How allowlisting events work
Allowlisting events are collected only when allowlisting is enabled, and the app control mode for the device is set to
audit or rules.- Events are captured on Windows and macOS workstations when applications execute
- Idemeum agent tracks binary executions for
exe,msi,dmg, andpkgfiles - Allowlisting execution events are uploaded to idemeum cloud every
5 minutes
Allowlisting event structure
To access allowlisting events navigate to your admin portal and accessActivity → Events. You will be presented with the high level view of all events for your tenant. You can click on each event to expand the metadata for the event.
You can immediately see if EPM and / or Allowlisting are enabled for your tenant. If you see Execution column populated for each event, then Allowlisting is enabled. If you see Elevation column populated for each event, then EPM is also enabled. \
| Value | Example | Description |
|---|---|---|
| Timestamp | 1/30/26 3:33:52 PM | Date and time for when the execution or elevation happened. |
| Computer | AL-W11-L | Workstation that generated the event. Next to the computer name you will see the icon for Windows or macOS. |
| User | SYSTEM | User under which context the application is executing. |
| Filename | updater.exe | Filename of the executed application. |
| Execution | Windows Chrome | Tag that shows whether the application was allowed to execute or not. When in audit mode, the tag will be Audit as there are no rules enforcement. If you hover over the tag, you will see the rule that is matching the execution based on which the decision is made. |
| Elevation | Allow | Tag that shows whether the application was allowed to elevate or not. For standard non-admin executions this tag is not shown. |
| Confidence score | Soft allow | Idemeum confidence score that shows how safe the application is in your environment. We use 20+ behavioral attributes to calculate the score. Learn more here. |
| Reputation | Known good, Unknown, Malware | Reputation of the file obtained from Sophos Intelligence cloud. Learn more here. |
| Publisher | Google LLC | Organization that signed the executable. If you expand the event, you will be able to see whether the publisher is verified by operating system or not. |
| Parent | services.exe | Parent process that was responsible for launching the executable. |
| Actions | ... | Actions that you can take on the event, including rule creation. |
| Description | Google updater | Description of the executable file. |
| File path | C:/program... | File path from where the executable is launching. |
| File version | 2.5.1 | File version of the executable. |
| SHA256 hash | 320F6790E928200... | Hash of the executable file takes with SHA256 algorithm. |
| Verified publisher | Yes | If the executable is legitimately signed with the certificate, and that certificate is trusted on the endpoint, the publisher will show as verfified. |
| Certificate thumbprint | 607A3EDAA64933... | Hash of the certificate that is used to sign the executable (if executable is signed). |
| Certificate elements | CN=Google LLC,OU=Google... | When you expand the event, idemeum shows you the elements of the certificate that is used to sign the executable, such as CN, OU, C, etc. |