advanced – UEM Authority
https://guides.uemauthority.com
Learn. Test. Deploy
Thu, 20 Jan 2022 16:27:19 +0000

Integrate Workspace ONE with SIEM solutions
https://guides.uemauthority.com/knowledge-base/integration-workspace-one-with-siem-solutions/
Thu, 13 Jan 2022 15:10:01 +0000

Security incident and event management (SIEM) refers to the process of recording, monitoring, correlating, and analyzing the security events in an IT environment in real time. No matter the size of a business, SIEM tools can have significant benefits for everything from compliance reporting to stopping attacks. Any managed services provider (MSP) can benefit from having SIEM software in its portfolio.

SIEM tools combine security information management (SIM) and security event management (SEM) functionalities. They use log data flows from different areas of an organization to create a real-time picture of potential threats to the IT environment, enabling your cybersecurity to be proactive rather than reactive. By relying on data from a variety of hosts in an IT environment, SIEM tools can provide you with a broad understanding of what is happening at every level of a business.

The SIEM process is one of the most critical branches of cybersecurity. By collecting, normalizing, and correlating log data from an organization, SIEM tools help you reduce security breaches with proactive security.

Integration Advantages:

Data Aggregation and Visibility: Visibility into your entire IT environment is one of the biggest benefits of SIEM. This visibility goes hand in hand with the way that logs are normalized and correlated in a SIEM tool.

That’s why the SIEM capabilities that relate to data aggregation and normalization are so beneficial. Not only does a SIEM tool collect and store the data from the security tools in your IT environment in a centralized location, but it also normalizes them into a uniform format so you can easily compare the data. The tool also analyzes and correlates this data, finding connections that can help you detect security incidents quickly.

Incident Detection: Many of the hosts on your system that log security breaches don’t include built-in incident detection capabilities. That means they can observe events and produce log entries, but can’t analyze them for potentially suspicious activity. However, because SIEM tools correlate and analyze the log data that’s produced across hosts, they’re able to detect the incidents that might otherwise be missed—either because the relevant logs were not analyzed or because they were too widely separated between hosts to be detected.

There is a huge difference between detecting an attack as it’s occurring versus detecting it long after it has already succeeded. By detecting incidents that might otherwise go unnoticed until much later, the SIEM workflow can limit the scale of damage that might result from the threat.

Improved Efficiency: SIEM tools can significantly improve your efficiency when it comes to understanding and handling events in your IT environment. With SIEM tools, you can view the security log data from the many different hosts in your system from a single interface. This expedites the incident handling process in several ways. First, the ability to easily see log data from the hosts in your environment allows your IT team to quickly identify an attack’s route through your business. Second, the centralized data lets you easily identify the hosts that were affected by an attack.

Working more efficiently, especially when it comes to ongoing security incidents, is a huge asset for MSPs to be able to provide for their customers. By responding quickly to perceived events, SIEM tools can help you reduce the financial impact of a breach—as well as the amount of damage that occurs in the first place.

Simplified Compliance Reporting: Practically every business, no matter the size or the industry, has at least some regulations that it needs to comply with. Ensuring that you’re abiding by those regulations and that you can prove your compliance can be a difficult and time-consuming task. Luckily, thanks to the collection, normalization, and organization of log data, SIEM tools can help simplify the compliance reporting process. In fact, the benefits of SIEM tools as centralized logging solutions for compliance reporting are so significant that some businesses deploy SIEMs primarily to streamline their compliance reporting.

SIEM tools can save businesses both time and money by simplifying compliance reporting to make sure MSP customers are not in violation of any regulations. Without accurate reporting to prove compliance, businesses may face hefty fines and loss of accreditation. With SIEM tools, MSPs can easily generate reports that provide details on their customers’ compliance with the relevant regulatory protocols.

Policy Violation Notifications: With a SIEM system in place, any policy violation activity is reported quickly so that immediate countermeasures can be deployed. SIEM systems come with an automated alerting mechanism that makes this process easy. You can use the SIEM alerting tool to get emails and dashboard notifications. This helps in preventing chronic violations and taking strict action against users for regular violations, because Workspace ONE UEM and Workspace ONE Access are already integrated with the Directory Service. To review that integration, see the basic guide: Deploy Workspace One 101 – For Beginners.

Forensic Analysis of Major Security Breaches: SIEM systems are designed for identifying patterns in cyber-attacks to protect the IT assets of an organization. From compliance management to real-time monitoring, their ultimate goal is to enhance the security practices of your organization. With advanced tools and a rich set of features, you need expertise for integrating SIEM into your existing infrastructure. Vendors offering SIEM as a service can analyze your business activities and integrate cost-efficient SIEM solutions for your corporate security.

Configure Syslog:

· Click Monitor.

· Click Reports & Analytics.

· Click Events.

· Click Syslog.

· Set the Syslog Integration to Enabled.

· In the General tab, enter the following data:

o Hostname: Enter your SIEM URL.

o Protocol: Select the required protocol from the available options (UDP, TCP, or Secure TCP) to send the data. We support TLS v1.0, TLS v1.1, and TLS v1.3.

o Port: Enter the port number to communicate with the SIEM tool in the Port text box.

o Syslog Facility: Select the facility level for the feature from the Syslog Facility menu. The Syslog protocol defines the Syslog facility.

o Message Tag: Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box. For example, “AirWatch”.

o Message Content: Enter the data to include in the transmission in the Message Content text box. This is how the message data gets formatted when sent using Syslog to your SIEM tool. Use lookup values to set the content. For Secure TCP, newline (CRLF) formatting using Enter, \n, or \r does not work; it is automatically converted to a tab (\t).

· Click Save and use the Test Connection button to ensure successful communication between the Workspace ONE UEM console and the SIEM tool.
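
A collector-side check for the settings above, as an added example that is not part of the original guide or of VMware's code: it decodes the syslog PRI into the configured facility, filters on the Message Tag, and splits Message Content on either newlines or the tabs that Secure TCP substitutes for them. The BSD-syslog framing, the local0 facility, the hostnames and the field names in the samples are assumptions constructed for illustration.

```python
import re

# Facility and severity names in numeric order (RFC 3164 / RFC 5424).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
    "local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Assumed framing (BSD syslog): <PRI>TIMESTAMP HOST TAG: CONTENT
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<content>.*)$",
    re.DOTALL,
)

# Constructed samples; hosts and field names are illustrative only.
SAMPLE_SECURE_TCP = ("<134>Jan 13 15:10:01 uem-console.example.test AirWatch: "
                     "Event Type: Device\tEvent: ComplianceStatusChanged\t"
                     "User: constructed-admin")
SAMPLE_TCP = SAMPLE_SECURE_TCP.replace("\t", "\r\n")
SAMPLE_OTHER_TAG = "<134>Jan 13 15:10:02 host.example.test sshd[412]: test"


def decode_pri(pri):
    """PRI = facility * 8 + severity; return both as names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def split_fields(content):
    """Split 'Key: value' pairs on newlines or on the tabs that replace
    them when the console sends over Secure TCP."""
    fields = {}
    for part in re.split(r"\t|\r\n|\r|\n", content):
        key, sep, value = part.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_uem_syslog(raw, expected_tag="AirWatch", expected_facility="local0"):
    """Parse one framed message; reject anything not matching the
    Message Tag and Syslog Facility configured in the console."""
    m = SYSLOG_RE.match(raw.strip("\r\n"))
    if m is None:
        return {"ok": False, "reason": "not BSD syslog framing"}
    try:
        facility, severity = decode_pri(int(m["pri"]))
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    if m["tag"] != expected_tag:
        return {"ok": False, "reason": "unexpected tag"}
    if facility != expected_facility:
        return {"ok": False, "reason": "unexpected facility"}
    return {"ok": True, "host": m["host"], "facility": facility,
            "severity": severity, "fields": split_fields(m["content"])}


if __name__ == "__main__":
    for line in (SAMPLE_SECURE_TCP, SAMPLE_TCP, SAMPLE_OTHER_TAG):
        print(parse_uem_syslog(line))
```

Messages rejected for an unexpected tag or facility are worth counting on the collector, since they indicate either a console setting that drifted or another sender using the same port.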

Configure the Scheduler Syslog Task:

You can configure the Scheduler Syslog Task for on-premises deployments. This task sets the intervals at which the AirWatch Console sends requests to the SIEM tool for data.

· From Workspace ONE UEM console, go to GROUPS & SETTINGS.

· Click All settings.

· Click Admin.

· Click Schedule.

· Click Edit for Syslog task.

· In the Recurrence Type setting, define the interval at which the Console sends data using the options configured in the Syslog feature.

· Define the Range setting.

· Click Save.

You have successfully configured the Scheduler Syslog Task.


Enable Device-Based Targeted Logging
https://guides.uemauthority.com/knowledge-base/enable-device-based-targeted-logging/
Thu, 13 Jan 2022 15:06:44 +0000

Device-based targeted logging is ideal for logging exercises on a small number of devices.

· From the Workspace ONE UEM Console, go to Devices.

· Click List View.

· Select the device you want to target.

· From the Device details screen, click More.

· Click Targeted Logging.

· Click Create New Log.

· Select the time frame you desire and select Start.

· After the time is finished, go to Groups & Settings.

· Click All Settings.

· Click Admin.

· Click Diagnostics.

· Click Logging.

· Click Targeted Logging File Path.

· Navigate to the configured file path and open the log.

Enable Settings-Based Targeted Logging:

Settings-based targeted logging is ideal for logging exercises on a large number of devices.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Admin.

· Click Diagnostics.

· Click Logging.

· Select Enabled for the Targeted Logging setting and provide a comma-separated list of Device IDs.

· Once log gathering has concluded, reset Targeted Logging to Disabled.


Certification authority CA – Digital signature
https://guides.uemauthority.com/knowledge-base/certification-authority-ca-digital-signature/
Thu, 13 Jan 2022 15:06:28 +0000

Single CA Model

The Single CA model uses only one Certificate Authority. All certificate requests will be processed by that CA. The Single CA model works well in smaller organizations, but larger organizations generally benefit from using a different model.

Having a Single CA makes it easy to administer. There is only one system you have to worry about. The Single CA model can also be very secure. You have to secure only one system. You also have more control over what certificate requests are processed.

The Single CA model does have its disadvantages. First, it doesn’t scale very well. All requests have to go to a single system. This system can become busy processing requests. Having a Single CA also represents a possible single point of failure. If that one system fails, certificate transactions cannot be processed.

Certification authority CA – Digital signature

The CA will ‘stamp’ the certificate with a signature. This signature binds all the other fields (listed above) into the certificate. The certificate identifies the CA via a digital signature but also by the name of the certificate. Certificates are issued by a CA which, by design, is a trusted party that vouches for the identity of those to whom it issues certificates. In order to prevent fake certificates, the CA’s public key must be trustworthy. The CA can publicize its public key or provide a certificate from a higher level CA which attests to the validity of its public key.

Workspace ONE UEM offers several deployment options for Microsoft certificate authorities:

· Workspace ONE UEM to the CA – This model uses the DCOM protocol. Workspace ONE UEM communicates directly with the Microsoft CA or through the AirWatch Cloud Connector to the CA.

DCOM is the Distributed Component Object Model Remote Protocol, which exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.

· Mobile Devices to the CA – This model uses the NDES (a Microsoft proprietary version of SCEP) or SCEP protocol. Workspace ONE UEM only delegates certificate transactions between the device and the Microsoft CA.

The Network Device Enrollment Service (NDES) allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).

· Workspace ONE UEM SCEP Proxy – This model uses the NDES or SCEP protocol. Workspace ONE UEM is the proxy that sends certificate transactions between the device and the CA endpoint. The NDES/SCEP endpoint is not exposed to the Internet.

Creating a New Certificate Authority in Workspace ONE UEM:

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name and Description.

· Provide the hostname to reach your certificate server.

· Enter your CA Authority Name (Note: This is the name that appears in your Certification Authority).

· Enter the username and password of the service account.

· Click Test Connection.

· Click Save.

You have successfully created a New Certificate Authority in Workspace ONE UEM.


Configure Workspace ONE for Secure Enterprise Apps
https://guides.uemauthority.com/knowledge-base/configure-workspace-one-for-secure-enterprise-apps/
Thu, 13 Jan 2022 15:05:45 +0000

The Security Policies page lets you configure options that affect Workspace ONE UEM apps, Workspace ONE SDK-built apps, and wrapped apps.

Security Policies profiles offer security controls for SDK-built apps. Control security with authentication methods, tunneling app traffic, and restricting access to features with data loss prevention.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Click Add Profile.

· Click SDK Profile.

· iOS and Android both need to be added for iOS Enterprise Apps and Android Enterprise Apps.

· Under Restrictions, configure Enable Data Loss Prevention.

· Click Save.


Configuring VMWare Workspace ONE (AirWatch) Tunnel
https://guides.uemauthority.com/knowledge-base/configuring-vmware-workspace-one-airwatch-tunnel/
Thu, 13 Jan 2022 15:05:26 +0000

Why do you need VMware Tunnel? We explained it in an earlier guide.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click System.

· Click Enterprise Integration.

· Click VMware Tunnel.

· Click Download Installer.

· Select Workspace ONE Tunnel.

· Specify your server platform with the latest app version and your Workspace ONE Version.

· Set up the Workspace ONE Tunnel on your server.

· Click Save.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Security Policies.

· Verify that AirWatch App Tunnel is Enabled.

· Select VMware Tunnel: Proxy for App Tunnel Mode.

· Click Save.

Add Configured VMware Tunnel to iOS/Android SDK Profiles:

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Select the Profile we created before for iOS/Android.

· Click Proxy.

· Select Enable App Tunnel.

· Select VMware Tunnel Proxy for App Tunnel Mode.

· Click Save.

Modifying or Configuring Authentication Type That Is Used with Uploaded Enterprise Apps:

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Security Policies.

· Modify Authentication Type for Enterprise Apps. (You can disable it, set Passcode, or enable Username and Password for recurring authentication with apps deployed through VMWare Workspace ONE (AirWatch).)

· Click Save.


Creating a New Certificate Template in Workspace ONE UEM
https://guides.uemauthority.com/knowledge-base/creating-a-new-certificate-template-in-workspace-one-uem/
Thu, 13 Jan 2022 15:05:12 +0000

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name for the Template.

· Select the Certificate Authority you just created.

· Enter your Issuing Template in the following format: certificatetemplate:[ADCS-TEMPLATE]. In my lab, my issuing template would be “certificatetemplate:WS1Cert”.

· Select the Subject Name. Remember, the subject name is what the browser will present to the user. In Workspace ONE Access, we don’t have to use the subject to match the correct user.

· Select the correct private key length (per your CA settings).

· Select both Signing and Encryption.

· Under SAN, add the following:

Email Address -> {EmailAddress}

User Principal Name -> {UserPrincipalName}

DNS Name -> UDID={DeviceUid}

· Select Automatic Certificate Renewal.

· Select Name Certificate Revocation.

· Click Save.

You have successfully created a new certificate template in Workspace ONE UEM.


VMware Workspace ONE UEM Device Side Logging
https://guides.uemauthority.com/knowledge-base/vmware-workspace-one-uem-device-side-logging/
Thu, 13 Jan 2022 14:21:48 +0000

VMware provides logs to assist in troubleshooting your devices running Workspace ONE UEM.

You will have access to all your devices through your organization.

Workspace ONE UEM logging functions available for iOS Devices:

  • Console app on macOS: (*.txt) Contains information related to all device-side transactions including MDM, enrollment, access, and application run history.
  • Hub App w/ Debug enabled in SDK (Agentlog####.txt) Contains information on system messages and stack traces when devices throw errors that are written from applications with the Log class.
  • Crash Logs (*.crash) Contains information on application crashes that is stored on iOS devices.
  • Sysdiagnose (*.tar.gz) Instructions are available on the Apple developer website. These logs will contain information from the past. If your issue has been reproduced in the last few hours, these logs should reference it.

Workspace ONE UEM logging functions available for macOS Devices:

  • Console.app (*.txt) Contains information related to all device-side transactions including MDM, enrollment, access, and application run history.
  • /Library/Logs/DiagnosticReports (Intelligent Hub*.crash & hubd*.crash) Contains information on crashes related to the Hub daemon.
  • Sudo Log collect (/var/log/) (System.log) Contains information on the mdmd and other OS-specific activities. Used only for macOS 10.12+.
  • /var/log/ (Install.log) Contains information on package installations including Munki.
  • /Library/Application Support/AirWatch/Data/Munki/managed installs/logs/ (ManagedSoftwareUpdate.log) Main Munki logging file which will contain information pertaining to macOS software deployment through UEM Internal Apps.
  • /Library/Application Support/Airwatch/Data/Munki/munki_repo/munkiData/ (Munki_data.plist) Contains internal metadata information on current software being deployed through UEM Internal Apps.
  • /Library/Preferences/ (AirWatchManagedInstalls.plist) Preference file used for VMware integration with Munki.
  • /Library/Application Support/AirWatch/Data/Munki/Managed Installs/ (InstallInfo.plist) Contains status information on current software being deployed through UEM Internal Apps.
  • /Library/Application Support/AirWatch/Data/Munki/Managed Installs/ (ManagedInstallReport.plist) Contains detailed status information on current software being deployed through UEM Internal Apps.
  • /Library/Application Support/AirWatch/Data (AppStatuses_WS1.plist) Used for displaying software download and installation statuses within Intelligent Hub.
  • /Library/ApplicationSupport/AirWatch/Data/Munki/Munki_Repo/catalogs/device_catalog.plist (device_catalog.plist) Contains metadata information about the internal apps like bundle id, installation criteria, pre/post-install scripts etc.
  • /Library/ApplicationSupport/AirWatch/Data/Munki/Munki_Repo/manifests/device_manifest.plist (device_manifest.plist) Contains all the assigned apps.
  • /Library/Application Support/AirWatch/Data/VPPApps.plist (VPPApps.plist) Contains information about assigned VPP apps like appurl, name, bundleid, status etc.
  • /Library/ApplicationSupport/AirWatch/Data/CustomAttributes/CustomAttributes.plist (CustomAttributes.plist) Contains the latest key-value pairs generated by Custom Attribute scripts. Contents in this plist will be sent to UEM in regular Hub samples.
  • /Library/Application Support/AirWatch/Data/com.vmware.hub.flags.plist (com.vmware.hub.flags.plist) Status of recently released features in the form of key-value pair. Key is the name of the feature and value can be either True/False.

  • /Library/Application Support/AirWatch/Data/ProductsNew (ProductsNew) Contains information about File/Action Products deployed through UEM Product Provisioning.

Workspace ONE UEM logging functions available for Android Devices:

  • ADB/Android Studio/RXLogger (*.txt) Contains information on app-level traffic such as system messages and stack traces.
  • Hub Debug Logs (*.txt) Contains information on app-level traffic such as system messages and stack traces filtered to the Workspace ONE Intelligent Hub and PackageManager.
  • DumpState Logs (*.txt) Contains information collected from Android Debug Bridge (ADB) without an active connection to a device and used for historical logging.

Workspace ONE UEM logging functions available for Windows Phone Devices:

  • Field Medic (*.etl) Contains information on enrollment and most other MDM-related functions.