P VMware AirWatch

Introduction

Mobile device management (MDM) is a device lifecycle management technology that enables IT to deploy, configure, manage, support and secure mobile devices through MDM profiles installed on the devices. MDM software provides asset inventory, over-the-air configuration of email, apps and Wi-Fi, remote troubleshooting, and remote lock and wipe capabilities to secure the device and the enterprise data on it.

AirWatch Mobile Device Management allows you to monitor the following components:

  • Operations - Enrollment activity and Status change
  • Security - Security information management and Application management
  • Compliance - Profile management and All events

Main Use Cases

Covered under the L1-Entity Monitoring - Indicators and Warnings package

  • User Account Logoff
  • User Account Logon
  • User Account Logon Failure
  • User Account Harvesting Attempt
  • User Account Created
  • User Account Deleted

Covered under the Product Package

  • AirWatch Delete Device Requested
  • AirWatch Device Enterprise Wipe Requested
  • AirWatch Remove Profile Requested
  • AirWatch UnAuthorized Security Pin Input Attempt

Supported Log Sources

Here are the log source types supported by this package as delivered:

| Vendor | Product |
| VMware | AirWatch |

Download Instruction

Download the package from the ArcSight Marketplace.

Prerequisites and Supported Packages

Ensure the following is in place before installing:
  • Activate Base Package 2.5.4 or later is activated.
  • The L1-Entity Monitoring - Indicators and Warnings package is installed.

Package Installation Procedure

1. Download and extract P-VMware_AirWatch_1.0.0.0.zip into your ArcSight Console's home directory.
2. Open a command prompt and navigate to ARCSIGHT_HOME.
3. If you are installing this package on a Windows system, execute PVMwareAirWatchInstallAndUpdate_1.0.0.0.bat to install the package.
4. If you are installing this package on a Linux system, execute PVMwareAirWatchInstallAndUpdate_1.0.0.0.sh to install the package.
5. You will be prompted to enter the Manager hostname and port, username and password. The password is echoed in cleartext, so run the installer from a session that is not shared, recorded or visible to others.
6. If you run into any issues during installation, the errors are displayed in the command prompt window.
7. In the ArcSight Console, on the Navigator panel's Packages tab, you will find P-VMware AirWatch installed.
8. You can now delete the following files from ARCSIGHT_HOME:
   1. P-VMware_AirWatch_1.0.0.0.arb
   2. PVMwareAirWatchInstallAndUpdate_1.0.0.0.bat or PVMwareAirWatchInstallAndUpdate_1.0.0.0.sh

Content Configuration

The filters below need to be configured for the L1-Entity Monitoring - Indicators and Warnings rules to trigger on AirWatch events.

Note: Product filters should be added to the Use Case rules with OR statements (existing rule condition OR AirWatch product filter), so that each rule keeps matching its other log sources.

| L1 Entity Monitoring Filter | URI in P-VMware AirWatch | Description |
| /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logoff | /All Filters/ArcSight Activate/Core/Product Filters/VMware/AirWatch/Entity Authentication/VMware AirWatch Logged Out | Detects any user account logout. |
| /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon | /All Filters/ArcSight Activate/Core/Product Filters/VMware/AirWatch/Entity Authentication/VMware AirWatch Login | Detects when a user was authenticated and logged in successfully. |
| /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon Failure | /All Filters/ArcSight Activate/Core/Product Filters/VMware/AirWatch/Entity Authentication/VMware AirWatch Login Failure | Detects a failed login attempt. |
| /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Created | /All Filters/ArcSight Activate/Core/Product Filters/VMware/AirWatch/Entity Management/AirWatch User Added | Detects when a user account is created. |
| /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Deleted | /All Filters/ArcSight Activate/Core/Product Filters/VMware/AirWatch/Entity Management/AirWatch User Deleted | Detects when a user account is deleted. |
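The following is an added example and not code from the package or from ArcSight: it models the wiring in the table above, with each product filter as a predicate on a normalised event and each L1 use-case filter as a list of conditions OR'ed together. The match conditions (event name and categoryOutcome), the base L1 conditions, the AirWatch event names and the sample events are all constructed for this example; the package's real filter conditions are not reproduced on this page.

```python
# Added example, not part of the P-VMware AirWatch package: a small model of
# the wiring described in the Content Configuration table.  Each product
# filter is a predicate on a normalised event, and each L1 use-case filter
# is a list of conditions OR'ed together (the existing L1 condition plus the
# AirWatch product filter).  Match conditions, AirWatch event names and the
# sample events are constructed assumptions; the real filter conditions are
# not on the page.


def is_airwatch(e):
    """Vendor/product check shared by every AirWatch product filter (assumed)."""
    return e.get("deviceVendor") == "VMware" and e.get("deviceProduct") == "AirWatch"


# Product filters, keyed by their resource name under
# /All Filters/ArcSight Activate/Core/Product Filters/VMware/AirWatch/...
# Matching on the event name and categoryOutcome is an assumption.
PRODUCT_FILTERS = {
    "VMware AirWatch Login": lambda e: (
        is_airwatch(e) and e.get("name") == "Login"
        and e.get("categoryOutcome") == "/Success"),
    "VMware AirWatch Login Failure": lambda e: (
        is_airwatch(e) and e.get("name") == "Login"
        and e.get("categoryOutcome") == "/Failure"),
    "VMware AirWatch Logged Out": lambda e: is_airwatch(e) and e.get("name") == "Logout",
    "AirWatch User Added": lambda e: is_airwatch(e) and e.get("name") == "User Added",
    "AirWatch User Deleted": lambda e: is_airwatch(e) and e.get("name") == "User Deleted",
}


def l1_condition(behavior, outcome):
    """Stand-in for an existing L1 use-case condition: purely categorisation
    based (categoryBehavior / categoryOutcome) and vendor agnostic.  Assumed."""
    def cond(e):
        return (e.get("categoryBehavior") == behavior
                and e.get("categoryOutcome") == outcome)
    return cond


# L1 use-case filter -> conditions OR'ed together.  Index 0 is the base L1
# condition; index 1 is the AirWatch product filter the table says to add.
USE_CASE_FILTERS = {
    "User Account Logon": [l1_condition("/Authentication/Verify", "/Success"),
                           PRODUCT_FILTERS["VMware AirWatch Login"]],
    "User Account Logon Failure": [l1_condition("/Authentication/Verify", "/Failure"),
                                   PRODUCT_FILTERS["VMware AirWatch Login Failure"]],
    "User Account Logoff": [l1_condition("/Authentication/Logout", "/Success"),
                            PRODUCT_FILTERS["VMware AirWatch Logged Out"]],
    "User Account Created": [l1_condition("/Authentication/Add", "/Success"),
                             PRODUCT_FILTERS["AirWatch User Added"]],
    "User Account Deleted": [l1_condition("/Authentication/Delete", "/Success"),
                             PRODUCT_FILTERS["AirWatch User Deleted"]],
}

# The same use cases with only the base L1 condition, i.e. the product
# filters not yet wired in.
L1_ONLY = {uc: conds[:1] for uc, conds in USE_CASE_FILTERS.items()}

# Constructed sample events in ArcSight field names.  The AirWatch events
# carry vendor, product, name and (for logins) an outcome but no
# categoryBehavior, which is why the base L1 condition alone misses them.
SAMPLE_EVENTS = [
    {"id": 1, "deviceVendor": "VMware", "deviceProduct": "AirWatch",
     "name": "Login", "categoryOutcome": "/Success", "sourceUserName": "alice"},
    {"id": 2, "deviceVendor": "VMware", "deviceProduct": "AirWatch",
     "name": "Login", "categoryOutcome": "/Failure", "sourceUserName": "mallory"},
    {"id": 3, "deviceVendor": "VMware", "deviceProduct": "AirWatch",
     "name": "User Deleted", "sourceUserName": "admin", "destinationUserName": "bob"},
    {"id": 4, "deviceVendor": "VMware", "deviceProduct": "AirWatch",
     "name": "Logout", "sourceUserName": "alice"},
    {"id": 5, "deviceVendor": "VMware", "deviceProduct": "AirWatch",
     "name": "Profile Removed", "sourceUserName": "helpdesk01"},
    {"id": 6, "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "name": "An account failed to log on", "categoryBehavior": "/Authentication/Verify",
     "categoryOutcome": "/Failure", "destinationUserName": "carol"},
]


def evaluate(events, use_case_filters):
    """Return {use case: [event ids]} for events matched by any OR'ed condition."""
    hits = {uc: [] for uc in use_case_filters}
    for e in events:
        for uc, conditions in use_case_filters.items():
            if any(cond(e) for cond in conditions):
                hits[uc].append(e["id"])
    return hits


if __name__ == "__main__":
    print("L1 conditions only:  ", evaluate(SAMPLE_EVENTS, L1_ONLY))
    print("with product filters:", evaluate(SAMPLE_EVENTS, USE_CASE_FILTERS))
```

With only the base L1 conditions, the Windows logon failure is the single hit and every AirWatch event is missed; once the product filters are OR'ed in, the AirWatch login, failed login, logout and user deletion each land in their use case while the Windows event still matches. The profile-removal event matches none of these five entity use cases, which is what the product rules in the next section are for.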

Rules: Product Specific, complete description

For each rule the table gives the fields it aggregates on and the severity, categorization and event annotation stage it assigns to the resulting correlated event. All four rules aggregate on the same eight fields:

  • event1.dvcHostName
  • event1.atkUserName
  • event1.Device Product
  • event1.dvcAddress
  • event1.Device Event Class ID
  • event1.Device Vendor
  • event1.Device Event Category
  • event1.Customer Resource

| I&W | Agent Severity | Behaviour | Custom Format | Object | Outcome | Significance | Technique | Event Annotation Stage |
| AirWatch Delete Device Requested | High | /Delete | /Attack Life Cycle/Exploit | /Host/Resource | /Success | /Suspicious | /Code/Application Command | Triage |
| AirWatch Device Enterprise Wipe Requested | High | /Execute/Query | /Attack Life Cycle/Exploit | /Host/Resource | /Success | /Suspicious | /Code/Application Command | Triage |
| AirWatch Remove Profile Requested | High | /Execute | /Attack Life Cycle/Activities/Expand Access | /Host/Resource | /Success | /Suspicious | /Code/Application Command | Triage |
| AirWatch UnAuthorized Security Pin Input Attempt | High | /Authentication/Verify | /Attack Life Cycle/Activities/Expand Access | /Host/Application | /Attempt | /Suspicious | /Brute Force | Triage |
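The following is an added example, not the package's own rule logic: a minimal correlation pass that applies the four product rules to constructed AirWatch events, grouping matching base events on the aggregation fields listed above and emitting one correlated event per group annotated with the severity and categorization from the table. The event name each rule matches on, the aggregation thresholds, the camelCase field-name mapping and the sample events are assumptions made for this example; the page does not give them.

```python
# Added example, not the package's own rule logic: a minimal correlation
# pass over constructed AirWatch events.  Each rule groups matching base
# events on the aggregation fields from the table and emits one correlated
# event per group, annotated with the values the table lists.  The event
# names matched, the thresholds and the sample events are assumptions.

from collections import defaultdict

# The aggregation fields from the table as ArcSight event field names
# (event1.dvcHostName -> deviceHostName, event1.atkUserName ->
# attackerUserName, and so on; this mapping is assumed).
AGG_FIELDS = ("deviceHostName", "attackerUserName", "deviceProduct",
              "deviceAddress", "deviceEventClassId", "deviceVendor",
              "deviceEventCategory", "customerResource")


def annotation(behavior, custom_format, obj, outcome, technique):
    """Fields a rule sets on its correlated event.  Severity, significance
    and annotation stage are identical for all four rules in the table."""
    return {"agentSeverity": "High", "categoryBehavior": behavior,
            "customFormat": custom_format, "categoryObject": obj,
            "categoryOutcome": outcome, "categorySignificance": "/Suspicious",
            "categoryTechnique": technique, "eventAnnotationStage": "Triage"}


# rule name -> (AirWatch event name it matches [assumed], aggregation
# threshold [assumed], annotation).  Only the PIN rule, with technique
# /Brute Force and outcome /Attempt, is given a threshold above 1 here.
RULES = {
    "AirWatch Delete Device Requested": (
        "Delete Device Requested", 1,
        annotation("/Delete", "/Attack Life Cycle/Exploit", "/Host/Resource",
                   "/Success", "/Code/Application Command")),
    "AirWatch Device Enterprise Wipe Requested": (
        "Device Enterprise Wipe Requested", 1,
        annotation("/Execute/Query", "/Attack Life Cycle/Exploit", "/Host/Resource",
                   "/Success", "/Code/Application Command")),
    "AirWatch Remove Profile Requested": (
        "Remove Profile Requested", 1,
        annotation("/Execute", "/Attack Life Cycle/Activities/Expand Access",
                   "/Host/Resource", "/Success", "/Code/Application Command")),
    "AirWatch UnAuthorized Security Pin Input Attempt": (
        "Unauthorized Security PIN Input", 3,
        annotation("/Authentication/Verify", "/Attack Life Cycle/Activities/Expand Access",
                   "/Host/Application", "/Attempt", "/Brute Force")),
}


def ev(name, user, device="ios-7f3a", addr="10.0.5.21", category="Security"):
    """Constructed AirWatch base event; every value here is made up."""
    return {"name": name, "deviceEventClassId": name, "deviceVendor": "VMware",
            "deviceProduct": "AirWatch", "deviceEventCategory": category,
            "attackerUserName": user, "deviceHostName": device,
            "deviceAddress": addr, "customerResource": "Corp"}


SAMPLE_EVENTS = [
    ev("Unauthorized Security PIN Input", "mallory"),
    ev("Unauthorized Security PIN Input", "mallory"),
    ev("Unauthorized Security PIN Input", "mallory"),
    ev("Unauthorized Security PIN Input", "alice"),      # one mistype, below threshold
    ev("Device Enterprise Wipe Requested", "helpdesk01", device="android-22c1"),
    ev("Remove Profile Requested", "helpdesk01", device="android-22c1",
       category="Compliance"),
    ev("Enrollment", "bob", category="Operations"),      # matches no product rule
]


def correlate(events, rules=RULES):
    """Return one correlated event per rule and aggregation key whose
    member count reached the rule's threshold."""
    out = []
    for rule_name, (match_name, threshold, annotate) in rules.items():
        groups = defaultdict(list)
        for e in events:
            if e.get("name") == match_name:
                groups[tuple(e.get(f) for f in AGG_FIELDS)].append(e)
        for key, members in groups.items():
            if len(members) >= threshold:
                corr = dict(zip(AGG_FIELDS, key))
                corr.update(annotate)
                corr["rule"] = rule_name
                corr["aggregatedEventCount"] = len(members)
                out.append(corr)
    return out


if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(c["rule"], c["attackerUserName"], c["deviceHostName"],
              c["aggregatedEventCount"], c["categoryTechnique"])
```

Grouping on all eight aggregation fields means the three PIN attempts by the same user on the same device collapse into one Triage-stage correlated event with an aggregated count of 3, while the single mistyped PIN from another user never reaches the assumed threshold and raises nothing; the wipe and profile-removal requests each fire on their first event, and the enrollment event matches no rule.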

Resources

The PVMwareAirwatchResources page contains a table of all resources included in this package.

Test Plan

The PVMwareAirwatchTestPlan page provides the methodology for testing this package.

Uninstallation

Cookbook uninstallation instructions:
  1. Go to the Packages tab in the Navigator on the ESM Console.
  2. Right-click ArcSight Activate -> P-VMware AirWatch and select Uninstall Package.
  3. Click Delete when asked whether you are sure you want to delete the package.
  4. Leave Delete Resources checked and click OK.
  5. Follow the prompts through the rest of the process.
  6. Remove the filter connections set in the L1 Entity Monitoring package (the OR'ed product filters added under Content Configuration).
-- GeorgeBoitano - 26 Jan 2016


Topic revision: r17 - 04 Oct 2019, DatNguyen

