Overview
Audit Mode for End-User Elevation helps IT teams safely transition end-users away from having local admin rights. When enabled, CyberQP logs all privileged applications and processes executed on a system with the CyberQP Agent. These logs are viewable from the dashboard, allowing you to review actual usage and configure auto-elevation rules before enforcing full end-user elevation.
This reduces disruption to end-user workflows and minimizes helpdesk tickets by pre-approving commonly used applications.
Prerequisites
- The latest version of the CyberQP agent must be installed on the end-user’s workstation (6.1.1.2 or higher)
- The End-User Elevation product must be enabled by your Account Rep (Contact Rep)
- End-User Elevation must be enabled for the customer (see instructions below)
How Audit Mode Works
Once enabled, CyberQP will:
- Log any processes that would have required elevation if the user didn't have local admin rights.
- Allow technicians to view these elevation events from the CyberQP dashboard.
- Display details of each elevation event, with an option to check the associated program against the VirusTotal database for potential malicious activity.
- Allow you to create elevation rules from the audit events and add them to Elevation Policies.
This allows you to monitor real-world application usage before enforcing elevation policies, ensuring smoother transitions for end-users.
How to Enable Audit Mode for a Customer
- Go to Settings > Elevations > Customer Access > Manage Access
- Search or navigate to the customer you want to enable Audit Mode for
- Click Edit next to the customer
- In the modal, select Audit Mode as the elevation mode
- Click Save
What Changes on the Workstation
When Audit Mode is enabled, the CyberQP agent applies the following system-level changes to allow process-level auditing:
- Enables Audit for Process Creation
  This causes Windows to start logging process creation events (Event ID 4688 under Windows Logs > Security).
- Enables Command Line Process Auditing
  This ensures that Event ID 4688 includes the full command line used to start each process, providing deeper visibility into what’s being run.
These settings allow CyberQP to capture detailed audit logs without affecting the end-user’s current permissions or workflows.
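To confirm on a workstation that both settings described above are in effect, the following added example (not CyberQP code) checks them and summarizes recent Event ID 4688 entries. It assumes the settings appear in the standard Windows locations (the auditpol "Process Creation" subcategory and the ProcessCreationIncludeCmdLine_Enabled policy value); the page does not state how the agent applies them.

```powershell
# Added example, not CyberQP code. Run in an elevated PowerShell session.
# Assumes an English-language OS (auditpol subcategory names are localized).

# 1. Is "Audit Process Creation" on? The setting column reads "Success",
#    "Success and Failure", "Failure" or "No Auditing".
$line = (auditpol /get /subcategory:"Process Creation" |
         Where-Object { $_ -match 'Process Creation' }) -join ' '
$processAuditOn = $line -match 'Success'

# 2. Is the command line included in Event ID 4688? Standard Windows policy value.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$val = (Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled `
        -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
$cmdLineOn = $val -eq 1

[pscustomobject]@{
    ProcessCreationAudit = $processAuditOn
    CommandLineIn4688    = $cmdLineOn
} | Format-List

# 3. Sample recent 4688 events and count the processes that ran with a full
#    (elevated) token. TokenElevationType %%1937 = full token; this is a raw
#    Windows approximation, not how CyberQP classifies its audit events.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
          -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $data['SubjectUserName']
        Process     = $data['NewProcessName']
        CommandLine = $data['CommandLine']
        Elevated    = $data['TokenElevationType'] -eq '%%1937'
    }
}

$rows | Where-Object Elevated |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Because Event ID 4688 now records full command lines, any credentials passed as command-line arguments will be written to the Security log, so limit who can read that log and where it is forwarded.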
For more information:
How to view elevation audit events