JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
name: Jamf Protect - Unified Logs
incidentConfiguration:
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
matchingMethod: AllEntities
createIncident: true
query: |
JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DvcHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: Host_IPs
identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
suppressionEnabled: false
tactics:
suppressionDuration: PT5H
kind: NRT
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.3
alertDetailsOverride:
alertDescriptionFormat: '{{EventDescription}} has been captured in the unified logs'
alertSeverityColumnName: EventSeverity
alertDisplayNameFormat: '{{EventDescription}} on {{DvcHostname}}'
alertDynamicProperties:
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
relevantTechniques:
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
customDetails:
Event_Process: TargetProcessName
Tags: Match_tags
Protect_Event_Type: EventType
Unified_Log: EventDescription
severity: Informational
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotect_CL
status: Available
description: |
'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'
