Elevation events

Elevation events represent all elevated actions triggered across your workstations.

Overview

  • Elevation events are captured only in audit or rules modes
  • Elevation events are captured for both admin and standard users
  • Idemeum cloud retains 120 days of elevation events per tenant
  • There are no duplicates in elevation events. If an elevation event is generated again for the same application, user, and workstation, its timestamp is updated and the event moves to the top of the list.
  • Elevation events are uploaded to the cloud in real time

Event structure

To access events, navigate to your organization / customer admin portal and open the Events section. If you click an event, you are presented with detailed information, including hashes, verified publisher, path, and more. At the bottom of the event section you will find the publisher certificate elements (i.e., details of the organization that signed the executable). The green checkmark indicates that the publisher is verified by the operating system.

  • Timestamp - date and time for when the execution or elevation happened
  • Computer - workstation that generated the event
  • User - user that was logged into the computer when the event was generated
  • Filename - file name of the executable
  • Elevation - tag that shows whether the application was allowed to elevate, denied, or went through the request flow
  • Publisher - organization that signed the executable. If you expand the event, you will be able to see whether the publisher is verified by the operating system or not.
  • Action - actions that you can take on the event, including rule creation
  • Certificate attributes - at the bottom of the event section you will find the publisher certificate elements (i.e., details of the organization that signed the executable).