App Control Overview

The App Control Overview page displays charts for you to gain an overall insight in to the App Control performance. You can use this data to build and fine tune your configuration rules.

The charts on the overview page will, by default, show event data from your entire estate. Additionally, you can select a specific configuration using the drop-down in the top right corner. Selecting a configuration, filters all the data shown in the charts to events that were raised by devices which have the selected configuration applied. Allow one day to pass for App Control to gather enough data to show in the charts. Event data is processed between 8 pm and 4pm, but charts will not reflect this data until after 5am when aggregations used by the charts are recalculated. Click into any chart to drill down for further detail.

App Control displays warnings to remove older events when it reaches 80% or maximum capacity to accommodate new events. App Control retains event data for a maximum of 7 days or up to 10 million events, or whichever comes first. Once either threshold is exceeded, App Control will continue to process new events, but will automatically purge older events until the total number of stored events falls below the specified limit.
To ensure effective event management and prevent recurring alerts, administrators must identify the root cause of the events and adjust the application configuration accordingly. For step-by-step guidance, refer to App Control Rules.
Use the Product Performance charts on the App Control Overview page to identify and address the events that are generating alerts. Event alerts are generated and assessed daily. These alerts cannot be dismissed manually; they will be automatically cleared once event counts drop below the specified threshold. After new rules are created, please note that it may take up to 24 hours or longer for the alert to be dismissed.

The page has three sections:

• Applications Executed
• Deployment indicator
• Product Performance

Applications Executed

This charts section contains the following:

Applications executed with untrusted owners (top 5)

The chart shows the top 5 applications that have been executed whose file owner is not trusted and has been, or would have been, blocked by App Control's Trusted Ownership. Use the drop-down selector to change the chart data from Applications to All files, and the time range drop-down selector to change the time period of the application capture, select from the last day (from 00:00 previous day), 3 days, and 7 days. Click on the chart to drill down to see the top 20 applications and more granular detail. The Applications executed with untrusted owners page appears. The file is listed, together with the number of executions and the number of users attempting execution. If you have changed the time period it persists through the drill down.

On the Applications executed with untrusted owners page, you have the following actions:

• Create Rule: Select the files for which you want to create an Allow Rule. Click Actions > Create Rule. Follow the steps in Create an Allow Rule for any of the files that have been executed without trusted ownership.
• Hide: Select an item to hide from the results. Click Actions > Hide. You may want to hide files/applications from the list that you have already included in a rule.
• Unhide: Select the Show Hidden Files/Applications check box, the Hidden column displays in the table and all hidden files/applications are shown. Select the items you want to unhide, click Actions > Unhide.

• File Name drill-down: Click on a File Name to see further file details, such as information to identify which users executed the file, together with the file owner and file path, last execution date and time, and the number of executions.
  Select the files for which you want to create an Allow Rule. Click Actions > Create Rule. Follow the steps in Create an Allow Rule for any of the files that have been executed without trusted ownership.
• File Name expand: Click the icon next to a file to expand the file information to see the product versions, parent processes, file paths, product and company names, number of users and number of executions.
  Select the Parent Processes for which you want to create an Allow Rule. Click Actions > Create Rule. Follow the steps in Create an Allow Rule for any of the files that have been executed without trusted ownership.. The selected Parent Process is populated in the When stage of the rule creation.

Applications executed with elevated privileges (top 5)

The chart shows the top 5 applications that have been elevated via the Windows Run as Administrator option. Use the drop-down selector to change the time period of the application capture, select from the last day (from 00:00 previous day), 3 days, and 7 days. Click on the chart to drill down to see the top 20 applications and more granular detail. The Applications executed with elevated privileges page appears. The file is listed, together with the number of executions and the number of users attempting execution. If you have changed the time period it persists through the drill down.

On the Applications executed with elevated privileges page, you have the following actions:

• Create Rule: Select the files for which you want to create an Elevate Rule. Click Actions > Create Rule. Follow the steps in Create an Elevate Rule for any of the items that have been executed with elevated privileges.
• Hide: Select an item to exclude from the results. Click Actions > Exclude.
• Unhide: Select the Show Hidden Files/Applications check box, the Hidden column displays in the table and all hidden files/applications are shown. Select the items you want to unhide, click Actions > Unhide.

• File Name drill-down: Click on a File Name to see further file details, such as information to identify which users executed the file, together with the file owner and file path, last execution date and time, and the number of executions.
  Select the files for which you want to create an Elevate Rule. Click Actions > Create Rule. Follow the steps in Create an Elevate Rule for any of the items that have been executed with elevated privileges.
• File Name expand: Click the icon next to a file to expand the file information to see the product versions, parent processes, file paths, product and company names, number of users and number of executions.
  Select the Parent Processes for which you want to create an Elevate Rule. Click Actions > Create Rule. Follow the steps in Create an Elevate Rule for any of the items that have been executed with elevated privileges.. The selected Parent Process is populated in the When stage of the rule creation.

Deployment indicator

The Deployment indicator displays the total number of devices that have been discovered by Ivanti Neurons and the number of those that have an Ivanti Neurons agent installed, with an Agent Policy which has the App Control Capability enabled, and an App Control configuration successfully deployed.

Click on the progress bar to display the Deployment page.

Deployment page

The Deployment page lists all discovered devices, with details of the Device Name, Display Name, IP Address, OS and version, whether the App Control capability is enabled, and the assigned Policy.

Product Performance

The Product Performance charts provide an insight into your users application behavior. Click anywhere on a chart to drill-down to see user information and more granular detail. The following charts are available: