Ivanti Access reports

Authentication traffic that goes through Ivanti Access is captured and displayed in Access Reports. Each IdP or SP proxy request to Ivanti Access is logged and displayed as a separate row. For a single authentication instance, there may be up to two log entries.

Each row provides visibility into users, devices, and apps accessing cloud services.

You can do the following with the report data displayed in Access Reports:

  • Filter the reported instances to view a subset.
  • View details for the reported instances.
  • Export the reported instances that are displayed.
  • Search the reports from the search bar, using advanced and flexible queries to filter the report data.
  • View the Client IP or the Device IP, which Ivanti Access reports now display.

Figure 1. Ivanti Access report

Delegated IdP field in Ivanti Access reports

Ivanti Access reports display a persistent Delegated IdP field that helps users identify the log entries for a delegated IdP.

Figure 2. Delegated IdP field in Ivanti Access report

authnRequestID field in Ivanti Access reports

The authnRequestID field for the SP proxy and IdP proxy is visible in Ivanti Access reports. It allows administrators to correlate the IdP proxy and SP proxy entries that are part of the same pair. Export the report to a .csv file to do the correlation.

The authnRequestID is not searchable through flexible search.

Figure 3. authnRequestID in Ivanti Access report
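
One way to do the correlation on the exported file, as an added example that is not Ivanti's code: it groups rows by authnRequestID and separates complete IdP proxy/SP proxy pairs from entries whose counterpart is missing or whose Action differs. The column names, the `Request Type` column and its values, and the sample rows are assumptions constructed for illustration; adjust them to the header row of your export.

```python
import csv
import io
from collections import defaultdict

# Column names are assumptions; match them to the header row of your export.
ID_COL = "authnRequestID"
TYPE_COL = "Request Type"   # hypothetical column naming the proxy side
ACTION_COL = "Action"

# Constructed sample export (not real report data).
SAMPLE_CSV = """Timestamp,Username,Request Type,Action,authnRequestID
2024-01-01T10:00:05Z,alice@example.com,IdpProxy,Allow,_id-aaa
2024-01-01T10:00:01Z,alice@example.com,SpProxy,Allow,_id-aaa
2024-01-01T10:02:00Z,bob@example.com,SpProxy,Allow,_id-bbb
2024-01-01T10:05:09Z,carol@example.com,IdpProxy,Block,_id-ccc
2024-01-01T10:05:02Z,carol@example.com,SpProxy,Allow,_id-ccc
2024-01-01T10:07:00Z,dave@example.com,SpProxy,Error,
"""

def correlate(csv_text):
    """Group exported rows by authnRequestID and classify each group."""
    groups = defaultdict(list)
    no_id = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row.get(ID_COL) or "").strip()
        (groups[key] if key else no_id).append(row)

    result = {"paired": {}, "unpaired": {}, "mismatched": {}, "no_id": no_id}
    for key, rows in groups.items():
        sides = {r[TYPE_COL] for r in rows}
        actions = {r[ACTION_COL] for r in rows}
        if len(rows) != 2 or len(sides) != 2:
            result["unpaired"][key] = rows     # only one side was logged
        elif len(actions) > 1:
            result["mismatched"][key] = rows   # the two sides ended differently
        else:
            result["paired"][key] = rows
    return result

if __name__ == "__main__":
    for bucket, items in correlate(SAMPLE_CSV).items():
        print(bucket, list(items) if isinstance(items, dict) else len(items))
```

Unpaired and mismatched groups are the ones worth opening in Report Details, since they mark authentications that stopped or changed outcome between the two proxy legs.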

Search Ivanti Access reports

Ivanti Access reports include a search option in Reports > Access that allows you to run advanced and flexible queries to filter the data and customize the report.

Figure 4. reports search bar

The screen displays the advanced query that you can use to search the report. A maximum of 1024 characters is supported in a query.

The following query words are searched in the Search bar:

  • Source IP
  • UserAgent
  • Username
  • Exception
  • Service Name
  • Request Class
  • Assertion Attributes
  • Request Method
  • Note
  • Request Url

Flexible Query

The following flexible query types are supported. If more than one word (other than the boolean operators) is specified, the select condition is composed using the operators.

  • An exception is thrown for any word (other than the boolean operators) that contains a wildcard (* or ?) and has fewer than three characters. For example, ab* and a?b result in an exception, while abc* and abc? do not.
  • Searching is not case sensitive.

Table 27.   Flexible query type

| Type | Supported Values |
|---|---|
| Operators | AND, OR, NOT |
| Unsupported characters | All characters except the invisible control characters and unused code points are supported. |
| Wildcards | * and ? |

Query Examples

The following table provides examples of search queries.

Table 28.   Search query examples

Type

Example

AND Operator

To search for records having IP Address as 10.11.12.13 and Chrome as the User agent:

10.11.12.13 AND chrome

OR Operator

To search for records having IP Address as 10.11.12.13 or Chrome as the User agent:

10.11.12.13 OR chrome

Difference between AND and OR.

A AND B means both A and B must be present in the record.

A OR B means either A or B should be present in the record.

NOT Operator

The NOT operator is used to exclude certain terms from the result.

For example, the query below returns all records that contain neither chrome nor 10.11.12.13:

NOT chrome AND NOT 10.11.12.13

Wildcard

If the details are partially unknown, use wildcards to fetch the results:

10.11.1* AND chro*

Using Quotes (")

1. Double quotes are used around search words to get the exact match.

For example, to fetch the results with a Chrome version, use the query below:

"Chrome/60.0.3112.113"

This query returns the records that have Chrome version 60.0.3112.113.

2. If two words are separated by a space, the OR operator is used by default.

For example, the search query Intel Mac os x is interpreted as Intel OR Mac OR os OR x.

3. To search for space-separated words as an exact string, apply double quotes around the whole string.

For example: "Intel Mac os x"

This query returns the records with the complete string Intel Mac os x.

Grouping

Multiple operators can be combined with parentheses in a search.

For example, (chrome AND (10.11.12.13 OR 10.11.12.14))

This query returns all the records with chrome and IP Address as either 10.11.12.13 or 10.11.12.14.

It is recommended to include parentheses in the query because they provide grouping. For example, the query above without parentheses might be interpreted differently by the system, and the desired results might not be obtained.

Best Practice: If the search word contains a special character, Ivanti recommends using double quotes around the searched word.

For example: While searching for username [email protected], it is recommended to use quotes around the username for better results - "[email protected]".
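
The rules above can be checked before a query is pasted into the search bar. The following is an added example, not part of the Ivanti product: `lint_query` is a hypothetical helper that applies the 1024-character limit, the wildcard length rule as read from the ab*/abc* examples, and the quoting and grouping advice, and it assumes operators are written in upper case as in the examples.

```python
import re

MAX_QUERY_LEN = 1024               # limit stated on this page
OPERATORS = {"AND", "OR", "NOT"}   # assumed upper case, as in the examples

def lint_query(query):
    """Return a list of problems found in a flexible search query."""
    problems = []
    if len(query) > MAX_QUERY_LEN:
        problems.append("query exceeds 1024 characters")
    if query.count('"') % 2:
        problems.append("unbalanced double quotes")

    # Quoted phrases are exact matches, so drop them before checking words.
    unquoted = re.sub(r'"[^"]*"', " ", query)

    depth = 0
    for ch in unquoted:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:              # a ")" appeared before its "("
            break
    if depth != 0:
        problems.append("unbalanced parentheses")

    words = [w for w in re.split(r"[\s()]+", unquoted) if w]
    for w in words:
        # Reading of the page's examples: ab* and a?b fail, abc* passes,
        # so count only the characters that are not wildcards.
        if w not in OPERATORS and re.search(r"[*?]", w) \
                and len(re.sub(r"[*?]", "", w)) < 3:
            problems.append(f"wildcard term too short: {w}")

    # Without parentheses the grouping of mixed AND/OR is left to the system.
    if {"AND", "OR"} <= set(words) and "(" not in unquoted:
        problems.append("AND and OR mixed without parentheses")

    # Adjacent words with no operator between them are joined with OR.
    for a, b in zip(words, words[1:]):
        if a not in OPERATORS and b not in OPERATORS:
            problems.append(
                f"implicit OR between '{a}' and '{b}'; quote to match exactly")
            break
    return problems

if __name__ == "__main__":
    for q in ["(chrome AND (10.11.12.13 OR 10.11.12.14))", "ab* AND chrome",
              "Intel Mac os x", "chrome AND 10.11.12.13 OR 10.11.12.14"]:
        print(q, "->", lint_query(q) or "ok")
```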

Display exceptions in reports

When an Ivanti Access report entry has an error, expanding Report Details displays an exception message. Clicking More also displays the stack trace. The default message includes the error code and message.

Figure 5. exceptions in reports

Filtering report data

To filter report data, do one or a combination of the following in the left panel:

  • Enter a Start Date & Time and End Date & Time.
  • Select the data type to view a subset of the reported data.

The report data is always sorted by timestamp in descending order. By default, the filter for time is set from 12 AM to 12 AM.

Data available for filtering

The following fields are available to filter the report data. When you run a report, the active federated pairs, policies, and rules are listed at the top of the list. The deleted items are listed at the bottom.

Table 29.   Data for filtering

| Item | Description |
|---|---|
| Start Date & Time | Enter a start date and time to filter the data. |
| End Date & Time | Enter an end date and time to filter the data. |
| Federated Pair | Select the federated pair for which you want to see data. |
| Action | Select one of the following: Allow, Block, Error, Warn. |
| Policy | Select the conditional access policy for which you want to see data. |
| Rule | Select the conditional access rule for which you want to see data. Only the rules in the selected policy are available for selection. If a policy is not selected, rules will not be available for selection. |

Viewing details

To view additional details for a report entry, click on one of the following options:

  • Show Detail: Click on Show Detail to see the details for all rows.
  • Click on the three dots (...) adjacent to each row to view details for that log entry.

Figure 6. report details

Exporting report data

The Export feature allows you to download Ivanti Access report data as a CSV file. You can then import the .csv file to a reporting tool and generate custom views and reports.

When you export report data, only the rows in the Reports > Access view will be downloaded. You cannot customize the fields for exporting.

Procedure 

1. In the Ivanti Access administrative portal, go to Reports > Access.
2. Click on Export. The Export Reports window appears and displays the size of the report file.

Figure 7. Export reports


3. Click Export if the size is appropriate.

A CSV file containing the report data is downloaded.

When a report is exported, there is an appropriate entry in the Audit reports.

Use the left navigation filter to select the appropriate records, for example when the file is large. Only the filtered records are then exported, which helps reduce the file size.