list of hosts the application events came from.
- # Processes: Displays the Events All table and lists the events received in the time period for the selected application.
Discovery requiring elevation
This table displays the applications that were elevated or required admin rights.
The following columns are available for the Windows and macOS Discovery Requiring Elevation table:
- Description: The description of the application.
- Publisher: The publisher of the application.
- Name: The product name of the application.
- Type: The type of application.
- # Users: The number of users.
- Median # Processes / User: The median number of processes per user.
- # Hosts: The number of hosts.
- # Processes: The number of processes.
- Version: The version number of a specific application.
- Elevate Method: The type of method used to elevate the application: All, Admin account used, Auto-elevated, or on-demand.
- Date First Reported: The date the application was first entered in the database.
- Date First Executed: The first known date the application was executed.
Some of these allow you to drill down to additional information:
- Description: Opens the Target Types > Applications report filtered to that application.
- # Users: Displays a list of users the application events came from.
- # Hosts: Displays a list of hosts the application events came from.
- # Processes: Displays the Events All table and lists the events received in the time period for the selected application.
- Elevate Method: Displays the Events All table with an extra Elevate Method column.
Discovery from external sources
This table displays all applications that originated from an external source such as the internet or an external drive.
The following columns are available for the Windows Discovery from External Sources table:
- Description: The description of the application.
- Publisher: The publisher of the application.
- Name: The product name of the application.
- Type: The type of application.
- Source: The source of the application.
- # Users: The number of users.
- Median # Processes / User: The median number of processes per user.
- # Hosts: The number of hosts.
- # Processes: The number of processes.
- Version: The version number of the application.
- Date First Reported: The date the application was first entered in the database.
- Date First Executed: The first known date the application was executed.
Some of these allow you to drill down to additional information:
- Description: Opens the Applications report for that application.
- # Users: Displays a list of users the application events came from.
- # Hosts: Displays a list of hosts the application events came from.
- # Processes: Opens the Events All table and lists the events received in the time period for the selected application.
Discovery all
This table lists all applications discovered in the time period, grouped by the application description so that if multiple versions of the same application exist, they are grouped on the same line. Click + in the Version column to expand the list.
The following columns are available for the Windows and macOS Discovery All table:
- Description: The description of the application.
- Publisher: The publisher of the application.
- Name: The product name of the application.
- Type: The type of application.
- Version: The version number of the application.
- # Users: The number of users.
- Median # Processes / User: The median number of processes per user.
- # Hosts: The number of hosts.
- # Processes: The number of processes.
- Date First Reported: The date the application was first entered in the database.
- Date First Executed: The first known date the application was executed.
- Name: The product name. This is hidden by default but you can select it from the Actions > Choose Columns menu.
Some of these columns allow you to drill down to additional information:
- Description: Opens the Applications report for that specific application.
- # Users: Displays a list of users the application events came from.
- # Hosts: Displays a list of hosts the application events came from.
- # Processes: Displays the Events All table.
Actions
Summarizes audited items categorized by the type of action taken. For example, elevation or blocking. The Actions reports show audits only of the selected type (Elevated, Blocked, Passive, Canceled, Other).
The Actions dashboard has the following charts:
Chart | Description |
---|---|
All actions over the specified time frame | A chart showing the number of targets, filtered by the type of action, for each time frame and for all target types. The types of action are: |
Distinct target count by target type | A chart showing the target count for each target type, filtered by the type of action. The target types are: |
Top 10 targets | A chart showing the ten most used targets by process count. Click the chart to open the Events All report with the Action and Target Description filters applied. |
Target types
Lists all Endpoint Privilege Management activity over the specified time interval by target type. The report lists the targets in tabular form sorted by user count. You can click the targets in the list to view dashboard charts showing Users, Hosts, and Process activities and actions over a specified period of time.
Chart | Description |
---|---|
Actions over the last (time interval) | A chart showing the number of processes for each action for the target. The actions are listed in the legend to the right of the chart. Click the action to open the Events / All report to view the events for that action and target. |
Top 10 Users | A chart showing the 10 most common activities by process count for users. Click the chart to open the Events / All report to view the events for that user, action, and target. |
Top 10 Hosts | A chart showing the 10 most common activities by process count for hosts. Click the chart to open the Events / All report to view the events for that host, action, and target. |
Run Method | A chart showing the count and percentage of activities by run method (Shell or Automatic). Click the chart to open the Events / All report to view the specific events by run method. |
Discovery - Admin Rights | A chart showing the count and percentage for activities that did not require admin rights. Click the chart to open the Events / All report to view the specific events that did not require admin rights. |
Trusted application protection
You can access this dashboard from the Summary dashboard. Click the number listed in the Incidents table, under TAP. This dashboard shows information about Trusted Application Protection (TAP) incidents. A TAP incident occurs when a child process of a trusted application is blocked due to a trusted application policy or when a DLL is prevented from loading by a trusted application because it lacks a trusted owner or publisher.
Note
There are no advanced filters for the Trusted Application Protection dashboard.
Chart | Description |
---|---|
Trusted Application Protection incidents over the time period. | A column chart showing the number of incidents filtered by the trusted application. Click the chart to open the Process Details report with Time Range filter applied. |
Trusted Application Protection incidents, by application | A table listing each trusted application, the number of TAP incidents, the number of targets, the number of users, and the number of hosts affected. Click the Incidents number to open the Process Details report with the Trusted Application Name filter applied. Click the Targets number to open the Targets > All table with the Trusted Application Name filter applied. |
Top 10 targets | The top 10 targets for TAP incidents. Click the Target to open the Application report with the Application Type and Distinct Application ID filters applied. Click the Incident number to open the Process Details report with the Distinct Application ID filter applied. Clicking the Users or Hosts number opens the Users or Hosts list, respectively. |
Users
The following dashboards are available from the navigation panel under Users.
User experience
This dashboard shows how users interacted with Messages, Challenge/Response dialog boxes, and the Shell (On-Demand) menu.
Chart | Description |
---|---|
User Experience over the time period | A chart showing the percentage of users that experienced each interaction type filtered by the specified time period. Click the chart to display a list of users presented with that interaction. |
Message Distribution | A chart showing how many users are in the defined categories of messages per time period. Click the chart to display a list of users in that category. |
Messages per action type | A table showing the message types displayed for Allowed and Blocked actions. Click a prompt, notification, or count value in the table to open the Events All report with the Action and Message Type filters applied. |
Privileged logons
This dashboard shows how many accounts with Standard rights, Power User rights and Administrator rights generated logon events filtered by the time frame.
Chart | Description |
---|---|
Privileged Logons over the last (time interval) | A chart and table showing the number of logons by the account types over time. Click the chart to open the User Logons table with the Show Administrator Logons, Show Power User Logons and Show Standard User Logons filters applied. |
Logons by Account Privilege | A chart showing the total number of logons filtered by the different account types. Click the chart to open the User Logons table with the Show Administrator Logons, Show Power User Logons and Show Standard User Logons filters applied. |
Logons by Account Type | A chart showing the total number of logons filtered by domain accounts and local accounts. Click the chart to open the User Logons table with the Account Authority filter applied. |
Top 10 Logons by Chassis Type | A chart showing the total number of logons filtered by the top 10 chassis types. Click the chart to open the User Logons table with the Chassis Type filter applied. |
Top 10 Logons by host Operating System | A chart showing the total number of logons filtered by the top 10 host operating systems. Click the chart to open the User Logons table with the OS filter applied. |
Top 10 Accounts with Admin Rights | A chart showing the top 10 accounts with admin rights that have logged into the most host machines. Click the chart to open the User Logons table with the User Domain and User Name filter applied. |
Top 10 hosts with Admin Rights | A chart showing the top 10 host machines logged on to by the most users with admin rights. Click the chart to open the User Logons table with the Host Name and Show Administrator Logons filters applied. |
Privileged account management
This dashboard shows any blocked attempts to modify privileged accounts over the specified time interval.
Chart | Description |
---|---|
Privileged Account Management over the last (time interval) | A chart breaking down the privileged account management events by time period. Click the chart to display the Privileged Account Management table with the Time Range filter applied. |
Table showing users blocked, hosts blocked, applications blocked, and total blocked modifications | A table showing the number of users, hosts, applications blocked, and the total number of blocked events within the specified time frame. Click the count numbers to open the Privileged Account Management table. |
By Privileged Group | A chart showing the privileged account modification activity blocked by Windows group name. Click the chart to open the Privileged Account Management table with the Group Name filter applied. |
Top 10 applications attempting account modifications | A chart showing the privileged account modification activity that was blocked, broken down by the Application Description. Click the chart to open the Privileged Account Management table with the Application Description filter applied. |
Top 10 users attempting account modifications | A chart showing the top 10 users who attempted modifications. Click the chart to open the Privileged Account Management table with the User Name filter applied. |
Top 10 hosts attempting account modifications | A chart showing the top 10 hosts attempting privileged account modifications. Click the chart to open the Privileged Account Management table with the Host Name filter applied. |
Export events to CSV file
The number of items that can be displayed at one time might be limited by the browser display. Click Export to CSV to enter the number of rows to export to the CSV file.
All event filters are saved to the file.
Add applications to a policy
If Endpoint Privilege Management Reporting UI 23.4 or a later version is installed and configured, you can add applications to an Endpoint Privilege Management policy directly from the Events dashboard, using the Add to Policy feature.
To add an application from an event to an Endpoint Privilege Management policy:
- Select the event or multiple events, and then click Add to Policy above the grid.
- You are taken to the Endpoint Privilege Management Policy Editor. Select the policy and application group from the dropdowns, and then click Add and Edit or Add and Close.
Events
You can view Endpoint Privilege Management events on the Endpoint Privilege Management Events page.
Note
This feature is available only when an Endpoint Privilege Management license is detected.
- View and download all events for monitored systems.
- Select an event to view more details about that specific event.
- Generate rules and create exclusions from listed events.
To view events, generate rules, create exclusions, and download events:
- From the left menu in the BeyondInsight console, click Endpoint Privilege Management.
- By default, displayed events are filtered by the Discovery Scanners Smart Group. Select a Smart Group from the Smart Group filter dropdown to view events for that Smart Group.
- To further filter the displayed events, use the Create Date filter, or Filter by criteria.
- For additional details about an event, click the vertical ellipsis for the event, and then select View Details. A window opens displaying details related to Endpoint Privilege Management, the rule, and the application.
- To create an exclusion or generate a rule from an event, click the vertical ellipsis for the event, and then select the appropriate exclusion or rule type to generate.
- Click the Download all (down arrow) button above the grid to download the events to a CSV file.
Note
- Depending on the configuration of your grid and selected columns, not all event details may be visible.
- Exclusions can also be created from the Exclusions page.
Exclude events
Create exclusions to prevent recording unnecessary endpoint events. Create and manage exclusions on the Endpoint Privilege Management Exclusions page or from selected events on the Events page.
Create an exclusion
- In the BeyondInsight console, go to Configuration > Privileged Desktop Management > Endpoint Privilege Management Exclusions.
- Click Create Exclusion above the grid.
- Select the Exclusion Type.
- Enter the Exclusion Details.
- Click Create Exclusion.
Manage exclusions
- Use the filters above the grid to filter the list of exclusions by the date they were created, the exclusion details, and type of exclusion.
- To edit or delete an exclusion, click the vertical ellipsis for the exclusion, and then select Edit Exclusion or Delete Exclusion.