Jamf Protect - Alerts
| Id | 6098daa0-f05e-44d5-b5a0-913e63ba3179 |
| Rulename | Jamf Protect - Alerts |
| Description | Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel |
| Severity | High |
| Required data connectors | JamfProtect |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml |
| Version | 1.0.6 |
| Arm template | 6098daa0-f05e-44d5-b5a0-913e63ba3179.json |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
status: Available
version: 1.0.6
tactics:
name: Jamf Protect - Alerts
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
customDetails:
Protect_Analytic: EventMessage
TargetBinarySignMsg: TargetBinarySigningInfoMessage
TargetBinarySigner: TargetBinarySigningTeamID
JamfPro_Status: JamfPro
TargetbinarySign: TargetbinarySignerType
Related_File_hash: TargetBinarySHA256
Protect_Event_Type: EventType
Related_Binaries: TargetBinaryFilePath
Protect_Tags: Tags
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
kind: NRT
severity: High
relevantTechniques:
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
alertDetailsOverride:
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: Techniques
value: Techniques
alertSeverityColumnName: EventSeverity
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionDuration: PT5H
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: OSFamily
columnName: DvcOs
- identifier: OSVersion
columnName: DvcOsVersion
entityType: Host
- fieldMappings:
- identifier: Address
columnName: Host_IPs
entityType: IP
- fieldMappings:
- identifier: CommandLine
columnName: TargetProcessCurrentDirectory
- identifier: ProcessId
columnName: TargetProcessId
entityType: Process
- fieldMappings:
- identifier: Algorithm
columnName: algorithm
- identifier: Value
columnName: TargetBinarySHA256
entityType: FileHash
requiredDataConnectors:
- dataTypes:
- jamfprotectalerts_CL
connectorId: JamfProtect
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
"alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
"alertDynamicProperties": [
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
}
],
"alertSeverityColumnName": "EventSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
"customDetails": {
"JamfPro_Status": "JamfPro",
"Protect_Analytic": "EventMessage",
"Protect_Event_Type": "EventType",
"Protect_Tags": "Tags",
"Related_Binaries": "TargetBinaryFilePath",
"Related_File_hash": "TargetBinarySHA256",
"TargetbinarySign": "TargetbinarySignerType",
"TargetBinarySigner": "TargetBinarySigningTeamID",
"TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
},
"description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
"displayName": "Jamf Protect - Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcOs",
"identifier": "OSFamily"
},
{
"columnName": "DvcOsVersion",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "Host_IPs",
"identifier": "Address"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessCurrentDirectory",
"identifier": "CommandLine"
},
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "algorithm",
"identifier": "Algorithm"
},
{
"columnName": "TargetBinarySHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
"query": "jamfprotectalerts_CL\n| extend\n algorithm = \"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.0.6"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}