Microsoft Sentinel Analytic Rules

Jamf Protect - Network Threats

Id44da53c3-f3b0-4b70-afff-f79275cb9442
RulenameJamf Protect - Network Threats
DescriptionCreates an incident based on Jamf Protect’s Network Threat Event Stream alerts.
SeverityInformational
TacticsInitialAccess
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectNetworkThreats.yaml
Version1.0.2
Arm template44da53c3-f3b0-4b70-afff-f79275cb9442.json
// Jamf Protect - Network Threats: one row per blocked "Threat Events Stream"
// alert, decorated with the columns the rule's entity mappings and
// alert-details override read.
jamfprotect_CL
| where event_metadata_product_s == "Threat Events Stream"
    and event_action_s == "Blocked"
    and isnotempty(event_severity_d)
// Jamf Protect reports severity as a number; translate it to Sentinel's
// severity names. Both 8 and 10 become High; any other value (including
// unexpected ones) falls back to Informational.
| extend severity = case(
    event_severity_d == 2, "Informational",
    event_severity_d == 4, "Low",
    event_severity_d == 6, "Medium",
    event_severity_d == 8, "High",
    event_severity_d == 10, "High",
    "Informational")
// Entity columns lifted from the raw event fields (column order preserved).
| extend
    Category = event_eventType_description_s,
    AlertURL = event_eventUrl_s,
    User = event_user_name_s,
    Email = event_user_email_s,
    Hostname = event_device_userDeviceName_s,
    Destination_IPs = event_destination_ip_s,
    Destination = event_destination_name_s
// Static classification and provenance, plus the action taken. Action can
// only ever be "Blocked" because of the filter above.
| extend
    Tactics = "Initial Access",
    Techniques = "T1566",
    Action = event_action_s,
    ProviderName = "Jamf",
    ProductName = "Jamf Protect",
    ProductNameComponentName = "Network Threat Prevention"
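# Microsoft Sentinel analytic rule: Jamf Protect - Network Threats.
# Kind NRT (near-real-time): the query is evaluated against rows as they
# arrive in jamfprotect_CL, and AlertPerResult turns every matching row into
# its own alert. Severity, tactics and the alert title are taken per row from
# columns the query computes (see alertDetailsOverride).
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectNetworkThreats.yaml"
eventGroupingSettings:
  # One alert per query result rather than one per query execution.
  aggregationKind: AlertPerResult
# The query keeps only blocked "Threat Events Stream" events that carry a
# severity and then only adds columns; every column referenced by
# entityMappings, customDetails and alertDetailsOverride below is defined here.
query: |
  jamfprotect_CL
  | where event_metadata_product_s == "Threat Events Stream"
      and event_action_s == "Blocked"
      and isnotempty(event_severity_d)
  | extend severity = case(event_severity_d == 2, "Informational", event_severity_d == 4, "Low", event_severity_d == 6, "Medium", event_severity_d == 8, "High", event_severity_d == 10, "High", "Informational")
  | extend Category = event_eventType_description_s
  | extend AlertURL = event_eventUrl_s
  | extend User = event_user_name_s
  | extend Email = event_user_email_s
  | extend Hostname = event_device_userDeviceName_s
  | extend Destination_IPs = event_destination_ip_s
  | extend Destination = event_destination_name_s
  | extend Tactics = "Initial Access"
  | extend Techniques = "T1566"
  | extend Action = event_action_s
  | extend ProviderName = "Jamf"
  | extend ProductName = "Jamf Protect"
  | extend ProductNameComponentName = "Network Threat Prevention"
requiredDataConnectors:
  - connectorId: JamfProtect
    dataTypes:
      - jamfprotect_CL
# Quoted so no tool ever retypes the version string.
version: "1.0.2"
status: Available
name: Jamf Protect - Network Threats
id: 44da53c3-f3b0-4b70-afff-f79275cb9442
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Hostname
      - identifier: OSVersion
        columnName: event_device_os_s
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: Destination_IPs
  - entityType: Account
    fieldMappings:
      # NOTE(review): AadUserId is the Entra ID object-id identifier, but the
      # Email column carries event_user_email_s — confirm this resolves, or
      # map the address to Name/UPNSuffix instead.
      - identifier: AadUserId
        columnName: Email
      - identifier: FullName
        columnName: User
  - entityType: URL
    fieldMappings:
      # NOTE(review): Destination is event_destination_name_s (a destination
      # name, not necessarily a full URL) — confirm it is what Url expects.
      - identifier: Url
        columnName: Destination
# Suppression is disabled below, so this duration is currently inert.
suppressionDuration: PT5H
customDetails:
  Category: Category
tactics:
  - InitialAccess
suppressionEnabled: false
# Mirrors the Techniques column the query emits. This was left empty before,
# which deployed as "techniques": null.
relevantTechniques:
  - T1566
alertDetailsOverride:
  # Per-alert severity comes from the query's severity column; the static
  # severity further down is only the rule-level default.
  alertSeverityColumnName: severity
  alertDisplayNameFormat: 'Network Threat detected on {{Hostname}}'
  alertTacticsColumnName: Tactics
  alertDescriptionFormat: 'A Network Threat has been {{Action}} on {{Hostname}}'
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: AlertURL
    - alertProperty: ProviderName
      value: ProviderName
    - alertProperty: ProductName
      value: ProductName
    # Action only ever holds "Blocked" (filtered in the query), so the
    # remediation text is the action Jamf Protect already took.
    - alertProperty: RemediationSteps
      value: Action
    - alertProperty: Techniques
      value: Techniques
severity: Informational
# Block scalar without surrounding quotes: the former single quotes were
# literal and ended up in the deployed description text.
description: |
  Creates an incident based on Jamf Protect's Network Threat Event Stream alerts.
kind: NRT
incidentConfiguration:
  createIncident: true
  # Grouping is disabled, so each alert opens its own incident; matchingMethod
  # and lookbackDuration only take effect if enabled becomes true.
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false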
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44da53c3-f3b0-4b70-afff-f79275cb9442')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44da53c3-f3b0-4b70-afff-f79275cb9442')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Jamf Protect - Network Threats",
        "description": "'Creates an incident based on Jamf Protect's Network Threat Event Stream alerts.'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "jamfprotect_CL\n| where event_metadata_product_s == \"Threat Events Stream\"\n    and event_action_s == \"Blocked\"\n    and isnotempty(event_severity_d)\n| extend severity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\")\n| extend Category =  event_eventType_description_s\n| extend AlertURL = event_eventUrl_s\n| extend User = event_user_name_s\n| extend Email = event_user_email_s\n| extend Hostname = event_device_userDeviceName_s\n| extend Destination_IPs = event_destination_ip_s\n| extend Destination = event_destination_name_s\n| extend Tactics = \"Initial Access\"\n| extend Techniques = \"T1566\"\n| extend Action = event_action_s\n| extend ProviderName = \"Jamf\"\n| extend ProductName = \"Jamf Protect\"\n| extend ProductNameComponentName = \"Network Threat Prevention\"\n",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": null,
        "alertRuleTemplateName": "44da53c3-f3b0-4b70-afff-f79275cb9442",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "reopenClosedIncident": false,
            "enabled": false,
            "matchingMethod": "AllEntities",
            "lookbackDuration": "PT5H"
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertSeverityColumnName": "severity",
          "alertDescriptionFormat": "A Network Threat has been {{Action}} on {{Hostname}}",
          "alertDisplayNameFormat": "Network Threat detected on {{Hostname}}",
          "alertTacticsColumnName": "Tactics",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "AlertURL"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            },
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "RemediationSteps",
              "value": "Action"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            }
          ]
        },
        "customDetails": {
          "Category": "Category"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "Hostname"
              },
              {
                "identifier": "OSVersion",
                "columnName": "event_device_os_s"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "Destination_IPs"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "AadUserId",
                "columnName": "Email"
              },
              {
                "identifier": "FullName",
                "columnName": "User"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "Destination"
              }
            ],
            "entityType": "URL"
          }
        ],
        "templateVersion": "1.0.2",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectNetworkThreats.yaml"
      }
    }
  ]
}