Event analytics | EPM-WM Cloud
What are events?
Events are records of processes that ran in applications managed by EPM for Windows and Mac.
How is the Events page useful?
Use the Events page to find all elevated applications, applications that are newly matched to an application rule, and applications that are elevated by on-demand application rules.
Best practices
- When an application rule matches on a new or unknown application, we recommend you add that application to an existing policy, or create a new policy specifically for that application.
- For elevated applications, if they are higher risk applications or unwanted, we recommend you add them to a block rule.
The Events page
- Filters: Select a filter to refine your results. Click Clear Filters to remove all filters from your results. Available filters include:
  Event Time, Event Type, Event Action, Application Type, Publisher, App name, App description, Executable Path, File Path, Admin Required, Computer Groups, Operating System, Host Name, Host Domain, User Name, User Domain, User ID, User Domain ID, User Email, Policy Name, Policy Revision, Message Name, Workstyle Name, Application Group, Application Description, Rule Action, User Reason, Application URI, On Demand Token, Token Description, Command Line, Process ID, Parent Process ID, App Version, Drive Type, Host ID, Host Domain ID, Authorizing User Domain ID, Authorizing User Name, IP Addresses, File Owner ID, File Owner Name, File Owner Domain Name, Parent Process File Name, Download URL, Authorization Challenge Code, Unique Process ID, Product Code, Upgrade Code, Authorization Method, JIT Admin Session, JIT Admin Ticket Number, Elevation Method, Matched as Child Process, Publisher Exists.
- Save View and Load View: Save your filter preferences and load the view later for quick access to your most frequently-used preferences.
- Add To Policy: Select events to add to your policy.
- Columns: At-a-glance details for each event.
- List navigation options: Navigate in the Events list.
View an event's details
- Locate the event you want to view.
- Click the Event Time.
The Event Details panel displays, where you can review the event's application, policy, process, rule script, and session data.
- Optionally, click the icon to open the Event Details page, which displays additional data, including COM, process hierarchy, Trusted Application Protection status, and more.
Add an event's application to a policy
Look up VirusTotal score
If you are using VirusTotal, you can update an application's reputation score from the Events page or the Event Details panel. A current reputation score helps you make an informed decision on how to manage that application in your policy.
EPM caches the VirusTotal score and the report URL; cached URLs expire after 3 days. Click the VirusTotal icon to retrieve the latest value from VirusTotal.
To see the latest VirusTotal score, click the score or the VirusTotal icon to open the VT Augment widget for additional insights on the reputation of the file.
On the Events page, the following information helps you evaluate the reputation score on a file:
- VirusTotal score for applications that have a file hash.
- Integration with the VT Augment widget, which returns the HTML content of the widget report for a given observable.
- A VirusTotal icon next to the score that refreshes the score for that row, for events with VirusTotal support.
- A Timestamp column with last lookup time of the VT augment.
Additionally, the Event Details panel provides the VirusTotal score and last lookup time.
For more information about setting up VirusTotal, see VirusTotal Settings.
Export to CSV
- Click the export icon to export the currently filtered result set. The CSV download can include up to 5 million records when downloading from the Events page.
- When saving an export file:
  - Select the maximum number of records to download.
  - Select the columns to include. Select In View to include only the columns currently selected in your view. Select All Available to include all columns, even those not currently displayed.
  - Enter a file name.
  - Click Prepare Download.
  - Click the Notifications icon when the file is ready to download. Notifications only apply to the Events page.
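The export is most useful when you process it against the best practices above: find which applications are being elevated, separate the ones with no verifiable publisher (candidates for a block rule) from the ones that should get their own policy, and spot rows whose cached VirusTotal lookup is older than the 3-day expiry. The following script is an added example, not part of this page or of EPM itself. It reads a constructed CSV whose column names come from the Events page filter list; the row values, the "Elevated"/"Blocked" Event Action strings and the "VT Last Lookup" column name are assumptions for illustration and should be checked against a real export.

```python
import csv
import io
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Constructed sample of a CSV export from the Events page. Column names follow
# the page's filter/column list; every row value (event actions, app names,
# publishers, paths, timestamps) is made up for this example.
SAMPLE_EXPORT = """\
Event Time,Event Action,App name,Publisher,Publisher Exists,Executable Path,Policy Name,Workstyle Name,VT Last Lookup
2024-05-01T09:00:00Z,Elevated,installer.exe,Contoso Ltd,True,C:\\Temp\\installer.exe,Default Policy,Standard Users,2024-04-27T08:00:00Z
2024-05-01T09:05:00Z,Elevated,installer.exe,Contoso Ltd,True,C:\\Temp\\installer.exe,Default Policy,Standard Users,2024-04-27T08:00:00Z
2024-05-01T09:10:00Z,Elevated,tool.exe,,False,C:\\Users\\alice\\Downloads\\tool.exe,Default Policy,Standard Users,
2024-05-01T09:12:00Z,Blocked,cmd.exe,Microsoft Windows,True,C:\\Windows\\System32\\cmd.exe,Default Policy,Standard Users,2024-05-01T09:00:00Z
2024-05-01T09:20:00Z,Elevated,tool.exe,,False,C:\\Users\\alice\\Downloads\\tool.exe,Default Policy,Standard Users,
"""

# The page states that cached VirusTotal URLs expire after 3 days.
VT_CACHE_MAX_AGE = timedelta(days=3)


def parse_export(text):
    """Parse an Events CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_elevations(rows, elevated_action="Elevated"):
    """Group elevated events by executable path and count them.

    The Event Action value "Elevated" is an assumption for this example.
    """
    summary = OrderedDict()
    for row in rows:
        if row["Event Action"] != elevated_action:
            continue
        entry = summary.setdefault(row["Executable Path"], {
            "app": row["App name"],
            "publisher": row["Publisher"],
            "publisher_exists": row["Publisher Exists"] == "True",
            "count": 0,
        })
        entry["count"] += 1
    return summary


def triage(rows):
    """Apply the page's best practices to the elevation summary.

    Elevated apps with no verifiable publisher go to a review list for a possible
    block rule; elevated apps with a known publisher are candidates for their own
    policy or application rule. Each list is ordered by elevation count.
    """
    review_for_block, policy_candidates = [], []
    ranked = sorted(summarize_elevations(rows).items(), key=lambda kv: -kv[1]["count"])
    for path, entry in ranked:
        item = {"path": path, "app": entry["app"],
                "publisher": entry["publisher"], "count": entry["count"]}
        (policy_candidates if entry["publisher_exists"] else review_for_block).append(item)
    return {"review_for_block": review_for_block, "policy_candidates": policy_candidates}


def vt_lookup_stale(last_lookup, now=None, max_age=VT_CACHE_MAX_AGE):
    """Return True when a cached VirusTotal lookup is missing or older than max_age."""
    if not last_lookup:
        return True
    now = now or datetime.now(timezone.utc)
    looked_up = datetime.fromisoformat(last_lookup.replace("Z", "+00:00"))
    return now - looked_up > max_age


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for bucket, items in triage(rows).items():
        print(bucket)
        for item in items:
            print(f"  {item['count']:>3}  {item['app']:<14} "
                  f"{item['publisher'] or '<no publisher>':<18} {item['path']}")
    stale = {r["Executable Path"] for r in rows if vt_lookup_stale(r["VT Last Lookup"])}
    print("VirusTotal lookups to refresh:", sorted(stale))
```

Grouping by Executable Path rather than App name keeps two different binaries with the same file name apart; add Publisher or a hash column to the key if your export includes one and you want signed and unsigned copies of the same path separated.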
Save and load views
Recommended views
The recommended views provide a selection of the most useful predetermined views. Use the views to review collected data and make informed decisions around policy editing.
- To access the views, go to Analytics.
- Click the Events tab.
- Click Load View, and then click the Recommended Views tab.
Recommended views for events load with the default filters.
| Name | Description |
|---|---|
| Process Details | Find every process that EPM is controlling, with flexible filtering options to zero in on the data of interest. The report name in legacy reporting: Process Details |
| User Interactions | Overview of how much friction end users are experiencing, so you can improve their experience without jeopardizing security. The report name in legacy reporting: User Experience |
| Privileged Group Protection | All events where EPM prevented a user from modifying a privileged group, for example adding a user to the Admins group. The report name in legacy reporting: Privileged Account Management |