SOLVED

Onboarding Ivanti Application Control logs to Azure Sentinel

Copper Contributor

Hi all,
Just wondering if anyone has onboarded "Ivanti Application Control" logs to Azure Sentinel?

-Log source is on-prem (no cloud presence, nor is a connector available in Sentinel)
-Product does not support Syslog or CEF
-To extract logs from the central management server you can use a database query (DbConnect in the Splunk world)
OR
-To extract logs from clients you can extract logs from every client in either XML or CSV format

Has anyone on-boarded these logs before or have any suggestions?
Thank you

2 Replies
best response confirmed by Aman_Khan (Copper Contributor)
Solution
Ended up forwarding Ivanti logs to a Windows Event Collector server:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/forward-on-premises-windows-...

In my case filtered to only event IDs pertaining to AppSense, i.e. 9***, e.g.
"ForwardedEvents!*[System[(EventID=9000)]]"
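
An added check on the collector side (example code, not from the original post or from Ivanti): it extends the single-ID XPath above to the whole "9***" range and inventories which event IDs, providers and source hosts actually arrive in ForwardedEvents, so the filter can be verified before the same expression is put into the Sentinel collection rule. It assumes "9***" means 9000-9999 and that forwarding to this collector already works.

```powershell
# Added example, not from the original post: confirm which Ivanti/AppSense event IDs
# really land in the collector's ForwardedEvents log before copying the same XPath
# into the Sentinel collection rule. Assumes "9***" in the post maps to 9000-9999 and
# that the WEF subscription to this collector is already delivering events.

# Range form of the poster's single-ID filter. The agent/Sentinel form is the same
# expression prefixed with the channel:
#   ForwardedEvents!*[System[(EventID >= 9000 and EventID <= 9999)]]
$xpath = "*[System[(EventID >= 9000 and EventID <= 9999)]]"

$events = Get-WinEvent -LogName ForwardedEvents -FilterXPath $xpath -MaxEvents 500 `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events in the 9000-9999 range in ForwardedEvents; check the WEF subscription and source-initiated forwarding first."
    return
}

# Inventory by ID, provider and originating host, so the filter can be tightened
# (or the 9*** assumption corrected) before the data collection rule is written.
$events |
    Group-Object Id, ProviderName, MachineName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventID';  e = { $_.Group[0].Id } },
                  @{ n = 'Provider'; e = { $_.Group[0].ProviderName } },
                  @{ n = 'Source';   e = { $_.Group[0].MachineName } },
                  Count |
    Format-Table -AutoSize
```

Run it on the collector itself; an empty result means the forwarding chain, not the Sentinel filter, is what needs fixing.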

@Aman_Khan - Can you elaborate on this please as we have a requirement to do this. Ivanti doesn't write to event logs, it keeps it in the Management Database? How are you forwarding / filtering these logs please? Any help appreciated.
