For those customers with Ivanti Application Control (AppSense Application Manager) and Splunk, you may be interested in the app I've published on splunkbase:
Integrating AMC data into Splunk lets you:
- Automatically add vital context to events - a user's real name, business unit, corporate title etc.
- Develop your own reports and dashboards using Splunk's best-in-class analytics and visualisation engine
- Integrate with Splunk Enterprise Security to ensure incidents appear in the same single-pane-of-glass used by your SOC analysts
- Query quickly across months and years of data without being limited by SQL and without locking production SQL Server databases
Example use cases:
- Provide first-line incident responders a near-real-time indication of who's being blocked from running something - whether it's the CEO, a contractor, a developer etc.
- Provide per-department views of the expected impact of application whitelisting before they move from Audit to Restricted-mode blocking
The app is free, requires no proprietary data model to install, and needs no SQL skills to extend.
A few techie points:
- All fields relevant to whitelisting and privilege management are extracted, including metadata (Vendor, Company Name, File Owner) often ignored by other reporting solutions
- Any additional fields added in the future will still be retrieved and can be extracted at search-time without depending upon an updated data model
- File paths are available in their original form (c:\users\greg\appdata\local...) and normalised (%localappdata%\...) to enable useful 'most blocked path' aggregation regardless of unique profile paths
- Technically all AMC events are retrieved and events relating to other parts of the User Workspace Manager suite can be viewed and reported upon. Currently the pre-built dashboards focus solely on Application Control
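To make the path-normalisation point concrete, here is an added example (written for this post, not code from the Splunkbase app or from Ivanti) of how original and normalised paths relate and why the normalised form is the one to aggregate on. The sample events, the rule list and the helper names (`normalise_path`, `blocked_summary`, `top_blocked_directories`) are assumptions for illustration; the app does this extraction at search time in Splunk rather than in Python.

```python
import re
from collections import Counter

# Constructed sample events (not real Application Control data):
# (user, original path of the executable that was blocked).
# Note the same installer appears under three different profile paths.
SAMPLE_BLOCKED = [
    ("greg",  r"C:\Users\greg\AppData\Local\Temp\installer.exe"),
    ("alice", r"c:\users\alice\appdata\local\temp\installer.exe"),
    ("alice", "C:/Users/alice/AppData/Local/Temp/installer.exe"),
    ("bob",   r"C:\Users\bob\AppData\Roaming\Dropbox\update.exe"),
    ("greg",  r"C:\Users\greg\Downloads\tool.exe"),
    ("svc",   r"C:\Program Files (x86)\Vendor\agent.exe"),
    ("svc",   r"D:\Windows\Temp\stage.exe"),
]

# Most specific prefix first, so %LOCALAPPDATA% wins over %USERPROFILE%.
# Drive letter and user name are wildcards so every profile root maps to one key.
_PREFIX_RULES = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\"),   "%LOCALAPPDATA%\\"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"), "%APPDATA%\\"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\"),                   "%USERPROFILE%\\"),
    (re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\"),  "%USERPROFILE%\\"),
    (re.compile(r"^[a-z]:\\program files \(x86\)\\"),           "%PROGRAMFILES(X86)%\\"),
    (re.compile(r"^[a-z]:\\program files\\"),                   "%PROGRAMFILES%\\"),
    (re.compile(r"^[a-z]:\\windows\\"),                         "%SYSTEMROOT%\\"),
]


def normalise_path(path: str) -> str:
    """Map a blocked file path to a profile-independent form.

    Windows paths are case-insensitive, so the whole path is lower-cased
    before matching and the variable name is emitted in upper case.
    Forward slashes are folded to backslashes first. Paths matching no
    rule (a UNC share, a removable drive) come back lower-cased but
    otherwise unchanged, so they still aggregate with their siblings.
    """
    p = path.replace("/", "\\").lower()
    for pattern, replacement in _PREFIX_RULES:
        m = pattern.match(p)
        if m:
            return replacement + p[m.end():]
    return p


def blocked_summary(events):
    """Aggregate blocks by normalised path.

    Returns rows of (normalised_path, block_count, distinct_users), most
    blocked first. Distinct users matter for triage: one path blocked
    for many users is a whitelisting gap, one user hitting it repeatedly
    is a support call.
    """
    per_path = {}
    for user, path in events:
        key = normalise_path(path)
        entry = per_path.setdefault(key, [0, set()])
        entry[0] += 1
        entry[1].add(user)
    rows = [(key, count, len(users)) for key, (count, users) in per_path.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def top_blocked_directories(events, n=3):
    """Coarser view: count blocks per normalised parent directory."""
    dirs = Counter(normalise_path(p).rsplit("\\", 1)[0] for _user, p in events)
    return dirs.most_common(n)


if __name__ == "__main__":
    for user, path in SAMPLE_BLOCKED:
        print(f"{user:6} {path:55} -> {normalise_path(path)}")
    print()
    for row in blocked_summary(SAMPLE_BLOCKED):
        print(row)
    print(top_blocked_directories(SAMPLE_BLOCKED))
```

Without normalisation the three installer events above would be three separate rows, one per profile path and spelling; with it they collapse into one row showing three blocks across two users, which is the figure a department view or a first-line responder actually wants. Keeping the original path alongside (as the app does) still lets an analyst pivot back to the exact file a given user ran.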
All suggestions and feedback are welcome - post here or use the Contact Developer link on splunkbase.