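// Enrichment applied to Jamf Protect alert records before they are surfaced as
// Sentinel alerts: derives the ATT&CK tactic/technique columns, the first host IP,
// the analytic's tag list and a Jamf Pro workflow status from the raw event.
jamfprotectalerts_CL
| extend
    // Constant algorithm label paired with TargetBinarySHA256 for the FileHash entity.
    algorithm = "SHA256",
    // Only the first address in DvcIpAddr is kept; additional addresses on a
    // multi-homed host are not mapped.
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    // The matched analytic's tag array, re-parsed as dynamic for custom details.
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    // First matching Jamf tag mapped to a tactic name. The output values are consumed
    // verbatim as the alert's tactic (alertTacticsColumnName), so each must match the
    // identifier Sentinel accepts; "CredentialAcccess" and "CommandandControl" were typos.
    Tactics = case(
        input.match.tags has "Execution", "Execution",
        input.match.tags has "Visibility", "Visibility",
        input.match.tags has "Persistence", "Persistence",
        input.match.tags has "LateralMovement", "LateralMovement",
        input.match.tags has "CredentialAccess", "CredentialAccess",
        input.match.tags has "DefenseEvasion", "DefenseEvasion",
        input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
        input.match.tags has "Impact", "Impact",
        input.match.tags has "CommandAndControl", "CommandAndControl",
        input.match.tags has "Discovery", "Discovery",
        input.match.tags has "InitialAccess", "InitialAccess",
        ""),
    // Every technique-shaped tag (a letter followed by four digits, e.g. T1059) as an
    // array; extract() returned only the first match, dropping the rest.
    Techniques = extract_all(@"([A-Za-z]\d{4})", tostring(input.match.tags)),
    // Whether a Jamf Pro remediation workflow applies or Protect already blocked it.
    JamfPro = case(
        input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
        input.match.actions has "Prevented", "No workflow, Prevented by Protect",
        "No workflow")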
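# Microsoft Sentinel NRT analytic rule: one alert per Jamf Protect alert record,
# with tactic, technique and severity taken from the event itself.
eventGroupingSettings:
  # One Sentinel alert per returned row, not one per rule execution.
  aggregationKind: AlertPerResult
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    # Alert grouping is off; every alert becomes its own incident.
    enabled: false
  createIncident: true
# Quoted because the path contains spaces.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml'
query: |
  // Enrichment applied to Jamf Protect alert records before they are surfaced as
  // Sentinel alerts: derives the ATT&CK tactic/technique columns, the first host IP,
  // the analytic's tag list and a Jamf Pro workflow status from the raw event.
  jamfprotectalerts_CL
  | extend
      // Constant algorithm label paired with TargetBinarySHA256 for the FileHash entity.
      algorithm = "SHA256",
      // Only the first address in DvcIpAddr is kept; additional addresses on a
      // multi-homed host are not mapped.
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      // The matched analytic's tag array, re-parsed as dynamic for custom details.
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      // First matching Jamf tag mapped to a tactic name. The output values are consumed
      // verbatim as the alert's tactic (alertTacticsColumnName), so each must match the
      // identifier Sentinel accepts; "CredentialAcccess" and "CommandandControl" were typos.
      Tactics = case(
          input.match.tags has "Execution", "Execution",
          input.match.tags has "Visibility", "Visibility",
          input.match.tags has "Persistence", "Persistence",
          input.match.tags has "LateralMovement", "LateralMovement",
          input.match.tags has "CredentialAccess", "CredentialAccess",
          input.match.tags has "DefenseEvasion", "DefenseEvasion",
          input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
          input.match.tags has "Impact", "Impact",
          input.match.tags has "CommandAndControl", "CommandAndControl",
          input.match.tags has "Discovery", "Discovery",
          input.match.tags has "InitialAccess", "InitialAccess",
          ""),
      // Every technique-shaped tag (a letter followed by four digits, e.g. T1059) as an
      // array; extract() returned only the first match, dropping the rest.
      Techniques = extract_all(@"([A-Za-z]\d{4})", tostring(input.match.tags)),
      // Whether a Jamf Pro remediation workflow applies or Protect already blocked it.
      JamfPro = case(
          input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
          input.match.actions has "Prevented", "No workflow, Prevented by Protect",
          "No workflow")
# Near-real-time rule: no queryFrequency/queryPeriod; the query runs on ingestion.
kind: NRT
suppressionEnabled: false
status: Available
# Custom detail name shown on the alert -> query column it is taken from.
customDetails:
  TargetbinarySign: TargetbinarySignerType
  JamfPro_Status: JamfPro
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  Protect_Tags: Tags
  Protect_Analytic: EventMessage
  Related_Binaries: TargetBinaryFilePath
  Protect_Event_Type: EventType
  Related_File_hash: TargetBinarySHA256
  TargetBinarySigner: TargetBinarySigningTeamID
name: Jamf Protect - Alerts
suppressionDuration: PT5H
# Bare key parses as null; techniques come from the Techniques dynamic property
# below. Use [] here if an explicit empty list is intended.
relevantTechniques:
entityMappings:
  - fieldMappings:
      - identifier: HostName
        columnName: DvcHostname
      - identifier: OSFamily
        columnName: DvcOs
      - identifier: OSVersion
        columnName: DvcOsVersion
    entityType: Host
  - fieldMappings:
      - identifier: Address
        columnName: Host_IPs
    entityType: IP
  - fieldMappings:
      # NOTE(review): CommandLine is mapped to TargetProcessCurrentDirectory, which by
      # name is a working directory rather than a command line — confirm the intended
      # column against the connector schema.
      - identifier: CommandLine
        columnName: TargetProcessCurrentDirectory
      - identifier: ProcessId
        columnName: TargetProcessId
    entityType: Process
  - fieldMappings:
      - identifier: Algorithm
        columnName: algorithm
      - identifier: Value
        columnName: TargetBinarySHA256
    entityType: FileHash
requiredDataConnectors:
  - connectorId: JamfProtect
    dataTypes:
      - jamfprotectalerts_CL
version: 1.0.6
severity: High
# Per-alert overrides: name, description, severity and tactic are taken from the
# row rather than from the rule's static values.
alertDetailsOverride:
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertDynamicProperties:
    - alertProperty: ProviderName
      value: EventVendor
    - alertProperty: ProductName
      value: EventProduct
    - alertProperty: Techniques
      value: Techniques
  alertTacticsColumnName: Tactics
  # EventSeverity overrides the static severity of High on each alert.
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
# The single quotes are inside a literal block scalar and so are part of the value.
description: |
  'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'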
tactics: