Event Viewer (2021.1)

Introduced in Application Control 2021.1, Event Viewer is a powerful query tool that allows you to view, group and filter or search events and then use events identified to modify or create configuration rules using simple drag or copy gestures. Event Viewer queries are based on event types, and can be easily customized to focus on specific time periods, users or machines and then filtered or searched to identify specific event attributes.

In this section:

Create query

Customize query results displayed

Save and manage custom queries

Modify configuration rules

The typical use case for the Event Viewer is to review audit data on an iterative basis at the initial setup of Application Control and modify the configuration accordingly. It is also valuable for specific queries in response to user requests or operational requirements. Performing such reviews periodically can help ensure your configuration remains fit for purpose and meets the requirements of users across your organization.

The following videos provide an introduction to the Event Viewer feature:

Event Viewer - Overview (6m)

Example use-case: Privilege Discovery (4m)

The Event Viewer tool is available only for Ivanti Management Center (MC) users, that is, where Management Center is used to collect event data.
Users will need to upgrade to the latest versions of both Application Control and the MC to ensure event viewer data is returned as expected.

Create query

1. From the console ribbon, select Manage > Event Viewer.

The Application Control Events dialog is displayed.

2. Click Manage Connections.
The Management Server Database Connection dialog opens.

Connection details are the same as those used by AppSense in Enterprise mode to store and deploy configurations via Ivanti Management Center. If you have previously saved a database connection, its details are stored as part of your user profile and listed here. To add or modify an MC connection, see Create MC connection below.

3. From the Select Management Server dialog, click the connection required, or select the connection and click Connect.
The user connection dialog opens.

4. In the user connection dialog, select the options required:

Connect as

Current User - Select this option to connect using your current user profile.

Custom User - Select this option to connect using an alternative user profile.
Note that to access the MC, the user profile you select must have the required database access permissions.

Remember me - Select or clear this checkbox as required.

When complete, click OK to save the connection credentials.
Once the connection details are entered, the user connection dialog closes and the connection is established.

5. In the View field, click the arrow icon and select the view required from the list.

The list comprises preconfigured views plus any customized views you have saved previously.
Each view represents a category of event(s) you can query and will return results based upon the corresponding event IDs.

For example, the view Denied Executables displays events for: denied execution, application limit denial, time limit denial, application termination, denied execution (using trusted ownership) and denied execution (using rule policy). Other views return only single event types. The Privilege Management view, for example, returns only application user privilege changed events (ID 9018).

Preconfigured views include:

Denied Executables

Allowed Executables

Privilege Management

Privilege Discovery

Self Authorization

Self Elevation

Browser Control

Note that certain queries are likely to return a large amount of data and can take considerable time to run, especially if your database is very large. It is strongly recommended that you constrain such queries using filters such as Time Range, User or Machine, and select Summary Only where applicable.

6. In the Time Range field, click the arrow icon and select the period required from the list.
Alternatively, select <Specify custom period> and, in the Custom Time Range dialog, specify a start and end time for the time range required, then click OK.

7. If required, click the ellipses next to the User field, select (or specify) the user required from the Select User dialog, then click OK.

Event Viewer queries filtered for specific users allow you to troubleshoot and address reported user issues or requests. Adding a time range to your query produces highly specific results: the query returns only the events raised for the selected user within the selected time range.

To specify the user required, enter the exact match comprising the domain and user name. For example, ivanti/example.username

Select User

Note that the User field is not available if the Summary Only checkbox is selected.

In the Select User dialog, click Advanced... to expand the dialog:

In the Common Queries panel, enter a search term in the Name and/or Description field, then click Find Now.
Matching results are listed.

Select the user required and click OK to confirm.

8. If required, click the ellipses next to the Machine field and select the machine required. Alternatively, enter an exact match for the machine domain and name directly.

The Machine field is not available if the Summary Only checkbox is selected.

9. Select or clear the Summary Only checkbox as required.

The Summary Only option groups similar events and provides the total number of occurrences and the number of distinct users for each group identified. This lets an administrator see immediately which events are recurring and how many users are affected; for example, it identifies the files that have been blocked most frequently, or the applications that have been allowed most often. The Summary Only view ignores user- and machine-specific data and provides instance counts only. It is available for allowed and denied executable queries only.

With the Summary Only option cleared, the query returns all event data as a simple grid, without total or user count values.

10. To run the query, select Run Query.
Results are listed for review. If you change the View or any filters, you must re-run the query to update the results.

Environment Variables

Application Control normalizes the absolute file paths of executables identified in events by substituting standard environment variables for certain user- or machine-specific values. As a result, when the same file is accessed by different users and/or on different machines, the normalized path is identical, so the events can be grouped together.

Example:

Absolute paths                      Normalized path
C:\ProgramData                      %programdata%
D:\ProgramData                      %programdata%
C:\users\test\desktop\test.exe      %userprofile%\desktop\test.exe
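The following Python is an added example, not Ivanti's code or its actual normalization algorithm. It models the path normalization described above together with the Summary Only grouping from step 9 (total occurrences and distinct user count per normalized path). The exact set of substituted prefixes is an assumption (the page names only %programdata% and %userprofile%; %systemroot% is added here as an illustration), and the event records are constructed sample data.

```python
import re
from collections import defaultdict

# Prefix patterns to substitute. Which variables Application Control actually
# substitutes is an assumption here; the page shows %programdata% and
# %userprofile%. The drive letter is matched generically so that
# C:\ProgramData and D:\ProgramData normalize to the same value.
_RULES = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+", re.I), "%userprofile%"),
    (re.compile(r"^[a-z]:\\programdata", re.I), "%programdata%"),
    (re.compile(r"^[a-z]:\\windows", re.I), "%systemroot%"),  # assumed extra rule
]


def normalize_path(path: str) -> str:
    """Replace a drive letter plus user/machine-specific prefix with a variable.

    Paths that match no rule are returned unchanged; case is preserved, as in
    the page's example (C:\\users\\test\\desktop\\test.exe -> %userprofile%\\desktop\\test.exe).
    """
    for pattern, variable in _RULES:
        if pattern.match(path):
            return pattern.sub(variable, path, count=1)
    return path


def summarize(events):
    """Summary Only style grouping: {normalized path: (occurrences, distinct users)}.

    Windows paths are case-insensitive, so the grouping key is lower-cased.
    """
    totals = defaultdict(int)
    users = defaultdict(set)
    for event in events:
        key = normalize_path(event["path"]).lower()
        totals[key] += 1
        users[key].add(event["user"].lower())
    return {key: (totals[key], len(users[key])) for key in totals}


# Constructed sample events (not real audit data): the same test.exe seen from
# two users' profiles on different drives, and one tool run from ProgramData.
EVENTS = [
    {"user": "corp\\alice", "machine": "PC1", "path": r"C:\users\alice\desktop\test.exe"},
    {"user": "corp\\bob", "machine": "PC2", "path": r"D:\Users\bob\Desktop\test.exe"},
    {"user": "corp\\alice", "machine": "PC3", "path": r"C:\users\alice\desktop\test.exe"},
    {"user": "corp\\carol", "machine": "PC2", "path": r"C:\ProgramData\tool\run.exe"},
    {"user": "corp\\carol", "machine": "PC4", "path": r"D:\ProgramData\tool\run.exe"},
]

if __name__ == "__main__":
    for path, (count, user_count) in summarize(EVENTS).items():
        print(f"{path}: {count} occurrences, {user_count} users")
```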

Customize query results displayed

Once you have run the query, you can tailor how the results are displayed, save your customized view and export the results.

Configure display

The results section of the Application Control Events dialog is configurable.

Group results by column header. Drag a column header into the area at the top of the results table to group the returned results by that column.

Use the Search results tool to include only those events that match your search criteria. The search applies to all columns, so criteria can include file names or extensions, or user or machine names, for example. In the case of the Denied Executables query, where a number of event IDs are returned, you could search for a particular event ID.

Apply filters to one or more column headers. Filters allow you to include or exclude events that match your criteria.
Click Show Filter Editor to add filters to the query results. Alternatively, mouse over a column header and click the filter icon.
The Filter Editor dialog opens, allowing you to specify the filter criteria required.

See the Privilege Discovery use-case video for an illustration of creating and applying a filter.

Click Choose Columns to customize which columns display in the query results.

Reorder the columns by clicking and dragging the column headers to new locations.

Click within a column header to sort the column in ascending or descending order.

Save and manage custom queries

Modifications can be saved as a custom query, enabling you to retain the changes made and revisit and re-run the query as required. Saved custom queries are available for selection from the list of views (refer to the View field).

Click Save to save any changes you have made to a custom query.

Click Save As to save your current custom query with a unique name. Note that you must first run the query to activate the Save As option.

Click Manage to display the list of all custom queries. The Manage Views dialog allows you to select a query and then rename or delete it.

Export data

Query results can be exported in CSV format. Click Export Data and select the option required:

Export current view with selected columns - exports only the columns shown in the current customized view.

Export current view with all columns - exports all columns of the returned query results.

Modify configuration rules

The Event Viewer runs in a separate window from the Application Control console. This enables you to drag (or copy and paste) items from the viewer to the console and immediately modify or create the rules required.

Events listed can be dragged and dropped or copied and pasted to create File Path, File Name, Folder or File Hash Rule Items for the following:

Rule Collections

Rule Sets > Executable Control > Allowed/Denied

Rule Sets > Privilege Management > Applications/Self-Elevation

Having run your query and reviewed results:

1. Open the Application Control console and, in the Configuration navigation pane, expand Rules and select the configuration rule required.

2. In the Event Viewer dialog, select the event required and either copy or drag the item to the configuration dialog.
Note that, if required, multiple events can be selected and added to the configuration.

3. The Select Rule Item Type dialog is displayed.
Select the rule type required:

File Path - copies the full path of the file from the event ID. Applies to file rules.

File name - copies the file name from the event ID. Applies to file rules.

Folder - copies the folder name and path from the event ID. Applies to folder rules.

File Hash - copies the file hash from the event ID. Applies to signature rules.

4. The rule item is immediately added to the configuration.

5. If the item added is a file or folder, you can view and/or edit its properties and metadata to ensure integrity.
Double-click the newly added item to open the Edit dialog, or right-click the item and select Edit.

Note that, by default, metadata is not enabled for items added via Event Viewer. Click the Metadata tab in the Edit dialog and select the checkbox(es) for the data required. The relevant data is displayed immediately. For further information, see Metadata.

Results Context Menu

Right-click within a column header to display the context menu. The menu lists a number of additional actions.

Related Topics

Auditing

Management Center Help