jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
entityMappings:
- fieldMappings:
- columnName: DvcHostname
identifier: HostName
- columnName: DvcOs
identifier: OSFamily
- columnName: DvcOsVersion
identifier: OSVersion
entityType: Host
- fieldMappings:
- columnName: Host_IPs
identifier: Address
entityType: IP
- fieldMappings:
- columnName: TargetProcessCurrentDirectory
identifier: CommandLine
- columnName: TargetProcessId
identifier: ProcessId
entityType: Process
- fieldMappings:
- columnName: algorithm
identifier: Algorithm
- columnName: TargetBinarySHA256
identifier: Value
entityType: FileHash
alertDetailsOverride:
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertTacticsColumnName: Tactics
alertSeverityColumnName: EventSeverity
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: Techniques
value: Techniques
tactics:
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
suppressionDuration: PT5H
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
status: Available
version: 1.0.6
relevantTechniques:
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
severity: High
kind: NRT
name: Jamf Protect - Alerts
customDetails:
Related_File_hash: TargetBinarySHA256
TargetBinarySigner: TargetBinarySigningTeamID
Protect_Event_Type: EventType
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Protect_Analytic: EventMessage
Related_Binaries: TargetBinaryFilePath
JamfPro_Status: JamfPro
TargetbinarySign: TargetbinarySignerType
Protect_Tags: Tags
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- jamfprotectalerts_CL
connectorId: JamfProtect
