Jamf Protect - Alerts
Id | 6098daa0-f05e-44d5-b5a0-913e63ba3179 |
Rulename | Jamf Protect - Alerts |
Description | Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel |
Severity | High |
Required data connectors | JamfProtect |
Kind | NRT |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml |
Version | 1.0.3 |
Arm template | 6098daa0-f05e-44d5-b5a0-913e63ba3179.json |
jamfprotect_CL
| where topicType_s == "alert"
and input_eventType_s <> "GPUnifiedLogEvent"
and isnotempty(input_match_severity_d)
| extend severity = case(input_match_severity_d == 0, "Informational", input_match_severity_d == 1, "Low", input_match_severity_d == 2, "Medium", input_match_severity_d == 3, "High", "Informational")
| extend Match_facts = parse_json(input_match_facts_s)
| extend Analytic_description = Match_facts[0].human
| extend Analytic_name = Match_facts[0].name
| extend AlertURL = strcat("https://", org_hd_s, ".jamfcloud.com/Alerts/", input_match_uuid_g)
| extend Input_Match = parse_json(input_match_actions_s)
| extend sha256hex = tostring(parse_json(input_related_binaries_s)[0].sha256hex)
| extend algorithm = "SHA256"
| extend Matched_Users = tostring(parse_json(input_related_users_s)[0].name)
| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])
| extend Tags = tostring(Match_facts[0].tags)
| extend Tactics = case(Tags has "Execution", "Execution", Tags has "Visibility", "Visibility", Tags has "Persistence", "Persistence", Tags has "LateralMovement", "Lateral Movement", Tags has "CredentialAccess", "Credential Acccess", Tags has "DefenseEvasion", "Defense Evasion", Tags has "PrivilegeEscalation", "Privilege Escalation", Tags has "Impact", "Impact", Tags has "CommandAndControl", "Command and Control", Tags has "Discovery", "Discovery", Tags has "InitialAccess", "Initial Access", "")
| extend Techniques = case(Tags has "T1003", "T1003", Tags has "T1036", "T1036", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1485", "T1485", Tags has "T1489", "T1489", Tags has "T1219", "T1219", Tags has "T1219", "T1219", Tags has "T1059", "T1059", Tags has "T1557", "T1557",Tags has "T1090", "T1090", Tags has "T1547", "T1547", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1053", "T1053", "")
| extend JamfPro = case(Input_Match has "SmartGroup", "Workflow with Jamf Pro", Input_Match has "Prevented", "No workflow, Prevented by Protect", "No workflow")
| extend ProviderName = "Jamf"
| extend ProductName = "Jamf Protect"
version: 1.0.3
entityMappings:
- entityType: Host
fieldMappings:
- columnName: input_host_hostname_s
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: Host_IPs
identifier: Address
- entityType: Account
fieldMappings:
- columnName: Matched_Users
identifier: Name
- entityType: Process
fieldMappings:
- columnName: input_match_event_process_path_s
identifier: CommandLine
- entityType: FileHash
fieldMappings:
- columnName: algorithm
identifier: Algorithm
- columnName: sha256hex
identifier: Value
severity: High
kind: NRT
suppressionEnabled: false
suppressionDuration: PT5H
relevantTechniques:
query: |
jamfprotect_CL
| where topicType_s == "alert"
and input_eventType_s <> "GPUnifiedLogEvent"
and isnotempty(input_match_severity_d)
| extend severity = case(input_match_severity_d == 0, "Informational", input_match_severity_d == 1, "Low", input_match_severity_d == 2, "Medium", input_match_severity_d == 3, "High", "Informational")
| extend Match_facts = parse_json(input_match_facts_s)
| extend Analytic_description = Match_facts[0].human
| extend Analytic_name = Match_facts[0].name
| extend AlertURL = strcat("https://", org_hd_s, ".jamfcloud.com/Alerts/", input_match_uuid_g)
| extend Input_Match = parse_json(input_match_actions_s)
| extend sha256hex = tostring(parse_json(input_related_binaries_s)[0].sha256hex)
| extend algorithm = "SHA256"
| extend Matched_Users = tostring(parse_json(input_related_users_s)[0].name)
| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])
| extend Tags = tostring(Match_facts[0].tags)
| extend Tactics = case(Tags has "Execution", "Execution", Tags has "Visibility", "Visibility", Tags has "Persistence", "Persistence", Tags has "LateralMovement", "Lateral Movement", Tags has "CredentialAccess", "Credential Acccess", Tags has "DefenseEvasion", "Defense Evasion", Tags has "PrivilegeEscalation", "Privilege Escalation", Tags has "Impact", "Impact", Tags has "CommandAndControl", "Command and Control", Tags has "Discovery", "Discovery", Tags has "InitialAccess", "Initial Access", "")
| extend Techniques = case(Tags has "T1003", "T1003", Tags has "T1036", "T1036", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1485", "T1485", Tags has "T1489", "T1489", Tags has "T1219", "T1219", Tags has "T1219", "T1219", Tags has "T1059", "T1059", Tags has "T1557", "T1557",Tags has "T1090", "T1090", Tags has "T1547", "T1547", Tags has "T1204", "T1204", Tags has "T1068", "T1068", Tags has "T1053", "T1053", "")
| extend JamfPro = case(Input_Match has "SmartGroup", "Workflow with Jamf Pro", Input_Match has "Prevented", "No workflow, Prevented by Protect", "No workflow")
| extend ProviderName = "Jamf"
| extend ProductName = "Jamf Protect"
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: PT5H
enabled: false
matchingMethod: AllEntities
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotect_CL
customDetails:
Protect_Tags: Tags
Protect_Analytic: input_match_event_name_s
Related_File_hash: sha256hex
JamfPro_Status: JamfPro
Protect_Event_Type: input_eventType_s
Related_Binaries: input_related_binaries_s
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
alertDetailsOverride:
alertDescriptionFormat: '{{Analytic_description}} - Please investigate'
alertDynamicProperties:
- value: AlertURL
alertProperty: AlertLink
- value: ProviderName
alertProperty: ProviderName
- value: ProductName
alertProperty: ProductName
- value: Techniques
alertProperty: Techniques
alertSeverityColumnName: severity
alertTacticsColumnName: Tactics
alertDisplayNameFormat: '{{Analytic_name}} detected on {{input_host_hostname_s}}'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
name: Jamf Protect - Alerts
tactics:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Nrt",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Jamf Protect - Alerts",
"description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
"severity": "High",
"enabled": true,
"query": "jamfprotect_CL\n| where topicType_s == \"alert\"\n and input_eventType_s <> \"GPUnifiedLogEvent\"\n and isnotempty(input_match_severity_d)\n| extend severity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\")\n| extend Match_facts = parse_json(input_match_facts_s)\n| extend Analytic_description = Match_facts[0].human\n| extend Analytic_name = Match_facts[0].name\n| extend AlertURL = strcat(\"https://\", org_hd_s, \".jamfcloud.com/Alerts/\", input_match_uuid_g)\n| extend Input_Match = parse_json(input_match_actions_s)\n| extend sha256hex = tostring(parse_json(input_related_binaries_s)[0].sha256hex)\n| extend algorithm = \"SHA256\"\n| extend Matched_Users = tostring(parse_json(input_related_users_s)[0].name)\n| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])\n| extend Tags = tostring(Match_facts[0].tags)\n| extend Tactics = case(Tags has \"Execution\", \"Execution\", Tags has \"Visibility\", \"Visibility\", Tags has \"Persistence\", \"Persistence\", Tags has \"LateralMovement\", \"Lateral Movement\", Tags has \"CredentialAccess\", \"Credential Acccess\", Tags has \"DefenseEvasion\", \"Defense Evasion\", Tags has \"PrivilegeEscalation\", \"Privilege Escalation\", Tags has \"Impact\", \"Impact\", Tags has \"CommandAndControl\", \"Command and Control\", Tags has \"Discovery\", \"Discovery\", Tags has \"InitialAccess\", \"Initial Access\", \"\")\n| extend Techniques = case(Tags has \"T1003\", \"T1003\", Tags has \"T1036\", \"T1036\", Tags has \"T1204\", \"T1204\", Tags has \"T1068\", \"T1068\", Tags has \"T1485\", \"T1485\", Tags has \"T1489\", \"T1489\", Tags has \"T1219\", \"T1219\", Tags has \"T1219\", \"T1219\", Tags has \"T1059\", \"T1059\", Tags has \"T1557\", \"T1557\",Tags has \"T1090\", \"T1090\", Tags has \"T1547\", \"T1547\", Tags has \"T1204\", \"T1204\", Tags has \"T1068\", \"T1068\", Tags has \"T1053\", \"T1053\", \"\")\n| extend JamfPro = case(Input_Match has \"SmartGroup\", \"Workflow with Jamf Pro\", Input_Match has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n| extend ProviderName = \"Jamf\"\n| extend ProductName = \"Jamf Protect\"\n",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
"incidentConfiguration": {
"groupingConfiguration": {
"lookbackDuration": "PT5H",
"reopenClosedIncident": false,
"enabled": false,
"matchingMethod": "AllEntities"
},
"createIncident": true
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "AlertURL"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
},
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
}
],
"alertSeverityColumnName": "severity",
"alertDisplayNameFormat": "{{Analytic_name}} detected on {{input_host_hostname_s}}",
"alertTacticsColumnName": "Tactics",
"alertDescriptionFormat": "{{Analytic_description}} - Please investigate"
},
"customDetails": {
"Protect_Tags": "Tags",
"Protect_Analytic": "input_match_event_name_s",
"Related_File_hash": "sha256hex",
"JamfPro_Status": "JamfPro",
"Protect_Event_Type": "input_eventType_s",
"Related_Binaries": "input_related_binaries_s"
},
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "input_host_hostname_s"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "Host_IPs"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "Matched_Users"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"identifier": "CommandLine",
"columnName": "input_match_event_process_path_s"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"identifier": "Algorithm",
"columnName": "algorithm"
},
{
"identifier": "Value",
"columnName": "sha256hex"
}
]
}
],
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
"templateVersion": "1.0.3"
}
}
]
}