Microsoft Sentinel Analytic Rules

Jamf Protect - Unified Logs

Id: 9eb2f758-003b-4303-83c6-97aed4c03e41
Rule name: Jamf Protect - Unified Logs
Description: Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel
Severity: Informational
Required data connectors: JamfProtect
Kind: NRT
Source URI: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
Version: 1.0.1
ARM template: 9eb2f758-003b-4303-83c6-97aed4c03e41.json
// Jamf Protect Unified Log events from the custom log table, enriched with a
// Sentinel severity name and the provider/product columns used by the
// alert details override. Same pipeline as the rule's query: section.
jamfprotect_CL
| where input_eventType_s == "GPUnifiedLogEvent"
// Numeric Jamf Protect severity (0-3) -> Sentinel severity name. Any other
// value (including a missing severity) takes the default branch, Informational.
| extend severity = case(
    input_match_severity_d == 0, "Informational",
    input_match_severity_d == 1, "Low",
    input_match_severity_d == 2, "Medium",
    input_match_severity_d == 3, "High",
    "Informational")
// case() above always yields a value, so this filter never removes a row.
| where isnotempty(severity)
// Only the first address of the host IP array is surfaced as the IP entity.
| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])
| extend ProviderName = "Jamf"
| extend ProductName = "Jamf Protect"
| extend ProductNameComponentName = "Unified Logging"
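# Microsoft Sentinel analytic rule: Jamf Protect - Unified Logs.
# NRT (near-real-time) rule with aggregationKind AlertPerResult and
# createIncident: true, so every jamfprotect_CL row matched by the query
# becomes its own alert and incident; incident grouping is disabled below.
# Check that volume against the Unified Log filters configured in Jamf Protect
# before enabling this at scale.
version: 1.0.1
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: input_host_hostname_s
    identifier: HostName
- entityType: IP
  fieldMappings:
  # Host_IPs is only element [0] of input_host_ips_s (see query); any further
  # addresses of a multi-homed host are not mapped to an entity.
  - columnName: Host_IPs
    identifier: Address
- entityType: Process
  fieldMappings:
  # NOTE(review): the column is a string (_s suffix). If it carries a process
  # name/path rather than a PID, ProcessId may not be the right identifier —
  # confirm against the Jamf Protect event schema.
  - columnName: input_match_event_process_s
    identifier: ProcessId
# Default rule severity; overridden per alert via alertSeverityColumnName below.
severity: Informational
kind: NRT
suppressionEnabled: false
suppressionDuration: PT5H
# No MITRE ATT&CK mapping is defined for this rule. Written as an explicit
# empty list: a bare `relevantTechniques:` parses as null rather than [].
relevantTechniques: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    # Grouping disabled: each alert opens a separate incident.
    enabled: false
    matchingMethod: AllEntities
requiredDataConnectors:
- connectorId: JamfProtect
  dataTypes:
  - jamfprotect_CL
customDetails:
  Unified_Log: input_match_event_name_s
  Protect_Event_Type: input_eventType_s
  Event_Process: input_match_event_process_s
  Tags: input_match_event_tags_s
description: |
    'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'
query: |
  jamfprotect_CL
  | where input_eventType_s == "GPUnifiedLogEvent"
  // Numeric Jamf Protect severity (0-3) -> Sentinel severity name. Any other
  // value (including a missing severity) takes the default branch, Informational.
  | extend severity = case(
      input_match_severity_d == 0, "Informational",
      input_match_severity_d == 1, "Low",
      input_match_severity_d == 2, "Medium",
      input_match_severity_d == 3, "High",
      "Informational")
  // case() above always yields a value, so this filter never removes a row.
  | where isnotempty(severity)
  // Only the first address of the host IP array is surfaced as the IP entity.
  | extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])
  | extend ProviderName = "Jamf"
  | extend ProductName = "Jamf Protect"
  | extend ProductNameComponentName = "Unified Logging"
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProviderName
    alertProperty: ProviderName
  - value: ProductName
    alertProperty: ProductName
  # Per-alert severity comes from the query's computed `severity` column.
  alertSeverityColumnName: severity
  alertDescriptionFormat: '{{input_match_event_name_s}} has been captured in the unified logs'
  alertDisplayNameFormat: '{{input_match_event_name_s}} on {{input_host_hostname_s}}'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
name: Jamf Protect - Unified Logs
# No tactics assigned; explicit empty list for the same reason as relevantTechniques.
tactics: []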
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9eb2f758-003b-4303-83c6-97aed4c03e41')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9eb2f758-003b-4303-83c6-97aed4c03e41')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Jamf Protect - Unified Logs",
        "description": "'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "jamfprotect_CL\n| where input_eventType_s == \"GPUnifiedLogEvent\"\n| extend severity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\")\n| where isnotempty(severity)\n| extend Host_IPs = tostring(parse_json(input_host_ips_s)[0])\n| extend ProviderName = \"Jamf\"\n| extend ProductName = \"Jamf Protect\"\n| extend ProductNameComponentName = \"Unified Logging\"\n",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "alertRuleTemplateName": "9eb2f758-003b-4303-83c6-97aed4c03e41",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "lookbackDuration": "PT5H",
            "reopenClosedIncident": false,
            "enabled": false,
            "matchingMethod": "AllEntities"
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            },
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            }
          ],
          "alertSeverityColumnName": "severity",
          "alertDisplayNameFormat": "{{input_match_event_name_s}} on {{input_host_hostname_s}}",
          "alertDescriptionFormat": "{{input_match_event_name_s}} has been captured in the unified logs"
        },
        "customDetails": {
          "Unified_Log": "input_match_event_name_s",
          "Protect_Event_Type": "input_eventType_s",
          "Event_Process": "input_match_event_process_s",
          "Tags": "input_match_event_tags_s"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "input_host_hostname_s"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "Host_IPs"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "ProcessId",
                "columnName": "input_match_event_process_s"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}