Increasing Visibility to Ivanti Application Control Events with Xtraction

Introduction

Ivanti’s Application Control has great built-in auditing features that provide insight into the actions Application Control governs. Although historical auditing is useful, it can become overwhelming and noisy.

Common Auditing Events:

  • Applications allowed/denied execution
  • Applications running under elevated privileges
  • Self-elevation of applications to run as Administrator
  • Policy change requests

The key is to separate the actionable events from the informational ones and present them in a visible, readable format. Depending on the size of the environment and the number of devices reporting, the sheer volume of data can become overwhelming.

Ivanti’s Xtraction is a powerful dashboard reporting tool that produces charts and tables in an organized format for better consumption. Xtraction can integrate with a plethora of products, including Application Control, to produce just about any imaginable report.

How Application Control Auditing works out-of-box

Application Control uses a configuration deployed to endpoints that determines which programs, websites, and actions a user can and cannot access. The result of each access control decision, whether an allow or a deny, can be audited to help refine policy and configuration. A number of defined audit events can be enabled depending on the information that needs to be captured; some events produce far more traffic than others, so be deliberate about what is captured and how long events are retained.

Trusted ownership is a large part of Application Control. It only allows applications that were introduced by trusted administrators; the list of trusted administrators can be modified to suit any environment. Trusted ownership helps prevent unwarranted and unwanted execution of code, whether benign or malicious, that could be introduced into the environment from software a user downloaded or via other means.

Figure 1 – Denied Execution Template 

Upon execution, because the software was not introduced by a trusted owner or explicitly defined in the policy, the user receives an execution denied prompt, as shown in Figure 1. Combined with auditing, this tells you exactly who tried to execute untrusted software and what they were trying to execute.

Xtraction Integration with Application Control

Xtraction is reporting software that uses Data Sources to communicate with databases for information extraction. Each Data Source establishes its own database connection, which allows for individual or compound reporting.

Xtraction uses Dashboards to present information in a clean format and utilizes graphs and charts depending on business needs; Xtraction can also create Documents and Reports.

Dashboard features:

  • Ability to customize components/multiple datasets into charts, graphs, or lists
  • Drill down for more in-depth data visibility
  • Filter based on specific criteria
  • View real-time or historical data
  • Generate and schedule reports for email delivery

Figure 2 – Event Monitor

All of these mechanisms can be used together to have a true understanding of the environment.

Application Control auditing is an important part of Application Control. Each audited event is useful for tweaking the configuration, for example, if there is a need to allow or deny a new item. Auditing helps to gain insight into the actions being performed on an endpoint within an environment.

Xtraction can be used to report on the auditing produced by Application Control, coupled with any number of charts or graphs depending on the need; Figure 2 shows an example of a Dashboard produced from Xtraction for Application Control auditing events.

Figure 2 uses the following components and features to quickly display data for Application Control events:

  • Pivot Charts
    • Displays filtered event numbers compared with event description and user
  • Time Chart
    • Displays the number of events within the past week
  • Filters for specific event numbers that pertain to Application Control events
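The three components above reduce to a filter, a pivot (count per description and user) and a day-bucketed time series. The following is an added example, not Xtraction's or Ivanti's own code, that reproduces that logic over a constructed set of audit events; the event numbers, user names and timestamps are placeholders, not real Application Control IDs.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Application Control audit events; not real Ivanti data.
# Each tuple: (event_number, description, user, timestamp). The event numbers
# are placeholders standing in for whatever IDs the dashboard filters on.
EVENTS = [
    (90001, "Execution denied",  "CORP\\alice", "2024-03-04 09:12:00"),
    (90001, "Execution denied",  "CORP\\alice", "2024-03-05 10:30:00"),
    (90001, "Execution denied",  "CORP\\bob",   "2024-03-05 11:00:00"),
    (90002, "Self-elevation",    "CORP\\bob",   "2024-03-07 15:45:00"),
    (90003, "Execution allowed", "CORP\\carol", "2024-03-07 16:00:00"),
    (90001, "Execution denied",  "CORP\\carol", "2024-03-01 08:00:00"),
    (90003, "Execution allowed", "CORP\\alice", "2024-03-09 09:00:00"),
]

# Placeholder filter: keep only the actionable event numbers and drop the
# noisy informational "allowed" events.
ACTIONABLE_EVENTS = {90001, 90002}

# Reference point for the "past week" window (constructed).
NOW = datetime(2024, 3, 10, 12, 0, 0)

def filter_events(events, wanted):
    """Filter component: keep only events whose number is in the allow list."""
    return [e for e in events if e[0] in wanted]

def pivot_by_description_user(events):
    """Pivot chart: event count per (description, user) pair."""
    return Counter((desc, user) for _, desc, user, _ in events)

def time_chart_past_week(events, now):
    """Time chart: events per day for the seven days ending on 'now'."""
    start = (now - timedelta(days=6)).date()
    buckets = {(start + timedelta(days=i)).isoformat(): 0 for i in range(7)}
    for _, _, _, ts in events:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date().isoformat()
        if day in buckets:  # events older than the window are ignored
            buckets[day] += 1
    return buckets

def build_dashboard(events=EVENTS, wanted=ACTIONABLE_EVENTS, now=NOW):
    """Assemble the three components the way the Figure 2 dashboard does."""
    filtered = filter_events(events, wanted)
    return {
        "pivot": pivot_by_description_user(filtered),
        "time_chart": time_chart_past_week(filtered, now),
    }
```

Feeding `build_dashboard()` real exported events would show the same thing the Dashboard does: which users generate the most denials and which days they cluster on.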

For optimal reporting, this Dashboard can be scheduled and emailed weekly to stay up to date on the events Application Control produces.

Summary

After this brief overview of Xtraction and Application Control, you should have a better understanding of how they can be used together and the benefits they provide. Application Control is a very useful security tool with powerful auditing capabilities.

With Xtraction, the audited events can be turned into customizable Dashboards in an organized format that help you refine Application Control policies and create a better user experience. Each Dashboard can be saved for reuse, sent out regularly via email, or customized at any time if the information needs to change.

Zach Thurmond
IT Consultant
Critical Design Associates

LinkedIn Profile