
# Elevation events

> The control agent captures every elevation event on your workstation and uploads each event's metadata to the cloud.

## How elevation events work

<Note>
  Elevation events are collected only when EPM is [enabled](/documentation/products/epm/enable-epm), and the [EPM control mode](/documentation/products/epm/epm-control-mode) for the workstation is set to `audit` or `rules`.
</Note>

* Events are captured on Windows and macOS workstations when an application needs to launch with administrative privileges or a user needs to take a privileged action.
* On Windows, the idemeum agent intercepts and captures the [UAC](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works) event. On macOS, we rely on the [Endpoint Security API](https://developer.apple.com/documentation/endpointsecurity) to capture the elevation event.
* In `audit` mode, elevation events are captured for both `admin` and `standard` users.
* Idemeum cloud retains `120 days` of elevation events per tenant.
* Elevation events are uploaded to the cloud in real time.

## Elevation event structure

To access elevation events, navigate to your admin portal and open `Activity` → `Events`. You will be presented with a high-level view of all events for your tenant. Click an event to expand its metadata.

<img src="https://mintcdn.com/idemeum/KhsskdVwrA7oIopF/images/CleanShot-2026-05-25-at-11.04.27@2x.png?fit=max&auto=format&n=KhsskdVwrA7oIopF&q=85&s=5659705b00ab4517b2616f67b2b582b5" alt="Clean Shot 2026 05 25 At 11 04 27@2x" width="3680" height="2240" data-path="images/CleanShot-2026-05-25-at-11.04.27@2x.png" />

Now let's look at what each attribute in the event means.

| Attribute              | Example                        | Description                                                                                                                                                                                                     |
| ---------------------- | ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Timestamp              | `1/30/26 3:33:52 PM`           | Date and time for when the execution or elevation happened.                                                                                                                                                     |
| Computer               | `AL-W11-L`                     | Workstation that generated the event. Next to the computer name you will see the icon for Windows or macOS.                                                                                                     |
| User                   | `SYSTEM`                       | User context under which the application is executing.                                                                                                                                                          |
| Filename               | `updater.exe`                  | Filename of the executed application.                                                                                                                                                                           |
| Elevation              | `Allow, Deny, Audit`           | Tag that shows whether the application was allowed to elevate or not. For standard non-admin executions this tag is not shown. `Audit` indicates that the device is in audit mode and is not enforcing any rules. |
| Confidence             | `Soft allow`                   | Idemeum confidence score that shows how safe the application is in your environment. We use 20+ behavioral attributes to calculate the score. Learn more [here](/application-trust/confidence-score).           |
| Reputation             | `Known good, Unknown, Malware` | Reputation of the file obtained from Sophos Intelligence cloud. Learn more [here](/application-trust/malware-reputation).                                                                                       |
| Publisher              | `Google LLC`                   | Organization that signed the executable. If you expand the event, you will be able to see whether the publisher is verified by the operating system or not.                                                     |
| Parent                 | `consent.exe`                  | Parent process that was responsible for launching the executable.                                                                                                                                               |
| Actions                | `...`                          | Actions that you can take on the event, including rule creation.                                                                                                                                                |
| Description            | `Google updater`               | Description of the executable file.                                                                                                                                                                             |
| File path              | `C:/program...`                | File path from where the executable is launching.                                                                                                                                                               |
| File version           | `2.5.1`                        | File version of the executable.                                                                                                                                                                                 |
| SHA256 hash            | `320F6790E928200...`           | Hash of the executable file, computed with the SHA256 algorithm.                                                                                                                                                 |
| Verified publisher     | `Yes`                          | If the executable is legitimately signed with the certificate, and that certificate is trusted on the endpoint, the publisher will show as verified.                                                            |
| Certificate thumbprint | `607A3EDAA64933...`            | Hash of the certificate that is used to sign the executable (if executable is signed).                                                                                                                          |
| Certificate elements   | `CN=Google LLC,OU=Google...`   | When you expand the event, idemeum shows you the elements of the certificate that is used to sign the executable, such as `CN`, `OU`, `C`, etc.                                                                 |
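
The following added example, which is not idemeum's code, shows one way to triage events using the attributes in the table above: it flags malware reputation, and elevations that were allowed or only audited while the publisher was unverified or the reputation unknown, then groups the findings by SHA256 hash. The dictionary keys, the sample events, the `No` value and the review rules are assumptions made for this example, not idemeum's export format or policy.

```python
from collections import defaultdict

# Constructed sample events. Keys mirror the table columns above; this is an
# assumed shape for illustration, not idemeum's export or API format.
EVENTS = [
    {"computer": "AL-W11-L", "filename": "updater.exe", "elevation": "Allow",
     "reputation": "Known good", "verified_publisher": "Yes",
     "parent": "consent.exe", "sha256": "AAAA-constructed"},
    {"computer": "AL-W11-L", "filename": "setup.exe", "elevation": "Audit",
     "reputation": "Unknown", "verified_publisher": "No",
     "parent": "explorer.exe", "sha256": "BBBB-constructed"},
    {"computer": "HR-W11-03", "filename": "setup.exe", "elevation": "Audit",
     "reputation": "Unknown", "verified_publisher": "No",
     "parent": "explorer.exe", "sha256": "BBBB-constructed"},
    {"computer": "HR-W11-07", "filename": "tool.exe", "elevation": "Deny",
     "reputation": "Malware", "verified_publisher": "No",
     "parent": "cmd.exe", "sha256": "CCCC-constructed"},
]

def review_reasons(event):
    """Return the reasons an event deserves a manual look (empty list = none)."""
    reasons = []
    if event["reputation"] == "Malware":
        reasons.append("malware reputation")
    # Allow: the elevation went through. Audit: no rule was being enforced.
    if event["elevation"] in ("Allow", "Audit"):
        if event["verified_publisher"] != "Yes":
            reasons.append("unverified publisher")
        if event["reputation"] == "Unknown":
            reasons.append("unknown reputation")
    return reasons

def triage(events):
    """Group flagged events by SHA256 so one binary on many hosts is one finding."""
    findings = defaultdict(lambda: {"filename": None, "computers": set(), "reasons": set()})
    for ev in events:
        reasons = review_reasons(ev)
        if not reasons:
            continue
        finding = findings[ev["sha256"]]
        finding["filename"] = ev["filename"]
        finding["computers"].add(ev["computer"])
        finding["reasons"].update(reasons)
    return dict(findings)

if __name__ == "__main__":
    for sha, f in triage(EVENTS).items():
        print(sha, f["filename"], sorted(f["computers"]), sorted(f["reasons"]))
```

Grouping by hash rather than filename keeps a renamed copy of the same binary in one finding and keeps different binaries that share a filename apart.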
