Manage events
This topic describes the Events Management page, where you can see the events collected by EPM and take immediate action to protect endpoints by applying policies for each event.
Overview
The Events Management page displays a list of aggregated events, which represent identical, recurring events. You can access each record to see details about the individual events. Then, you can take immediate action to protect endpoints by applying policies for each event.
The Events Management page gives you an at-a-glance view of the following EPM aggregated events. These events are triggered based on the configuration and monitoring rules set in the Default policies.
| Type of event | Description |
|---|---|
| Application events | Events related to application activities, collected by policies on end user computers. |
| Privilege threat events | Events created by threat protection policies on end user computers. |
For a list of specific events, see Event types, below.
View aggregated events
You can see aggregated events detected by EPM either according to a timeline or in a table. In both views, you can see the events in the order in which they occurred. You can search for specific events according to filename, checksum, publisher, or threat protection policy name, and can filter them according to event type, events carried out by administrators, and more.
At the top of the list of events, you can see the number of events that are currently displayed and the total number of events that have been sent to the EPM service.
By default, 250 aggregated events are displayed at a time. This is configurable in Server configuration > Common settings.
When the total number of aggregated events is higher than 20,000, EPM displays 20,000+. This number increases every 10,000 events.
In the Events Management page, select either Timeline or Table.
The following table describes how the events display differs in each option.
| Display | Description |
|---|---|
| Timeline | A list of aggregated events in chronological order. This is the default display. |
| Table | A list of aggregated events in a sortable grid. By default, the aggregated events in the table are sorted according to the most recent event detected by EPM. You can resort them according to any column and apply filters to view a more focused list. |
View aggregated event details
Click an aggregated event to view its event and file information, as described in the following table.
| Details | Description |
|---|---|
| Event | The type of event that occurred. For more details, see Event types. |
| Executable | The name of the executable file that was launched, if relevant. |
| Number of events | The number of times that this event has occurred. |
| Number of users | For privilege management events, EPM displays the number of users who have performed this event. For threat protection events, EPM displays the number of users who have been exposed to the threat detected by the threat protection rules. In the timeline, you can see this number in the Users column, whereas in the table, you can see this number in the Event type column. When an event indicates that users have been exposed to an attack or suspicious activity, analyze the activity and consider blocking the application. |
| Number of computers | The number of endpoints on which this event was performed. |
| More actions | Select from a list of actions to manage applications and events, or see more details. For details about these actions, see More event management actions. |
| Additional info | Extra information about the event. For activity events, this could be the application type, its location, and checksum, whereas for user requests, this could be the request added by the user and other details about the request. Details include a timestamp and may also include a link to more information. |
View event raw details
The details of each individual event, known as 'raw details', show specific information about each event.
- In the event to view, click the number in the Events column to display the detailed events page, which includes an audit of every time the event happened.
  By default, the table is sorted chronologically, starting with the most recent detected by EPM. You can resort the rows according to any column.
- Click an event to open the details pane and view specific information about the event.

Tabs in the details pane

| Tab | Description |
|---|---|
| Event Info | Basic details about the event, including the dates when it was first and last detected by EPM, and whether the user was a standard user or an administrator. |
| File Info | Details about the application file that triggered the event. |
| Source | Details about the process that triggered the event. This tab is empty if EPM has not received these details. |
| Pre-history | Details about the parent process of the process that triggered the event. This tab is empty if EPM has not received these details. |
| File Origin | The original location where this application file was detected. File origin details are not available for Threat Protection or Deception events. |
Event types
Aggregated events are categorized according to the type of activity that triggered the notification. Depending on the event type, you can take action to apply a policy, exclude an application from a policy, or respond to a user request.
Events are categorized into the following types:
| Event type | Description |
|---|---|
| Application events | For details about the actions you can take, see More event management actions. |
| Privileged threat events | For details about the actions you can take, see Manage events. |
| Manual request event | User request - A user requested manual elevation. For details, see Just in Time access and elevation. |
More event management actions
Manage single events
You can do the following actions for events that are displayed in a timeline and for single events in a table.
| Option | Description |
|---|---|
| Add application to policy | Add the application to an existing policy or create a new advanced policy. For details, see Add applications to a policy, below. |
| Add application to application group | Add the application to an existing application group or create a new one. For details, see Add applications to an application group, below. |
| Approve temporary elevation | Approves a request for elevated access to a specific application for 24 hours. When the event includes multiple requests for elevated access, this option approves the latest one. For details, see Approve temporary elevation, below. |
| Delete event | Delete the event from the list of event audits. |
| Threat Intelligence | Run threat analysis for this application. For details, see Run threat analysis for an application. |
| File Summary | Opens a new tab that displays the File Summary page for this application. For details, see View application details. |
Manage multiple events
When events are displayed in a table, you can select multiple events and do the following actions.
| Option | Description |
|---|---|
| Add applications to policy | Add multiple applications to an existing policy or create a new advanced policy. For details, see Add applications to a policy, below. |
| Add applications to application group | Add multiple applications to an existing application group or create a new one. For details, see Add applications to an application group, below. |
| Delete | Delete multiple events from the list of event audits. It may take a few minutes to see that the events have been removed from the Events Management list. Currently, you can delete up to 50 events at the same time. |
Add applications to a policy
Add applications to an existing policy
You can add applications to existing policies to apply immediate coverage.
- Select the applications to add to the policy.
  - To add a single application, in either the timeline or the table, in the row of the application to manage, click the More actions (...) button and select Add application to policy.
  - To add multiple applications, display the aggregated events in a table, and select the events that specify the applications to add to an existing policy, then click Add applications to policy.
- Search for the existing policy. Enter the name, action, and status of the policy, then click Apply to display a list of policies that match these criteria.
- Select the policy to add the application to, then click one of the following:

  | Option | Description |
  |---|---|
  | Edit in policy | Open the Edit policy page and add the application to the policy and set properties. |
  | Add to policy | Add the application to the policy to give it immediate coverage. |

- In the Policy form, under Scope, click View all to display all the definitions that are configured for this policy, including the new one you are adding now. The new policy definition appears at the top of the list.
- In the line of the definition for the application you are adding now, click the More actions (...) button and select Edit.
- In the Application definition window, click Add properties from event to display a list of the event details.
  The details that are already in the policy scope are marked. Select additional properties to include in the policy scope, then click Add.
  If you add a property to the policy scope definition and then change it, you can still revert to the original value before you save the policy.
  - Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.
  - To remove a property that was automatically included, in the Application definition window, delete it from the list of properties.
- Define the rest of the policy, as described in Application policies.
Add applications to a new policy
You can add applications to a new policy and apply the policy immediately.
- Select the applications to add to the new policy.
  - To add a single application, in either the timeline or the table, in the row of the application to manage, click the More actions (...) button and select Add application to policy.
  - To add multiple applications, display the aggregated events in a table, and select the events that specify the applications to add to an existing policy, then click Add applications to policy.
- In the Select application policy window, click Create advanced policy, and confirm that you want to create an advanced application policy.
- Specify the name of the policy, the platform, and the action that the policy will manage, then click Continue.
- Under Scope, the details of the event are already listed.
  If you can't see all the events you selected, click View all to refresh the scope. The new policy definition appears at the top of the list.
  To edit this scope, click the More actions (...) button and select Edit.
- In the Application definition window, click Add properties from event to display a list of the event details.
  The details that are already in the policy scope are marked. Select additional properties to include in the policy scope, then click Add.
  If you add a property to the policy scope definition and then change it, you can still revert to the original value before you save the policy.
  - Click Add properties from event again and select the event property. This overwrites the changed value and applies the value collected by the event.
  - To remove a property that was automatically included, delete it from the list of properties.
- Define the rest of the policy, as described in Application policies.
Create a trust policy
- In the row of the application to manage, click the More actions (...) button and select Add application to policy.
- Click the Create advanced policy drop-down, then select Create trust policy.
- Define a trust application policy for the application. For more details, see Trust policies.
Add applications to an application group
Add applications to an existing application group
You can add applications to an existing application group to immediately apply the policy coverage that has already been defined for that group.
- Select the applications to add to an existing application group.
  - To add a single application, in either the timeline or the table, in the row of the application to manage, click the More actions (...) button and select Add application to application group.
  - To add multiple applications, display the aggregated events in a table, and select the events that specify the applications to add to an existing policy, then click Add applications to application group.
- Search for the existing application group. Enter the name and type of the application group, then click Apply to display a list of groups that match these criteria.
- Select the application group to add the application to, then click one of the following:

  | Option | Description |
  |---|---|
  | Edit in application group | Open the Edit application group page and add the application to the group and set properties. |
  | Add to application group | Add the application to the application group and apply the policies that manage the selected application group immediately. |

  All policies that manage the selected application group apply to this application immediately.

- When you click Edit in application group, you are prompted to confirm that you want to update the application group you selected.
- In the Application Groups form, under Scope, click View all to display all the definitions that are configured for this application group, including the new application you are adding now. The new application appears at the top of the list.
- In the line of the definition for the application you are adding now, click the More actions (...) button and select Edit.
- In the Application definition window, click Add properties from event to display a list of the application definitions.
  The details that are already in the scope of the application group are marked. Select additional properties to include in the scope, then click Add.
  If you add a property to the scope definition and then change it, you can still revert to the original value before you save the policy.
  - Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.
  - To remove a property that was automatically included, delete it from the list of properties.
- When you have finished defining the application definitions, click Done to return to the Application Group form, and then Save to add the new applications to the group.
Add applications to a new application group
You can create a new application group and add applications directly.
- Select the applications to add to a new application group.
  - To add a single application, in either the timeline or the table, in the row of the application to manage, click the More actions (...) button and select Add application to application group.
  - To add multiple applications, display the aggregated events in a table, and select the events that specify the applications to add to an existing policy, then click Add applications to application group.
- In the Select application group window, click Create application group, then specify the name of the application group and the platform of the applications it will include.
- In the Application Groups form, under Scope, click View all to display the definitions for this application group. EPM takes these from the applications you are adding now.
- In the line of the definition for each application, click the More actions (...) button and select Edit.
- In the Application definition window, click Add properties from event to display a list of the application definitions.
  The details that are already in the scope of the application group are marked. Select additional properties to include in the scope, then click Add.
  If you add a property to the scope definition and then change it, you can still revert to the original value before you save the policy.
  - Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.
  - To remove a property that was automatically included, in the Application definition window, delete it from the list of properties.
- When you have finished defining the application definitions, click Done to return to the Application Group form, and then Create to add the new applications to the group.
For more details, see Application groups.
Approve temporary elevation
You can approve a request for elevated access to a specific application. This creates an elevation policy for the specific user, application, and computer in the request. This policy is active for 24 hours, after which it becomes inactive. It is automatically deleted after 3 months.
You must have the following Set permissions in the user role to approve these requests:
| Capability | Permission |
|---|---|
| Policies New UI | Create Policy and Application Group; Update Policy and Application Group (to add additional users to the policy target); Delete Policy and Application Group |
| End-User UI | View Only |
In the row of the application to manage, click the More actions (...) button and select one of the following options:
| Option | Description |
|---|---|
| Approve temporary elevation | This option is available in single events and approves that event. |
| Approve temporary elevation for latest | This option is available in aggregated events and approves the most recent request for elevation. To grant temporary elevation for other elevation requests in the aggregated event, open the new policy and add the users who sent the requests to the target. For details, see Manage policies. |
If EPM is configured to display application events only for applications that are not managed by a policy, events may disappear from the Events list after you grant elevation. For details, see Common settings.
Run threat analysis for an application
You can run a threat analysis for a single aggregated event.
- In the row of the application to manage, click the More actions (...) button and select Threat Intelligence.
- Select the threat intelligence service to run for the selected application. Depending on the application you selected, either a pop-up appears and displays the results or EPM opens a full report in a browser for a third-party site.
For more details, see Assess threats.