JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
relevantTechniques:
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: PT5H
reopenClosedIncident: false
enabled: false
createIncident: true
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
JamfProtectUnifiedLogs
| where isnotempty(EventSeverity)
| extend Host_IPs = tostring(parse_json(DvcIpAddr)[0])
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectUnifiedLogs.yaml
description: |
'Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel'
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotect_CL
suppressionDuration: PT5H
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DvcHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: Host_IPs
identifier: Address
name: Jamf Protect - Unified Logs
suppressionEnabled: false
id: 9eb2f758-003b-4303-83c6-97aed4c03e41
status: Available
customDetails:
Event_Process: TargetProcessName
Protect_Event_Type: EventType
Unified_Log: EventDescription
Tags: Match_tags
severity: Informational
kind: NRT
tactics:
version: 1.0.3
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
alertDisplayNameFormat: '{{EventDescription}} on {{DvcHostname}}'
alertDescriptionFormat: '{{EventDescription}} has been captured in the unified logs'
