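// Enrichment for Jamf Protect alerts: one row per record in jamfprotectalerts_CL, with
// the columns the analytic rule maps to entities (Host_IPs, algorithm), the dynamic
// tactic override (Tactics), alert properties (Techniques) and custom details (Tags, JamfPro).
jamfprotectalerts_CL
| extend
    // Constant consumed by the FileHash entity mapping; TargetBinarySHA256 carries the value.
    algorithm = "SHA256",
    // DvcIpAddr is read as a JSON array; only its first element is surfaced as the IP entity.
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    // Jamf Protect analytic tags as a dynamic array for the custom details.
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    // First matching Jamf tag wins. Output values are spelled exactly as Sentinel's tactic
    // names ("CredentialAccess", "CommandAndControl"); the previous "CredentialAcccess" /
    // "CommandandControl" spellings would not match the tactic enum.
    // NOTE(review): "Visibility" is a Jamf tag, not a Sentinel/MITRE tactic; confirm the
    // platform accepts it via alertTacticsColumnName or map it to "" instead.
    Tactics = case(
        input.match.tags has "Execution", "Execution",
        input.match.tags has "Visibility", "Visibility",
        input.match.tags has "Persistence", "Persistence",
        input.match.tags has "LateralMovement", "LateralMovement",
        input.match.tags has "CredentialAccess", "CredentialAccess",
        input.match.tags has "DefenseEvasion", "DefenseEvasion",
        input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
        input.match.tags has "Impact", "Impact",
        input.match.tags has "CommandAndControl", "CommandAndControl",
        input.match.tags has "Discovery", "Discovery",
        input.match.tags has "InitialAccess", "InitialAccess",
        ""),
    // First token that looks like a MITRE technique id (one letter + four digits); extract()
    // returns only the first match, so an alert tagged with several techniques surfaces one.
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    // Whether a Jamf Pro workflow or a Protect prevention was applied, from the action list.
    JamfPro = case(
        input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
        input.match.actions has "Prevented", "No workflow, Prevented by Protect",
        "No workflow")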
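# Entities extracted from each result row. Column names are either raw
# jamfprotectalerts_CL columns or columns computed in the query's `extend`.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DvcHostname
      - identifier: OSFamily
        columnName: DvcOs
      - identifier: OSVersion
        columnName: DvcOsVersion
  - entityType: IP
    fieldMappings:
      # Host_IPs is the first element of DvcIpAddr, computed in the query.
      - identifier: Address
        columnName: Host_IPs
  - entityType: Process
    fieldMappings:
      # NOTE(review): CommandLine is sourced from a current-directory column; confirm
      # against the jamfprotectalerts_CL schema that this is the intended column.
      - identifier: CommandLine
        columnName: TargetProcessCurrentDirectory
      - identifier: ProcessId
        columnName: TargetProcessId
  - entityType: FileHash
    fieldMappings:
      # `algorithm` is the constant "SHA256" set in the query.
      - identifier: Algorithm
        columnName: algorithm
      - identifier: Value
        columnName: TargetBinarySHA256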
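# Static tactics are intentionally empty: the rule assigns a tactic per alert from the
# query's Tactics column (alertDetailsOverride.alertTacticsColumnName). An explicit
# empty list is used because a bare `tactics:` parses as null, not as a list.
tactics: []
suppressionEnabled: false
suppressionDuration: PT5H
requiredDataConnectors:
  - dataTypes:
      - jamfprotectalerts_CL
    connectorId: JamfProtect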
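# Per-alert overrides; `{{Column}}` placeholders are filled from the result row.
alertDetailsOverride:
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  # Tactic is taken from the Tactics column computed in the query.
  alertTacticsColumnName: Tactics
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
  alertDynamicProperties:
    - value: EventVendor
      alertProperty: ProviderName
    - value: EventProduct
      alertProperty: ProductName
    # Techniques is a one-element array built in the query from the first technique-looking tag.
    - value: Techniques
      alertProperty: Techniques
  alertSeverityColumnName: EventSeverity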
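id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
severity: High
status: Available
# Custom detail label -> query column shown on the alert.
customDetails:
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  # NOTE(review): "Targetbinary" casing differs from the other TargetBinary* columns;
  # confirm this column name matches the table schema exactly.
  TargetbinarySign: TargetbinarySignerType
  # JamfPro is computed in the query from input.match.actions.
  JamfPro_Status: JamfPro
  TargetBinarySigner: TargetBinarySigningTeamID
  # Tags is the parsed input.match.tags array from the query.
  Protect_Tags: Tags
  Related_Binaries: TargetBinaryFilePath
  Related_File_hash: TargetBinarySHA256
  Protect_Event_Type: EventType
  Protect_Analytic: EventMessage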
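# KQL run by the rule. Tactic names are spelled exactly as Sentinel's tactic enum
# ("CredentialAccess", "CommandAndControl"); the earlier "CredentialAcccess" and
# "CommandandControl" spellings would not match and left those alerts without a tactic.
# NOTE(review): "Visibility" is a Jamf tag, not a Sentinel/MITRE tactic; confirm it is
# accepted through alertTacticsColumnName.
query: |
  jamfprotectalerts_CL
  | extend
      // Constant for the FileHash entity; TargetBinarySHA256 carries the value.
      algorithm = "SHA256",
      // Only the first address in the DvcIpAddr JSON array becomes the IP entity.
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      // First matching Jamf tag wins.
      Tactics = case(
          input.match.tags has "Execution", "Execution",
          input.match.tags has "Visibility", "Visibility",
          input.match.tags has "Persistence", "Persistence",
          input.match.tags has "LateralMovement", "LateralMovement",
          input.match.tags has "CredentialAccess", "CredentialAccess",
          input.match.tags has "DefenseEvasion", "DefenseEvasion",
          input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
          input.match.tags has "Impact", "Impact",
          input.match.tags has "CommandAndControl", "CommandAndControl",
          input.match.tags has "Discovery", "Discovery",
          input.match.tags has "InitialAccess", "InitialAccess",
          ""),
      // extract() returns only the first technique-looking token (letter + four digits).
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(
          input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
          input.match.actions has "Prevented", "No workflow, Prevented by Protect",
          "No workflow")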
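OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
# Near-real-time rule: no queryFrequency/queryPeriod apply.
kind: NRT
# Quoted so no parser can ever read the version as a number.
version: "1.0.6"
name: Jamf Protect - Alerts
description: |
  'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'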
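# One alert per query result row.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Explicit empty list: a bare `relevantTechniques:` parses as null, not as a list.
# Techniques are attached per alert through alertDynamicProperties instead.
relevantTechniques: []
incidentConfiguration:
  # Grouping is disabled, so each alert becomes its own incident.
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true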