Onboarding Ivanti Application Control logs to Azure Sentinel

Aman_Khan · ‎Oct 06 2021

Hi all,
Just wondering if anyone has onboarded "Ivanti Application Control " logs to Azure Sentinel?

-Log source is on-prem (No cloud presence, neither a connector available in Sentinel)
-Product does not support Syslog or CEF
-To extract logs from central management server you can use a data base query (DbConnect in Splunk World)
OR
-To extract logs from clients you can extract logs from every client in either XML or CSV format

Has anyone on-boarded these logs before or have any suggestions ?
Thank you

Aman_Khan · ‎Sep 12 2022

Ended up forwarding Ivanti Logs to a Window Event Collector server:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/forward-on-premises-windows-...

In my case filtered to only event IDs pertaining to AppSense i.e. 9*** .eg.
"ForwardedEvents!*[System[(EventID=9000)]]"

c2wak · ‎Jan 31 2023

@Aman_Khan - Can you elaborate on this please as we have a requirement to do this. Ivanti doesnt write to eventlogs it keeps it in the Management Database? How are you forwarding / filtering these logs please? Any help appreciated.

Onboarding Ivanti Application Control logs to Azure Sentinel

Onboarding Ivanti Application Control logs to Azure Sentinel

Re: Onboarding Ivanti Application Control logs to Azure Sentinel

Re: Onboarding Ivanti Application Control logs to Azure Sentinel

Products (52)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

Onboarding Ivanti Application Control logs to Azure Sentinel

Onboarding Ivanti Application Control logs to Azure Sentinel

Re: Onboarding Ivanti Application Control logs to Azure Sentinel

Re: Onboarding Ivanti Application Control logs to Azure Sentinel