JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
description: |
'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'
version: 1.0.3
tactics:
query: |
JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
status: Available
kind: NRT
customDetails:
Unified_Log: EventDescription
Tags: Match_tags
Event_Process: TargetProcessName
Protect_Event_Type: EventType
alertDetailsOverride:
alertDescriptionFormat: '{{EventDescription}} has been captured in the unified logs'
alertDynamicProperties:
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
alertSeverityColumnName: EventSeverity
alertDisplayNameFormat: '{{EventDescription}} on {{DvcHostname}}'
suppressionEnabled: false
relevantTechniques:
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
suppressionDuration: PT5H
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
entityType: Host
- fieldMappings:
- identifier: Address
columnName: Host_IPs
entityType: IP
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: Informational
name: Jamf Protect - Unified Logs
incidentConfiguration:
groupingConfiguration:
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
requiredDataConnectors:
- dataTypes:
- jamfprotect_CL
connectorId: JamfProtect
