Overview
When Audit Mode is enabled for a customer in CyberQP, the agent begins monitoring elevated activity on end-user workstations. This mode is designed to help IT teams discover which applications and processes users run that would typically require admin privileges—without actually restricting user permissions.
This article explains what changes are applied to the workstation, what kind of events are collected, how they're filtered, and how they can be viewed locally in Event Viewer.
Prerequisites
- Audit Mode must be enabled for the customer from Settings > Elevations > Customer Access > Manage Access
- CyberQP agent must be running on the workstation (Agent version 6.1.1.2 or higher)
What Changes Are Applied to the Workstation
When Audit Mode is enabled, CyberQP automatically configures the following two Windows audit policies on the local machine:
- Audit Process Creation
  This enables the system to log all process creation events under Event ID 4688 in Windows Logs > Security.
- Include Command Line in Process Creation Events
  This ensures each Event ID 4688 entry includes the full command line used to launch the process, providing more context about the activity.
Note: CyberQP stores the previous configuration for these policies and reverts them once Audit Mode is turned off.
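To confirm on a workstation that both settings are actually in effect, the following PowerShell script is an added example (it is not CyberQP's code and is not how the agent itself applies the policies). It reads the Process Creation subcategory with auditpol and the registry value behind the "Include command line in process creation events" Group Policy setting, then pulls one Event ID 4688 entry to show the CommandLine field is populated. It assumes the agent applies the command-line setting through that same registry-backed policy.

```powershell
# Added verification script (not CyberQP's own code). Checks whether the two
# audit settings described above are in effect on the local workstation.
# Run from an elevated PowerShell prompt; auditpol and the Security log both
# require administrator rights.

# 1. Audit Process Creation (Security log, Event ID 4688).
#    auditpol prints a table; the "Process Creation" row should read
#    "Success" or "Success and Failure" when enabled.
$auditRow = auditpol /get /subcategory:"Process Creation" |
    Where-Object { $_ -match 'Process Creation' }
$processAuditing = if ($auditRow -match 'Success') { 'Enabled' } else { 'Disabled' }

# 2. Include Command Line in Process Creation Events.
#    The Group Policy setting is backed by this registry value; 1 means enabled.
#    Assumption: the agent sets the policy through this same registry-backed setting.
$cmdLineKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLineValue = (Get-ItemProperty -Path $cmdLineKey `
                    -Name 'ProcessCreationIncludeCmdLine_Enabled' `
                    -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
$cmdLineAuditing = if ($cmdLineValue -eq 1) { 'Enabled' } else { 'Disabled' }

[pscustomobject]@{
    'Audit Process Creation'              = $processAuditing
    'Include Command Line in 4688 Events' = $cmdLineAuditing
}

# 3. End-to-end check: the newest 4688 event should carry a non-empty CommandLine
#    field. An empty field means the command-line policy is not yet effective.
$latest = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
              -MaxEvents 1 -ErrorAction SilentlyContinue
if ($latest) {
    ([xml]$latest.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'CommandLine' } |
        Select-Object Name, '#text'
}
```

If the first check reports Disabled while Audit Mode is on, re-verify the agent version from the prerequisites before troubleshooting the policies themselves, since the revert-on-disable behaviour means a stale agent state can leave the previous configuration in place.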
What Types of Events Are Captured
Although Windows will begin logging all process creation events once these settings are enabled, the CyberQP agent applies additional filters to only capture events relevant to privileged activity.
CyberQP filters for:
- Human users only
  Events triggered by built-in system accounts are ignored.
- Parent process is explorer.exe
  This ensures we only capture processes launched directly by the user—e.g., from the Start menu, desktop, or File Explorer.
- Process has high integrity level
  Only processes with a Mandatory Integrity Level of High or greater are included, indicating that the process could use admin privileges.
CyberQP also applies additional logic to identify relevant metadata for certain file types like .msi installers and other special cases.
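The three filters above can be reproduced locally against the Security log, which is useful for checking what Audit Mode would surface on a given machine before looking at the CyberQP console. The script below is an added example, not the agent's own filtering code, and it does not reproduce the .msi and special-case metadata logic the article mentions. It assumes the well-known SIDs for the built-in system accounts (S-1-5-18, S-1-5-19, S-1-5-20) and the Mandatory Integrity Control labels for High (S-1-16-12288) and System (S-1-16-16384), and it relies on the ParentProcessName field that Event ID 4688 carries on Windows 10 / Server 2016 and later.

```powershell
# Added example (not CyberQP's own code): applies the article's three filters to
# Event ID 4688 entries in the local Security log. Run from an elevated prompt.

# Filter 1 input: built-in system accounts (LOCAL SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
$systemSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

# Filter 3 input: Mandatory Integrity Level labels of High or greater.
$highOrAbove = @('S-1-16-12288', 'S-1-16-16384')   # High, System

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
              -MaxEvents 500 -ErrorAction SilentlyContinue

$relevant = foreach ($event in $events) {
    # Each 4688 entry exposes its fields as named <Data> elements in the event XML.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Filter 1: human users only; skip events raised by built-in system accounts.
    if ($systemSids -contains $data['SubjectUserSid']) { continue }

    # Filter 2: parent process is explorer.exe (launched from Start, desktop or File Explorer).
    if ($data['ParentProcessName'] -notlike '*\explorer.exe') { continue }

    # Filter 3: integrity level High or greater.
    if ($highOrAbove -notcontains $data['MandatoryLabel']) { continue }

    [pscustomobject]@{
        Time        = $event.TimeCreated
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process     = $data['NewProcessName']
        Integrity   = if ($data['MandatoryLabel'] -eq 'S-1-16-16384') { 'System' } else { 'High' }
        # Populated only when "Include Command Line in Process Creation Events" is on.
        CommandLine = $data['CommandLine']
    }
}

$relevant | Format-Table -AutoSize -Wrap
```

Events dropped by filter 2 (for example, a child process spawned by an installer rather than by explorer.exe) and by filter 3 (Medium-integrity processes) are exactly the categories listed under "What Is Not Captured" below, so an empty result on a busy workstation usually means no user-launched, elevated process has run within the last 500 events rather than a logging problem.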
What Is Not Captured
- System-initiated or background processes not launched by the user
- Non-privileged processes (integrity level lower than High)
- Sub-processes or services that don’t originate from explorer.exe
- Events triggered by service accounts or internal OS operations
This targeted approach ensures you only see elevation-relevant activity tied to real user behavior.