Elevation events
Elevation events are captured for all privileged actions performed by users on Windows or macOS computers
Overview
- Elevation events are captured only in
auditorrulesmodes - Elevation events are captured for both
adminandstandardusers - Idemeum cloud retains
120 daysof elevation events per tenant - There are no duplicates in elevation events. If the elevation event gets generated for the same application, user, and workstation, the time stamp gets updated and elevation events gets to the top of the list.
- On Windows idemeum turns on UAC level to max to capture elevation events
- On macOS idemeum leverages integration with Endpoint Security API
Elevation event attributes
The following attributes are captured for an elevation event:
| Attribute | Description | Example |
|---|---|---|
| Date | Date and time of an event | 5/7/24 12:39:27 PM |
| Device | Device name where event was generated | W10-D-SURFACE |
| User | User that generated the event | alex |
| Name | Name of the application | Task Manager |
| File name | File name of the executable that was launched | taskmgr.exe |
| Description | Description of the executable | Task Manager |
| File path | File location of the executable | c:\windows\system32\taskmgr.exe |
| File version | Version of the executable | 10.0.22621.3085 |
| SHA256 hash | SHA hash of the executable | 305648070AB0BE39039... |
| Verified publisher | Check if the publisher of executable is verified | Yes |
| Publisher name | Name of the executable publisher | Microsoft Corporation |
| Certificate thumbprint | Publisher certificate hash | D8FB0CC66A0... |
| Certificate attributes | Publisher certificate attributes | CN=Microsoft Windows,O=Microsoft Corporation... |
How to access elevation events
- Navigate to your customer tenant admin portal
- Access
Elevation→Events
There are various filters that you can use to navigate through events, including time window, publisher, username, desktop name, and others. Simply click the dropdown, choose the values you are looking for, and apply filter by clicking the blue filter button.