Microsoft Sentinel Analytic Rules

Jamf Protect - Alerts

Id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
Rulename: Jamf Protect - Alerts
Description: Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel
Severity: High
Required data connectors: JamfProtect
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version: 1.0.6
Arm template: 6098daa0-f05e-44d5-b5a0-913e63ba3179.json
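jamfprotectalerts_CL
| extend
    // Label for the FileHash entity; TargetBinarySHA256 supplies the hash value.
    algorithm = "SHA256",
    // Only the first address of the DvcIpAddr array is exposed as the IP entity.
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    // case() returns the first matching branch, so an alert tagged with several
    // tactics is labelled with one, in the order below. The result strings must use
    // Sentinel's exact tactic spelling because this column drives the alert's tactics.
    // NOTE(review): "Visibility" is not a MITRE ATT&CK tactic; confirm how Sentinel
    // treats a value outside its tactic enum.
    Tactics = case(
        input.match.tags has "Execution", "Execution",
        input.match.tags has "Visibility", "Visibility",
        input.match.tags has "Persistence", "Persistence",
        input.match.tags has "LateralMovement", "LateralMovement",
        input.match.tags has "CredentialAccess", "CredentialAccess",
        input.match.tags has "DefenseEvasion", "DefenseEvasion",
        input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
        input.match.tags has "Impact", "Impact",
        input.match.tags has "CommandAndControl", "CommandAndControl",
        input.match.tags has "Discovery", "Discovery",
        input.match.tags has "InitialAccess", "InitialAccess",
        ""),
    // extract() yields only the first match, and the pattern stops after four digits,
    // so a single technique is reported and a sub-technique suffix (.NNN) is dropped.
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    JamfPro = case(
        input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
        input.match.actions has "Prevented", "No workflow, Prevented by Protect",
        "No workflow")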
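OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
eventGroupingSettings:
  # One Sentinel alert per result row, so every Jamf Protect alert surfaces on its own.
  aggregationKind: AlertPerResult
description: |
    'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
suppressionEnabled: false
name: Jamf Protect - Alerts
incidentConfiguration:
  createIncident: true
  # Incident grouping is switched off; the matching/lookback keys below are kept for
  # completeness but presumably have no effect while enabled is false.
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
kind: NRT
requiredDataConnectors:
- connectorId: JamfProtect
  dataTypes:
  - jamfprotectalerts_CL
# customDetails: label shown on the alert -> query column that supplies the value.
customDetails:
  Related_File_hash: TargetBinarySHA256
  TargetBinarySigner: TargetBinarySigningTeamID
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  Protect_Event_Type: EventType
  TargetbinarySign: TargetbinarySignerType
  Related_Binaries: TargetBinaryFilePath
  Protect_Analytic: EventMessage
  Protect_Tags: Tags
  JamfPro_Status: JamfPro
# Suppression window is declared but inactive (suppressionEnabled is false above).
suppressionDuration: PT5H
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
  - identifier: OSFamily
    columnName: DvcOs
  - identifier: OSVersion
    columnName: DvcOsVersion
- entityType: IP
  fieldMappings:
  # Host_IPs holds only the first element of DvcIpAddr (see query), so an alert from a
  # multi-homed device maps a single address.
  - identifier: Address
    columnName: Host_IPs
- entityType: Process
  fieldMappings:
  # NOTE(review): the CommandLine identifier is fed from a working-directory column;
  # confirm whether jamfprotectalerts_CL carries an actual command-line column and map
  # that instead, otherwise investigators see a directory where a command line is expected.
  - identifier: CommandLine
    columnName: TargetProcessCurrentDirectory
  - identifier: ProcessId
    columnName: TargetProcessId
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: algorithm
  - identifier: Value
    columnName: TargetBinarySHA256
# No static tactics: they are assigned per alert from the Tactics column via
# alertDetailsOverride.alertTacticsColumnName. An explicit [] avoids the null a bare key yields.
tactics: []
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
status: Available
version: 1.0.6
# Tactics column: case() takes the first matching branch, so an alert tagged with several
# tactics is labelled with one, in the order listed. The result strings must match
# Sentinel's tactic spelling exactly (e.g. "CredentialAccess", "CommandAndControl")
# because this column drives the alert's tactics.
# NOTE(review): "Visibility" is not a MITRE ATT&CK tactic; confirm how Sentinel treats a
# value outside its tactic enum.
# Techniques column: extract() returns only the first match and [A-Za-z]\d{4} stops at
# four digits, so one technique is reported and a sub-technique suffix (.NNN) is dropped.
query: |
  jamfprotectalerts_CL
  | extend
      algorithm = "SHA256",
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      Tactics = case(
          input.match.tags has "Execution", "Execution",
          input.match.tags has "Visibility", "Visibility",
          input.match.tags has "Persistence", "Persistence",
          input.match.tags has "LateralMovement", "LateralMovement",
          input.match.tags has "CredentialAccess", "CredentialAccess",
          input.match.tags has "DefenseEvasion", "DefenseEvasion",
          input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation",
          input.match.tags has "Impact", "Impact",
          input.match.tags has "CommandAndControl", "CommandAndControl",
          input.match.tags has "Discovery", "Discovery",
          input.match.tags has "InitialAccess", "InitialAccess",
          ""),
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(
          input.match.actions has "SmartGroup", "Workflow with Jamf Pro",
          input.match.actions has "Prevented", "No workflow, Prevented by Protect",
          "No workflow")
alertDetailsOverride:
  # Per-alert overrides sourced from query columns; Tactics and EventSeverity must hold
  # values Sentinel accepts for these fields.
  alertTacticsColumnName: Tactics
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: Techniques
    value: Techniques
severity: High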
relevantTechniques: