Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Onboarding Ivanti Application Control logs to Azure Sentinel

Copper Contributor

Hi all,
Just wondering if anyone has onboarded "Ivanti Application Control " logs to Azure Sentinel?

-Log source is  on-prem (No cloud presence, neither a connector available in Sentinel)
-Product does not support Syslog or CEF
-To extract logs from central management server you can use a data base query (DbConnect in Splunk World)
-To extract logs from clients you can extract logs from every client in  either XML or CSV format

Has anyone on-boarded these logs before or have any suggestions ?
Thank you

2 Replies
best response confirmed by Aman_Khan (Copper Contributor)
Ended up forwarding Ivanti Logs to a Window Event Collector server:

In my case filtered to only event IDs pertaining to AppSense i.e. 9*** .eg.

@Aman_Khan - Can you elaborate on this please as we have a requirement to do this. Ivanti doesnt write to eventlogs it keeps it in the Management Database? How are you forwarding / filtering these logs please? Any help appreciated.