adding solution for Jamf Push connector
idoshabi07 committed Jan 23, 2025
1 parent 925290f commit 126ea95
Showing 14 changed files with 3,915 additions and 986 deletions.
277 changes: 277 additions & 0 deletions Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/DCR.json

Large diffs are not rendered by default.

@@ -0,0 +1,208 @@
{
"name": "JamfProtectPush",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "JamfProtectPush",
"title": "Jamf Protect Push Connector",
"publisher": "Jamf",
"descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Telemetry",
"legend": "jamfprotecttelemetryv2_CL",
"baseQuery": "jamfprotecttelemetryv2_CL"
},
{
"metricName": "Unified Logs",
"legend": "jamfprotectunifiedlogs_CL",
"baseQuery": "jamfprotectunifiedlogs_CL"
},
{
"metricName": "Telemetry (Legacy)",
"legend": "jamfprotecttelemetryv1_CL",
"baseQuery": "jamfprotecttelemetryv1_CL"
},
{
"metricName": "Alerts",
"legend": "jamfprotectalerts_CL",
"baseQuery": "jamfprotectalerts_CL"
}
],
"sampleQueries": [
{
"description": "Jamf Protect - All Alerts",
"query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc"
},
{
"description": "Jamf Protect - All Telemetry events",
"query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "jamfprotecttelemetryv2_CL",
"lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "jamfprotectunifiedlogs_CL",
"lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "jamfprotecttelemetryv1_CL",
"lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "jamfprotectalerts_CL",
"lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "IsConnectedQuery",
"value": [
"jamfprotecttelemetryv2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
"jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"availability": {
"status": 1
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "Microsoft Entra",
"description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
},
{
"name": "Microsoft Azure",
"description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role"
}
]
},
"instructionSteps": [
{
"title": "1. Create ARM Resources and Provide the Required Permissions",
"description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.",
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token."
}
},
{
"parameters": {
"label": "Deploy Jamf Protect connector resources",
"applicationDisplayName": "Jamf Protect Connector Application"
},
"type": "DeployPushConnectorButton"
}
]
},
{
"title": "2. Push your logs into the workspace",
"description": "Use the following parameters to configure the your machine to send the logs to the workspace.",
"instructions": [
{
"parameters": {
"label": "Tenant ID (Directory ID)",
"fillWith": [
"TenantId"
]
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Entra Application ID",
"fillWith": [
"ApplicationId"
],
"placeholder": "Deploy push connector to get the Application ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Entra Application Secret",
"fillWith": [
"ApplicationSecret"
],
"placeholder": "Deploy push connector to get the Application Secret"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "DCE Uri",
"fillWith": [
"DataCollectionEndpoint"
],
"placeholder": "Deploy push connector to get the DCR Uri"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "DCR Immutable ID",
"fillWith": [
"DataCollectionRuleId"
],
"placeholder": "Deploy push connector to get the DCR ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Telemetry Stream ID",
"value": "Custom-jamfprotecttelemetryv1_CL"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Unified Logs Stream ID",
"value": "Custom-jamfprotectunifiedlogs_CL"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Telemetry (Legacy) Stream ID",
"value": "Custom-jamfprotecttelemetryv2_CL"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Alerts Stream ID",
"value": "Custom-jamfprotectalerts_CL"
},
"type": "CopyableLabel"
}
]
}
]
}
}
}
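Review bot: The stream IDs shown in step 2 are crossed: the `Telemetry Stream ID` label carries `Custom-jamfprotecttelemetryv1_CL` and `Telemetry (Legacy) Stream ID` carries `Custom-jamfprotecttelemetryv2_CL`, while `graphQueries` in the same file maps Telemetry to v2 and Telemetry (Legacy) to v1. An operator who copies these values would route current telemetry into the legacy stream, so detections written against `jamfprotecttelemetryv2_CL` would likely see no data; swap the two `value` strings. The second sample query reads `jamfprotecttelemetry_CL`, a table that none of the schemas visible in this commit creates, and should probably name `jamfprotecttelemetryv2_CL`. `permissionsDisplayText` says read and write while `requiredPermissions` also sets `"delete": true`; either drop the delete requirement or state it in the text.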
@@ -0,0 +1,25 @@
{
"name": "JamfProtectPushConnectorPolling",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "Push",
"properties": {
"connectorDefinitionName": "JamfProtectPush",
"dcrConfig": {
"streamName": "Custom-jamfprotecttelemetryv2",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"auth": {
"type": "Push",
"AppId": "[[parameters('auth').appId]",
"ServicePrincipalId": "[[parameters('auth').servicePrincipalId]"
},
"request": {},
"response": {
"eventsJsonPaths": [
"$.messages"
]
}
}
}
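Review bot: `streamName` is `Custom-jamfprotecttelemetryv2`, without the `_CL` suffix that every stream ID in the `dataConnectorDefinitions` file of this commit carries (`Custom-jamfprotecttelemetryv2_CL`). DCR.json is not rendered on this page, so which spelling the rule declares cannot be checked here; if the DCR uses the `_CL` form, this should read `"streamName": "Custom-jamfprotecttelemetryv2_CL"`. Only one of the four streams is named here, so it is worth confirming that alerts, unified logs and legacy telemetry are accepted through the same connector. The resource name ends in `Polling` although `kind` and `auth.type` are both `Push`.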
@@ -0,0 +1,11 @@
{
"SolutionName":"Jamf Protect for Microsoft Sentinel",
"SolutionAuthor": "Thijs Xhaflaire",
"SolutionVersion":"3.2.0",
"PackageId": "azuresentinel.azure-sentinel-solution-JamfProtectPushV1",
"TemplateName": "JamfProtectPushV1",
"ConnectorDefinitionTemplateVersion": "1.0.0",
"DataConnectorsTemplateVersion": "1.0.0",
"PackageIcon":"JamfProtect",
"SolutionTier": "Partner"
}
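--- a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table.json
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table.json
@@ -0,0 +1,236 @@
+{
+"name": "jamfprotectalerts_CL",
+"type": "Microsoft.OperationalInsights/workspaces/tables",
+"apiVersion": "2021-03-01-privatepreview",
+"tags": {},
+"properties": {
+"plan": "Analytics",
+"schema": {
+"name": "jamfprotectalerts_CL",
+"columns": [
+{
+"name": "input",
+"type": "dynamic"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "EventVendor",
+"type": "string"
+},
+{
+"name": "EventProduct",
+"type": "string"
+},
+{
+"name": "EventProductVersion",
+"type": "dynamic"
+},
+{
+"name": "EventSeverity",
+"type": "string"
+},
+{
+"name": "EventOriginalType",
+"type": "dynamic"
+},
+{
+"name": "EventOriginalUid",
+"type": "dynamic"
+},
+{
+"name": "EventType",
+"type": "string"
+},
+{
+"name": "EventResult",
+"type": "string"
+},
+{
+"name": "EventMessage",
+"type": "dynamic"
+},
+{
+"name": "EventResultMessage",
+"type": "dynamic"
+},
+{
+"name": "TargetHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcSerial",
+"type": "dynamic"
+},
+{
+"name": "DvcIpAddr",
+"type": "dynamic"
+},
+{
+"name": "DvcId",
+"type": "dynamic"
+},
+{
+"name": "DvcOs",
+"type": "string"
+},
+{
+"name": "DvcOsVersion",
+"type": "dynamic"
+},
+{
+"name": "SrcDeviceType",
+"type": "string"
+},
+{
+"name": "ProcessEventType",
+"type": "string"
+},
+{
+"name": "ProcessEventSubType",
+"type": "string"
+},
+{
+"name": "ActingProcessName",
+"type": "string"
+},
+{
+"name": "ActingProcessId",
+"type": "real"
+},
+{
+"name": "ActingProcessGuid",
+"type": "string"
+},
+{
+"name": "ParentProcessName",
+"type": "dynamic"
+},
+{
+"name": "ParentProcessId",
+"type": "real"
+},
+{
+"name": "ParentProcessGuid",
+"type": "string"
+},
+{
+"name": "TargetProcessName",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessId",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessGuid",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessSHA1",
+"type": "string"
+},
+{
+"name": "TargetProcessSHA256",
+"type": "string"
+},
+{
+"name": "TargetProcessCommandLine",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessCurrentDirectory",
+"type": "string"
+},
+{
+"name": "TargetProcessStatusCode",
+"type": "real"
+},
+{
+"name": "TargetFilePath",
+"type": "dynamic"
+},
+{
+"name": "TargetFileSHA1",
+"type": "dynamic"
+},
+{
+"name": "TargetFileSHA256",
+"type": "dynamic"
+},
+{
+"name": "TargetFileSize",
+"type": "dynamic"
+},
+{
+"name": "TargetFileSigningInfoMessage",
+"type": "dynamic"
+},
+{
+"name": "TargetFileSignerType",
+"type": "string"
+},
+{
+"name": "TargetFileSigningTeamID",
+"type": "dynamic"
+},
+{
+"name": "TargetFileIsDownload",
+"type": "boolean"
+},
+{
+"name": "TargetFileIsAppBundle",
+"type": "boolean"
+},
+{
+"name": "TargetFileIsDirectory",
+"type": "boolean"
+},
+{
+"name": "TargetFileIsScreenshot",
+"type": "boolean"
+},
+{
+"name": "TargetFileExtendedAttributes",
+"type": "dynamic"
+},
+{
+"name": "TargetBinaryFilePath",
+"type": "dynamic"
+},
+{
+"name": "TargetBinarySHA1",
+"type": "dynamic"
+},
+{
+"name": "TargetBinarySHA256",
+"type": "dynamic"
+},
+{
+"name": "TargetBinarySigningInfoMessage",
+"type": "dynamic"
+},
+{
+"name": "TargetbinarySignerType",
+"type": "string"
+},
+{
+"name": "TargetBinarySigningTeamID",
+"type": "dynamic"
+},
+{
+"name": "TargetBinarySigningAppID",
+"type": "dynamic"
+}
+]
+},
+"totalRetentionInDays": 30
+}
+}
+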
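Review bot: The column `TargetbinarySignerType` is spelled with a lower-case `b` while its siblings use `TargetBinary…` (`TargetBinarySHA256`, `TargetBinarySigningTeamID`); KQL column names are case-sensitive, so a rule written against `TargetBinarySignerType` would not resolve. The same spelling is in table2.json; if the parser (not rendered on this page) does not depend on it, rename to `"name": "TargetBinarySignerType"` in both files. Types are also uneven: `ActingProcessId`, `ParentProcessId` and `TargetProcessStatusCode` are `real` where `int` fits, `TargetFileSHA256` is `dynamic` while `TargetProcessSHA256` is `string`, and table3.json types `EventOriginalType`, `EventVendor` and `EventProduct` differently from this table. Scalar fields such as hashes and IDs are easier to join and filter on when they are declared `string` or `int` consistently across the four tables.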
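--- a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table2.json
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table2.json
@@ -0,0 +1,263 @@
+{
+"name": "jamfprotecttelemetryv1_CL",
+"type": "Microsoft.OperationalInsights/workspaces/tables",
+"apiVersion": "2021-03-01-privatepreview",
+"tags": {},
+"properties": {
+"plan": "Analytics",
+"schema": {
+"name": "jamfprotecttelemetryv1_CL",
+"columns": [
+{
+"name": "architecture",
+"type": "string"
+},
+{
+"name": "arguments",
+"type": "dynamic"
+},
+{
+"name": "attributes",
+"type": "dynamic"
+},
+{
+"name": "bios_firmware_versions",
+"type": "dynamic"
+},
+{
+"name": "contents",
+"type": "string"
+},
+{
+"name": "exec_args",
+"type": "dynamic"
+},
+{
+"name": "exec_chain",
+"type": "dynamic"
+},
+{
+"name": "exec_chain_child",
+"type": "dynamic"
+},
+{
+"name": "exec_chain_parent",
+"type": "dynamic"
+},
+{
+"name": "exec_env",
+"type": "dynamic"
+},
+{
+"name": "exit",
+"type": "dynamic"
+},
+{
+"name": "file",
+"type": "dynamic"
+},
+{
+"name": "header",
+"type": "dynamic"
+},
+{
+"name": "host_info",
+"type": "dynamic"
+},
+{
+"name": "identity",
+"type": "dynamic"
+},
+{
+"name": "key",
+"type": "string"
+},
+{
+"name": "metrics",
+"type": "dynamic"
+},
+{
+"name": "page_info",
+"type": "dynamic"
+},
+{
+"name": "path",
+"type": "dynamic"
+},
+{
+"name": "process",
+"type": "dynamic"
+},
+{
+"name": "rateLimitingSeconds",
+"type": "int"
+},
+{
+"name": "return",
+"type": "dynamic"
+},
+{
+"name": "socket_inet",
+"type": "dynamic"
+},
+{
+"name": "subject",
+"type": "dynamic"
+},
+{
+"name": "texts",
+"type": "string"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "EventVendor",
+"type": "string"
+},
+{
+"name": "EventProduct",
+"type": "string"
+},
+{
+"name": "EventSeverity",
+"type": "string"
+},
+{
+"name": "TargetModel",
+"type": "dynamic"
+},
+{
+"name": "DvcOsVersion",
+"type": "dynamic"
+},
+{
+"name": "TargetHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcId",
+"type": "dynamic"
+},
+{
+"name": "EventType",
+"type": "string"
+},
+{
+"name": "ActingProcessId",
+"type": "dynamic"
+},
+{
+"name": "ActingProcessName",
+"type": "dynamic"
+},
+{
+"name": "ParentProcessName",
+"type": "dynamic"
+},
+{
+"name": "ParentProcessId",
+"type": "dynamic"
+},
+{
+"name": "ParentProcessGuid",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessName",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessId",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessGuid",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessSHA256",
+"type": "dynamic"
+},
+{
+"name": "TargetUserId",
+"type": "dynamic"
+},
+{
+"name": "TargetUsername",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessCommandLine",
+"type": "dynamic"
+},
+{
+"name": "ActorUsername",
+"type": "dynamic"
+},
+{
+"name": "ActorUserId",
+"type": "dynamic"
+},
+{
+"name": "GroupName",
+"type": "dynamic"
+},
+{
+"name": "GroupID",
+"type": "dynamic"
+},
+{
+"name": "EffectiveGroupName",
+"type": "dynamic"
+},
+{
+"name": "EffectiveGroupID",
+"type": "dynamic"
+},
+{
+"name": "DstIpAddr",
+"type": "dynamic"
+},
+{
+"name": "DstPortNumber",
+"type": "dynamic"
+},
+{
+"name": "NetworkProtocolVersion",
+"type": "string"
+},
+{
+"name": "SrcIpAddr",
+"type": "dynamic"
+},
+{
+"name": "TargetBinarySHA256",
+"type": "dynamic"
+},
+{
+"name": "TargetbinarySignerType",
+"type": "string"
+},
+{
+"name": "TargetBinarySigningTeamID",
+"type": "string"
+},
+{
+"name": "TargetBinarySigningAppID",
+"type": "string"
+},
+{
+"name": "TargetFilePath",
+"type": "dynamic"
+}
+]
+},
+"totalRetentionInDays": 30
+}
+}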
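Review bot: Columns such as `exec_env`, `exec_args`, `arguments` and `TargetProcessCommandLine` presumably carry process environments and command lines, which often contain tokens or passwords, and nothing in the commit tells the workspace owner so. Consider adding a sentence to the connector's `descriptionMarkdown`, for example `Telemetry tables may contain command-line arguments and environment variables; restrict read access to these tables accordingly.` The 30-day `totalRetentionInDays` set here and in the other table files is also worth confirming against the investigation window the SOC expects.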
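--- a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table3.json
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table3.json
@@ -0,0 +1,99 @@
+{
+"name": "jamfprotecttelemetryv2_CL",
+"type": "Microsoft.OperationalInsights/workspaces/tables",
+"apiVersion": "2021-03-01-privatepreview",
+"tags": {},
+"properties": {
+"plan": "Analytics",
+"schema": {
+"name": "jamfprotecttelemetryv2_CL",
+"columns": [
+{
+"name": "action",
+"type": "dynamic"
+},
+{
+"name": "event",
+"type": "dynamic"
+},
+{
+"name": "EventOriginalType",
+"type": "int"
+},
+{
+"name": "EventCount",
+"type": "int"
+},
+{
+"name": "process",
+"type": "dynamic"
+},
+{
+"name": "thread",
+"type": "dynamic"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "EventOriginalUid",
+"type": "string"
+},
+{
+"name": "EventVendor",
+"type": "dynamic"
+},
+{
+"name": "EventProduct",
+"type": "dynamic"
+},
+{
+"name": "EventSchemaVersion",
+"type": "dynamic"
+},
+{
+"name": "EventProductVersion",
+"type": "dynamic"
+},
+{
+"name": "EventSeverity",
+"type": "string"
+},
+{
+"name": "TargetHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcSerial",
+"type": "dynamic"
+},
+{
+"name": "DvcIpAddr",
+"type": "dynamic"
+},
+{
+"name": "DvcId",
+"type": "dynamic"
+},
+{
+"name": "DvcOs",
+"type": "string"
+},
+{
+"name": "DvcOsVersion",
+"type": "dynamic"
+},
+{
+"name": "SrcDeviceType",
+"type": "string"
+}
+]
+},
+"totalRetentionInDays": 30
+}
+}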
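--- a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table4.json
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table4.json
@@ -0,0 +1,115 @@
+{
+"name": "jamfprotectunifiedlogs_CL",
+"type": "Microsoft.OperationalInsights/workspaces/tables",
+"apiVersion": "2021-03-01-privatepreview",
+"tags": {},
+"properties": {
+"plan": "Analytics",
+"schema": {
+"name": "jamfprotectunifiedlogs_CL",
+"columns": [
+{
+"name": "input",
+"type": "dynamic"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "EventProductVersion",
+"type": "dynamic"
+},
+{
+"name": "EventSeverity",
+"type": "string"
+},
+{
+"name": "EventOriginalType",
+"type": "dynamic"
+},
+{
+"name": "EventOriginalUid",
+"type": "dynamic"
+},
+{
+"name": "EventType",
+"type": "string"
+},
+{
+"name": "EventResult",
+"type": "string"
+},
+{
+"name": "EventMessage",
+"type": "dynamic"
+},
+{
+"name": "EventResultMessage",
+"type": "dynamic"
+},
+{
+"name": "TargetHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcHostname",
+"type": "dynamic"
+},
+{
+"name": "DvcSerial",
+"type": "dynamic"
+},
+{
+"name": "DvcIpAddr",
+"type": "dynamic"
+},
+{
+"name": "DvcId",
+"type": "dynamic"
+},
+{
+"name": "DvcOs",
+"type": "string"
+},
+{
+"name": "DvcOsVersion",
+"type": "dynamic"
+},
+{
+"name": "SrcDeviceType",
+"type": "string"
+},
+{
+"name": "ProcessEventType",
+"type": "string"
+},
+{
+"name": "ProcessEventSubType",
+"type": "string"
+},
+{
+"name": "TargetProcessName",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessId",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessGuid",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessCommandLine",
+"type": "dynamic"
+},
+{
+"name": "TargetProcessCurrentDirectory",
+"type": "dynamic"
+}
+]
+},
+"totalRetentionInDays": 30
+}
+}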
5 changes: 3 additions & 2 deletions Solutions/Jamf Protect/Data/Solution_JamfProtect.json
@@ -4,7 +4,8 @@
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/jamf_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
"Data Connectors": [
"Data Connectors/JamfProtect.json"
"Data Connectors/JamfProtect.json",
"Data Connectors/JamfProtect_ccp/connectorDefinition.json"
],
"Parsers": [
"Parsers/JamfProtect.yaml"
@@ -32,7 +33,7 @@
"Playbooks/JamfProtect_Alert_Status_Resolved/azuredeploy.json",
"Playbooks/JamfProtect_LockComputer_with_JamfPro/azuredeploy.json"
],
"BasePath": "/Users/thijs.xhaflaire/Documents/GitHub/Microsoft/Azure-Sentinel/Solutions/Jamf Protect",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Jamf Protect",
"Version": "3.1.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
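Review bot: `"Version": "3.1.1"` in the second hunk is unchanged although the commit adds a data connector, rewrites `Package/3.1.1.zip` in place and introduces a metadata file with `"SolutionVersion":"3.2.0"`. Changing the contents of an already numbered package means two different artifacts share one version, which makes it hard to tell which build a workspace installed; bump to `"Version": "3.2.0"` and publish a new zip. `BasePath` holds an absolute path from a developer machine on both printed lines; if the packaging tool allows it, a repository-relative path keeps local user names and directory layouts out of the repository.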
Binary file modified Solutions/Jamf Protect/Package/3.1.1.zip
Binary file not shown.
6 changes: 3 additions & 3 deletions Solutions/Jamf Protect/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/jamf_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Jamf%20Protect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 7, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/jamf_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Jamf%20Protect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 7, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -64,10 +64,10 @@
}
},
{
"name": "dataconnectors-parser-text",
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
"text": "This Solution installs the data connector for Jamf Protect. You can get Jamf Protect data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
1,988 changes: 1,816 additions & 172 deletions Solutions/Jamf Protect/Package/mainTemplate.json

Large diffs are not rendered by default.

14 changes: 14 additions & 0 deletions Solutions/Jamf Protect/Package/testParameters.json
@@ -21,6 +21,20 @@
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"resourceGroupName": {
"type": "string",
"defaultValue": "[resourceGroup().name]",
"metadata": {
"description": "resource group name where Microsoft Sentinel is setup"
}
},
"subscription": {
"type": "string",
"defaultValue": "[last(split(subscription().id, '/'))]",
"metadata": {
"description": "subscription id where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Jamf Protect Workbook",
1,654 changes: 845 additions & 809 deletions Solutions/Jamf Protect/Parsers/JamfProtect.yaml

Large diffs are not rendered by default.
