> ## Documentation Index > Fetch the complete documentation index at: https://docs.idemeum.com/llms.txt > Use this file to discover all available pages before exploring further. # Allowlisting events > Idemeum tracks every execution across your workstations and represents each application as an event in the cloud. ## How allowlisting events work Allowlisting events are collected only when allowlisting is [enabled](/allowlisting/enable-allowlisting), and the [app control mode](/allowlisting/app-control-mode) for the device is set to `audit` or `rules`. * Events are captured on Windows and macOS workstations when applications execute * Idemeum agent tracks binary executions for `exe`, `msi`, `dmg`, and `pkg` files * Allowlisting execution events are uploaded to idemeum cloud every `5 minutes` ## Allowlisting event structure To access allowlisting events navigate to your admin portal and access `Activity` → `Events`. You will be presented with the high level view of all events for your tenant. You can click on each event to expand the metadata for the event. You can immediately see if EPM and / or Allowlisting are enabled for your tenant. If you see `Execution` column populated for each event, then Allowlisting is enabled. If you see `Elevation` column populated for each event, then EPM is also enabled. \\ Clean Shot 2026 05 25 At 12 50 16@2x | Value | Example | Description | | ---------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Timestamp | `1/30/26 3:33:52 PM` | Date and time for when the execution or elevation happened. | | Computer | `AL-W11-L` | Workstation that generated the event. Next to the computer name you will see the icon for Windows or macOS. | | User | `SYSTEM` | User under which context the application is executing. | | Filename | `updater.exe` | Filename of the executed application. | | Execution | `Windows Chrome` | Tag that shows whether the application was allowed to execute or not. When in audit mode, the tag will be `Audit` as there are no rules enforcement. If you hover over the tag, you will see the rule that is matching the execution based on which the decision is made. | | Elevation | `Allow` | Tag that shows whether the application was allowed to elevate or not. For standard non-admin executions this tag is not shown. | | Confidence score | `Soft allow` | Idemeum confidence score that shows how safe the application is in your environment. We use 20+ behavioral attributes to calculate the score. Learn more [here](/application-trust/confidence-score). | | Reputation | `Known good, Unknown, Malware` | Reputation of the file obtained from Sophos Intelligence cloud. Learn more [here](/application-trust/malware-reputation). | | Publisher | `Google LLC` | Organization that signed the executable. If you expand the event, you will be able to see whether the publisher is verified by operating system or not. | | Parent | `services.exe` | Parent process that was responsible for launching the executable. | | Actions | `...` | Actions that you can take on the event, including rule creation. | | Description | `Google updater` | Description of the executable file. | | File path | `C:/program...` | File path from where the executable is launching. | | File version | `2.5.1` | File version of the executable. | | SHA256 hash | `320F6790E928200...` | Hash of the executable file takes with SHA256 algorithm. | | Verified publisher | `Yes` | If the executable is legitimately signed with the certificate, and that certificate is trusted on the endpoint, the publisher will show as verfified. | | Certificate thumbprint | `607A3EDAA64933...` | Hash of the certificate that is used to sign the executable (if executable is signed). | | Certificate elements | `CN=Google LLC,OU=Google...` | When you expand the event, idemeum shows you the elements of the certificate that is used to sign the executable, such as `CN`, `OU`, `C`, etc. |