Question

Event Logs of Privileged Elevation Actions

  • October 31, 2025
  • 3 replies
  • 37 views


Hi, I need to analyze all event logs and see which ones belong to end users who used privileged elevations to categorize them into the high-flex category. The filters in the Analytics tab seem limited and there are a lot of event logs.

How can I quickly go about identifying which users belong in the high flex category? 

Thanks all!

3 replies

  • Veteran
  • 162 replies
  • October 31, 2025

Hey Nova24.

The typical scenario is software used that can help you categorize your users, along with the role they have in the company.

Depending on Company and size you will typically have 90-99% in Low Flex, 0-10% Medium Flex and 0-5% in High Flex.

I don’t know if you have a full rollout and have already removed admin rights, but you have analytics data. If you strictly want to identify that from analytics, it’s possible, but you need to know your software.

Use the Event Action, and find Cancelled and Self Elevated. This will give you a list of software and Windows functions where the end user has either used Run As Administrator or the app has requested UAC and the user has cancelled for lack of permissions.

Then export this to a CSV file and do some excel magic.

Kind regards
Jens


  • Author
  • Apprentice
  • 3 replies
  • November 6, 2025

Thanks Jens! We're currently utilizing High Flex only and everyone is assigned to it. How can I differentiate what’s being elevated in the backend for software installations or version updates, etc. vs. what is being triggered by the users? What kind of filters do I need to use to ensure that we’re building an accurate High Flex user list?


  • Veteran
  • 162 replies
  • November 6, 2025

Hi Nova24.

Within the Analytics you have some options to choose from.

While using the following filters you can sort of figure out what is what, but it requires you to understand the Application Groups and how Windows and Windows UAC function, etc.

I use the following filters frequently.

Workstyle: (High Flexibility). This will ensure you only see events from the High Flexibility Workstyle.

Event Action: (Elevated and Self-Elevated)
Elevated - The application triggered a UAC prompt and EPM elevated the process for the user; this could be a software update or a Windows function, depending on the Application Group we hit!

Self Elevated - The user executed the software with Run as Administrator.

Application Group Name:
(Default) Any Trusted & Signed UAC Prompt: (Trusted means the file is owned by an administrator, System or TrustedInstaller)
This covers Windows functions and applications; anything that triggers UAC from c:\Windows or c:\Program Files would hit this group. So some updates of already known software with trusted ownership will come from here.

(Default) Any Signed UAC Prompt:
Any software that is signed and triggers UAC (requested admin rights).
Installers and EXEs that do not have Trusted Ownership (Downloads folder, Temp folder, user profile, etc.)


(Default) Any UAC Prompt:
Covers the same as Signed, except the files are NOT signed, so there is a higher risk with unsigned software as its integrity is not guaranteed.

(Default) Any Application:
When used with Self-Elevated, this would cover anything that is not already allow-listed or known. The end user has chosen to right-click and Run as Administrator.

If you use the filters I have set in the GIF animation, you can export all columns and lines, review it in Excel and use it as a checklist on your progress.

Kind regards

Jens
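An added example, not part of the thread and not BeyondTrust's own tooling: a Python script that applies the filter logic from both of Jens' replies (Workstyle, Event Action, Application Group Name) to an exported Analytics CSV and builds a per-user summary, separating user-initiated elevations (Self Elevated, Cancelled, signed/unsigned installers from user-writable locations) from background elevations hitting the Trusted & Signed group. The column names, the sample rows and the final bucket suggestion are constructed assumptions; match the header row to your real export before using it.

```python
"""Summarise an EPM Analytics CSV export per user, using the Event Action and
Application Group Name categories described in the thread.

Assumptions (not EPM facts): the export column names below, the sample rows,
and the High/Medium/Low Flex suggestion heuristic at the end.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an Analytics export. Column names are an assumption.
SAMPLE_EXPORT = """\
User Name,Workstyle,Event Action,Application Group Name,Application Description
corp\\alice,High Flexibility,Elevated,(Default) Any Trusted & Signed UAC Prompt,Windows Update Standalone Installer
corp\\alice,High Flexibility,Elevated,(Default) Any Trusted & Signed UAC Prompt,Microsoft Teams Update
corp\\bob,High Flexibility,Self Elevated,(Default) Any Application,cmd.exe
corp\\bob,High Flexibility,Elevated,(Default) Any Signed UAC Prompt,Git for Windows Setup
corp\\bob,High Flexibility,Self Elevated,(Default) Any Application,regedit.exe
corp\\carol,High Flexibility,Elevated,(Default) Any UAC Prompt,tool_unsigned.exe
corp\\carol,High Flexibility,Cancelled,(Default) Any UAC Prompt,tool_unsigned.exe
corp\\dave,Low Flexibility,Self Elevated,(Default) Any Application,powershell.exe
corp\\erin,High Flexibility,Elevated,(Default) Any Trusted & Signed UAC Prompt,Windows Update Standalone Installer
"""

def categorise(action, group):
    """Map Event Action + Application Group Name to who drove the elevation."""
    action = action.strip().lower().replace("-", " ")  # "Self-Elevated" == "Self Elevated"
    group = group.strip()
    if action == "self elevated":
        return "user_run_as_admin"          # user right-clicked Run as Administrator
    if action == "cancelled":
        return "user_cancelled_uac"         # app requested UAC, user backed out
    if action == "elevated":
        if "Trusted & Signed" in group:
            return "background_trusted"     # Windows function or known-software update
        if "Any Signed UAC" in group:
            return "user_signed_installer"  # signed installer without trusted ownership
        if "Any UAC Prompt" in group:
            return "user_unsigned_uac"      # unsigned binary requested UAC: higher risk
    return "other"

USER_DRIVEN = {"user_run_as_admin", "user_cancelled_uac",
               "user_signed_installer", "user_unsigned_uac"}

def summarise(csv_text, workstyle="High Flexibility"):
    """Return {user: Counter(category -> count)} for events in one Workstyle only."""
    per_user = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Workstyle"].strip() != workstyle:
            continue  # same effect as the Workstyle filter in Analytics
        cat = categorise(row["Event Action"], row["Application Group Name"])
        per_user[row["User Name"]][cat] += 1
    return dict(per_user)

def suggest_bucket(counts):
    """Heuristic (assumption, not an EPM rule): Run-as-Administrator or unsigned
    UAC use keeps a user in High Flex; only signed installers or cancelled
    prompts means review; background-only elevation points to Low Flex."""
    if counts["user_run_as_admin"] or counts["user_unsigned_uac"]:
        return "keep High Flex"
    if sum(counts[c] for c in USER_DRIVEN):
        return "review (Medium Flex candidate)"
    return "Low Flex candidate (background elevations only)"

def build_report(csv_text):
    """{user: (category counts, suggested bucket)} for the High Flexibility Workstyle."""
    return {u: (dict(c), suggest_bucket(c)) for u, c in summarise(csv_text).items()}

if __name__ == "__main__":
    for user, (counts, bucket) in sorted(build_report(SAMPLE_EXPORT).items()):
        print(f"{user:12} {bucket:48} {counts}")
```

Point it at the real export by reading the file into `build_report` and renaming the four column keys to match the header row; events from other Workstyles are dropped exactly as the Workstyle filter would drop them in the console.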