
Discovery, Auditing, and Events

Endpoint Policy Manager Least Privilege Manager writes interesting events to the Windows event logs. You can use these events to audit what has occurred.

NOTE: See the Events video for a demo of the Endpoint Policy Manager Least Privilege Manager Events in action.

You can also use these events, before you fully roll out Endpoint Policy Manager Least Privilege Manager, to discover what rules you would need to make when you transition from local admin rights to SecureRun™.

NOTE: See the Use Discovery to know what rules to make as you transition from Local Admin rights video for a demo of Endpoint Policy Manager Least Privilege Manager Discovery in action.

Events are logged on each endpoint machine, and only when an interesting event occurs. You can find Endpoint Policy Manager Least Privilege Manager events in Event Viewer, in the Applications and Services Logs folder under the Endpoint Policy Manager node. Once you understand Endpoint Policy Manager Least Privilege Manager and its events, you might want to set up event forwarding to capture and forward events from multiple machines. That way, you can see what multiple users are doing and look through the events for interesting ideas to convert into rules.

Endpoint Policy Manager Least Privilege Manager has two event sources, which can be seen in Event Viewer.

  • Endpoint Policy Manager Least Privilege Manager Client
  • Endpoint Policy Manager Least Privilege Manager Client—Operational

![Endpoint Policy Manager Least Privilege Manager event sources in Event Viewer](/img/product_docs/endpointpolicymanager/endpointpolicymanager/leastprivilege/events/discovery_auditing_and_events.webp)