Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jamf Protect - Alerts

Back
Id6098daa0-f05e-44d5-b5a0-913e63ba3179
RulenameJamf Protect - Alerts
DescriptionCreates an incident based on Jamf Protect Alert data in Microsoft Sentinel
SeverityHigh
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version1.0.3
Arm template6098daa0-f05e-44d5-b5a0-913e63ba3179.json
Deploy To Azure
jamfprotect_CL
| where topicType_s == "alert"
  and input_eventType_s <> "GPUnifiedLogEvent"
  and isnotempty(input_match_severity_d)
| extend severity = case(input_match_severity_d == 0, "Informational", input_match_severity_d == 1, "Low", input_match_severity_d == 2, "Medium", input_match_severity_d == 3, "High", "Informational")
| extend Match_facts = parse_json(input_match_facts_s)
| extend Analytic_description =  Match_facts[0].human
| extend Analytic_name =  Match_facts[0].name
| extend AlertURL = strcat("https://", org_hd_s, ".jamfcloud.com/Alerts/", input_match_uuid_g)
| extend Input_Match = parse_json(input_match_actions_s)
| extend sha256hex = tostring(parse_json(input_related_binaries_s)[0].sha256hex)
| extend algorithm = "SHA256"
| extend Matched_Users = tostring(parse_json(input_related_users_s)[0].name)
| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])
| extend Tags = tostring(Match_facts[0].tags)
| extend Tactics = case(Tags has "Execution", "Execution", Tags has "Visibility", "Visibility", Tags has "Persistence", "Persistence", Tags has "LateralMovement", "Lateral Movement", Tags has "CredentialAccess", "Credential Acccess", Tags has "DefenseEvasion", "Defense Evasion", Tags has "PrivilegeEscalation", "Privilege Escalation", Tags has "Impact", "Impact", Tags has "CommandAndControl", "Command and Control", Tags has "Discovery", "Discovery", Tags has "InitialAccess", "Initial Access", "")
| extend Techniques = case(Tags has "T1003", "T1003", Tags has "T1036", "T1036", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1485", "T1485", Tags has "T1489", "T1489", Tags has "T1219", "T1219", Tags has "T1219", "T1219", Tags has "T1059", "T1059", Tags has "T1557", "T1557",Tags has "T1090", "T1090", Tags has "T1547", "T1547", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1053", "T1053", "")
| extend JamfPro = case(Input_Match has "SmartGroup", "Workflow with Jamf Pro", Input_Match has "Prevented", "No workflow, Prevented by Protect", "No workflow")
| extend ProviderName = "Jamf"
| extend ProductName = "Jamf Protect"
version: 1.0.3
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: input_host_hostname_s
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: Host_IPs
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Matched_Users
    identifier: Name
- entityType: Process
  fieldMappings:
  - columnName: input_match_event_process_path_s
    identifier: CommandLine
- entityType: FileHash
  fieldMappings:
  - columnName: algorithm
    identifier: Algorithm
  - columnName: sha256hex
    identifier: Value
severity: High
kind: NRT
suppressionEnabled: false
suppressionDuration: PT5H
relevantTechniques: 
query: |
  jamfprotect_CL
  | where topicType_s == "alert"
    and input_eventType_s <> "GPUnifiedLogEvent"
    and isnotempty(input_match_severity_d)
  | extend severity = case(input_match_severity_d == 0, "Informational", input_match_severity_d == 1, "Low", input_match_severity_d == 2, "Medium", input_match_severity_d == 3, "High", "Informational")
  | extend Match_facts = parse_json(input_match_facts_s)
  | extend Analytic_description =  Match_facts[0].human
  | extend Analytic_name =  Match_facts[0].name
  | extend AlertURL = strcat("https://", org_hd_s, ".jamfcloud.com/Alerts/", input_match_uuid_g)
  | extend Input_Match = parse_json(input_match_actions_s)
  | extend sha256hex = tostring(parse_json(input_related_binaries_s)[0].sha256hex)
  | extend algorithm = "SHA256"
  | extend Matched_Users = tostring(parse_json(input_related_users_s)[0].name)
  | extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])
  | extend Tags = tostring(Match_facts[0].tags)
  | extend Tactics = case(Tags has "Execution", "Execution", Tags has "Visibility", "Visibility", Tags has "Persistence", "Persistence", Tags has "LateralMovement", "Lateral Movement", Tags has "CredentialAccess", "Credential Acccess", Tags has "DefenseEvasion", "Defense Evasion", Tags has "PrivilegeEscalation", "Privilege Escalation", Tags has "Impact", "Impact", Tags has "CommandAndControl", "Command and Control", Tags has "Discovery", "Discovery", Tags has "InitialAccess", "Initial Access", "")
  | extend Techniques = case(Tags has "T1003", "T1003", Tags has "T1036", "T1036", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1485", "T1485", Tags has "T1489", "T1489", Tags has "T1219", "T1219", Tags has "T1219", "T1219", Tags has "T1059", "T1059", Tags has "T1557", "T1557",Tags has "T1090", "T1090", Tags has "T1547", "T1547", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1053", "T1053", "")
  | extend JamfPro = case(Input_Match has "SmartGroup", "Workflow with Jamf Pro", Input_Match has "Prevented", "No workflow, Prevented by Protect", "No workflow")
  | extend ProviderName = "Jamf"
  | extend ProductName = "Jamf Protect"  
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
requiredDataConnectors:
- connectorId: JamfProtect
  dataTypes:
  - jamfprotect_CL
customDetails:
  Protect_Tags: Tags
  Protect_Analytic: input_match_event_name_s
  Related_File_hash: sha256hex
  JamfPro_Status: JamfPro
  Protect_Event_Type: input_eventType_s
  Related_Binaries: input_related_binaries_s
description: |
    'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
alertDetailsOverride:
  alertDescriptionFormat: '{{Analytic_description}} - Please investigate'
  alertDynamicProperties:
  - value: AlertURL
    alertProperty: AlertLink
  - value: ProviderName
    alertProperty: ProviderName
  - value: ProductName
    alertProperty: ProductName
  - value: Techniques
    alertProperty: Techniques
  alertSeverityColumnName: severity
  alertTacticsColumnName: Tactics
  alertDisplayNameFormat: '{{Analytic_name}} detected on {{input_host_hostname_s}}'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
name: Jamf Protect - Alerts
tactics: 
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Jamf Protect - Alerts",
        "description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
        "severity": "High",
        "enabled": true,
        "query": "jamfprotect_CL\n| where topicType_s == \"alert\"\n  and input_eventType_s <> \"GPUnifiedLogEvent\"\n  and isnotempty(input_match_severity_d)\n| extend severity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\")\n| extend Match_facts = parse_json(input_match_facts_s)\n| extend Analytic_description =  Match_facts[0].human\n| extend Analytic_name =  Match_facts[0].name\n| extend AlertURL = strcat(\"https://\", org_hd_s, \".jamfcloud.com/Alerts/\", input_match_uuid_g)\n| extend Input_Match = parse_json(input_match_actions_s)\n| extend sha256hex = tostring(parse_json(input_related_binaries_s)[0].sha256hex)\n| extend algorithm = \"SHA256\"\n| extend Matched_Users = tostring(parse_json(input_related_users_s)[0].name)\n| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])\n| extend Tags = tostring(Match_facts[0].tags)\n| extend Tactics = case(Tags has \"Execution\", \"Execution\", Tags has \"Visibility\", \"Visibility\", Tags has \"Persistence\", \"Persistence\", Tags has \"LateralMovement\", \"Lateral Movement\", Tags has \"CredentialAccess\", \"Credential Acccess\", Tags has \"DefenseEvasion\", \"Defense Evasion\", Tags has \"PrivilegeEscalation\", \"Privilege Escalation\", Tags has \"Impact\", \"Impact\", Tags has \"CommandAndControl\", \"Command and Control\", Tags has \"Discovery\", \"Discovery\", Tags has \"InitialAccess\", \"Initial Access\", \"\")\n| extend Techniques = case(Tags has \"T1003\", \"T1003\", Tags has \"T1036\", \"T1036\", Tags has \"T1204\", \"T1204\", Tags has \"T1068\", \"T1068\", Tags has \"T1485\", \"T1485\", Tags has \"T1489\", \"T1489\", Tags has \"T1219\", \"T1219\", Tags has \"T1219\", \"T1219\", Tags has \"T1059\", \"T1059\", Tags has \"T1557\", \"T1557\",Tags has \"T1090\", \"T1090\", Tags has \"T1547\", \"T1547\", Tags has \"T1204\", \"T1204\", Tags has \"T1068\", \"T1068\", Tags has \"T1053\", \"T1053\", \"\")\n| extend JamfPro = case(Input_Match has \"SmartGroup\", \"Workflow with Jamf Pro\", Input_Match has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n| extend ProviderName = \"Jamf\"\n| extend ProductName = \"Jamf Protect\"\n",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "lookbackDuration": "PT5H",
            "reopenClosedIncident": false,
            "enabled": false,
            "matchingMethod": "AllEntities"
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "AlertURL"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            },
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            }
          ],
          "alertSeverityColumnName": "severity",
          "alertDisplayNameFormat": "{{Analytic_name}} detected on {{input_host_hostname_s}}",
          "alertTacticsColumnName": "Tactics",
          "alertDescriptionFormat": "{{Analytic_description}} - Please investigate"
        },
        "customDetails": {
          "Protect_Tags": "Tags",
          "Protect_Analytic": "input_match_event_name_s",
          "Related_File_hash": "sha256hex",
          "JamfPro_Status": "JamfPro",
          "Protect_Event_Type": "input_eventType_s",
          "Related_Binaries": "input_related_binaries_s"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "input_host_hostname_s"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "Host_IPs"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Matched_Users"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "CommandLine",
                "columnName": "input_match_event_process_path_s"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "identifier": "Algorithm",
                "columnName": "algorithm"
              },
              {
                "identifier": "Value",
                "columnName": "sha256hex"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
        "templateVersion": "1.0.3"
      }
    }
  ]
}