Security Controls

Application Control Events

In this section:

Event Options

Events Selection

Event Filtering

Event Options

The Application Control Configuration Events feature allows you to define rules for the capture of auditing information and to raise events, and includes a filter for specifying the events you wish to capture in the log.

Capture Centrally - Select to capture the event information centrally.

If you select to use central event logging it is recommended you use scheduled database maintenance, to help prevent the events records getting too large. For details on AC Event maintenance see Database Maintenance.

Capture Locally - Select to capture the event information locally.

Send events to Event Log - Select whether to send events to the Application or the IvantiEvent Log.

Send events to the Local Log File - Select whether to send events to the local file log, the default path is %SYSTEMDRIVE%\IvantiLogs\Auditing\ApplicationControlEvents_%COMPUTERNAME%.xml. Alternatively you can specify a different path and choose between xml or csv format.

Anonymize

Always use anonymous MACHINE name in events - select to omit the machine name from all events.

Always use anonymous USER name in events - select to omit the user name from all events. Anonymous logging also searches the file path for any instances where a directory matches the username and replaces the directory name with the string

Events Selection

Event Selection lists all Application Control events. Select the events that you want to capture.

Available Events

Event ID Event Name Event Description
9000 Denied Execution A request to run a file was denied.
9001 Allowed Execution A request to run a file was allowed.
9002 Overwrite Changed Owner An allowed executable file was overwritten. The owner of the file has been changed to the name of the user that renamed it.
9003 Rename Changed Owner An allowed executable file was renamed. The owner of the file has been changed to the name of the user that renamed it.
9004 Application Limit Denial A request to run an application was denied because the configured maximum number of instances are already running.
9005 Time Limit Denial A request to run an application was denied because the current time is outside the access times.
9006 Self-Authorization A user self-authorized an application.
9007 Self-Authorized allow A request to run a file was allowed because a user has authorized it.
9009 Scripted Rule Timeout A script ran for the maximum configured time without completing. The rule was not applied.
9010 Scripted Rule Fail An error was encountered while running a script. The rule was not applied.
9011 Scripted Rule Success A script completed successfully.
9015 Application Started An allowed application started running.
9016 Unable to change ownership An error occurred while trying to change the owner of a file.
9017 Application Termination An application was terminated .
9018 Application User Privileges Changed An application's user privileges have changed.
9023 Self-Elevation allowed A user started an application with elevated (full administrator) rights.
9024 URL Redirection A web-browser tried to navigate to a URL and Ivanti Application Control redirected to a different URL.
9030 Application Elevated An application started with elevated (full administrator) rights.
9055 Service start/stop A service was started or stopped.
9056 Untrusted file with metadata match Failed to verify the certificate of a signed file. A rule-item that matches the certificate's name was not applied.
9099 Not licensed Ivanti Application Control is not licensed.

A single request for an application can generate multiple 9001 events due to the way in which Windows responds to execution requests. So it's good practice to use event 9015 to accurately audit how many times a user has run an application.

9001, 9007, and 9015 events are disabled by default as they can generate excessive event data on busy endpoints. We recommend these events are only used for troubleshooting purposes, and only for short periods of time.

Event Filtering

Event Filtering allows you to filter the file types that you want to audit. This is particularly useful if you choose a high volume event.

The Event filter table is accessed from the Application Control Configuration Editor dialog, under Configuration Settings > Events > Filtering in the Auditing dialog.

The Enable event filtering option is enabled by default and configured to include the recommended file filters.

Select or clear the file types as required for each listed event.

You can add new file types to the list by right-click > Add.

Related Topics

Event Viewer

Database Maintenance


Was this article useful?