Columns in Results Panel/Custom Report, Application Control

You can control how column information for log entries is displayed in the Results panel, from the Template settings dialog.

The following table describes the log entry information for columns in the Results panel and custom reports.

Ellipses (…) in the Results panel indicate hidden log entries. For example, if you group a set of results by the value in one column, multiple values in the other columns are shown as […].

| Column | Description |
| --- | --- |
| Audit Event | Shows the type of event that triggered the audit log. |
| Audit Type | Shows the type of action the administrator carried out. This can be Device Control, Application Control, or Unspecified. |
| Computer | Shows the name of the computer where file access was requested. |
| Count | Shows the number of log entries hidden in a single row, accompanied by a grouping symbol displayed on the column header. Alternatively, this may be a computed column of data. |
| Custom Message | Indicates the reason the application is running or not running. For example, although authorized, the file may not run because the computer is in non-blocking mode or because there is a file path rule authorization. |
| File Ext | Shows the file extension. |
| File Group | Shows the file group to which the executable, script, macro, or file containing a VBA macro is assigned. This can also be shown as <Not Authorized>. |
| File Name | Shows the file for which access was authorized or denied. |
| File Name (full) | Shows the full name (including path) of the file for which access was authorized or denied. |
| File Path | Shows the file path of the file for which access was authorized or denied. |
| File Type | Indicates whether the file relates to a script or an application, for example Executable or Script. |
| Hash | Shows the digital signature of the file, a SHA-1 (Secure Hash Algorithm 1) hash that differentiates files with the same name. |
| NT Account Name | Domain user name of the person who triggered the event, for example MARVIN/johns or LocalSystem. |
| Other | Shows additional information for an audit event, such as when an administrator erases a scheduled permission. The column may also show parameters. |
| Reason | Indicates whether an action was granted or denied. Possible values: GRANTED, DENIED, NOPERMISSIONS, LOCALAUTH, QUOTAEXCEED, NON-ENCRYPTED, SANCTUARY-ENCRYPTED, PGP-ENCRYPTED, OVERRIDESHADOW-CONFIGURED. |
| SID | Shows the security identifier for the user, for example S-1-5-21-647365748-5676349349-7385635473-1645. This is useful when attributing actions recorded in log files to users who have left your organization. |
| Target | Shows the device name for which the permissions were modified. |
| Target Computer | Shows the name of the computer that was the target of the administrator action. |
| Target User | Shows the name of the user or group to which the administrator action was applied. |
| Traced On (Console time) | Shows the date the event occurred on the console computer. |
| Traced On (Endpoint time) | Shows the date the event occurred on the client computer. |
| Traced On (UTC) | Shows the date (Coordinated Universal Time) the event occurred on the client computer. |
| Transferred On (Console) | Shows the date the event record was transferred from the client computer to the Ivanti Device and Application Control Application Server. |
| Transferred On (UTC) | Shows the date (Coordinated Universal Time) the event record was transferred from the client computer to the Ivanti Device and Application Control Application Server. |
| Type | Shows the cause of the event that triggered the log. This can be Execution Granted, Execution Denied, or the type of audit event. |
| User | Shows the name of the user who triggered the event. For users removed from the Active Directory, this field displays the SID, enabling the person who triggered an event to be identified after they have left your organization. |
| X.500 User Name | Shows the user name in Lightweight Directory Access Protocol format. This reflects the directory tree in which the user information is stored. For example, the X.500 user name may be CN=John Smith, CN=Users, DC=Marvin. |

Columns with names starting Count, Min, Max, Sum and Average may also be displayed. These contain computed data based on the values in the specified columns.

The Custom Message field displays one of the following values, which are affected by the system-wide option settings for Execution Blocking and the logging mode:

| Value | Description |
| --- | --- |
| Authorized | The file is known; its digital signature is recorded in the Ivanti Device and Application Control database. If the file is assigned to a file group, this is also shown. |
| Denied | The file was not allowed to run because it was not centrally or locally authorized. |
| Logon | The file was allowed to run because the Relaxed logon default option is enabled. |
| ok-dllDontCare | The *.dll execution was authorized because the Execution Blocking option was set to Ask user for *.exe only. |
| ok-hash | The file ran and the action was logged because the option to Log Everything is enabled. This option should only be set for a limited period, or else the system generates an unmanageable amount of data. |
| ok-localAuth | The file is not centrally authorized, but the user was prompted for local authorization. |
| ok-nonBlocking | The file ran because the Non-Blocking option was enabled. |
| ok-nonBlockUsr | The file is not centrally authorized, but ran because the Non-Blocking option was enabled for a user or group of users. |
| ok-pathRule | The file was allowed to run because it matched a path rule. |
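
The Custom Message values above can drive a quick review of exported log entries. The following is an added example, not part of the product or its documentation: it assumes the results were exported to CSV with the column names from this page, and the choice of which values to review, the sample rows, the HASH-x placeholders and the function name are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Custom Message values that this page describes as running because of an
# option, a path rule or a local prompt. Grouping them is this example's choice.
REVIEW = {"ok-localAuth", "ok-nonBlocking", "ok-nonBlockUsr",
          "ok-pathRule", "ok-dllDontCare", "Logon"}

# Constructed sample export: the CSV layout and every value are made up.
SAMPLE_CSV = r"""Computer,User,File Name (full),Hash,Custom Message
WS-01,MARVIN/johns,C:\Program Files\Sync\sync.exe,HASH-A,Authorized
WS-02,MARVIN/annak,C:\Temp\sync.exe,HASH-B,ok-nonBlocking
WS-03,MARVIN/annak,C:\Temp\sync.exe,HASH-B,ok-nonBlockUsr
WS-02,MARVIN/johns,C:\Scripts\build.cmd,HASH-C,ok-pathRule
WS-01,MARVIN/johns,C:\Temp\drop.exe,HASH-D,Denied
"""

def triage(csv_text):
    """Summarise an export: files to review, name collisions, denials."""
    review = defaultdict(set)          # hash -> computers where the file ran
    hashes_by_name = defaultdict(set)  # base file name -> distinct hashes
    denied = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        message = row["Custom Message"].strip()
        # Compare base names case-insensitively, as Windows does.
        name = row["File Name (full)"].rsplit("\\", 1)[-1].lower()
        hashes_by_name[name].add(row["Hash"])
        if message == "Denied":
            denied += 1
        elif message in REVIEW:
            review[row["Hash"]].add(row["Computer"])
    return {
        # Files that ran for a reason other than a plain "Authorized".
        "review": {h: sorted(c) for h, c in review.items()},
        # The Hash column is what tells same-named files apart.
        "same_name_different_hash": {n: sorted(h) for n, h
                                     in hashes_by_name.items() if len(h) > 1},
        "denied": denied,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

Rows whose Custom Message is Authorized followed by a file group fall through both checks and are counted only in the name comparison.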