VMware Workspace ONE Intelligence integration guide
The VMware Workspace ONE Intelligence platform is a comprehensive solution that offers preventive protection, post-breach detection, automated investigation, and response capabilities.
The software possesses sophisticated endpoint detection and response (EDR) functionalities that cater to systems that operate on conventional operating systems such as Windows, Linux, and MacOS.
The aforementioned capabilities offer the ability to detect attacks in a nearly real-time manner and provide actionable insights. By utilizing effective alert prioritization techniques, security analysts can gain comprehensive visibility into the full extent of a breach and take appropriate response actions to remediate potential threats.
About Workspace ONE and the Mobile Security console communication
The configuration enables the sharing of alerts with VMware Workspace ONE Intelligence via API access.
In the event that a device reports a threat to the Mobile Security console, the corresponding threat details will be transmitted to the VMware Workspace ONE Intelligence integration that has been configured, provided that the severity of the threat meets or surpasses the minimum threshold that was established during the setup process.
The tool sends only the threats with critical severity to VMware Workspace ONE Intelligence by default. The information pertaining to a threat encompasses details about the user (if obtainable), the device in use, the operating system, and the forensics of the threat.
The VMware Workspace ONE Intelligence integration is configured to receive threat details for both MDM-managed and non-managed devices. VMware Workspace ONE Intelligence receives threat events from all integrated Mobile Security console MDM vendors.
Configuration steps
Perform the following steps to set up the the Mobile Security console Integration:
Login to the Mobile Security Console.
In the Navigation panel, select Manage.
When the Manage page opens, select the Integrations tab, select the Threat Reporting tab, and the following window opens:
Click on the green Add Integration button, and the following window opens which shows a listing of the integration partners to select.
Select the desired integration.
In the window that opens fill in the required information and click the Go On button.
Another window opens to finish setting up the integration. Enter the following information on this window.
Name – Enter a unique name for this Integration for Microsoft Azure Sentinel environment
Filter Level – Select the severity level from the drop-down menu which is reported from:
Critical – shows only Critical severity levels.
Elevated and Above – shows Elevated and Critical Severity Levels
Low and Above – shows Low, Elevated and Critical Severity Levels
Normal and Above – shows all Levels of severity.
Detailed Forensics - Click on the checkbox if the detailed forensic information is sent to Workspace ONE Intelligence.
Click on the Finish button and when it is configured and saved correctly, the Main Threat reporting window opens showing the integration is successful.