Forum Discussion
Aman_Khan
Oct 07, 2021 | Copper Contributor
Onboarding Ivanti Application Control logs to Azure Sentinel
Hi all,
Just wondering if anyone has onboarded "Ivanti Application Control" logs to Azure Sentinel?
- Log source is on-prem (no cloud presence, and no connector available in Sentinel)
- Product does not support Syslog or CEF
- To extract logs from the central management server you can use a database query (DbConnect in the Splunk world)
OR
- To extract logs from clients, you can export them from every client in either XML or CSV format
Has anyone onboarded these logs before, or does anyone have suggestions?
Thank you
- Ended up forwarding Ivanti logs to a Windows Event Collector server:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/forward-on-premises-windows-security-event-logs-to-microsoft/ba-p/3040784
In my case, filtered to only the event IDs pertaining to AppSense, i.e. 9***, e.g.:
"ForwardedEvents!*[System[(EventID=9000)]]"
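The filter quoted in the reply matches a single event ID (9000), while the intent is the whole AppSense 9*** family. Below is an added example, not code from the original post or from Ivanti/Microsoft, that builds the range form of that XPath, validates it against the collector's ForwardedEvents log before it goes into the Azure Monitor Agent data collection rule, and checks the WEC subscription runtime status. It assumes the AppSense event IDs span 9000-9999 (the post only says "9***") and that the WEC subscription is named IvantiAppControl; both are assumptions to adjust to your environment.

```powershell
# Added example (not from the original post): build and locally validate the
# XPath filter used in the Azure Monitor Agent data collection rule (DCR).
# Assumptions: AppSense/Ivanti Application Control event IDs are 9000-9999
# (the post only says "9***"), and the WEC subscription is named
# "IvantiAppControl". Run on the collector as a member of Event Log Readers
# or as an administrator, since ForwardedEvents is not world-readable.

# Event Log XPath supports comparison operators, so one expression covers the
# whole 9xxx range instead of a single ID.
$AppSenseXPath = "*[System[(EventID >= 9000 and EventID <= 9999)]]"

# The DCR form is the same expression prefixed with the channel name and "!".
$DcrXPathQuery = "ForwardedEvents!" + $AppSenseXPath

function Test-AppSenseFilter {
    param([int]$MaxEvents = 10)
    # Run the identical XPath against ForwardedEvents on the collector.
    # If this returns nothing, the DCR will collect nothing either, and the
    # problem is upstream (subscription, source, or event ID assumption),
    # not in Sentinel.
    Get-WinEvent -LogName 'ForwardedEvents' -FilterXPath $AppSenseXPath `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, MachineName
}

function Get-WecSubscriptionStatus {
    param([string]$SubscriptionName = 'IvantiAppControl')
    # "wecutil gr" prints the runtime status of each event source in the
    # subscription; sources stuck in "Inactive" explain an empty
    # ForwardedEvents log.
    wecutil gr $SubscriptionName
}

"DCR XPath query to use in the data collection rule:"
$DcrXPathQuery
"Sample of matching forwarded events on this collector:"
Test-AppSenseFilter | Format-Table -AutoSize
"WEC subscription runtime status:"
Get-WecSubscriptionStatus
```

Once the DCR is deployed, the same events land in the Sentinel workspace's Event table; `Event | where EventLog == "ForwardedEvents" and EventID between (9000 .. 9999)` confirms end-to-end delivery with the same ID range as the XPath. If the local Get-WinEvent test returns events but the KQL query does not, the DCR or agent association is at fault rather than the forwarding.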