Export views

Four denormalized views are available for importing BeyondTrust audit data into SIEM systems. Each view has a rising column, which lets the SIEM system track the data it has already imported.

ExportDefendpointStarts

Returns the Endpoint Privilege Management started events in the database.

The columns include:

  • SessionStartTime
  • HostName
  • AgentVersion
  • OS

SessionID is the rising column and SessionStartTime is the timestamp.

ExportLogons

Returns the Logon events in the database.

The columns include:

  • LogonTime
  • UserName
  • HostName
  • WorkstyleName

LogonID is the rising column and LogonTime is the timestamp.

ExportProcesses

Returns the Process Control events such as elevating or blocking applications.

The columns include:

  • ApplicationDescription
  • Publisher
  • ProductVersion
  • UserName
  • HostName
  • WorkstyleName

Also includes event action flags:

  • Elevated
  • Blocked
  • Passive

ProcessID is the rising column and ProcessStartTime is the timestamp.

ExportPrivilegedAccountProtection

Returns the Endpoint Privilege Management events in the database.

The columns include:

  • TimeGenerated
  • Access
  • WorkstyleName
  • UserName
  • HostName
  • ApplicationDescription

ID is the rising column and TimeGenerated is the timestamp.
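
The rising column is what makes repeated imports incremental: each poll asks only for rows above the last value read. The following sketch is an added example, not BeyondTrust code. It uses the view names and rising columns listed above, and assumes an in-memory SQLite table with constructed rows as a stand-in for the reporting database.

```python
import sqlite3

# Rising column and timestamp column for each view, as listed above.
VIEWS = {
    "ExportDefendpointStarts": ("SessionID", "SessionStartTime"),
    "ExportLogons": ("LogonID", "LogonTime"),
    "ExportProcesses": ("ProcessID", "ProcessStartTime"),
    "ExportPrivilegedAccountProtection": ("ID", "TimeGenerated"),
}

def poll(conn, view, checkpoints, batch=1000):
    """Return rows above the stored checkpoint, oldest first, and advance it."""
    rising, _ts = VIEWS[view]  # identifiers come from the fixed map, never from input
    cur = conn.execute(
        f"SELECT * FROM {view} WHERE {rising} > ? ORDER BY {rising} ASC LIMIT ?",
        (checkpoints.get(view, 0), batch),
    )
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    if rows:
        # Advance only to the highest value actually read, so a capped batch
        # resumes where it stopped instead of skipping rows.
        checkpoints[view] = rows[-1][rising]
    return rows

def demo(batch=1000):
    # Constructed stand-in for the reporting database: a table holding a subset
    # of the ExportProcesses columns, filled with made-up rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ExportProcesses (ProcessID INTEGER PRIMARY KEY, "
                 "ProcessStartTime TEXT, HostName TEXT, UserName TEXT, "
                 "ApplicationDescription TEXT, Elevated INT, Blocked INT, Passive INT)")
    sample = [
        ("2017-02-20 13:11:11", "EGHostWin18", "EGUser18", r"c:\cygwin64\bin\sh.exe", 1, 0, 0),
        ("2017-02-20 13:12:40", "EGHostWin18", "EGUser18", "lusrmgr.msc", 0, 1, 0),
        ("2017-02-20 13:15:02", "EGHostWin1", "EGUser1", "notepad.exe", 0, 0, 1),
    ]
    ins = "INSERT INTO ExportProcesses VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)"
    conn.executemany(ins, sample[:2])
    checkpoints = {}
    first = poll(conn, "ExportProcesses", checkpoints, batch)   # initial import
    conn.execute(ins, sample[2])                                # a new event arrives
    second = poll(conn, "ExportProcesses", checkpoints, batch)  # only unseen rows
    third = poll(conn, "ExportProcesses", checkpoints, batch)
    return first, second, third, checkpoints

if __name__ == "__main__":
    for rows in demo()[:3]:
        print([(r["ProcessID"], r["ApplicationDescription"]) for r in rows])
```

In a real collector the checkpoint dictionary would be persisted between runs, and written only after the batch has been handed to the SIEM, so a failed forward is retried rather than lost.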

Export view tables

Each of the views can be queried in your SIEM tool. For each view, the following data is sent to your SIEM. These export views are correct as of Endpoint Privilege Management Reporting 4.5.

ExportDefendpointStarts

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| SessionID | bigint | | 3 | Ascending Identity | 1 |
| SessionGUID | uniqueidentifier | | | UUID of the session | 5CD221E9-CEB5-441D-B380-CB266400B320 |
| SessionStartTime | datetime | | | Time session started | 2017-01-03 10:24:00.000 |
| SessionEndTime | datetime | | | Always NULL (not used) | NULL |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| AgentVersion | nvarchar | 20 | | Endpoint Privilege Management Client Version | 4.0.384.0 |
| ePOMode | int | | | 1 if DP client is in ePO mode. 0 otherwise. | 1 |
| CertificateMode | int | | | Certificate Mode | 0 |
| PolicyAuditMode | int | | | Policy Audit Mode | 7 |
| DefaultUILanguage | int | | | Locale Identifier of UI Language | 2057 |
| DefaultLocale | int | | | Locale Identifier of Locale | 2057 |
| SystemDefaultTimezone | int | | | Not set so always 0 | 0 |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | 4 | | OS Product Type. | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |

ExportDefendpointLogons

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| LogonID | bigint | | 3 | Ascending Identity | 1 |
| LogonGUID | uniqueidentifier | | | UUID of the logon | 819EF606-F9B6-40BE-9C0C-A033A34EC4F8 |
| HostSID | nvarchar | 200 | 1 | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| LogonTime | datetime | | | Logon Date/Time | 2017-01-03 10:24:00.000 |
| IsAdmin | bit | | | 1 if an admin, 0 otherwise | 0 |
| IsPowerUser | bit | | | 1 if a power user, 0 otherwise | 0 |
| UILanguage | int | | | Locale Identifier of the UI Language | 1033 |
| Locale | int | | | Locale Identifier of the Locale | 2057 |
| UserName | nvarchar | 1024 | | User name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Docking Station |
| HostName | nvarchar | 1024 | 2* | Host name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | 2* | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |

ExportPrivilegedAccountProtection

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ID | bigint | | 1 | Ascending Identity | 1 |
| TimeGenerated | datetime | | | Event Generation Date/Time | |
| CommandLine | nvarchar | 1024 | | Command Line | |
| PrivilegedGroupName | nvarchar | 200 | | Privileged Group Name | Administrators |
| PrivilegedGroupRID | nvarchar | 10 | | Privileged Group Relative Identifier | 544 |
| Access | nvarchar | 200 | | Group Access Details | Add Member, Remove Member, List Members, Read Information |
| PolicyGUID | uniqueidentifier | | | Policy UUID | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle name | EventGen Test Workstyle |
| FileName | nvarchar | 255 | | File name | |
| ApplicationHash | nvarchar | 40 | | Application SHA1 | 921CA2B3293F3FCB905B24A9536D8525461DE2A3 |
| ProductCode | nvarchar | 1024 | | Product Code | |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | |
| FileVersion | nvarchar | 1024 | | File Version | |
| MD5 | nvarchar | 32 | | MD5 Hash | 3279476E39DE235B426D69CFE8DEBF55 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| UserName | nvarchar | 1024 | | User Name | EGUser1 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Other |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638-390614945 |
| HostName | nvarchar | 1024 | | Host Name | EGHostWin1 |
| HostNameNETBIOS | nvarchar | 15 | | Host NETBIOS | EGHOSTWIN1 |
| OS | nvarchar | 20 | | OS Version | 6.3 |
| OSProductType | int | | | OS Product Type | 1 |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host domain NETBIOS | EGDOMAIN |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| ApplicationURI | nvarchar | 1024 | | URI of a macOS application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application description | lusrmgr.msc |
| FirstDiscovered | datetime | | | First time app was seen | 2017-01-03 10:25:50.110 |
| FirstExecuted | datetime | | | First time app was executed | 2017-01-03 10:24:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product name | |
| ProductVersion | nvarchar | 1024 | | Product version | |
| Publisher | nvarchar | 1024 | | Publisher | Microsoft Windows |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 1 |

ExportProcesses

| Column_name | Type | Length | Index | Description | Example |
|---|---|---|---|---|---|
| ProcessID | bigint | | 4 | Ascending Identity | 1 |
| ProcessGUID | uniqueidentifier | | 2 | UUID of the process | 98C99D96-6DFA-4C95-9A87-C8665C166286 |
| EventNumber | int | | | Event Number. See List of Events section. | 153 |
| TimeGenerated | datetime | | | Event generation date/time | 2017-02-20 13:11:11.217 |
| TimeReceived | datetime | | | Event received at ER date/time | 2017-02-20 13:16:28.047 |
| EventGUID | uniqueidentifier | | | Event UUID | 9F8EB86C-AA0D-42B9-8720-166FAB91F1ED |
| PID | int | | | Process ID | 8723 |
| ParentPID | int | | | Parent Process ID | 142916 |
| CommandLine | nvarchar | 1024 | | Command Line | "C:\cygwin64\bin\sh.exe" |
| FileName | nvarchar | 255 | | File Name | c:\cygwin64\bin\sh.exe |
| ProcessStartTime | datetime | | 1 | Date/Time Process Started | 2017-02-20 13:11:11.217 |
| Reason | nvarchar | 1024 | | Reason entered by user | |
| ClientIPV4 | nvarchar | 15 | | Client IP Address | 10.0.9.58 |
| ClientName | nvarchar | 1024 | | Client Name | L-CNU410DJJ7 |
| UACTriggered | bit | | | 1 if UAC shown | 0 |
| ParentProcessUniqueID | uniqueidentifier | | | Parent process UUID | C404C7F5-3A93-4C0E-81BC-9902D220C21E |
| COMCLSID | uniqueidentifier | | | COM CLSID | NULL |
| COMAppID | uniqueidentifier | | | COM Application ID | NULL |
| COMDisplayName | nvarchar | 1024 | | COM Display Name | |
| ApplicationType | nvarchar | 4 | | Application Type | svc |
| TokenGUID | uniqueidentifier | | | UUID of token in policy | F30A3824-27AF-4D69-9125-C78E44764AC1 |
| Executed | bit | | | 1 if executed, 0 otherwise | 1 |
| Elevated | bit | | | 1 if elevated, 0 otherwise | 1 |
| Blocked | bit | | | 1 if blocked, 0 otherwise | 0 |
| Passive | bit | | | 1 if passive, 0 otherwise | 0 |
| Cancelled | bit | | | 1 if cancelled, 0 otherwise | 0 |
| DropAdmin | bit | | | 1 if admin rights dropped, 0 otherwise | 0 |
| EnforceUsersDefault | bit | | | 1 if user default permissions were enforced, 0 otherwise | 0 |
| Custom | bit | | | 1 if Custom Token, 0 otherwise | 0 |
| SourceURL | nvarchar | 2048 | | Source URL | |
| AuthorizationChallenge | nvarchar | 9 | | Challenge Response authorization code | |
| WindowsStoreAppName | nvarchar | 200 | | Windows Store application name (appx app type only) | |
| WindowsStoreAppPublisher | nvarchar | 200 | | Windows Store application publisher (appx app type only) | |
| WindowsStoreAppVersion | nvarchar | 200 | | Windows Store application version (appx app type only) | |
| DeviceType | nvarchar | 40 | | Device Type | Fixed Disk |
| ServiceName | nvarchar | 1024 | | Service name (svc events only) | |
| ServiceDisplayName | nvarchar | 1024 | | Service Display Name (svc app type only) | |
| PowerShellCommand | nvarchar | 1024 | | PowerShell Command (ps1/rpsc/rpss app types only) | |
| ApplicationPolicyDescription | nvarchar | 1024 | | Policy Description | |
| SandboxGUID | uniqueidentifier | | | Sandbox UUID (sandbox events only) | NULL |
| SandboxName | nvarchar | 1024 | | Sandbox Name (sandbox events only) | NULL |
| BrowseSourceURL | nvarchar | 2048 | | Sandbox browse source (sandbox events only) | |
| BrowseDestinationURL | nvarchar | 2048 | | Sandbox destination source (sandbox events only) | |
| Classification | nvarchar | 200 | | Sandbox classification (sandbox events only) | Private (Local) |
| IEZoneTag | nvarchar | 200 | | IE Zone Tag | |
| OriginSandbox | nvarchar | 40 | | Origin Sandbox | |
| OriginIEZone | nvarchar | 40 | | Origin IE Zone | |
| TargetSandbox | nvarchar | 40 | | Target Sandbox | |
| TargetIEZone | nvarchar | 40 | | Target IE Zone | |
| AuthRequestURI | nvarchar | 1024 | | Authorization request URL (osx challenge/response only) | |
| PlatformVersion | nvarchar | 10 | | Platform Version | |
| ControlAuthorization | bit | | | 1 if Endpoint Privilege Management authorized this macOS application | 0 |
| TrustedApplicationName | nvarchar | 1024 | | Name of the trusted application | Microsoft Word |
| TrustedApplicationVersion | nvarchar | 1024 | | Version of the trusted application | 11.1715.14393.0 |
| ParentProcessFileName | nvarchar | 1024 | | Parent process file name | Google Chrome |
| ApplicationHash | nvarchar | 40 | | SHA1 of the application | C22FF10511ECCEA1824A8DE64B678619C21B4BEE |
| ProductCode | nvarchar | 1024 | | Product Code | |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | |
| FileVersion | nvarchar | 1024 | | File Version | |
| MD5 | nvarchar | 32 | | MD5 hash of the app | 6E641CAE42A2A7C89442AF99613FE6D6 |
| TokenAssignmentGUID | uniqueidentifier | | | UUID of the token assignment in the policy | E7654321-BBBB-5AD2-B954-1234DDC7A89D |
| TokenAssignmentIsShell | bit | | | Token assignment is for shell | 1 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-16357176381125883508 |
| UserName | nvarchar | 1024 | | User Name | EGUser18 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserDomainNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Laptop |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638775838649 |
| HostName | nvarchar | 1024 | 3* | Host Name | EGHostWin18 |
| HostNameNETBIOS | nvarchar | 15 | 3* | Host NETBIOS | EGHOSTWIN18 |
| OS | nvarchar | | | OS Version | 10.0 |
| OSProductType | int | | | OS Product Type | |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| AuthUserSID | nvarchar | 200 | | Authorizing User SID | |
| AuthUserName | nvarchar | 1024 | | Authorizing User | |
| AuthUserDomainSID | nvarchar | 200 | | Authorizing User Domain SID | |
| AuthUserDomainName | nvarchar | 1024 | | Authorizing User Domain | |
| AuthUserDomainNameNETBIOS | nvarchar | 15 | | Authorizing User Domain NETBIOS | |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainSID | nvarchar | 200 | | File Owner Domain SID | S-1-5-80 |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| FileOwnerDomainNameNETBIOS | nvarchar | 15 | | File Owner Domain NETBIOS | |
| ApplicationURI | nvarchar | 1024 | | URI of the macOS Application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application Description | c:\cygwin64\bin\sh.exe |
| FirstDiscovered | datetime | | | Time application first seen | 2017-02-07 09:14:39.413 |
| FirstExecuted | datetime | | | Time application first executed | 2017-02-07 09:07:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product Name | ADelRCP Dynamic Link Library |
| ProductVersion | nvarchar | 1024 | | Product Version | 15.10.20056.167417 |
| Publisher | nvarchar | 1024 | | Publisher | Adobe Systems, Incorporated |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 0 |
| MessageGUID | uniqueidentifier | | | UUID of the message in the policy | 00000000-0000-0000-0000-000000000000 |
| MessageName | nvarchar | 1024 | | Name of the message in the policy | Block Message |
| MessageType | nvarchar | 40 | | Message Type | Prompt |
| AppGroupGUID | uniqueidentifier | | | UUID of the Application Group in the Policy | 47E4A204-FC06-428B-8E73-1E36E3A65430 |
| AppGroupName | nvarchar | 1024 | | Application Group Name in the Policy | Test Policy.test |
| PolicyID | bigint | | | Internal ID of the Policy | 2 |
| PolicyGUID | uniqueidentifier | | | UUID of the Policy | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle Name | EventGen Test Workstyle |
| ContentFileName | nvarchar | 255 | | Content File Name | c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf |
| ContentFileDescription | nvarchar | 1024 | | Content File Description | |
| ContentFileVersion | nvarchar | 1024 | | Content File Version | |
| ContentOwnerSID | nvarchar | 200 | | Content Owner SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| ContentOwnerName | nvarchar | 1024 | | Content Owner | EGUser1 |
| ContentOwnerDomainSID | nvarchar | 200 | | Content Owner Domain SID | S-1-5-21-2217285736-120021366-3854014904 |
| ContentOwnerDomainName | nvarchar | 1024 | | Content Owner Domain | BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA |
| ContentOwnerDomainNameNetBIOS | nvarchar | 15 | | Content Owner Domain NETBIOS | BEYONDTRUSTTEST58 |
| UninstallAction | nvarchar | 20 | | The uninstall action carried out | Change/Modify |
| TokenName | nvarchar | 20 | | The name of the event action | Blocked |
| TieStatus | int | | | Threat Intelligence Exchange status for the reputation of this application | 0 |
| TieScore | int | | | Threat Intelligence Exchange score for the application | |
| VtStatus | int | | | VirusTotal status for the reputation of this application | |
| RuleScriptFileName | nvarchar | 200 | | The name in config of the script associated with the rule | Get-McAfeeGTIReputation |
| RuleScriptName | nvarchar | 200 | | The name of the script set by interface | Get-McAfeeGTIReputation |
| RuleScriptVersion | nvarchar | 20 | | Version number of the script. | 1.1.0 |
| RuleScriptPublisher | nvarchar | 200 | | Publisher that signed the script | BeyondTrust |
| RuleScriptRuleAffected | bit | | | True when the script has set all settable rule properties; otherwise false | True |
| RuleScriptStatus | nvarchar | 100 | | Success OR Why the configured script didn't run or set rule properties | Success |
| RuleScriptResult | nvarchar | 1024 | | Result of the script run | Script ran successfully |
| RuleScriptOutput | nvarchar | 1024 | | The output of the script | |
| AuthorizationSource | nvarchar | 200 | | The Authorizing User Credential Source | |
| AuthMethods | nvarchar | 1024 | | The type of authentication method selected in the Policy Editor. Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated. | |
| IdPAuthentication | nvarchar | 400 | | The credential provided when adding an Identity Provider authorization message in the Policy Editor. | |
