Microsoft Sentinel Analytic Rules

Jamf Protect - Alerts

Id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
Rulename: Jamf Protect - Alerts
Description: Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel
Severity: High
Required data connectors: JamfProtect
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version: 1.0.6
Arm template: 6098daa0-f05e-44d5-b5a0-913e63ba3179.json
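// Enrich every Jamf Protect alert row with the columns the Sentinel rule
// maps to entities (Host_IPs, algorithm) and alert details (Tags, Tactics,
// Techniques, JamfPro). Each row becomes one alert (AlertPerResult).
jamfprotectalerts_CL
| extend
    // Fixed hash algorithm label, paired with TargetBinarySHA256 in the FileHash entity.
    algorithm = "SHA256",
    // DvcIpAddr is treated as a JSON array; only the first address is surfaced.
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    // Jamf Protect tag list, read from the nested input.match object.
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    // First matching tag wins. The result is surfaced as the alert's tactic
    // (alertTacticsColumnName), so each value must be a valid Sentinel tactic
    // name — "CredentialAccess" and "CommandAndControl" were misspelled before.
    // "Visibility" is a Jamf Protect tag rather than a MITRE tactic —
    // NOTE(review): confirm how Sentinel handles it when it is the only match.
    Tactics = case(
        input.match.tags has "Execution", "Execution",
        input.match.tags has "Visibility", "Visibility",
        input.match.tags has "Persistence", "Persistence",
        input.match.tags has "LateralMovement", "LateralMovement",
        input.match.tags has "CredentialAccess", "CredentialAccess",
        input.match.tags has "DefenseEvasion", "DefenseEvasion",
        input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
        input.match.tags has "Impact", "Impact",
        input.match.tags has "CommandAndControl", "CommandAndControl",
        input.match.tags has "Discovery", "Discovery",
        input.match.tags has "InitialAccess", "InitialAccess",
        ""),
    // Only the first technique-looking tag (one letter followed by four digits)
    // is kept; extract_all would be needed to surface every technique tag.
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    // Whether the alert was routed to a Jamf Pro smart-group workflow or was
    // already blocked by Jamf Protect itself.
    JamfPro = case(
        input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
        input.match.actions has "Prevented", "No workflow, Prevented by Protect",
        "No workflow")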
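# Sentinel near-real-time (NRT) analytic rule: every row of jamfprotectalerts_CL
# becomes one alert and one incident (no grouping). Tactics and techniques are
# derived per alert inside the query from the Jamf Protect tag list, which is
# why the static tactics/relevantTechniques lists below are empty.
name: Jamf Protect - Alerts
incidentConfiguration:
  # Grouping is disabled: each alert opens its own incident.
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
  createIncident: true
# The query is a KQL block scalar; explanatory comments stay out here so the
# rule text itself is unchanged.
# - Host_IPs keeps only the first address of DvcIpAddr.
# - Tactics must hold valid Sentinel tactic names because it feeds
#   alertTacticsColumnName; "CredentialAccess" and "CommandAndControl" were
#   previously misspelled and would not have been recognised.
# - "Visibility" is a Jamf Protect tag, not a MITRE tactic —
#   NOTE(review): confirm how Sentinel handles it as a tactic value.
# - Techniques keeps only the first technique-looking tag (one letter followed
#   by four digits); extract_all would be needed to surface all of them.
query: |
  jamfprotectalerts_CL
  | extend
      algorithm = "SHA256",
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      Tactics = case(
          input.match.tags has "Execution", "Execution",
          input.match.tags has "Visibility", "Visibility",
          input.match.tags has "Persistence", "Persistence",
          input.match.tags has "LateralMovement", "LateralMovement",
          input.match.tags has "CredentialAccess", "CredentialAccess",
          input.match.tags has "DefenseEvasion", "DefenseEvasion",
          input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
          input.match.tags has "Impact", "Impact",
          input.match.tags has "CommandAndControl", "CommandAndControl",
          input.match.tags has "Discovery", "Discovery",
          input.match.tags has "InitialAccess", "InitialAccess",
          ""),
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(
          input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
          input.match.actions has "Prevented", "No workflow, Prevented by Protect",
          "No workflow")
# Entity mappings: columns are either native jamfprotectalerts_CL fields or the
# Host_IPs/algorithm columns computed in the query above.
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcOs
    identifier: OSFamily
  - columnName: DvcOsVersion
    identifier: OSVersion
- entityType: IP
  fieldMappings:
  - columnName: Host_IPs
    identifier: Address
- entityType: Process
  fieldMappings:
  # NOTE(review): a current-directory column is mapped to CommandLine — confirm
  # this is intended rather than a command-line column.
  - columnName: TargetProcessCurrentDirectory
    identifier: CommandLine
  - columnName: TargetProcessId
    identifier: ProcessId
- entityType: FileHash
  fieldMappings:
  - columnName: algorithm
    identifier: Algorithm
  - columnName: TargetBinarySHA256
    identifier: Value
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
suppressionEnabled: false
# Static tactics list intentionally empty; per-alert tactics come from the
# Tactics column via alertTacticsColumnName. Written as [] rather than a bare
# key so the value is an explicit empty list instead of null.
tactics: []
suppressionDuration: PT5H
kind: NRT
eventGroupingSettings:
  # One alert per query result row.
  aggregationKind: AlertPerResult
version: 1.0.6
# Alert title, description, severity and tactics are taken from the row.
alertDetailsOverride:
  alertDynamicProperties:
  - value: EventVendor
    alertProperty: ProviderName
  - value: EventProduct
    alertProperty: ProductName
  - value: Techniques
    alertProperty: Techniques
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
  alertSeverityColumnName: EventSeverity
  alertTacticsColumnName: Tactics
# Static techniques list intentionally empty; see the Techniques column above.
relevantTechniques: []
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
# Extra fields surfaced on the alert: detail name -> source column.
customDetails:
  TargetBinarySigner: TargetBinarySigningTeamID
  Protect_Tags: Tags
  Protect_Event_Type: EventType
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  Protect_Analytic: EventMessage
  Related_Binaries: TargetBinaryFilePath
  Related_File_hash: TargetBinarySHA256
  # NOTE(review): column casing differs from the other TargetBinary* columns —
  # verify the source column name, otherwise this detail will be empty.
  TargetbinarySign: TargetbinarySignerType
  JamfPro_Status: JamfPro
severity: High
requiredDataConnectors:
- connectorId: JamfProtect
  dataTypes:
  - jamfprotectalerts_CL
status: Available
description: |
  'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'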