Overview
CyberQP provides visibility into privileged actions performed on workstations. The Audit page lets you monitor these elevation requests, filter them, and determine whether an existing auto-elevation policy already covers each request or whether a new elevation rule should be created.
Prerequisites
- End-User Elevation feature must be enabled for the customer.
- The end-user's workstation must have CyberQP Agent version 6.1.1.2 or higher installed.
Steps to View Elevation Audit Events
- Navigate to Elevations > Audit from the sidebar.
- You’ll see a list of all audit events.
- Use filters to narrow results by:
- Date
- Customer
- Program name
- Publisher
- Computer name
How to Check If a Matching Policy Exists
- Each audit event includes a Matching Policy column.
- This shows how many auto-elevation policies match the request.
- If it displays 0, that means no existing auto-elevation rule applies, and you may need to create one.
- Click the number in the Matching Policy column to see the list of matching policies.
Important: Make sure all policies are published. Draft policies will not trigger auto-elevation, even if they match the request.
FAQs
1. How long does it take for audit events to appear on the dashboard?
Audit events appear instantly, provided:
- A privileged process or application was run on the machine by a user with Administrative permissions.
- The machine is running the latest CyberQP agent (6.1.1.2 or higher).
- Audit Mode is enabled for the customer.
Refresh the page if you don't see new events immediately.
2. How does CyberQP capture audit events?
CyberQP enables two Windows security settings on the workstation:
- Audit Process Creation: logs Event ID 4688 under Windows Logs > Security whenever a new process starts.
- Command Line Process Auditing: ensures Event ID 4688 includes the full command line used to launch the process, for better visibility.
3. Does CyberQP capture all UAC events, including non-privileged ones?
No. CyberQP only captures privileged elevation audit events.
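The following PowerShell is an added example for FAQs 2 and 3; it is not CyberQP's own code and does not reproduce how the agent filters events. It enables the two Windows audit settings named above (Audit Process Creation via auditpol, and Command Line Process Auditing via the ProcessCreationIncludeCmdLine_Enabled registry value), verifies them, and then reads recent Event ID 4688 entries, keeping only launches whose Token Elevation Type is %%1937 (a full, elevated administrator token). Run it in an elevated PowerShell session on a workstation you administer.

```powershell
# Added example, not CyberQP code. Enable and verify the two audit settings,
# then list elevated (privileged) process launches from the Security log.

# 1. Audit Process Creation (Success): emits Event ID 4688 on every process start.
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. Command Line Process Auditing: adds the full command line to each 4688 event.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Verify both settings took effect (expect "Success" and a value of 1).
auditpol /get /subcategory:"Process Creation"
(Get-ItemProperty -Path $key).ProcessCreationIncludeCmdLine_Enabled

# 3. Read the most recent 4688 events and keep only elevated launches.
#    TokenElevationType values in 4688:
#      %%1936 = Default (no UAC split token, e.g. SYSTEM, services, built-in Administrator)
#      %%1937 = Full    (user elevated through UAC; this is the privileged population)
#      %%1938 = Limited (standard user token)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TokenElevationType'] -eq '%%1937') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process     = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']   # empty unless setting 2 is enabled
        }
    }
}
```

Filtering on %%1937 is how the example separates elevated launches from the non-privileged ones FAQ 3 says are not captured; it is an approximation, since processes started under accounts without a UAC split token report %%1936 rather than %%1937. If CommandLine comes back empty for new events after enabling the registry value, check that a Group Policy setting is not overriding it (Administrative Templates > System > Audit Process Creation > Include command line in process creation events).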