JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
entityMappings:
- fieldMappings:
- columnName: DvcHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: Host_IPs
identifier: Address
entityType: IP
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: '{{EventDescription}} has been captured in the unified logs'
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
alertDisplayNameFormat: '{{EventDescription}} on {{DvcHostname}}'
tactics:
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
suppressionDuration: PT5H
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
status: Available
version: 1.0.3
relevantTechniques:
query: |
JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
severity: Informational
kind: NRT
name: Jamf Protect - Unified Logs
customDetails:
Event_Process: TargetProcessName
Unified_Log: EventDescription
Protect_Event_Type: EventType
Tags: Match_tags
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
description: |
'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- jamfprotect_CL
connectorId: JamfProtect
