Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jamf Protect - Unified Logs

Back
Id9eb2f758-003b-4303-83c6-97aed4c03e41
RulenameJamf Protect - Unified Logs
DescriptionCreates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel
SeverityInformational
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
Version1.0.2
Arm template9eb2f758-003b-4303-83c6-97aed4c03e41.json
Deploy To Azure
JamfProtect
| where EventType == "UnifiedLog"
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
severity: Informational
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
status: Available
requiredDataConnectors:
- dataTypes:
  - jamfprotect_CL
  connectorId: JamfProtect
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
  createIncident: true
kind: NRT
description: |
    'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'
suppressionDuration: PT5H
alertDetailsOverride:
  alertDisplayNameFormat: '{{EventDescription}} on {{DvcHostname}}'
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: '{{EventDescription}} has been captured in the unified logs'
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
query: |
  JamfProtect
  | where EventType == "UnifiedLog"
  | where isnotempty(EventSeverity)
  | extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])  
tactics: 
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
relevantTechniques: 
customDetails:
  Tags: Match_tags
  Unified_Log: EventDescription
  Protect_Event_Type: EventType
  Event_Process: TargetProcessName
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Host_IPs
version: 1.0.2
name: Jamf Protect - Unified Logs
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9eb2f758-003b-4303-83c6-97aed4c03e41')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9eb2f758-003b-4303-83c6-97aed4c03e41')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{EventDescription}} has been captured in the unified logs",
          "alertDisplayNameFormat": "{{EventDescription}} on {{DvcHostname}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "EventVendor"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventProduct"
            }
          ],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "9eb2f758-003b-4303-83c6-97aed4c03e41",
        "customDetails": {
          "Event_Process": "TargetProcessName",
          "Protect_Event_Type": "EventType",
          "Tags": "Match_tags",
          "Unified_Log": "EventDescription"
        },
        "description": "'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'\n",
        "displayName": "Jamf Protect - Unified Logs",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Host_IPs",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml",
        "query": "JamfProtect\n| where EventType == \"UnifiedLog\"\n| where isnotempty(EventSeverity)\n| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])\n",
        "severity": "Informational",
        "status": "Available",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.0.2"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}