Hello, Our internal security have posed a question to me that so far VMware Support haven't been able to understand correctly, let alone provide a suitable answer for.
What our security teams want to do is be able to review all the live inbound connections (via IP) to our Device Services and SEG and then compare this against a live log from the DS or SEG so they can exclude all the authorised Workspace ONE devices. This will leave us with a list of IPs showing where unauthorised or unsuccessful attempts have been made to access Workspace ONE.
Our intention is to pipe the log file into our Security Information and Event Management (SIEM) tool and then live compare this against the firewall log that is already held within our SIEM tool. With this information we will be able to identify where attempts to access our service via non-authorised devices are coming from.
Is there a log on the DS or SEG that details this? Would it be included as part of the IIS log? On our DS, there is a file called activedevices.csv; however, it's blank and I can find no reference to this anywhere. The DeviceServices.log also doesn't seem to give this level of detail in a readable format.
Many thanks, Darren
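The comparison described in the post, as an added example that is not part of the original post and not VMware tooling. It assumes the IIS W3C log on the DS/SEG records device requests and treats any 2xx response as an authorised device; the firewall line layout, addresses and URI are constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample data, not real logs: hypothetical firewall layout, placeholder URI.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z ALLOW src=198.51.100.10 dst=203.0.113.5 dport=443
2024-05-01T10:00:02Z ALLOW src=198.51.100.20 dst=203.0.113.5 dport=443
2024-05-01T10:00:03Z ALLOW src=198.51.100.30 dst=203.0.113.5 dport=443
2024-05-01T10:00:04Z ALLOW src=not-an-ip dst=203.0.113.5 dport=443
"""
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-05-01 10:00:01 POST /constructed-path 198.51.100.10 200
2024-05-01 10:00:02 POST /constructed-path 198.51.100.20 401
2024-05-01 10:00:05 GET /constructed-path 198.51.100.20 403
"""

def firewall_sources(text):
    """Return the set of valid source IPs found in src= tokens."""
    sources = set()
    for token in text.split():
        if token.startswith("src="):
            try:
                sources.add(str(ipaddress.ip_address(token[4:])))
            except ValueError:
                pass  # skip malformed addresses instead of aborting the run
    return sources

def iis_status_by_ip(text):
    """Parse an IIS W3C log via its #Fields header into {client_ip: {status codes}}."""
    fields, seen = [], defaultdict(set)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can differ per site
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if "c-ip" in row and row.get("sc-status", "").isdigit():
                seen[row["c-ip"]].add(int(row["sc-status"]))
    return seen

def unaccounted_sources(firewall_text, iis_text):
    """Firewall sources with no 2xx response in IIS, with the statuses IIS did log."""
    statuses = iis_status_by_ip(iis_text)
    report = {}
    for ip in sorted(firewall_sources(firewall_text)):
        codes = statuses.get(ip, set())
        if not any(200 <= c < 300 for c in codes):
            report[ip] = sorted(codes)  # empty list: seen at firewall, never in IIS
    return report
print(unaccounted_sources(FIREWALL_LOG, IIS_LOG))
```

If a load balancer or reverse proxy sits in front of the DS or SEG, `c-ip` holds the proxy's address, so the original client address would have to be logged separately before this join is meaningful.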