How elevation events work
Elevation events are collected only when EPM is enabled, and the EPM control mode for the workstation is set to audit or rules.
- Events are captured on Windows and macOS workstations when applications need to launch with administrative privileges or a user needs to take a privileged action.
- On Windows, the idemeum agent intercepts and captures the UAC event. For macOS we rely on the Endpoint Security API to capture the elevation event.
- For audit mode, elevation events are captured for both admin and standard users.
- Idemeum cloud retains 120 days of elevation events per tenant.
- Elevation events are uploaded to the cloud in real time.
Elevation event structure
To access elevation events, navigate to your admin portal and access Activity → Events. You will be presented with a high-level view of all events for your tenant. You can click on each event to expand its metadata.

| Value | Example | Description |
|---|---|---|
| Timestamp | 1/30/26 3:33:52 PM | Date and time when the execution or elevation happened. |
| Computer | AL-W11-L | Workstation that generated the event. Next to the computer name you will see the icon for Windows or macOS. |
| User | SYSTEM | User context under which the application is executing. |
| Filename | updater.exe | Filename of the executed application. |
| Elevation | Allow, Deny, Audit | Tag that shows whether the application was allowed to elevate or not. For standard non-admin executions this tag is not shown. Audit indicates that the device is in audit mode and is not enforcing any rules. |
| Confidence | Soft allow | Idemeum confidence score that shows how safe the application is in your environment. We use 20+ behavioral attributes to calculate the score. Learn more here. |
| Reputation | Known good, Unknown, Malware | Reputation of the file obtained from Sophos Intelligence cloud. Learn more here. |
| Publisher | Google LLC | Organization that signed the executable. If you expand the event, you will be able to see whether the publisher is verified by the operating system or not. |
| Parent | consent.exe | Parent process that was responsible for launching the executable. |
| Actions | ... | Actions that you can take on the event, including rule creation. |
| Description | Google updater | Description of the executable file. |
| File path | C:/program... | File path from where the executable is launching. |
| File version | 2.5.1 | File version of the executable. |
| SHA256 hash | 320F6790E928200... | Hash of the executable file, computed with the SHA256 algorithm. |
| Verified publisher | Yes | If the executable is legitimately signed with the certificate, and that certificate is trusted on the endpoint, the publisher will show as verified. |
| Certificate thumbprint | 607A3EDAA64933... | Hash of the certificate that is used to sign the executable (if executable is signed). |
| Certificate elements | CN=Google LLC,OU=Google... | When you expand the event, idemeum shows you the elements of the certificate that is used to sign the executable, such as CN, OU, C, etc. |
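
The hash, publisher and certificate fields above can be cross-checked against the file on a Windows endpoint before a rule is built from an event. The PowerShell below is an added example, not idemeum's code: the function name `Compare-ElevationEvent` and its parameters are hypothetical, and it assumes the event's certificate thumbprint is the standard Windows certificate thumbprint.

```powershell
# Added example: recompute, for a file on a Windows endpoint, the values an
# elevation event reports (SHA256 hash, verified publisher, certificate
# thumbprint, certificate elements) and compare them with the event.
# Compare-ElevationEvent and its parameters are hypothetical names.
function Compare-ElevationEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,         # "File path" from the event
        [Parameter(Mandatory)] [string] $EventSha256,  # "SHA256 hash" from the event
        [string] $EventThumbprint                      # "Certificate thumbprint"; omit if unsigned
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # SHA256 of the file as it exists on disk right now.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode signature. Status is 'Valid' only when the signature checks
    # out and the signing certificate chains to a root trusted on this endpoint.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null for unsigned files

    # Thumbprint comparison is skipped ($null) when the event carried none.
    $thumbMatch = $null
    if ($EventThumbprint) {
        $thumbMatch = ($null -ne $cert) -and
                      ($cert.Thumbprint -ieq ($EventThumbprint -replace '\s', ''))
    }

    [pscustomobject]@{
        Path               = $Path
        Sha256             = $hash
        Sha256Matches      = ($hash -ieq $EventSha256.Trim())
        VerifiedPublisher  = ($sig.Status -eq 'Valid')
        SignatureStatus    = $sig.Status
        Thumbprint         = if ($cert) { $cert.Thumbprint } else { $null }
        ThumbprintMatches  = $thumbMatch
        CertificateSubject = if ($cert) { $cert.Subject } else { $null }
    }
}

# Usage (placeholders stand for the full values shown in the expanded event):
# Compare-ElevationEvent -Path '<file path>' -EventSha256 '<SHA256 hash>' -EventThumbprint '<thumbprint>'
```

A `Sha256Matches` of `False` means the file at that path is no longer the one that generated the event, for example after an update, so a hash-based decision made from the event would not cover the current binary.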
