How EPM events work
EPM events are collected only when EPM is enabled and the EPM control mode for the workstation is set to audit or rules.

- Events are captured on Windows and macOS workstations when applications need to launch with administrative privileges.
- On Windows, the idemeum agent intercepts and captures the UAC event. On macOS, we rely on the Endpoint Security API to capture the elevation event.
- Elevation events are captured for both admin and standard users.
- Idemeum cloud retains 120 days of elevation events per tenant.
- There are no duplicates in elevation events. If an elevation event is generated for the same application, user, and workstation, the timestamp is updated and the elevation event moves to the top of the list.
- Elevation events are uploaded to the cloud in real time.
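
The no-duplicates and retention behavior described above can be modeled as follows. This is an added example, not idemeum's code: the class and function names are hypothetical, and it assumes that "same application" is identified by filename and that the 120 days are counted from the event's latest timestamp, neither of which this page states.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=120)  # retention window stated on this page


class ElevationEventList:
    """Toy model of a per-tenant elevation event list (hypothetical, not idemeum code)."""

    def __init__(self):
        # One row per (application, user, computer) key.
        self._rows = {}

    def record(self, application, user, computer, timestamp):
        key = (application, user, computer)
        # A repeat for the same key updates the existing row instead of adding
        # a duplicate, so the row carries only the most recent timestamp.
        self._rows[key] = {"application": application, "user": user,
                           "computer": computer, "timestamp": timestamp}

    def prune(self, now):
        # Assumption: retention is measured from the row's latest timestamp.
        cutoff = now - RETENTION
        self._rows = {k: r for k, r in self._rows.items()
                      if r["timestamp"] >= cutoff}

    def listing(self):
        # Most recently updated rows first, matching "moves to the top of the list".
        return sorted(self._rows.values(),
                      key=lambda r: r["timestamp"], reverse=True)


def demo():
    # Constructed sample events; users, files and times are made up.
    t0 = datetime(2026, 1, 30, 15, 33, 52)
    events = ElevationEventList()
    events.record("updater.exe", "SYSTEM", "AL-W11-L", t0)
    events.record("setup.exe", "alice", "AL-W11-L", t0 + timedelta(hours=1))
    # Same application, user and workstation again, two days later.
    events.record("updater.exe", "SYSTEM", "AL-W11-L", t0 + timedelta(days=2))
    before = events.listing()
    events.prune(now=t0 + timedelta(days=121))
    return before, events.listing()


if __name__ == "__main__":
    for label, rows in zip(("before prune", "after prune"), demo()):
        print(label, [(r["application"], r["timestamp"].isoformat()) for r in rows])
```

In this model a row shows when an elevation last happened, not how many times it happened, so the length of the list is not a count of elevations.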
EPM event structure
If you click on the event, you will be presented with detailed information, including hashes, verified publisher, path, and more. At the bottom of the event section you will find the publisher certificate elements (i.e., details of the organization that signed the executable). The green check mark indicates that the publisher is verified by the operating system.

| Value | Example | Description |
|---|---|---|
| Timestamp | 1/30/26 3:33:52 PM | Date and time for when the execution or elevation happened. |
| Computer | AL-W11-L | Workstation that generated the event. Next to the computer name you will see the icon for Windows or macOS. |
| User | SYSTEM | User in whose context the application is executing. |
| Filename | updater.exe | Filename of the executed application. |
| Elevation | Allow | Tag that shows whether the application was allowed to elevate or not. For standard non-admin executions this tag is not shown. |
| Publisher | Google LLC | Organization that signed the executable. If you expand the event, you will be able to see whether the publisher is verified by the operating system or not. |
| Parent | consent.exe | Parent process that was responsible for launching the executable. |
| Actions | ... | Actions that you can take on the event, including rule creation. |
| Description | Google updater | Description of the executable file. |
| File path | C:/program... | File path from where the executable is launching. |
| File version | 2.5.1 | File version of the executable. |
| SHA256 hash | 320F6790E928200... | Hash of the executable file, computed with the SHA256 algorithm. |
| Verified publisher | Yes | If the executable is legitimately signed with the certificate, and that certificate is trusted on the endpoint, the publisher will show as verified. |
| Certificate thumbprint | 607A3EDAA64933... | Hash of the certificate that is used to sign the executable (if the executable is signed). |
| Certificate elements | CN=Google LLC,OU=Google... | When you expand the event, idemeum shows you the elements of the certificate that is used to sign the executable, such as CN, OU, C, etc. |

