1 Reply Latest reply on Feb 12, 2018 2:45 AM by timothyb

    Ivanti Application Control for Splunk

    Fordo Apprentice

      For those customers with Ivanti Application Control (AppSense Application Manager) and Splunk, you may be interested in the app I've published on splunkbase:


      Ivanti Application Control for Splunk | Splunkbase


      Integrating AMC data into Splunk lets you

      • Automatically add vital context to events - a user's real name, business unit, corporate title etc.
      • Develop your own reports and dashboards using Splunk's best-in-class analytics and visualisation engine
      • Integrate with Splunk Enterprise Security to ensure incidents appear in the same single-pane-of-glass used by your SOC analysts
      • Query quickly across months and years of data without being limited by SQL and without locking production SQL Server databases


      Example use cases:

      • Provide first-line incident responders a near-real-time indication of who's being blocked from running something - whether it's the CEO, a contractor, a developer etc.
      • Provide per-department views of the expected impact of application whitelisting before they move from Audit to Restricted-mode blocking


      The app is free, requires no proprietary data model to install, and needs no SQL skills to extend.

      A few techie points:

      • All fields relevant to whitelisting and privilege management are extracted, including metadata (Vendor, Company Name, File Owner) often ignored by other reporting solutions
      • Any additional fields added in the future will still be retrieved and can be extracted at search-time without depending upon an updated data model
      • File paths are available in their original form (c:\users\greg\appdata\local...) and normalised (%localappdata%\...) to enable useful 'most blocked path' aggregation regardless of unique profile paths
      • Technically all AMC events are retrieved and events relating to other parts of the User Workspace Manager suite can be viewed and reported upon. Currently the pre-built dashboards focus solely on Application Control


      All suggestions for feedback are welcome - post here or use the Contact Developer link on splunkbase.


      Greg
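The path normalisation mentioned in the post (raw profile path to %localappdata%-style form, so one blocked binary aggregates across many user profiles) can be illustrated with the following added example. It is not code from the Splunkbase app; the prefix table and the sample events are constructed for demonstration.

```python
import re
from collections import Counter

# Constructed sample events: (user, blocked executable path). Not real AMC data.
SAMPLE_EVENTS = [
    ("greg",  r"C:\Users\greg\AppData\Local\Temp\installer.exe"),
    ("alice", r"C:\Users\alice\AppData\Local\Temp\installer.exe"),
    ("bob",   r"C:\Users\bob\AppData\Roaming\tool\tool.exe"),
    ("alice", r"C:\Users\alice\Downloads\setup.exe"),
    ("svc",   r"C:\Program Files\Vendor\app.exe"),
]

# Hypothetical prefix table. Order matters: the more specific per-user
# folders come before the generic %userprofile% rule.
_PREFIX_RULES = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\"),   "%localappdata%\\"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"), "%appdata%\\"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\"),                   "%userprofile%\\"),
    (re.compile(r"^[a-z]:\\program files \(x86\)\\"),           "%programfiles(x86)%\\"),
    (re.compile(r"^[a-z]:\\program files\\"),                   "%programfiles%\\"),
    (re.compile(r"^[a-z]:\\windows\\"),                         "%systemroot%\\"),
]


def normalise_path(path: str) -> str:
    """Lower-case the path and swap a known per-user or system prefix for its
    environment-variable form; paths with no known prefix are only lower-cased."""
    p = path.strip().lower()
    for pattern, replacement in _PREFIX_RULES:
        match = pattern.match(p)
        if match:
            # Splice rather than re.sub so backslashes in the replacement are literal.
            return replacement + p[match.end():]
    return p


def most_blocked_paths(events, top=3):
    """Count blocked executions by normalised path, so the same binary run from
    different profile directories collapses into a single bucket."""
    counts = Counter(normalise_path(path) for _user, path in events)
    return counts.most_common(top)


if __name__ == "__main__":
    for path, n in most_blocked_paths(SAMPLE_EVENTS):
        print(f"{n:>3}  {path}")
```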