Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Jamf Protect - Unified Logs

Jamf Protect - Unified Logs

Back
Id9eb2f758-003b-4303-83c6-97aed4c03e41
RulenameJamf Protect - Unified Logs
DescriptionCreates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel
SeverityInformational
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
Version1.0.2
Arm template9eb2f758-003b-4303-83c6-97aed4c03e41.json
Deploy To Azure
JamfProtect
| where EventType == "UnifiedLog"
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])

severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
relevantTechniques: 
tactics: 
suppressionEnabled: false
alertDetailsOverride:
  alertDescriptionFormat: '{{EventDescription}} has been captured in the unified logs'
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: '{{EventDescription}} on {{DvcHostname}}'
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
customDetails:
  Tags: Match_tags
  Unified_Log: EventDescription
  Protect_Event_Type: EventType
  Event_Process: TargetProcessName
query: |
  JamfProtect
  | where EventType == "UnifiedLog"
  | where isnotempty(EventSeverity)
  | extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])  
kind: NRT
status: Available
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Host_IPs
version: 1.0.2
name: Jamf Protect - Unified Logs
suppressionDuration: PT5H
requiredDataConnectors:
- dataTypes:
  - jamfprotect_CL
  connectorId: JamfProtect
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
description: |
    'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9eb2f758-003b-4303-83c6-97aed4c03e41')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9eb2f758-003b-4303-83c6-97aed4c03e41')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "NRT",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Jamf Protect - Unified Logs",
        "description": "'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "JamfProtect\n| where EventType == \"UnifiedLog\"\n| where isnotempty(EventSeverity)\n| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])\n",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "alertRuleTemplateName": "9eb2f758-003b-4303-83c6-97aed4c03e41",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "enabled": false
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{EventDescription}} has been captured in the unified logs",
          "alertSeverityColumnName": "EventSeverity",
          "alertDisplayNameFormat": "{{EventDescription}} on {{DvcHostname}}",
          "alertDynamicProperties": [
            {
              "value": "EventVendor",
              "alertProperty": "ProviderName"
            },
            {
              "value": "EventProduct",
              "alertProperty": "ProductName"
            }
          ]
        },
        "customDetails": {
          "Unified_Log": "EventDescription",
          "Tags": "Match_tags",
          "Protect_Event_Type": "EventType",
          "Event_Process": "TargetProcessName"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "Host_IPs",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml",
        "templateVersion": "1.0.2",
        "status": "Available"
      }
    }
  ]
}