diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/DCR.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/DCR.json new file mode 100644 index 00000000000..b8ed113ca42 --- /dev/null +++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/DCR.json 
@@ -0,0 +1,277 @@ +{ + "name": "JamfProtectCustomDCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "properties": { + "streamDeclarations": { + "Custom-jamfprotecttelemetryv2": { + "columns": [ + { + "name": "action", + "type": "dynamic" + }, + { + "name": "action_type", + "type": "int" + }, + { + "name": "deadline", + "type": "int" + }, + { + "name": "event", + "type": "dynamic" + }, + { + "name": "event_type", + "type": "int" + }, + { + "name": "glob_seq_num", + "type": "int" + }, + { + "name": "host", + "type": "dynamic" + }, + { + "name": "mach_time", + "type": "long" + }, + { + "name": "metadata", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "seq_num", + "type": "int" + }, + { + "name": "thread", + "type": "dynamic" + }, + { + "name": "time", + "type": "datetime" + }, + { + "name": "uuid", + "type": "string" + }, + { + "name": "version", + "type": "int" + } + ] + }, + "Custom-jamfprotectunifiedlogs": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "caid", + "type": "string" + }, + { + "name": "certid", + "type": "string" + }, + { + "name": "input", + "type": "dynamic" + } + ] + }, + "Custom-jamfprotecttelemetryv1": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "arguments", + "type": "dynamic" + }, + { + "name": "exec_chain", + "type": "dynamic" + }, + { + "name": "header", + "type": "dynamic" + }, + { + "name": "host_info", + "type": "dynamic" + }, + { + "name": "key", + "type": "string" + }, + { + "name": "return", + "type": "dynamic" + }, + { + "name": "subject", + "type": "dynamic" + }, + { + "name": "identity", + "type": "dynamic" + }, + { + "name": "texts", + "type": "string" + }, + { + "name": "metrics", + "type": "dynamic" + }, + { + "name": "page_info", + "type": "dynamic" + }, + { + "name": "attributes", + "type": "dynamic" + }, + 
{ + "name": "exec_chain_child", + "type": "dynamic" + }, + { + "name": "path", + "type": "dynamic" + }, + { + "name": "_event_score", + "type": "int" + }, + { + "name": "contents", + "type": "string" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "socket_inet", + "type": "dynamic" + }, + { + "name": "exit", + "type": "dynamic" + }, + { + "name": "exec_args", + "type": "dynamic" + }, + { + "name": "exec_env", + "type": "dynamic" + }, + { + "name": "exec_chain_parent", + "type": "dynamic" + }, + { + "name": "architecture", + "type": "string" + }, + { + "name": "bios_firmware_versions", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "rateLimitingSeconds", + "type": "int" + } + ] + }, + "Custom-jamfprotectalerts": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "caid", + "type": "string" + }, + { + "name": "certid", + "type": "string" + }, + { + "name": "input", + "type": "dynamic" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-jamfprotecttelemetryv2" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = metadata.vendor,\n EventProduct = metadata.product,\n EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = host.protectVersion,\n EventSeverity = \"Informational\",\n //\n // Jamf Protect - Device Hostnames\n TargetHostname = host.hostname,\n DvcHostname = host.hostname,\n DvcSerial = host.serial,\n DvcIpAddr = host.ips,\n DvcId = host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = host.os,\n SrcDeviceType = \"Computer\"\n| project-rename\n TimeGenerated = ['time'],\n EventOriginalUid = uuid,\n EventOriginalType = event_type,\n EventCount = glob_seq_num\n| project-away\n metadata,\n host,\n seq_num,\n version,\n deadline,\n 
mach_time,\n action_type\n\n", + "outputStream": "Custom-jamfprotecttelemetryv2_CL" + }, + { + "streams": [ + "Custom-jamfprotectunifiedlogs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Unified Log Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = \"UnifiedLog\",\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.event.name,\n EventResultMessage = input.match.event.composedMessage,\n // EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", input.match.uuid),\n // //\n // // Jamf Protect - Device Hostnames\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n // Jamf Protect - Event Details\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = \"Create\",\n ProcessEventSubType = \"Exec\",\n TargetProcessName = tostring(input.match.event.process),\n TargetProcessId = toreal(input.match.event.processIdentifier),\n TargetProcessGuid = tostring(input.match.event.uuid),\n TargetProcessCommandLine = input.match.event.process.args,\n TargetProcessCurrentDirectory = input.match.event.processImagePath\n| project-away\n caid,\n certid\n\n", + "outputStream": "Custom-jamfprotectunifiedlogs_CL" + }, + { + "streams": [ + "Custom-jamfprotecttelemetryv1" + ], + "destinations": [ + "clv2ws1" + ], + 
"transformKql": "source\n// ASIM - Common Fields\n| extend EventVendor = 'Jamf'\n| extend EventProduct = 'Device Telemetry Stream'\n// Data Field Normalization\n| extend\n EventSeverity = \"Informational\",\n //\n // Jamf Protect Telemetry - Endpoint Information\n //\n TargetModel = metrics.hw_model,\n DvcOsVersion = host_info.osversion,\n TargetHostname = host_info.host_name,\n DvcHostname = host_info.host_name,\n DvcId = host_info.host_uuid,\n // Jamf Protect - Event Types\n EventType = case(\n header.event_name == \"AUE_add_to_group\",\n \"UserAddedToGroup\",\n header.event_name == \"AUE_AUDITCTL\",\n \"AuditEvent\",\n header.event_name == \"AUE_AUDITON_SPOLICY\",\n \"AuditEvent\",\n header.event_name == \"AUE_auth_user\",\n \"Elevate\",\n header.event_name == \"AUE_BIND\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_BIOS_FIRMWARE_VERSIONS\",\n \"SystemInformation\",\n header.event_name == \"AUE_CHDIR\",\n \"FolderMoved\",\n header.event_name == \"AUE_CHROOT\",\n \"FolderModified\",\n header.event_name == \"AUE_CONNECT\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_create_group\",\n \"GroupCreated\",\n header.event_name == \"AUE_create_user\",\n \"UserCreated\",\n header.event_name == \"AUE_delete_group\",\n \"GroupDeleted\",\n header.event_name == \"AUE_delete_user\",\n \"UserDeleted\",\n header.event_name == \"AUE_EXECVE\",\n \"ProcessCreated\",\n header.event_name == \"AUE_EXIT\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_FORK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_GETAUID\",\n \"\",\n header.event_name == \"AUE_KILL\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_LISTEN\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_logout\",\n \"Logoff\",\n header.event_name == \"AUE_lw_login\",\n \"Logon\",\n header.event_name == \"AUE_MAC_SET_PROC\",\n \"AuditEvent\",\n header.event_name == \"AUE_modify_group\",\n \"GroupModified\",\n header.event_name == \"AUE_modify_password\",\n 
\"PasswordChanged\",\n header.event_name == \"AUE_modify_user\",\n \"UserModified\",\n header.event_name == \"AUE_MOUNT\",\n \"VolumeMount\",\n header.event_name == \"AUE_openssh\",\n \"SshInitiated\",\n header.event_name == \"AUE_PIDFORTASK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_POSIX_SPAWN\",\n \"ProcessCreated\",\n header.event_name == \"AUE_remove_from_group\",\n \"UserRemovedFromGroup\",\n header.event_name == \"AUE_SESSION_CLOSE\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_END\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_START\",\n \"Logon\",\n header.event_name == \"AUE_SESSION_UPDATE\",\n \"\",\n header.event_name == \"AUE_SETPRIORITY\",\n \"\",\n header.event_name == \"AUE_SETSOCKOPT\",\n \"\",\n header.event_name == \"AUE_SETTIMEOFDAY\",\n \"SystemChange\",\n header.event_name == \"AUE_shutdown\",\n \"ShutdownInitiated\",\n header.event_name == \"AUE_SOCKETPAIR\",\n \"\",\n header.event_name == \"AUE_ssauthint\",\n \"Elevate\",\n header.event_name == \"AUE_ssauthmech\",\n \"Elevate\",\n header.event_name == \"AUE_ssauthorize\",\n \"Elevate\",\n header.event_name == \"AUE_TASKFORPID\",\n \"\",\n header.event_name == \"AUE_TASKNAMEFORPID\",\n \"\",\n header.event_name == \"AUE_UNMOUNT\",\n \"VolumeUnmount\",\n header.event_name == \"AUE_WAIT4\",\n \"ProcessTerminated\",\n header.event_name == \"PLAINTEXT_LOG_COLLECTION_EVENT\",\n \"LogFileCollected\",\n header.event_name == \"SYSTEM_PERFORMANCE_METRICS\",\n \"SystemPerformanceMetrics\",\n \"Unknown\"\n ),\n //\n // Jamf Protect Telemetry - Process\n //\n ActingProcessId = toreal(subject.responsible_process_id),\n ActingProcessName = tostring(subject.responsible_process_name),\n ParentProcessName = tostring(subject.parent_path),\n ParentProcessId = toreal(subject.parent_pid),\n ParentProcessGuid = tostring(subject.parent_uuid),\n TargetProcessName = tostring(subject.process_name),\n TargetProcessId = toreal(subject.process_id),\n TargetProcessGuid = 
tostring(exec_chain.uuid),\n TargetProcessSHA256 = tostring(subject.process_hash),\n TargetUserId = toreal(subject.user_id),\n TargetUsername = tostring(subject.user_name),\n TargetProcessCommandLine = exec_args.args_compiled,\n ActorUsername = tostring(subject.effective_user_name),\n ActorUserId = toreal(subject.audit_user_name),\n //\n // Jamf Protect Telemetry - Audit/Group\n //\n GroupName = tostring(subject.group_name),\n GroupID = toreal(subject.group_id),\n EffectiveGroupName = tostring(subject.effective_group_name),\n EffectiveGroupID = toreal(subject.effective_group_id),\n //\n // Jamf Protect Telemetry - Network\n //\n DstIpAddr = socket_inet.ip_address,\n DstPortNumber = socket_inet.port,\n NetworkProtocolVersion = case(socket_inet.id == 128, \"IPV4\", socket_inet.id == 129, \"IPV6\", \"\"),\n SrcIpAddr = subject.terminal.id.ip.address,\n //\n // Jamf Protect Telemetry - Binaries\n //\n TargetBinarySHA256 = tostring(identity.cd_hash),\n TargetbinarySignerType = case(identity.signer_type == 0, \"Developer\", identity.signer_type == 1, \"Apple\", \"\"),\n TargetBinarySigningTeamID = tostring(identity.team_id),\n TargetBinarySigningAppID = tostring(identity.signer_id),\n //\n // Jamf Protect Telemetry - Log File Collection\n //\n TargetFilePath = path\n| project-away _event_score\n\n", + "outputStream": "Custom-jamfprotecttelemetryv1_CL" + }, + { + "streams": [ + "Custom-jamfprotectalerts" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Alerts Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = case(\n 
input.eventType == \"GPClickEvent\",\n \"Click\",\n input.eventType == \"GPDownloadEvent\",\n \"Download\",\n input.eventType == \"GPFSEvent\",\n \"FileSystem\",\n input.eventType == \"GPProcessEvent\",\n \"Process\",\n input.eventType == \"GPKeylogRegisterEvent\",\n \"Keylog\",\n input.eventType == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input.eventType == \"GPMRTEvent\",\n \"MRT\",\n input.eventType == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input.eventType == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input.eventType == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input.eventType == \"GPUSBEvent\",\n \"USB\",\n input.eventType == \"auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.facts[0].name,\n EventResultMessage = input.match.facts[0].human,\n //\n // Jamf Protect - Device Hostnames\n //\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = case(input.match.event.type == 0, \"None\", input.match.event.type == 1, \"Create\", input.match.event.type == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input.match.event.subType == 7, \"Exec\", input.match.event.subType == 1, \"Fork\", input.match.event.subType == 23, \"Execve\", input.match.event.subType == 43190, \"Posix Spawn\", \"\"),\n ActingProcessName = tostring(input.related.processes[array_length(input.related.processes) - 1].path),\n ActingProcessId = toreal(input.related.processes[0].responsiblePID),\n ActingProcessGuid = tostring(input.related.processes[array_length(input.related.processes) - 1].uuid),\n ParentProcessName = todynamic(iff(array_length(input.related.processes) > 1, 
tostring(input.related.processes[1].path), \"\")),\n ParentProcessId = iff(array_length(input.related.processes) > 1, toreal(input.related.processes[1].pid), double(null)),\n ParentProcessGuid = tostring(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].uuid), \"\")),\n TargetProcessName = todynamic(input.related.processes[0].name),\n TargetProcessId = input.related.processes[0].pid,\n TargetProcessGuid = input.related.processes[0].uuid,\n TargetProcessSHA1 = tostring(input.related.binaries[0].sha1hex),\n TargetProcessSHA256 = tostring(input.related.binaries[0].sha256hex),\n TargetProcessCommandLine = input.related.processes[0].args,\n TargetProcessCurrentDirectory = tostring(input.related.processes[0].path),\n TargetProcessStatusCode = toreal(input.related.processes[0].exitCode),\n //\n // Jamf Protect Alerts - Files\n //\n TargetFilePath = input.related.files[0].path,\n TargetFileSHA1 = input.related.files[0].sha1hex,\n TargetFileSHA256 = input.related.files[0].sha256hex,\n TargetFileSize = input.related.files[0].size,\n TargetFileSigningInfoMessage = input.related.files[0].signingInfo.statusMessage,\n TargetFileSignerType = case(input.related.files[0].signingInfo.signerType == 0, \"Apple\", input.related.files[0].signingInfo.signerType == 1, \"App Store\", input.related.files[0].signingInfo.signerType == 2, \"Developer\", input.related.files[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = input.related.files[0].signingInfo.teamid,\n TargetFileIsDownload = tobool(input.related.files[0].isDownload),\n TargetFileIsAppBundle = tobool(input.related.files[0].isAppBundle),\n TargetFileIsDirectory = tobool(input.related.files[0].isDirectory),\n TargetFileIsScreenshot = tobool(input.related.files[0].isScreenShot),\n TargetFileExtendedAttributes = input.related.files[0].xattrs,\n // Jamf Protect Alerts - Binaries\n TargetBinaryFilePath = 
input.related.binaries[0].path,\n TargetBinarySHA1 = input.related.binaries[0].sha1hex,\n TargetBinarySHA256 = input.related.binaries[0].sha256hex,\n TargetBinarySigningInfoMessage = input.related.binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(input.related.binaries[0].signingInfo.signerType == 0, \"Apple\", input.related.binaries[0].signingInfo.signerType == 1, \"App Store\", input.related.binaries[0].signingInfo.signerType == 2, \"Developer\", input.related.binaries[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.binaries[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetBinarySigningTeamID = input.related.binaries[0].signingInfo.teamid,\n TargetBinarySigningAppID = input.related.binaries[0].signingInfo.appid\n| project-away\n caid,\n certid\n", + "outputStream": "Custom-jamfprotectalerts_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } +} \ No newline at end of file diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json new file mode 100644 index 00000000000..12b31926519 --- /dev/null +++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/connectorDefinition.json 
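Review bot: In the alerts transform the three Acting* fields do not describe the same process: `ActingProcessName` and `ActingProcessGuid` read the last element of `input.related.processes` while `ActingProcessId = toreal(input.related.processes[0].responsiblePID)` reads the first, so a detection that pairs name and PID can attribute activity to the wrong binary; use one index for all three, e.g. `ActingProcessId = toreal(input.related.processes[array_length(input.related.processes) - 1].pid)`, or add a KQL comment explaining why responsiblePID of element 0 is intended. In the telemetry v1 transform `ActorUserId = toreal(subject.audit_user_name)` converts a user name to a number, which yields null for any non-numeric name, so ActorUserId will almost always be empty — it presumably should read an id field (verify the exact name against the Jamf telemetry schema). `TargetBinarySHA256 = tostring(identity.cd_hash)` stores what looks like Apple's code-directory hash under a column named SHA256; if cd_hash is not a file digest, hash-based IOC matching on this column will silently never hit, so either rename the column or add a comment stating what it holds. The signer-type enum is also mapped differently here (`0 → "Developer", 1 → "Apple"`) than in the alerts transform (`0 → "Apple", 2 → "Developer"`) for the same `TargetbinarySignerType` column — confirm the two streams really use different enums.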
@@ -0,0 +1,208 @@ +{ + "name": "JamfProtectPush", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "JamfProtectPush", + "title": "Jamf Protect Push Connector", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Telemetry", + "legend": "jamfprotecttelemetryv2_CL", + "baseQuery": "jamfprotecttelemetryv2_CL" + }, + { + "metricName": "Unified Logs", + "legend": "jamfprotectunifiedlogs_CL", + "baseQuery": "jamfprotectunifiedlogs_CL" + }, + { + "metricName": "Telemetry (Legacy)", + "legend": "jamfprotecttelemetryv1_CL", + "baseQuery": "jamfprotecttelemetryv1_CL" + }, + { + "metricName": "Alerts", + "legend": "jamfprotectalerts_CL", + "baseQuery": "jamfprotectalerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All Alerts", + "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All Telemetry events", + "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "jamfprotecttelemetryv2_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectunifiedlogs_CL", + "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotecttelemetryv1_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectalerts_CL", + "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = 
max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotecttelemetryv2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "availability": { + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" + } + ] + }, + "instructionSteps": [ + { + "title": "1. 
Create ARM Resources and Provide the Required Permissions", + "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Jamf Protect connector resources", + "applicationDisplayName": "Jamf Protect Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Push your logs into the workspace", + "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", + "instructions": [ + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the Application Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCE Uri", + "fillWith": [ + "DataCollectionEndpoint" + ], + "placeholder": "Deploy push connector to get the DCR Uri" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCR Immutable ID", + "fillWith": [ + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the DCR ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry Stream ID", + "value": "Custom-jamfprotecttelemetryv1_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Unified Logs Stream ID", + "value": "Custom-jamfprotectunifiedlogs_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry (Legacy) Stream ID", + "value": "Custom-jamfprotecttelemetryv2_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Alerts Stream ID", + "value": "Custom-jamfprotectalerts_CL" + }, + "type": "CopyableLabel" + } + ] + } + ] + } + } + } \ No newline at end of file diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/dataConnector.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/dataConnector.json new file mode 100644 index 00000000000..ae9f219ca93 --- /dev/null 
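Review bot: The stream-ID labels in step 2 are swapped relative to the rest of the file: `"label": "Telemetry Stream ID"` is paired with `Custom-jamfprotecttelemetryv1_CL` and `"label": "Telemetry (Legacy) Stream ID"` with `Custom-jamfprotecttelemetryv2_CL`, whereas graphQueries calls v1 the legacy table; an operator following these labels pushes events into a stream whose transform and table schema do not match, and ASIM-column detections silently get nothing. The values also carry a `_CL` suffix that the DCR's streamDeclarations and dataConnector.json's `streamName` do not — confirm which name the ingestion endpoint expects and use it consistently. The sample query `jamfprotecttelemetry_CL` references a table this connector does not create; it should be `jamfprotecttelemetryv2_CL` (or v1). Since the Entra application secret surfaced by the `ApplicationSecret` CopyableLabel is the only credential gating ingestion into the DCE, the step description should tell the admin to store it only in the Jamf Protect forwarding configuration and rotate it periodically, and the typo `configure the your machine` should be fixed while editing that text.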
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/dataConnector.json
@@ -0,0 +1,25 @@
+{
+ "name": "JamfProtectPushConnectorPolling",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Push",
+ "properties": {
+ "connectorDefinitionName": "JamfProtectPush",
+ "dcrConfig": {
+ "streamName": "Custom-jamfprotecttelemetryv2",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "auth": {
+ "type": "Push",
+ "AppId": "[[parameters('auth').appId]",
+ "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]"
+ },
+ "request": {},
+ "response": {
+ "eventsJsonPaths": [
+ "$.messages"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/solutionMetadata.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/solutionMetadata.json
new file mode 100644
index 00000000000..6fca438aa2e
--- /dev/null
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/solutionMetadata.json
@@ -0,0 +1,11 @@
+{
+ "SolutionName":"Jamf Protect for Microsoft Sentinel",
+ "SolutionAuthor": "Thijs Xhaflaire",
+ "SolutionVersion":"3.2.0",
+ "PackageId": "azuresentinel.azure-sentinel-solution-JamfProtectPushV1",
+ "TemplateName": "JamfProtectPushV1",
+ "ConnectorDefinitionTemplateVersion": "1.0.0",
+ "DataConnectorsTemplateVersion": "1.0.0",
+ "PackageIcon":"JamfProtect",
+ "SolutionTier": "Partner"
+}
\ No newline at end of file
diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table.json
new file mode 100644
index 00000000000..eb812edc9c2
--- /dev/null
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table.json
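Review bot: `"name": "JamfProtectPushConnectorPolling"` labels a `"kind": "Push"` connector as a polling one, which will mislead anyone auditing the workspace's connector resources; rename it to `JamfProtectPushConnector`. `dcrConfig.streamName` names only `Custom-jamfprotecttelemetryv2`, while DCR.json declares four streams (telemetry v1, unified logs and alerts as well); if this value is what binds the connector to the DCR, the other three streams are not wired by this resource — confirm whether the platform needs one Push connector per stream or accepts any declared stream at the DCE.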
@@ -0,0 +1,236 @@ +{ + "name": "jamfprotectalerts_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotectalerts_CL", + "columns": [ + { + "name": "input", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + }, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "EventOriginalType", + "type": "dynamic" + }, + { + "name": "EventOriginalUid", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventResult", + "type": "string" + }, + { + "name": "EventMessage", + "type": "dynamic" + }, + { + "name": "EventResultMessage", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + }, + { + "name": "ProcessEventType", + "type": "string" + }, + { + "name": "ProcessEventSubType", + "type": "string" + }, + { + "name": "ActingProcessName", + "type": "string" + }, + { + "name": "ActingProcessId", + "type": "real" + }, + { + "name": "ActingProcessGuid", + "type": "string" + }, + { + "name": "ParentProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessId", + "type": "real" + }, + { + "name": "ParentProcessGuid", + "type": "string" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": 
"dynamic" + }, + { + "name": "TargetProcessSHA1", + "type": "string" + }, + { + "name": "TargetProcessSHA256", + "type": "string" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "TargetProcessCurrentDirectory", + "type": "string" + }, + { + "name": "TargetProcessStatusCode", + "type": "real" + }, + { + "name": "TargetFilePath", + "type": "dynamic" + }, + { + "name": "TargetFileSHA1", + "type": "dynamic" + }, + { + "name": "TargetFileSHA256", + "type": "dynamic" + }, + { + "name": "TargetFileSize", + "type": "dynamic" + }, + { + "name": "TargetFileSigningInfoMessage", + "type": "dynamic" + }, + { + "name": "TargetFileSignerType", + "type": "string" + }, + { + "name": "TargetFileSigningTeamID", + "type": "dynamic" + }, + { + "name": "TargetFileIsDownload", + "type": "boolean" + }, + { + "name": "TargetFileIsAppBundle", + "type": "boolean" + }, + { + "name": "TargetFileIsDirectory", + "type": "boolean" + }, + { + "name": "TargetFileIsScreenshot", + "type": "boolean" + }, + { + "name": "TargetFileExtendedAttributes", + "type": "dynamic" + }, + { + "name": "TargetBinaryFilePath", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA1", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA256", + "type": "dynamic" + }, + { + "name": "TargetBinarySigningInfoMessage", + "type": "dynamic" + }, + { + "name": "TargetbinarySignerType", + "type": "string" + }, + { + "name": "TargetBinarySigningTeamID", + "type": "dynamic" + }, + { + "name": "TargetBinarySigningAppID", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } + } + \ No newline at end of file diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table2.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table2.json new file mode 100644 index 00000000000..b3286c3b049 --- /dev/null +++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table2.json 
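Review bot: `"totalRetentionInDays": 30` caps total retention (interactive plus archive) of Jamf Protect alert data at 30 days, which is shorter than the lookback most endpoint-compromise investigations need and, as far as I can tell, overrides whatever retention the workspace owner configured; the same value is set in the other three table files. Consider dropping the property so the table inherits the workspace setting, or exposing it as a template parameter with a larger default. `"apiVersion": "2021-03-01-privatepreview"` is also a private-preview API in a partner solution; a public-preview or GA tables API version would be the safer choice.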
@@ -0,0 +1,263 @@ +{ + "name": "jamfprotecttelemetryv1_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotecttelemetryv1_CL", + "columns": [ + { + "name": "architecture", + "type": "string" + }, + { + "name": "arguments", + "type": "dynamic" + }, + { + "name": "attributes", + "type": "dynamic" + }, + { + "name": "bios_firmware_versions", + "type": "dynamic" + }, + { + "name": "contents", + "type": "string" + }, + { + "name": "exec_args", + "type": "dynamic" + }, + { + "name": "exec_chain", + "type": "dynamic" + }, + { + "name": "exec_chain_child", + "type": "dynamic" + }, + { + "name": "exec_chain_parent", + "type": "dynamic" + }, + { + "name": "exec_env", + "type": "dynamic" + }, + { + "name": "exit", + "type": "dynamic" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "header", + "type": "dynamic" + }, + { + "name": "host_info", + "type": "dynamic" + }, + { + "name": "identity", + "type": "dynamic" + }, + { + "name": "key", + "type": "string" + }, + { + "name": "metrics", + "type": "dynamic" + }, + { + "name": "page_info", + "type": "dynamic" + }, + { + "name": "path", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "rateLimitingSeconds", + "type": "int" + }, + { + "name": "return", + "type": "dynamic" + }, + { + "name": "socket_inet", + "type": "dynamic" + }, + { + "name": "subject", + "type": "dynamic" + }, + { + "name": "texts", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "TargetModel", + "type": "dynamic" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", 
+ "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "ActingProcessId", + "type": "dynamic" + }, + { + "name": "ActingProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessId", + "type": "dynamic" + }, + { + "name": "ParentProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessSHA256", + "type": "dynamic" + }, + { + "name": "TargetUserId", + "type": "dynamic" + }, + { + "name": "TargetUsername", + "type": "dynamic" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "ActorUsername", + "type": "dynamic" + }, + { + "name": "ActorUserId", + "type": "dynamic" + }, + { + "name": "GroupName", + "type": "dynamic" + }, + { + "name": "GroupID", + "type": "dynamic" + }, + { + "name": "EffectiveGroupName", + "type": "dynamic" + }, + { + "name": "EffectiveGroupID", + "type": "dynamic" + }, + { + "name": "DstIpAddr", + "type": "dynamic" + }, + { + "name": "DstPortNumber", + "type": "dynamic" + }, + { + "name": "NetworkProtocolVersion", + "type": "string" + }, + { + "name": "SrcIpAddr", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA256", + "type": "dynamic" + }, + { + "name": "TargetbinarySignerType", + "type": "string" + }, + { + "name": "TargetBinarySigningTeamID", + "type": "string" + }, + { + "name": "TargetBinarySigningAppID", + "type": "string" + }, + { + "name": "TargetFilePath", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } +} diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table3.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table3.json new file mode 100644 index 00000000000..f523f6ac233 --- /dev/null 
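Review bot: The identifier columns in this schema (`ActingProcessId`, `ParentProcessId`, `TargetProcessId`, `TargetUserId`, `GroupID`, `EffectiveGroupID`) are declared `dynamic` while table.json declares `ActingProcessId` and `ParentProcessId` as `real`, and the DCR transform feeds them with `toreal(...)`; `TargetBinarySigningTeamID` is `string` here but `dynamic` in the alerts table. A query that unions the alert and telemetry tables on these ASIM names may hit type conflicts or need per-table casts, which is easy to get wrong in a detection rule. Aligning the types across the four table files, e.g. `{ "name": "ActingProcessId", "type": "real" }`, would let one rule span both tables. I cannot tell from here whether ingestion coerces mismatched types silently, so this is worth a test with a sample record.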
+++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table3.json @@ -0,0 +1,99 @@ +{ + "name": "jamfprotecttelemetryv2_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotecttelemetryv2_CL", + "columns": [ + { + "name": "action", + "type": "dynamic" + }, + { + "name": "event", + "type": "dynamic" + }, + { + "name": "EventOriginalType", + "type": "int" + }, + { + "name": "EventCount", + "type": "int" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "thread", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventOriginalUid", + "type": "string" + }, + { + "name": "EventVendor", + "type": "dynamic" + }, + { + "name": "EventProduct", + "type": "dynamic" + }, + { + "name": "EventSchemaVersion", + "type": "dynamic" + }, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + } + ] + }, + "totalRetentionInDays": 30 + } +} diff --git a/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table4.json b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table4.json new file mode 100644 index 00000000000..1bbe8388cdb --- /dev/null +++ b/Solutions/Jamf Protect/Data Connectors/JamfProtect_ccp/table4.json 
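Review bot: `EventCount` is declared `int` here and, in DCR.json, populated by `project-rename EventCount = glob_seq_num`; in ASIM EventCount is the number of source events aggregated into a row, so any rule or workbook that sums EventCount over this table will be adding up sequence numbers. Keep the value under its original name (`{ "name": "glob_seq_num", "type": "int" }` and drop the rename in the transform) or set `EventCount = 1`. Note also that `EventVendor`, `EventProduct` and `EventSchemaVersion` are `dynamic` in this schema but `string` in the alerts and telemetry v1 tables, which complicates cross-table filtering on vendor.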
@@ -0,0 +1,115 @@
+{
+ "name": "jamfprotectunifiedlogs_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "jamfprotectunifiedlogs_CL",
+ "columns": [
+ {
+ "name": "input",
+ "type": "dynamic"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "EventProductVersion",
+ "type": "dynamic"
+ },
+ {
+ "name": "EventSeverity",
+ "type": "string"
+ },
+ {
+ "name": "EventOriginalType",
+ "type": "dynamic"
+ },
+ {
+ "name": "EventOriginalUid",
+ "type": "dynamic"
+ },
+ {
+ "name": "EventType",
+ "type": "string"
+ },
+ {
+ "name": "EventResult",
+ "type": "string"
+ },
+ {
+ "name": "EventMessage",
+ "type": "dynamic"
+ },
+ {
+ "name": "EventResultMessage",
+ "type": "dynamic"
+ },
+ {
+ "name": "TargetHostname",
+ "type": "dynamic"
+ },
+ {
+ "name": "DvcHostname",
+ "type": "dynamic"
+ },
+ {
+ "name": "DvcSerial",
+ "type": "dynamic"
+ },
+ {
+ "name": "DvcIpAddr",
+ "type": "dynamic"
+ },
+ {
+ "name": "DvcId",
+ "type": "dynamic"
+ },
+ {
+ "name": "DvcOs",
+ "type": "string"
+ },
+ {
+ "name": "DvcOsVersion",
+ "type": "dynamic"
+ },
+ {
+ "name": "SrcDeviceType",
+ "type": "string"
+ },
+ {
+ "name": "ProcessEventType",
+ "type": "string"
+ },
+ {
+ "name": "ProcessEventSubType",
+ "type": "string"
+ },
+ {
+ "name": "TargetProcessName",
+ "type": "dynamic"
+ },
+ {
+ "name": "TargetProcessId",
+ "type": "dynamic"
+ },
+ {
+ "name": "TargetProcessGuid",
+ "type": "dynamic"
+ },
+ {
+ "name": "TargetProcessCommandLine",
+ "type": "dynamic"
+ },
+ {
+ "name": "TargetProcessCurrentDirectory",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "totalRetentionInDays": 30
+ }
+}
diff --git a/Solutions/Jamf Protect/Data/Solution_JamfProtect.json b/Solutions/Jamf Protect/Data/Solution_JamfProtect.json
index 67b25873a60..5eef4739d84 100644
--- a/Solutions/Jamf Protect/Data/Solution_JamfProtect.json
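Review bot: This table has no `EventVendor` or `EventProduct` column, yet the unified-logs transform in mainTemplate (further down in this diff) extends both (`EventVendor = "Jamf"`, `EventProduct = "Unified Log Stream"`); output columns that do not exist in the destination table are presumably discarded at ingestion, so those two ASIM fields would be silently lost for this stream — add the two columns, or drop them from the transform. In the same transform `TargetProcessId` is produced with `toreal(...)` and `TargetProcessName`/`TargetProcessGuid` with `tostring(...)`, while all three are declared `dynamic` here; ASIM models these as strings, so `"type": "string"` with `tostring()` throughout would fit both sides. `TargetProcessCurrentDirectory` is filled from `input.match.event.processImagePath`, which reads as an image path rather than a working directory — worth confirming the intended mapping before the column is used in detections. `EventOriginalType` and `EventOriginalUid` are `dynamic` here but `int`/`string` in table3.json for the same field names.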
+++ b/Solutions/Jamf Protect/Data/Solution_JamfProtect.json
@@ -4,7 +4,8 @@
 "Logo": "",
 "Description": "The [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
 "Data Connectors": [
- "Data Connectors/JamfProtect.json"
+ "Data Connectors/JamfProtect.json",
+ "Data Connectors/JamfProtect_ccp/connectorDefinition.json"
 ],
 "Parsers": [
 "Parsers/JamfProtect.yaml"
@@ -32,7 +33,7 @@
 "Playbooks/JamfProtect_Alert_Status_Resolved/azuredeploy.json",
 "Playbooks/JamfProtect_LockComputer_with_JamfPro/azuredeploy.json"
 ],
- "BasePath": "/Users/thijs.xhaflaire/Documents/GitHub/Microsoft/Azure-Sentinel/Solutions/Jamf Protect",
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Jamf Protect",
 "Version": "3.1.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
diff --git a/Solutions/Jamf Protect/Package/3.1.1.zip b/Solutions/Jamf Protect/Package/3.1.1.zip
index dfab820c162..76bc66d07a2 100644
Binary files a/Solutions/Jamf Protect/Package/3.1.1.zip and b/Solutions/Jamf Protect/Package/3.1.1.zip differ
diff --git a/Solutions/Jamf Protect/Package/createUiDefinition.json b/Solutions/Jamf Protect/Package/createUiDefinition.json
index 5ccb070d126..9b0ece53e37 100644
--- a/Solutions/Jamf Protect/Package/createUiDefinition.json
+++ b/Solutions/Jamf Protect/Package/createUiDefinition.json
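Review bot: `"Version": "3.1.1"` is kept as context in the second hunk while `Package/3.1.1.zip` is replaced in place, even though this commit adds a second data connector, bumps the parser to 3.2.0 and an analytic rule to 1.0.4; two different artifacts published under one version make installed solutions indistinguishable and break the expectation that a released package version is immutable. Bump the solution version (for example `"Version": "3.2.0"`) and regenerate the package under the new file name instead of overwriting the 3.1.1 artifact. `BasePath` is still a contributor-specific absolute path; if the packaging tool accepts it, a repository-relative path keeps this file independent of any individual checkout.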
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Jamf%20Protect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 7, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Jamf%20Protect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Jamf Protect](https://www.jamf.com/solutions/threat-prevention-remediation/) solution for Microsoft Sentinel enables you to ingest [Jamf Protect events](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html#task-4227) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3, **Hunting Queries:** 7, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -64,10 +64,10 @@
 }
 },
 {
- "name": "dataconnectors-parser-text",
+ "name": "dataconnectors2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ "text": "This Solution installs the data connector for Jamf Protect. You can get Jamf Protect data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/Jamf Protect/Package/mainTemplate.json b/Solutions/Jamf Protect/Package/mainTemplate.json
index 4b2df75e1c5..63fec43f380 100644
--- a/Solutions/Jamf Protect/Package/mainTemplate.json
+++ b/Solutions/Jamf Protect/Package/mainTemplate.json
@@ -28,6 +28,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "Jamf Protect Workbook",
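Review bot: In the `@@ -64,10 +64,10 @@` hunk the text block renamed to `dataconnectors2-text` replaces the parser explanation wholesale, yet the solution still ships `Parsers/JamfProtect.yaml` (the description above still counts `**Parsers:** 1`); if the intent was to add a second connector block rather than drop the parser note, keep the `dataconnectors-parser-text` block alongside the new one. In the mainTemplate `@@ -28,6 +28,20 @@` hunk the new `subscription` parameter defaults to `"[last(split(subscription().id, '/'))]"`, which the built-in `"[subscription().subscriptionId]"` expresses directly; the two new descriptions also start lowercase unlike the neighbouring `workspace` parameter, so `"Resource group name where Microsoft Sentinel is setup"` and `"Subscription ID where Microsoft Sentinel is setup"` would keep the portal form consistent. Nothing in the visible hunks consumes `resourceGroupName` or `subscription`; presumably the CCP connector resources later in the template do.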
@@ -53,11 +67,18 @@
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
 "dataConnectorVersion1": "3.1.0",
 "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition2": "JamfProtectPush",
+ "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "_dataConnectorContentIdConnections2": "JamfProtectPushConnections",
+ "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]",
+ "blanks": "[replace('b', 'b', '')]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','JamfProtect')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JamfProtect')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('JamfProtect-Parser')))]",
- "parserVersion1": "3.1.0",
+ "parserVersion1": "3.2.0",
 "parserContentId1": "JamfProtect-Parser"
 },
 "workbookVersion1": "2.0.0",
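Review bot: `"blanks": "[replace('b', 'b', '')]"` is an opaque way to produce an empty string, and its only visible consumer is `"kind": "[variables('blanks')]"` on the `JamfProtectCustomDCR` resource further down in this diff; since JSON offers no comment to explain the trick, the variable name should carry the intent, e.g. `"emptyString": "[replace('b', 'b', '')]"` (with the `kind` reference updated), or the `kind` property should be omitted if the API accepts that. `workspaceResourceId` is only moved here from the workbook variables (it is removed in the next hunk), which is harmless. `parserVersion1` is bumped to 3.2.0 while the solution's own version stays 3.1.1 in Solution_JamfProtect.json; that mismatch is raised on the earlier hunk.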
@@ -65,7 +86,6 @@
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
 "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
 "_workbookContentId1": "[variables('workbookContentId1')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "analyticRuleObject1": {
 "analyticRuleVersion1": "1.0.5",
@@ -75,11 +95,11 @@
 "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6098daa0-f05e-44d5-b5a0-913e63ba3179','-', '1.0.5')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
 "_analyticRulecontentId2": "44da53c3-f3b0-4b70-afff-f79275cb9442",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44da53c3-f3b0-4b70-afff-f79275cb9442')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44da53c3-f3b0-4b70-afff-f79275cb9442')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44da53c3-f3b0-4b70-afff-f79275cb9442','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44da53c3-f3b0-4b70-afff-f79275cb9442','-', '1.0.4')))]"
 },
 "analyticRuleObject3": {
 "analyticRuleVersion3": "1.0.2",
@@ -285,12 +305,1395 @@ "name": "Thijs Xhaflaire", "email": "[variables('_email')]" }, - "support": { - "name": "Jamf Software, LLC", - "email": "support@jamf.com", - "tier": "Partner", - "link": "https://www.jamf.com/support/" - } + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Jamf Protect", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Jamf Protect", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } 
+ } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Jamf Protect", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total Activities data received", + "legend": "jamfprotect_CL", + "baseQuery": "jamfprotect_CL" + } + ], + "dataTypes": [ + { + "name": "jamfprotect_CL", + "lastDataReceivedQuery": "jamfprotect_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotect_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All events.", + "query": "jamfprotect_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All active endpoints.", + "query": "jamfprotect_CL\n | where notempty(input_host_hostname_s) | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | sort by Event desc" + }, + { + "description": "Jamf Protect - Top 10 endpoints with Alerts", + "query": "jamfprotect_CL\n | where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)\n | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | top 10 by Event" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": 
"Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API." 
+ } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "Jamf Protect Push Connector", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "JamfProtectPush", + "title": "Jamf Protect Push Connector", + "publisher": "Jamf", + "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Telemetry", + "legend": "jamfprotecttelemetryv2_CL", + "baseQuery": "jamfprotecttelemetryv2_CL" + }, + { + "metricName": "Unified Logs", + "legend": "jamfprotectunifiedlogs_CL", + "baseQuery": "jamfprotectunifiedlogs_CL" + }, + { + "metricName": "Telemetry 
(Legacy)", + "legend": "jamfprotecttelemetryv1_CL", + "baseQuery": "jamfprotecttelemetryv1_CL" + }, + { + "metricName": "Alerts", + "legend": "jamfprotectalerts_CL", + "baseQuery": "jamfprotectalerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Jamf Protect - All Alerts", + "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Jamf Protect - All Telemetry events", + "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "jamfprotecttelemetryv2_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectunifiedlogs_CL", + "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotecttelemetryv1_CL", + "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "jamfprotectalerts_CL", + "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "jamfprotecttelemetryv2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "availability": { + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions 
are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" + } + ] + }, + "instructionSteps": [ + { + "title": "1. Create ARM Resources and Provide the Required Permissions", + "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Jamf Protect connector resources", + "applicationDisplayName": "Jamf Protect Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Push your logs into the workspace", + "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", + "instructions": [ + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the Application Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCE Uri", + "fillWith": [ + "DataCollectionEndpoint" + ], + "placeholder": "Deploy push connector to get the DCR Uri" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCR Immutable ID", + "fillWith": [ + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the DCR ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry Stream ID", + "value": "Custom-jamfprotecttelemetryv1_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Unified Logs Stream ID", + "value": "Custom-jamfprotectunifiedlogs_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry (Legacy) Stream ID", + "value": "Custom-jamfprotecttelemetryv2_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Alerts Stream ID", + "value": "Custom-jamfprotectalerts_CL" + }, + "type": "CopyableLabel" + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "JamfProtectCustomDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-jamfprotecttelemetryv2": { + "columns": [ + { + "name": "action", + "type": "dynamic" + }, + { + "name": "action_type", + "type": "int" + }, + { + "name": "deadline", + "type": "int" + }, + { + "name": "event", + "type": "dynamic" + }, + { + "name": "event_type", + "type": "int" + }, + { + "name": "glob_seq_num", + "type": "int" + }, + { + "name": "host", + "type": "dynamic" + }, + { + "name": "mach_time", + "type": "long" + }, + { + "name": "metadata", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "seq_num", + "type": "int" + }, + { + "name": "thread", + "type": "dynamic" + }, + { + "name": "time", + "type": "datetime" + }, + { + "name": "uuid", + "type": "string" + }, + { + "name": "version", + "type": "int" + } + ] + }, + 
"Custom-jamfprotectunifiedlogs": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "caid", + "type": "string" + }, + { + "name": "certid", + "type": "string" + }, + { + "name": "input", + "type": "dynamic" + } + ] + }, + "Custom-jamfprotecttelemetryv1": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "arguments", + "type": "dynamic" + }, + { + "name": "exec_chain", + "type": "dynamic" + }, + { + "name": "header", + "type": "dynamic" + }, + { + "name": "host_info", + "type": "dynamic" + }, + { + "name": "key", + "type": "string" + }, + { + "name": "return", + "type": "dynamic" + }, + { + "name": "subject", + "type": "dynamic" + }, + { + "name": "identity", + "type": "dynamic" + }, + { + "name": "texts", + "type": "string" + }, + { + "name": "metrics", + "type": "dynamic" + }, + { + "name": "page_info", + "type": "dynamic" + }, + { + "name": "attributes", + "type": "dynamic" + }, + { + "name": "exec_chain_child", + "type": "dynamic" + }, + { + "name": "path", + "type": "dynamic" + }, + { + "name": "_event_score", + "type": "int" + }, + { + "name": "contents", + "type": "string" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "socket_inet", + "type": "dynamic" + }, + { + "name": "exit", + "type": "dynamic" + }, + { + "name": "exec_args", + "type": "dynamic" + }, + { + "name": "exec_env", + "type": "dynamic" + }, + { + "name": "exec_chain_parent", + "type": "dynamic" + }, + { + "name": "architecture", + "type": "string" + }, + { + "name": "bios_firmware_versions", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "rateLimitingSeconds", + "type": "int" + } + ] + }, + "Custom-jamfprotectalerts": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "caid", + "type": "string" + }, + { + "name": "certid", + "type": "string" + }, + { + "name": "input", + "type": "dynamic" + } + ] + } + }, + "destinations": { 
+ "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-jamfprotecttelemetryv2" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = metadata.vendor,\n EventProduct = metadata.product,\n EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = host.protectVersion,\n EventSeverity = \"Informational\",\n //\n // Jamf Protect - Device Hostnames\n TargetHostname = host.hostname,\n DvcHostname = host.hostname,\n DvcSerial = host.serial,\n DvcIpAddr = host.ips,\n DvcId = host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = host.os,\n SrcDeviceType = \"Computer\"\n| project-rename\n TimeGenerated = ['time'],\n EventOriginalUid = uuid,\n EventOriginalType = event_type,\n EventCount = glob_seq_num\n| project-away\n metadata,\n host,\n seq_num,\n version,\n deadline,\n mach_time,\n action_type\n\n", + "outputStream": "Custom-jamfprotecttelemetryv2_CL" + }, + { + "streams": [ + "Custom-jamfprotectunifiedlogs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Unified Log Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = \"UnifiedLog\",\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.event.name,\n EventResultMessage = input.match.event.composedMessage,\n // EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", input.match.uuid),\n 
// //\n // // Jamf Protect - Device Hostnames\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n // Jamf Protect - Event Details\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = \"Create\",\n ProcessEventSubType = \"Exec\",\n TargetProcessName = tostring(input.match.event.process),\n TargetProcessId = toreal(input.match.event.processIdentifier),\n TargetProcessGuid = tostring(input.match.event.uuid),\n TargetProcessCommandLine = input.match.event.process.args,\n TargetProcessCurrentDirectory = input.match.event.processImagePath\n| project-away\n caid,\n certid\n\n", + "outputStream": "Custom-jamfprotectunifiedlogs_CL" + }, + { + "streams": [ + "Custom-jamfprotecttelemetryv1" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n// ASIM - Common Fields\n| extend EventVendor = 'Jamf'\n| extend EventProduct = 'Device Telemetry Stream'\n// Data Field Normalization\n| extend\n EventSeverity = \"Informational\",\n //\n // Jamf Protect Telemetry - Endpoint Information\n //\n TargetModel = metrics.hw_model,\n DvcOsVersion = host_info.osversion,\n TargetHostname = host_info.host_name,\n DvcHostname = host_info.host_name,\n DvcId = host_info.host_uuid,\n // Jamf Protect - Event Types\n EventType = case(\n header.event_name == \"AUE_add_to_group\",\n \"UserAddedToGroup\",\n header.event_name == \"AUE_AUDITCTL\",\n \"AuditEvent\",\n header.event_name == \"AUE_AUDITON_SPOLICY\",\n \"AuditEvent\",\n header.event_name == \"AUE_auth_user\",\n \"Elevate\",\n header.event_name == \"AUE_BIND\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_BIOS_FIRMWARE_VERSIONS\",\n \"SystemInformation\",\n header.event_name == \"AUE_CHDIR\",\n \"FolderMoved\",\n header.event_name == \"AUE_CHROOT\",\n \"FolderModified\",\n header.event_name == 
\"AUE_CONNECT\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_create_group\",\n \"GroupCreated\",\n header.event_name == \"AUE_create_user\",\n \"UserCreated\",\n header.event_name == \"AUE_delete_group\",\n \"GroupDeleted\",\n header.event_name == \"AUE_delete_user\",\n \"UserDeleted\",\n header.event_name == \"AUE_EXECVE\",\n \"ProcessCreated\",\n header.event_name == \"AUE_EXIT\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_FORK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_GETAUID\",\n \"\",\n header.event_name == \"AUE_KILL\",\n \"ProcessTerminated\",\n header.event_name == \"AUE_LISTEN\",\n \"EndpointNetworkSession\",\n header.event_name == \"AUE_logout\",\n \"Logoff\",\n header.event_name == \"AUE_lw_login\",\n \"Logon\",\n header.event_name == \"AUE_MAC_SET_PROC\",\n \"AuditEvent\",\n header.event_name == \"AUE_modify_group\",\n \"GroupModified\",\n header.event_name == \"AUE_modify_password\",\n \"PasswordChanged\",\n header.event_name == \"AUE_modify_user\",\n \"UserModified\",\n header.event_name == \"AUE_MOUNT\",\n \"VolumeMount\",\n header.event_name == \"AUE_openssh\",\n \"SshInitiated\",\n header.event_name == \"AUE_PIDFORTASK\",\n \"ProcessCreated\",\n header.event_name == \"AUE_POSIX_SPAWN\",\n \"ProcessCreated\",\n header.event_name == \"AUE_remove_from_group\",\n \"UserRemovedFromGroup\",\n header.event_name == \"AUE_SESSION_CLOSE\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_END\",\n \"Logoff\",\n header.event_name == \"AUE_SESSION_START\",\n \"Logon\",\n header.event_name == \"AUE_SESSION_UPDATE\",\n \"\",\n header.event_name == \"AUE_SETPRIORITY\",\n \"\",\n header.event_name == \"AUE_SETSOCKOPT\",\n \"\",\n header.event_name == \"AUE_SETTIMEOFDAY\",\n \"SystemChange\",\n header.event_name == \"AUE_shutdown\",\n \"ShutdownInitiated\",\n header.event_name == \"AUE_SOCKETPAIR\",\n \"\",\n header.event_name == \"AUE_ssauthint\",\n \"Elevate\",\n header.event_name == \"AUE_ssauthmech\",\n \"Elevate\",\n 
header.event_name == \"AUE_ssauthorize\",\n \"Elevate\",\n header.event_name == \"AUE_TASKFORPID\",\n \"\",\n header.event_name == \"AUE_TASKNAMEFORPID\",\n \"\",\n header.event_name == \"AUE_UNMOUNT\",\n \"VolumeUnmount\",\n header.event_name == \"AUE_WAIT4\",\n \"ProcessTerminated\",\n header.event_name == \"PLAINTEXT_LOG_COLLECTION_EVENT\",\n \"LogFileCollected\",\n header.event_name == \"SYSTEM_PERFORMANCE_METRICS\",\n \"SystemPerformanceMetrics\",\n \"Unknown\"\n ),\n //\n // Jamf Protect Telemetry - Process\n //\n ActingProcessId = toreal(subject.responsible_process_id),\n ActingProcessName = tostring(subject.responsible_process_name),\n ParentProcessName = tostring(subject.parent_path),\n ParentProcessId = toreal(subject.parent_pid),\n ParentProcessGuid = tostring(subject.parent_uuid),\n TargetProcessName = tostring(subject.process_name),\n TargetProcessId = toreal(subject.process_id),\n TargetProcessGuid = tostring(exec_chain.uuid),\n TargetProcessSHA256 = tostring(subject.process_hash),\n TargetUserId = toreal(subject.user_id),\n TargetUsername = tostring(subject.user_name),\n TargetProcessCommandLine = exec_args.args_compiled,\n ActorUsername = tostring(subject.effective_user_name),\n ActorUserId = toreal(subject.audit_user_name),\n //\n // Jamf Protect Telemetry - Audit/Group\n //\n GroupName = tostring(subject.group_name),\n GroupID = toreal(subject.group_id),\n EffectiveGroupName = tostring(subject.effective_group_name),\n EffectiveGroupID = toreal(subject.effective_group_id),\n //\n // Jamf Protect Telemetry - Network\n //\n DstIpAddr = socket_inet.ip_address,\n DstPortNumber = socket_inet.port,\n NetworkProtocolVersion = case(socket_inet.id == 128, \"IPV4\", socket_inet.id == 129, \"IPV6\", \"\"),\n SrcIpAddr = subject.terminal.id.ip.address,\n //\n // Jamf Protect Telemetry - Binaries\n //\n TargetBinarySHA256 = tostring(identity.cd_hash),\n TargetbinarySignerType = case(identity.signer_type == 0, \"Developer\", identity.signer_type == 1, \"Apple\", 
\"\"),\n TargetBinarySigningTeamID = tostring(identity.team_id),\n TargetBinarySigningAppID = tostring(identity.signer_id),\n //\n // Jamf Protect Telemetry - Log File Collection\n //\n TargetFilePath = path\n| project-away _event_score\n\n", + "outputStream": "Custom-jamfprotecttelemetryv1_CL" + }, + { + "streams": [ + "Custom-jamfprotectalerts" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n//ASIM - Generic Fields\n| extend\n EventVendor = \"Jamf\",\n EventProduct = \"Alerts Stream\",\n // EventSchemaVersion = metadata.schemaVersion,\n EventProductVersion = input.host.protectVersion,\n EventSeverity = case(input.match.severity == 0, \"Informational\", input.match.severity == 1, \"Low\", input.match.severity == 2, \"Medium\", input.match.severity == 3, \"High\", \"Informational\"),\n EventOriginalType = input.eventType,\n EventOriginalUid = input.match.uuid,\n EventType = case(\n input.eventType == \"GPClickEvent\",\n \"Click\",\n input.eventType == \"GPDownloadEvent\",\n \"Download\",\n input.eventType == \"GPFSEvent\",\n \"FileSystem\",\n input.eventType == \"GPProcessEvent\",\n \"Process\",\n input.eventType == \"GPKeylogRegisterEvent\",\n \"Keylog\",\n input.eventType == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input.eventType == \"GPMRTEvent\",\n \"MRT\",\n input.eventType == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input.eventType == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input.eventType == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input.eventType == \"GPUSBEvent\",\n \"USB\",\n input.eventType == \"auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventResult = case(input.match.actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventMessage = input.match.facts[0].name,\n EventResultMessage = input.match.facts[0].human,\n //\n // Jamf Protect - Device Hostnames\n //\n TargetHostname = input.host.hostname,\n DvcHostname = input.host.hostname,\n DvcSerial = input.host.serial,\n DvcIpAddr = 
input.host.ips,\n DvcId = input.host.provisioningUDID,\n DvcOs = \"macOS\",\n DvcOsVersion = input.host.os,\n SrcDeviceType = \"Computer\",\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = case(input.match.event.type == 0, \"None\", input.match.event.type == 1, \"Create\", input.match.event.type == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input.match.event.subType == 7, \"Exec\", input.match.event.subType == 1, \"Fork\", input.match.event.subType == 23, \"Execve\", input.match.event.subType == 43190, \"Posix Spawn\", \"\"),\n ActingProcessName = tostring(input.related.processes[array_length(input.related.processes) - 1].path),\n ActingProcessId = toreal(input.related.processes[0].responsiblePID),\n ActingProcessGuid = tostring(input.related.processes[array_length(input.related.processes) - 1].uuid),\n ParentProcessName = todynamic(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].path), \"\")),\n ParentProcessId = iff(array_length(input.related.processes) > 1, toreal(input.related.processes[1].pid), double(null)),\n ParentProcessGuid = tostring(iff(array_length(input.related.processes) > 1, tostring(input.related.processes[1].uuid), \"\")),\n TargetProcessName = todynamic(input.related.processes[0].name),\n TargetProcessId = input.related.processes[0].pid,\n TargetProcessGuid = input.related.processes[0].uuid,\n TargetProcessSHA1 = tostring(input.related.binaries[0].sha1hex),\n TargetProcessSHA256 = tostring(input.related.binaries[0].sha256hex),\n TargetProcessCommandLine = input.related.processes[0].args,\n TargetProcessCurrentDirectory = tostring(input.related.processes[0].path),\n TargetProcessStatusCode = toreal(input.related.processes[0].exitCode),\n //\n // Jamf Protect Alerts - Files\n //\n TargetFilePath = input.related.files[0].path,\n TargetFileSHA1 = input.related.files[0].sha1hex,\n TargetFileSHA256 = input.related.files[0].sha256hex,\n TargetFileSize = input.related.files[0].size,\n 
TargetFileSigningInfoMessage = input.related.files[0].signingInfo.statusMessage,\n TargetFileSignerType = case(input.related.files[0].signingInfo.signerType == 0, \"Apple\", input.related.files[0].signingInfo.signerType == 1, \"App Store\", input.related.files[0].signingInfo.signerType == 2, \"Developer\", input.related.files[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = input.related.files[0].signingInfo.teamid,\n TargetFileIsDownload = tobool(input.related.files[0].isDownload),\n TargetFileIsAppBundle = tobool(input.related.files[0].isAppBundle),\n TargetFileIsDirectory = tobool(input.related.files[0].isDirectory),\n TargetFileIsScreenshot = tobool(input.related.files[0].isScreenShot),\n TargetFileExtendedAttributes = input.related.files[0].xattrs,\n // Jamf Protect Alerts - Binaries\n TargetBinaryFilePath = input.related.binaries[0].path,\n TargetBinarySHA1 = input.related.binaries[0].sha1hex,\n TargetBinarySHA256 = input.related.binaries[0].sha256hex,\n TargetBinarySigningInfoMessage = input.related.binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(input.related.binaries[0].signingInfo.signerType == 0, \"Apple\", input.related.binaries[0].signingInfo.signerType == 1, \"App Store\", input.related.binaries[0].signingInfo.signerType == 2, \"Developer\", input.related.binaries[0].signingInfo.signerType == 3, \"Ad Hoc\", input.related.binaries[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetBinarySigningTeamID = input.related.binaries[0].signingInfo.teamid,\n TargetBinarySigningAppID = input.related.binaries[0].signingInfo.appid\n| project-away\n caid,\n certid\n", + "outputStream": "Custom-jamfprotectalerts_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" 
+ } + }, + { + "name": "jamfprotecttelemetryv2_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotecttelemetryv2_CL", + "columns": [ + { + "name": "action", + "type": "dynamic" + }, + { + "name": "event", + "type": "dynamic" + }, + { + "name": "EventOriginalType", + "type": "int" + }, + { + "name": "EventCount", + "type": "int" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "thread", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventOriginalUid", + "type": "string" + }, + { + "name": "EventVendor", + "type": "dynamic" + }, + { + "name": "EventProduct", + "type": "dynamic" + }, + { + "name": "EventSchemaVersion", + "type": "dynamic" + }, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + } + ] + }, + "totalRetentionInDays": 30 + } + }, + { + "name": "jamfprotectalerts_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotectalerts_CL", + "columns": [ + { + "name": "input", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + 
}, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "EventOriginalType", + "type": "dynamic" + }, + { + "name": "EventOriginalUid", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventResult", + "type": "string" + }, + { + "name": "EventMessage", + "type": "dynamic" + }, + { + "name": "EventResultMessage", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + }, + { + "name": "ProcessEventType", + "type": "string" + }, + { + "name": "ProcessEventSubType", + "type": "string" + }, + { + "name": "ActingProcessName", + "type": "string" + }, + { + "name": "ActingProcessId", + "type": "real" + }, + { + "name": "ActingProcessGuid", + "type": "string" + }, + { + "name": "ParentProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessId", + "type": "real" + }, + { + "name": "ParentProcessGuid", + "type": "string" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessSHA1", + "type": "string" + }, + { + "name": "TargetProcessSHA256", + "type": "string" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "TargetProcessCurrentDirectory", + "type": "string" + }, + { + "name": "TargetProcessStatusCode", + "type": "real" + }, + { + "name": "TargetFilePath", + "type": "dynamic" + }, + { + "name": "TargetFileSHA1", + "type": "dynamic" + }, + { + "name": "TargetFileSHA256", + 
"type": "dynamic" + }, + { + "name": "TargetFileSize", + "type": "dynamic" + }, + { + "name": "TargetFileSigningInfoMessage", + "type": "dynamic" + }, + { + "name": "TargetFileSignerType", + "type": "string" + }, + { + "name": "TargetFileSigningTeamID", + "type": "dynamic" + }, + { + "name": "TargetFileIsDownload", + "type": "boolean" + }, + { + "name": "TargetFileIsAppBundle", + "type": "boolean" + }, + { + "name": "TargetFileIsDirectory", + "type": "boolean" + }, + { + "name": "TargetFileIsScreenshot", + "type": "boolean" + }, + { + "name": "TargetFileExtendedAttributes", + "type": "dynamic" + }, + { + "name": "TargetBinaryFilePath", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA1", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA256", + "type": "dynamic" + }, + { + "name": "TargetBinarySigningInfoMessage", + "type": "dynamic" + }, + { + "name": "TargetbinarySignerType", + "type": "string" + }, + { + "name": "TargetBinarySigningTeamID", + "type": "dynamic" + }, + { + "name": "TargetBinarySigningAppID", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } + }, + { + "name": "jamfprotecttelemetryv1_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotecttelemetryv1_CL", + "columns": [ + { + "name": "architecture", + "type": "string" + }, + { + "name": "arguments", + "type": "dynamic" + }, + { + "name": "attributes", + "type": "dynamic" + }, + { + "name": "bios_firmware_versions", + "type": "dynamic" + }, + { + "name": "contents", + "type": "string" + }, + { + "name": "exec_args", + "type": "dynamic" + }, + { + "name": "exec_chain", + "type": "dynamic" + }, + { + "name": "exec_chain_child", + "type": "dynamic" + }, + { + "name": "exec_chain_parent", + "type": "dynamic" + }, + { + "name": "exec_env", + "type": "dynamic" + }, + { + "name": "exit", + "type": 
"dynamic" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "header", + "type": "dynamic" + }, + { + "name": "host_info", + "type": "dynamic" + }, + { + "name": "identity", + "type": "dynamic" + }, + { + "name": "key", + "type": "string" + }, + { + "name": "metrics", + "type": "dynamic" + }, + { + "name": "page_info", + "type": "dynamic" + }, + { + "name": "path", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "rateLimitingSeconds", + "type": "int" + }, + { + "name": "return", + "type": "dynamic" + }, + { + "name": "socket_inet", + "type": "dynamic" + }, + { + "name": "subject", + "type": "dynamic" + }, + { + "name": "texts", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "TargetModel", + "type": "dynamic" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcId", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "ActingProcessId", + "type": "dynamic" + }, + { + "name": "ActingProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessName", + "type": "dynamic" + }, + { + "name": "ParentProcessId", + "type": "dynamic" + }, + { + "name": "ParentProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessSHA256", + "type": "dynamic" + }, + { + "name": "TargetUserId", + "type": "dynamic" + }, + { + "name": "TargetUsername", + "type": "dynamic" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "ActorUsername", 
+ "type": "dynamic" + }, + { + "name": "ActorUserId", + "type": "dynamic" + }, + { + "name": "GroupName", + "type": "dynamic" + }, + { + "name": "GroupID", + "type": "dynamic" + }, + { + "name": "EffectiveGroupName", + "type": "dynamic" + }, + { + "name": "EffectiveGroupID", + "type": "dynamic" + }, + { + "name": "DstIpAddr", + "type": "dynamic" + }, + { + "name": "DstPortNumber", + "type": "dynamic" + }, + { + "name": "NetworkProtocolVersion", + "type": "string" + }, + { + "name": "SrcIpAddr", + "type": "dynamic" + }, + { + "name": "TargetBinarySHA256", + "type": "dynamic" + }, + { + "name": "TargetbinarySignerType", + "type": "string" + }, + { + "name": "TargetBinarySigningTeamID", + "type": "string" + }, + { + "name": "TargetBinarySigningAppID", + "type": "string" + }, + { + "name": "TargetFilePath", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 + } + }, + { + "name": "jamfprotectunifiedlogs_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "jamfprotectunifiedlogs_CL", + "columns": [ + { + "name": "input", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "EventProductVersion", + "type": "dynamic" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "EventOriginalType", + "type": "dynamic" + }, + { + "name": "EventOriginalUid", + "type": "dynamic" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventResult", + "type": "string" + }, + { + "name": "EventMessage", + "type": "dynamic" + }, + { + "name": "EventResultMessage", + "type": "dynamic" + }, + { + "name": "TargetHostname", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "dynamic" + }, + { + "name": "DvcSerial", + "type": "dynamic" + }, + { + "name": "DvcIpAddr", + "type": "dynamic" + }, + { + "name": "DvcId", + 
"type": "dynamic" + }, + { + "name": "DvcOs", + "type": "string" + }, + { + "name": "DvcOsVersion", + "type": "dynamic" + }, + { + "name": "SrcDeviceType", + "type": "string" + }, + { + "name": "ProcessEventType", + "type": "string" + }, + { + "name": "ProcessEventSubType", + "type": "string" + }, + { + "name": "TargetProcessName", + "type": "dynamic" + }, + { + "name": "TargetProcessId", + "type": "dynamic" + }, + { + "name": "TargetProcessGuid", + "type": "dynamic" + }, + { + "name": "TargetProcessCommandLine", + "type": "dynamic" + }, + { + "name": "TargetProcessCurrentDirectory", + "type": "dynamic" + } + ] + }, + "totalRetentionInDays": 30 } } ] 
@@ -298,95 +1701,87 @@
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
 "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "Jamf Protect",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Jamf Protect",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Thijs Xhaflaire",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Jamf Software, LLC",
- "email": "support@jamf.com",
- "tier": "Partner",
- "link": "https://www.jamf.com/support/"
- }
+ "version": "[variables('dataConnectorCCPVersion')]"
 }
 },
 {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "Customizable",
 "properties": {
 "connectorUiConfig": {
- "title": "Jamf Protect",
+ "id": "JamfProtectPush",
+ "title": "Jamf Protect Push Connector",
 "publisher": "Jamf",
 "descriptionMarkdown": "The [Jamf Protect](https://www.jamf.com/products/jamf-protect/) connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.",
 "graphQueries": [
 {
- "metricName": "Total Activities data received",
- "legend": "jamfprotect_CL",
- "baseQuery": "jamfprotect_CL"
- }
- ],
- "dataTypes": [
+ "metricName": "Telemetry",
+ "legend": "jamfprotecttelemetryv2_CL",
+ "baseQuery": "jamfprotecttelemetryv2_CL"
+ },
 {
- "name": "jamfprotect_CL",
- "lastDataReceivedQuery": "jamfprotect_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "metricName": "Unified Logs",
+ "legend": "jamfprotectunifiedlogs_CL",
+ "baseQuery": "jamfprotectunifiedlogs_CL"
+ },
+ {
+ "metricName": "Telemetry (Legacy)",
+ "legend": "jamfprotecttelemetryv1_CL",
+ "baseQuery": "jamfprotecttelemetryv1_CL"
+ },
+ {
+ "metricName": "Alerts",
+ "legend": "jamfprotectalerts_CL",
+ "baseQuery": "jamfprotectalerts_CL"
 }
 ],
- "connectivityCriterias": [
+ "sampleQueries": [
 {
- "type": "IsConnectedQuery",
- "value": [
- "jamfprotect_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
+ "description": "Jamf Protect - All Alerts",
+ "query": "jamfprotectalerts_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Jamf Protect - All Telemetry events",
+ "query": "jamfprotecttelemetry_CL\n | sort by TimeGenerated desc"
 }
 ],
- "sampleQueries": [
+ "dataTypes": [
 {
- "description": "Jamf Protect - All events.",
- "query": "jamfprotect_CL\n | sort by TimeGenerated desc"
+ "name": "jamfprotecttelemetryv2_CL",
+ "lastDataReceivedQuery": "jamfprotecttelemetryv2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 },
 {
- "description": "Jamf Protect - All active endpoints.",
- "query": "jamfprotect_CL\n | where notempty(input_host_hostname_s) | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | sort by Event desc"
+ "name": "jamfprotectunifiedlogs_CL",
+ "lastDataReceivedQuery": "jamfprotectunifiedlogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 },
 {
- "description": "Jamf Protect - Top 10 endpoints with Alerts",
- "query": "jamfprotect_CL\n | where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)\n | summarize Event = count() by input_host_hostname_s\n | project-rename HostName = input_host_hostname_s\n | top 10 by Event"
+ "name": "jamfprotecttelemetryv1_CL",
+ "lastDataReceivedQuery": "jamfprotecttelemetryv1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "jamfprotectalerts_CL",
+ "lastDataReceivedQuery": "jamfprotectalerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "jamfprotecttelemetryv2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "jamfprotectunifiedlogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "jamfprotecttelemetryv1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "jamfprotectalerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+ ]
 }
 ],
 "availability": {
- "status": 1,
- "isPreview": false
+ "status": 1
 },
 "permissions": {
 "resourceProvider": [
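Review bot: The second `sampleQueries` entry queries `jamfprotecttelemetry_CL`, a table this definition never registers; the telemetry tables declared in `graphQueries`, `dataTypes` and `connectivityCriteria` are `jamfprotecttelemetryv2_CL` and `jamfprotecttelemetryv1_CL`, so that sample query will fail to resolve when a user runs it from the connector page. Point it at the current table, `"query": "jamfprotecttelemetryv2_CL\n | sort by TimeGenerated desc"`, and add a parallel sample for `jamfprotecttelemetryv1_CL` if the legacy stream is still supported. It is also not visible from this hunk whether the platform ORs or ANDs the four `IsConnectedQuery` values; if they are ANDed, a tenant forwarding only alerts would report as disconnected even though `jamfprotectalerts_CL` has data within 7d, so that is worth confirming before merge.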
@@ -400,27 +1795,268 @@ "read": true, "delete": true } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher." }, { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role" } ] }, "instructionSteps": [ { - "description": "This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API." + "title": "1. 
Create ARM Resources and Provide the Required Permissions", + "description": "This connector reads data from the tables that Jamf Protect uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html?hl=sentinel#task-4227) option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Connect\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Jamf Protect connector resources", + "applicationDisplayName": "Jamf Protect Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Push your logs into the workspace", + "description": "Use the following parameters to configure the your machine to send the logs to the workspace.", + "instructions": [ + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra Application Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the Application Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCE Uri", + "fillWith": [ + "DataCollectionEndpoint" + ], + "placeholder": "Deploy push connector to get the DCR Uri" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "DCR Immutable ID", + "fillWith": [ + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the DCR ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry Stream ID", + "value": "Custom-jamfprotecttelemetryv1_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Unified Logs Stream ID", + "value": "Custom-jamfprotectunifiedlogs_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Telemetry (Legacy) Stream ID", + "value": "Custom-jamfprotecttelemetryv2_CL" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Alerts Stream ID", + "value": "Custom-jamfprotectalerts_CL" + }, + "type": "CopyableLabel" + } + ] } - ], - "id": "[variables('_uiConfigId1')]" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "displayName": "Jamf Protect Push Connector", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "auth": { + "type": "object", + "defaultValue": { + "appId": "[[parameters('auth').appId]]", + 
"servicePrincipalId": "[[parameters('auth').servicePrincipalId]]" + } + }, + "connectorDefinitionName": { + "defaultValue": "Jamf Protect Push Connector", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Thijs Xhaflaire", + "email": "[variables('_email')]" + }, + "support": { + "name": "Jamf Software, LLC", + "email": "support@jamf.com", + "tier": "Partner", + "link": "https://www.jamf.com/support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'JamfProtectPushConnectorPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "Push", + "properties": { + "connectorDefinitionName": 
"JamfProtectPush", + "dcrConfig": { + "streamName": "Custom-jamfprotecttelemetryv2", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "Push", + "AppId": "[[parameters('auth').appId]", + "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]" + }, + "request": {}, + "response": { + "eventsJsonPaths": [ + "$.messages" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -447,7 +2083,7 @@ "displayName": "JamfProtect", "category": "Microsoft Sentinel Parser", "functionAlias": "JamfProtect", - "query": "let JamfProtectAlerts_view = view () {\n jamfprotect_CL\n| where topicType_s == \"alert\"\n and input_eventType_s <> \"GPUnifiedLogEvent\"\n and isnotempty(input_match_severity_d)\n// JSON Parsing at earliest stage\n| extend \n Related_users = parse_json(input_related_users_s),\n Related_files = parse_json(input_related_files_s),\n Related_binaries = parse_json(input_related_binaries_s),\n Related_groups = parse_json(input_related_groups_s),\n Related_processes = parse_json(input_related_processes_s),\n Match_facts = parse_json(input_match_facts_s),\n Match_tags = parse_json(input_match_tags_s),\n Match_actions = parse_json(input_match_actions_s),\n Match_context = parse_json(input_match_context_s),\n Match_event_process_signing = parse_json(input_match_event_process_signingInfo_s)\n// ASIM - Common Fields\n| extend EventVendor = 'Jamf'\n| extend EventProduct = 'Jamf Protect - Alerts'\n| project-rename\n EventOriginalUid = input_match_uuid_g\n| extend\n // Jamf Protect - Common Fields\n EventType = case(\n input_eventType_s == \"GPClickEvent\",\n \"Click\",\n input_eventType_s == \"GPDownloadEvent\",\n \"Download\",\n input_eventType_s == \"GPFSEvent\",\n \"FileSystem\",\n input_eventType_s == \"GPProcessEvent\",\n \"Process\",\n input_eventType_s == \"GPKeylogRegisterEvent\",\n \"Keylog\",\n input_eventType_s == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input_eventType_s == \"GPMRTEvent\",\n \"MRT\",\n input_eventType_s == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input_eventType_s == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input_eventType_s == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input_eventType_s == \"GPUSBEvent\",\n \"USB\",\n input_eventType_s == \"auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventDescription = coalesce(Match_facts[1].human, Match_facts[0].human),\n EventMessage = 
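Review bot: The stream IDs shown to the operator in step 2 do not line up with the push connector resource later in the hunk: `Telemetry Stream ID` is `Custom-jamfprotecttelemetryv1_CL` and `Telemetry (Legacy) Stream ID` is `Custom-jamfprotecttelemetryv2_CL`, while `JamfProtectPushConnectorPolling` sets `dcrConfig.streamName` to `Custom-jamfprotecttelemetryv2` with no `_CL` suffix, which suggests both the current/legacy labelling and the suffix are off — a Jamf Protect admin who pastes a name that is not a declared DCR stream will have every batch rejected by the Logs Ingestion API. Please check the DCR's streamDeclarations and make the four `value` strings match them byte-for-byte, e.g. `"value": "Custom-jamfprotecttelemetryv2"` under `Telemetry Stream ID` and `"value": "Custom-jamfprotecttelemetryv1"` under `Telemetry (Legacy) Stream ID`. The `Entra Application Secret` CopyableLabel renders the client secret in clear text in the portal, so the step 2 Markdown should carry a one-line note that the secret must be stored in a vault on the Jamf side, rotated on a schedule, and that the app is granted only Monitoring Metrics Publisher on this DCR. Minor: the `DCE Uri` placeholder says `Deploy push connector to get the DCR Uri` and should read `DCE Uri`.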
coalesce(Match_facts[1].name, Match_facts[0].name),\n EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)),\n EventResult = case(Match_actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventProductVersion = column_ifexists(\"input_host_protectVersion_s\", \"\"),\n //\n // Jamf Protect - Alert details\n //\n EventSeverity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\"),\n EventMatch = column_ifexists(\"input_match_event_matchValue_s\", \"\"),\n EventMatchType = column_ifexists(\"input_match_event_matchType_s\", \"\"),\n EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", EventOriginalUid),\n //\n // Jamf Protect - Source User\n SrcUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)),\n //\n // Jamf Protect - Source Device Hostnames\n //\n TargetHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcIpAddr = column_ifexists(\"input_host_ips_s\", \"\"),\n DvcId = column_ifexists(\"input_host_provisioningUDID_g\", \"\"),\n DvcOs=\"macOS\",\n SrcDeviceType=\"Computer\",\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = case(input_match_event_type_d == 0, \"None\", input_match_event_type_d == 1, \"Create\", input_match_event_type_d == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input_match_event_subType_d == 7, \"Exec\", input_match_event_subType_d == 1, \"Fork\", input_match_event_subType_d == 23, \"Execve\", input_match_event_subType_d == 43190, \"Posix Spawn\", \"\"),\n ActingProcessName = tostring(Related_processes[array_length(Related_processes) - 1].path),\n ActingProcessCreationTime = format_datetime(unixtime_milliseconds_todatetime(tolong(Related_processes[array_length(Related_processes) - 1].startTimestamp)), 'HH:mm:ss'),\n 
ActingProcessId = coalesce(input_match_event_process_ppid_d, toreal(Related_processes[0].responsiblePID)),\n ActingProcessGuid = tostring(Related_processes[array_length(Related_processes) - 1].uuid),\n ParentProcessName = iff(array_length(Related_processes) > 1, tostring(Related_processes[1].path), \"\"),\n ParentProcessCreationTime = iff(array_length(Related_processes) > 1, format_datetime(unixtime_milliseconds_todatetime(tolong(Related_processes[1].startTimestamp)), 'HH:mm:ss'), \"\"),\n ParentProcessId = iff(array_length(Related_processes) > 1, toreal(Related_processes[1].pid), double(null)),\n ParentProcessGuid = iff(array_length(Related_processes) > 1, tostring(Related_processes[1].uuid), \"\"),\n TargetProcessName = coalesce(input_match_event_process_name_s, Related_processes[0].name),\n TargetProcessId = coalesce(toreal(input_match_event_process_pid_d), toreal(Related_processes[0].pid)),\n TargetProcessGuid = tostring(Related_processes[0].uuid),\n TargetProcessSHA1 = Related_binaries[0].sha1hex,\n TargetProcessSHA256 = Related_binaries[0].sha256hex,\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(tolong(input_match_event_process_startTimestamp_d)),\n TargetProcessCommandLine = column_ifexists(\"input_match_event_process_args_s\", \"\"),\n TargetProcessCurrentDirectory = column_ifexists(\"input_match_event_process_path_s\", \"\"),\n //TargetProcessStatusCode = column_ifexists(Related_processes[0].exitCode, \"\"),\n TargetUserId = toreal(coalesce(Related_users[1].uid, Related_processes[0].uid)),\n TargetUsername = tostring(coalesce(Related_users[1].name, Related_users[0].uid)),\n //\n // Jamf Protect Alerts - Files\n //\n TargetFilePath = tostring(coalesce(input_match_event_path_s, Related_files[0].path)),\n TargetFileSHA1 = Related_files[0].sha1hex,\n TargetFileSHA256 = Related_files[0].sha256hex,\n TargetFileSize = Related_files[0].size,\n TargetFileSigningInfoMessage = Related_files[0].signingInfo.statusMessage,\n TargetFileSignerType = 
case(Related_files[0].signingInfo.signerType == 0, \"Apple\", Related_files[0].signingInfo.signerType == 1, \"App Store\", Related_files[0].signingInfo.signerType == 2, \"Developer\", Related_files[0].signingInfo.signerType == 3, \"Ad Hoc\", Related_files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = Related_files[0].signingInfo.teamid,\n TargetFileIsDownload = case(Related_files[0].isDownload == \"true\", \"true\", Related_files[0].isDownload == \"false\", \"false\", \"\"),\n TargetFileIsAppBundle = case(Related_files[0].isAppBundle == \"true\", \"true\", Related_files[0].isAppBundle == \"false\", \"false\", \"\"),\n TargetFileIsDirectory = case(Related_files[0].isDirectory == \"true\", \"true\", Related_files[0].isDirectory == \"false\", \"false\", \"\"),\n TargetFileIsScreenshot = case(Related_files[0].isScreenShot == \"true\", \"true\", Related_files[0].isScreenShot == \"false\", \"false\", \"\"),\n //\n // Jamf Protect Alerts - Binaries\n TargetBinaryFilePath = Related_binaries[0].path,\n TargetBinarySHA1 = tostring(Related_binaries[0].sha1hex),\n TargetBinarySHA256 = tostring(Related_binaries[0].sha256hex),\n TargetBinarySigningInfoMessage = Related_binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(Related_binaries[0].signingInfo.signerType == 0, \"Apple\", Related_binaries[0].signingInfo.signerType == 1, \"App Store\", Related_binaries[0].signingInfo.signerType == 2, \"Developer\", Related_binaries[0].signingInfo.signerType == 3, \"Ad Hoc\", Related_binaries[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetBinarySigningTeamID = tostring(Related_binaries[0].signingInfo.teamid),\n TargetBinarySigningAppID = tostring(Related_binaries[0].signingInfo.appid)\n| project-reorder\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventMessage,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventProductVersion,\n EventReportUrl,\n 
TargetHostname,\n DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ActingProcessName,\n ActingProcessCreationTime,\n ActingProcessId,\n ActingProcessGuid,\n ParentProcessName,\n ParentProcessCreationTime,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessSHA256,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n //TargetProcessStatusCode,\n TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n TargetBinaryFilePath,\n TargetBinarySHA1,\n TargetBinarySHA256,\n TargetBinarySigningInfoMessage,\n TargetbinarySignerType,\n TargetBinarySigningTeamID,\n TargetBinarySigningAppID,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags,\n *input_match_event_*\n| project-keep\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventMessage,\n EventProductVersion,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventReportUrl,\n TargetHostname,\n DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ActingProcessName,\n ActingProcessCreationTime,\n ActingProcessId,\n ActingProcessGuid,\n ParentProcessName,\n ParentProcessCreationTime,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessSHA256,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n //TargetProcessStatusCode,\n 
TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n TargetBinaryFilePath,\n TargetBinarySHA1,\n TargetBinarySHA256,\n TargetBinarySigningInfoMessage,\n TargetbinarySignerType,\n TargetBinarySigningTeamID,\n TargetBinarySigningAppID,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags,\n *input_match_event_*\n};\n//\n// Jamf Protect - Unified Logs\n//\nlet JamfProtectUnifiedLog_view = view () {\n jamfprotect_CL\n | where input_eventType_s == \"GPUnifiedLogEvent\"\n and isnotempty(input_match_severity_d)\n // JSON Parsing at earliest stage\n | extend \n Related_users = parse_json(input_related_users_s),\n Related_files = parse_json(input_related_files_s),\n Related_binaries = parse_json(input_related_binaries_s),\n Related_groups = parse_json(input_related_groups_s),\n Related_processes = parse_json(input_related_processes_s),\n Match_facts = parse_json(input_match_facts_s),\n Match_tags = parse_json(input_match_tags_s),\n Match_actions = parse_json(input_match_actions_s),\n Match_context = parse_json(input_match_context_s),\n Match_event_process_signing = parse_json(input_match_event_process_signingInfo_s)\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Unified Log'\n | project-rename\n EventOriginalUid = input_match_uuid_g\n | extend\n // Jamf Protect - Common Fields\n EventType = case(\n input_eventType_s == \"GPClickEvent\",\n \"Click\",\n input_eventType_s == \"GPDownloadEvent\",\n \"Download\",\n input_eventType_s == \"GPFSEvent\",\n \"FileSystem\",\n input_eventType_s == \"GPProcessEvent\",\n \"Process\",\n input_eventType_s == \"GPKeylogRegisterEvent\",\n 
\"Keylog\",\n input_eventType_s == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input_eventType_s == \"GPMRTEvent\",\n \"MRT\",\n input_eventType_s == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input_eventType_s == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input_eventType_s == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input_eventType_s == \"GPUSBEvent\",\n \"USB\",\n input_eventType_s == \"Auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventDescription = coalesce(Match_facts[1].human, Match_facts[0].human),\n EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)),\n EventResult = case(Match_actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n //\n // Jamf Protect - Unified Logs details\n //\n EventSeverity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\"),\n EventMatch = column_ifexists(\"input_match_event_matchValue_s\", \"\"),\n EventMatchType = column_ifexists(\"input_match_event_matchType_s\", \"\"),\n EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", EventOriginalUid),\n //\n // Jamf Protect - Source User\n SrcUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)),\n //\n // Jamf Protect - Source Device Hostnames\n //\n TargetHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcIpAddr = column_ifexists(\"input_host_ips_s\", \"\"),\n DvcId = column_ifexists(\"input_host_provisioningUDID_g\", \"\"),\n DvcOs=\"macOS\",\n SrcDeviceType=\"Computer\",\n //\n // Jamf Protect Unified Logs - Process\n //\n //ParentProcessName = coalesce(input_match_event_process_ppid_d, parse_json('input_related_processes_s')[0].ppid), //column_ifexists(\"exec_chain_child_parent_path_s\", \"\"), coalesce('input.match.event.process.ppid', 
mvindex('input.related.processes{}.ppid', 0))\n ProcessEventType = case(input_match_event_type_d == 0, \"None\", input_match_event_type_d == 1, \"Create\", input_match_event_type_d == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input_match_event_subType_d == 7, \"Exec\", input_match_event_subType_d == 1, \"Fork\", input_match_event_subType_d == 23, \"Execve\", input_match_event_subType_d == 43190, \"Posix Spawn\", \"\"),\n ParentProcessId = coalesce(input_match_event_process_ppid_d, toreal(Related_processes[0].ppid)),\n ParentProcessGuid = tostring(coalesce(input_match_event_process_pgid_d, toreal(Related_processes[0].pgid))),\n TargetProcessName = coalesce(input_match_event_process_name_s, Related_processes[0].name),\n TargetProcessId = coalesce(toreal(input_match_event_process_pid_d), toreal(Related_processes[0].pid)),\n TargetProcessGuid = tostring(Related_processes[0].uuid),\n TargetProcessSHA1 = Related_binaries[0].sha1hex,\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(tolong(input_match_event_process_startTimestamp_d)),\n TargetProcessCommandLine = column_ifexists(\"input_match_event_process_args_s\", \"\"),\n TargetProcessCurrentDirectory = column_ifexists(\"input_match_event_process_path_s\", \"\"),\n TargetUserId = toreal(coalesce(Related_users[1].uid, Related_users[0].uid)),\n TargetUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)),\n //\n // Jamf Protect Unified Logs - Files\n //\n TargetFilePath = tostring(coalesce(input_match_event_path_s, Related_files[0].path)),\n TargetFileSHA1 = Related_files[0].sha1hex,\n TargetFileSHA256 = Related_files[0].sha256hex,\n TargetFileSize = Related_files[0].size,\n TargetFileSigningInfoMessage = Related_files[0].signingInfo.statusMessage,\n TargetFileSignerType = case(Related_files[0].signingInfo.signerType == 0, \"Apple\", Related_files[0].signingInfo.signerType == 1, \"App Store\", Related_files[0].signingInfo.signerType == 2, \"Developer\", 
Related_files[0].signingInfo.signerType == 3, \"Ad Hoc\", Related_files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = Related_files[0].signingInfo.teamid,\n TargetFileIsDownload = case(Related_files[0].isDownload == \"true\", \"true\", Related_files[0].isDownload == \"false\", \"false\", \"\"),\n TargetFileIsAppBundle = case(Related_files[0].isAppBundle == \"true\", \"true\", Related_files[0].isAppBundle == \"false\", \"false\", \"\"),\n TargetFileIsDirectory = case(Related_files[0].isDirectory == \"true\", \"true\", Related_files[0].isDirectory == \"false\", \"false\", \"\"),\n TargetFileIsScreenshot = case(Related_files[0].isScreenShot == \"true\", \"true\", Related_files[0].isScreenShot == \"false\", \"false\", \"\")\n | project-reorder\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventReportUrl,\n TargetHostname,\n DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags\n | project-keep\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventReportUrl,\n TargetHostname,\n 
DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags,\n *input_match_event*\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s 
== \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetry_view = view () {\n jamfprotect_CL\n | where header_event_name_s startswith \"AUE_\" \n or header_event_name_s == \"PLAINTEXT_LOG_COLLECTION_EVENT\"\n or header_event_name_s == \"SYSTEM_PERFORMANCE_METRICS\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Telemetry'\n // Data Field Normalization\n //| project-rename \n // DvcIpAddr = input_host_ips_s,\n // DvcId = context_identity_claims_clientid_g\n | extend\n // Jamf Protect Alerts - Generic Information\n EventSeverity = case(\n input_match_severity_d == 0,\n \"Informational\",\n input_match_severity_d == 1,\n \"Low\",\n input_match_severity_d == 2,\n \"Medium\",\n input_match_severity_d == 
3,\n \"High\",\n \"Informational\"\n ),\n EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)),\n EventResult = coalesce(return_description_s, texts_s),\n // Jamf Protect Telemetry - Endpoint Information\n TargetModel = column_ifexists(\"metrics_hw_model_s\", \"\"),\n DvcOsVersion = column_ifexists(\"host_info_osversion_s\", \"\"),\n TargetHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"input_host_ips_s\", \"\"),\n DvcId = column_ifexists(\"context_identity_claims_clientid_g\", \"\"),\n // Jamf Protect - Event Types\n EventType = case(\n header_event_name_s == \"AUE_add_to_group\",\n \"UserAddedToGroup\",\n header_event_name_s == \"AUE_AUDITCTL\",\n \"AuditEvent\",\n header_event_name_s == \"AUE_AUDITON_SPOLICY\",\n \"AuditEvent\",\n header_event_name_s == \"AUE_auth_user\",\n \"Elevate\",\n header_event_name_s == \"AUE_BIND\",\n \"EndpointNetworkSession\",\n header_event_name_s == \"AUE_BIOS_FIRMWARE_VERSIONS\",\n \"SystemInformation\",\n header_event_name_s == \"AUE_CHDIR\",\n \"FolderMoved\",\n header_event_name_s == \"AUE_CHROOT\",\n \"FolderModified\",\n header_event_name_s == \"AUE_CONNECT\",\n \"EndpointNetworkSession\",\n header_event_name_s == \"AUE_create_group\",\n \"GroupCreated\",\n header_event_name_s == \"AUE_create_user\",\n \"UserCreated\",\n header_event_name_s == \"AUE_delete_group\",\n \"GroupDeleted\",\n header_event_name_s == \"AUE_delete_user\",\n \"UserDeleted\",\n header_event_name_s == \"AUE_EXECVE\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_EXIT\",\n \"ProcessTerminated\",\n header_event_name_s == \"AUE_FORK\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_GETAUID\",\n \"\",\n 
header_event_name_s == \"AUE_KILL\",\n \"ProcessTerminated\",\n header_event_name_s == \"AUE_LISTEN\",\n \"EndpointNetworkSession\",\n header_event_name_s == \"AUE_logout\",\n \"Logoff\",\n header_event_name_s == \"AUE_lw_login\",\n \"Logon\",\n header_event_name_s == \"AUE_MAC_SET_PROC\",\n \"AuditEvent\",\n header_event_name_s == \"AUE_modify_group\",\n \"GroupModified\",\n header_event_name_s == \"AUE_modify_password\",\n \"PasswordChanged\",\n header_event_name_s == \"AUE_modify_user\",\n \"UserModified\",\n header_event_name_s == \"AUE_MOUNT\",\n \"VolumeMount\",\n header_event_name_s == \"AUE_openssh\",\n \"SshInitiated\",\n header_event_name_s == \"AUE_PIDFORTASK\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_POSIX_SPAWN\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_remove_from_group\",\n \"UserRemovedFromGroup\",\n header_event_name_s == \"AUE_SESSION_CLOSE\",\n \"Logoff\",\n header_event_name_s == \"AUE_SESSION_END\",\n \"Logoff\",\n header_event_name_s == \"AUE_SESSION_START\",\n \"Logon\",\n header_event_name_s == \"AUE_SESSION_UPDATE\",\n \"\",\n header_event_name_s == \"AUE_SETPRIORITY\",\n \"\",\n header_event_name_s == \"AUE_SETSOCKOPT\",\n \"\",\n header_event_name_s == \"AUE_SETTIMEOFDAY\",\n \"SystemChange\",\n header_event_name_s == \"AUE_shutdown\",\n \"ShutdownInitiated\",\n header_event_name_s == \"AUE_SOCKETPAIR\",\n \"\",\n header_event_name_s == \"AUE_ssauthint\",\n \"Elevate\",\n header_event_name_s == \"AUE_ssauthmech\",\n \"Elevate\",\n header_event_name_s == \"AUE_ssauthorize\",\n \"Elevate\",\n header_event_name_s == \"AUE_TASKFORPID\",\n \"\",\n header_event_name_s == \"AUE_TASKNAMEFORPID\",\n \"\",\n header_event_name_s == \"AUE_UNMOUNT\",\n \"VolumeUnmount\",\n header_event_name_s == \"AUE_WAIT4\",\n \"ProcessTerminated\",\n header_event_name_s == \"PLAINTEXT_LOG_COLLECTION_EVENT\",\n \"LogFileCollected\",\n header_event_name_s == \"SYSTEM_PERFORMANCE_METRICS\",\n \"SystemPerformanceMetrics\",\n \"Unknown\"\n ),\n 
// Jamf Protect Telemetry - Process\n ParentProcessName = column_ifexists(\"subject_responsible_process_name_s\", \"\"),\n ParentProcessId = column_ifexists(\"subject_responsible_process_id_d\", \"\"),\n ParentProcessGuid = column_ifexists(\"exec_chain_child_parent_uuid_g\", \"\"),\n TargetProcessName = column_ifexists(\"subject_process_name_s\", \"\"),\n TargetProcessId = column_ifexists(\"subject_process_id_d\", \"\"),\n TargetProcessGuid = column_ifexists(\"exec_chain_thread_uuid_g\", \"\"),\n TargetProcessSHA256 = todynamic(column_ifexists(\"subject_process_hash_s\", \"\")),\n TargetUserId = toreal(column_ifexists(\"subject_user_id_d\", \"\")),\n TargetUsername = tostring(column_ifexists(\"subject_user_name_s\", \"\")),\n TargetProcessCommandLine = column_ifexists(\"exec_args_args_compiled_s\", \"\"),\n ActorUsername = tostring(column_ifexists(\"subject_effective_user_name_s\", \"\")),\n ActorUserId = column_ifexists(\"subject_audit_user_name_s\", \"\"),\n //column_ifexists(\"application_name_s\", \"\"),\n //\n // Jamf Protect Telemetry - Audit/Group\n //\n GroupName = todynamic(column_ifexists(\"subject_group_name_s\", \"\")),\n // Jamf Protect Telemetry - Network\n DstIpAddr = column_ifexists(\"socket_inet_ip_address_s\", \"\"),\n DstPortNumber = column_ifexists(\"socket_inet_port_d\", \"\"),\n NetworkProtocolVersion = case(socket_inet_id_d == 128, \"IPV4\", socket_inet_id_d == 129, \"IPV6\", \"\"),\n SrcIpAddr = column_ifexists(\"subject_terminal_id_ip_address_s\", \"\"),\n //\n // Jamf Protect Telemetry - Binaries\n //\n // TargetBinaryFilePath = todynamic(Related_binaries[0].path),\n TargetBinarySHA256 = tostring(identity_cd_hash_s),\n // TargetBinarySigningInfoMessage = Related_binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(identity_signer_type_d == 0, \"Developer\", identity_signer_type_d == 1, \"Apple\", \"\"),\n TargetBinarySigningTeamID = tostring(identity_team_id_s),\n TargetBinarySigningAppID = 
tostring(identity_signer_id_s),\n //\n // Jamf Protect Telemetry - Log File Collection\n //\n TargetFilePath = tostring(parse_json(path_s))\n | project-reorder\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventSeverity,\n EventResult,\n TargetHostname,\n DvcHostname,\n DvcId,\n DvcOsVersion,\n DvcIpAddr,\n TargetModel,\n TargetUserId,\n TargetUsername,\n ParentProcessName,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA256,\n TargetProcessCommandLine,\n ActorUsername,\n ActorUserId,\n TargetBinarySHA256,\n TargetbinarySignerType,\n TargetBinarySigningTeamID,\n TargetBinarySigningAppID,\n GroupName,\n SrcIpAddr,\n DstIpAddr,\n DstPortNumber,\n NetworkProtocolVersion,\n TargetFilePath\n | project-away\n arguments_sflags_d,\n arguments_am_failure_d,\n arguments_am_success_d\n};\n//\n// Jamf Protect - Threat Events\n//\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n 
DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectNetworkTraffic_view, JamfProtectTelemetry_view, JamfProtectThreatEvents_view\n", + "query": "let JamfProtectAlerts_view = view () {\njamfprotectalerts_CL\n| extend\n ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),\n ParentProcessCreationTime = iff(\n array_length(input.related.processes) > 
1, \n unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), \n datetime(null)\n ),\n TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),\n TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),\n TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)\n };\nlet JamfProtectUnifiedLog_view = view () {\njamfprotectunifiedlogs_CL\n| extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp))\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetryv1_view = view () {\njamfprotecttelemetryv1_CL\n| extend\n EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)),\n EventResult = coalesce(return.description, texts)\n};\nlet JamfProtectTelemetryv2_view = view () {\njamfprotecttelemetryv2_CL\n// Generic Fields\n| extend\n EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),\n eventTypeHuman = tostring(bag_keys(event)[0])\n| extend EventResult = iif((event[eventTypeHuman]['success'] == true), \"Success\", dynamic(null))\n| extend\n EventMessage = case(\n eventTypeHuman == \"authentication\",\n \"A user authentication happened\",\n eventTypeHuman == \"authorization_judgement\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"authorization_petition\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"bios_uefi\",\n \"Collection of bios and firmware data\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Apple’s Background Task Manager notified that an item has been added\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Apple’s Background Task Manager notified that an existing item has been removed\",\n eventTypeHuman == \"chroot\",\n \"Software has changed its apparent root directory in which it's actively operating out of\",\n eventTypeHuman == \"cs_invalidated\",\n \"The system detected that 
a process has had its code signature marked as invalid\",\n eventTypeHuman == \"exec\",\n \"A new process has been executed\",\n eventTypeHuman == \"kextload\",\n \"A kernel extension (kext) was loaded\",\n eventTypeHuman == \"kextunload\",\n \"A kernel extension (kext) was unloaded\",\n eventTypeHuman == \"login_login\",\n \"A user attempted to log in using /usr/bin/login\",\n eventTypeHuman == \"login_logout\",\n \"A user logged out from /usr/bin/login\",\n eventTypeHuman == \"lw_session_lock\",\n \"A user has locked the screen\",\n eventTypeHuman == \"lw_session_login\",\n \"A user has logged in via the Login Window\",\n eventTypeHuman == \"lw_session_logout\",\n \"A user has logged out of an active graphical session\",\n eventTypeHuman == \"lw_session_unlock\",\n \"A user has unlocked the screen from the Login Window\",\n eventTypeHuman == \"mount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute set on user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute added to a user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute removed from a user or group using Open Directory\",\n eventTypeHuman == \"od_create_group\",\n \"A group has been created using Open Directory\",\n eventTypeHuman == \"od_create_user\",\n \"A user has been created using Open Directory\",\n eventTypeHuman == \"od_delete_group\",\n \"A group has been deleted using Open Directory\",\n eventTypeHuman == \"od_delete_user\",\n \"A user has been deleted using Open Directory\",\n eventTypeHuman == \"od_disable_user\",\n \"A user has been disabled using Open Directory\",\n eventTypeHuman == \"od_enable_user\",\n \"A user has been enabled using Open Directory\",\n eventTypeHuman == \"od_group_add\",\n \"A member has been added to a group using Open Directory\",\n eventTypeHuman == \"od_group_remove\",\n \"A member has been removed from a group using Open 
Directory\",\n eventTypeHuman == \"od_group_set\",\n \"A group has a member initialised or replaced using Open Directory\",\n eventTypeHuman == \"od_modify_password\",\n \"A user password is modified via Open Directory\",\n eventTypeHuman == \"openssh_login\",\n \"A user has logged into the system via OpenSSH\",\n eventTypeHuman == \"openssh_logout\",\n \"A user has logged out of an OpenSSH session\",\n eventTypeHuman == \"performance\",\n \"Collection of system performance data\",\n eventTypeHuman == \"profile_add\",\n \"A configuration profile is installed on the system\",\n eventTypeHuman == \"profile_remove\",\n \"A configuration profile is removed from the system\",\n eventTypeHuman == \"remount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"A screensharing session has attached to a graphical session\",\n eventTypeHuman == \"screenscharing_detach\",\n \"A screensharing session has detached from a graphical session\",\n eventTypeHuman == \"settime\",\n \"The system time was attempted to be set\",\n eventTypeHuman == \"su\",\n \"A user attempts to start a new shell using a substitute user identity\",\n eventTypeHuman == \"sudo\",\n \"A sudo attempt occured\",\n eventTypeHuman == \"unmount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"Apple’s XProtect detected malware on the system\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"Apple’s XProtect remediated malware on the system\",\n eventTypeHuman == \"file_collection\",\n \"A crash or diagnostic file has been collected\",\n eventTypeHuman == \"log_collection\",\n \"Entries from a log file have been collected\",\n \"No reason yet defined for this event\"\n ),\n EventType = case(\n eventTypeHuman == \"authentication\",\n \"Logon\",\n eventTypeHuman == \"authorization_judgement\",\n \"ProcessCreated\",\n eventTypeHuman == \"authorization_petition\",\n \"ProcessCreated\",\n eventTypeHuman == \"bios_uefi\",\n 
\"Hardware\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Create\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Delete\",\n eventTypeHuman == \"chroot\",\n \"Set\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"exec\",\n \"ProcessCreated\",\n eventTypeHuman == \"kextload\",\n \"Create\",\n eventTypeHuman == \"kextunload\",\n \"Delete\",\n eventTypeHuman == \"login_login\",\n \"Logon\",\n eventTypeHuman == \"login_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_lock\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_login\",\n \"Logon\",\n eventTypeHuman == \"lw_session_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Logon\",\n eventTypeHuman == \"mount\",\n \"FileSystemMounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Set\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Create\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Delete\",\n eventTypeHuman == \"od_create_group\",\n \"GroupCreated\",\n eventTypeHuman == \"od_create_user\",\n \"UserCreated\",\n eventTypeHuman == \"od_delete_group\",\n \"GroupDeleted\",\n eventTypeHuman == \"od_delete_user\",\n \"UserDeleted\",\n eventTypeHuman == \"od_disable_user\",\n \"UserDisabled\",\n eventTypeHuman == \"od_enable_user\",\n \"UserEnabled\",\n eventTypeHuman == \"od_group_add\",\n \"UserAddedToGroup\",\n eventTypeHuman == \"od_group_remove\",\n \"UserRemovedFromGroup\",\n eventTypeHuman == \"od_group_set\",\n \"GroupModified\",\n eventTypeHuman == \"od_modify_password\",\n \"PasswordChanged\",\n eventTypeHuman == \"openssh_login\",\n \"Logon\",\n eventTypeHuman == \"openssh_logout\",\n \"Logoff\",\n eventTypeHuman == \"performance\",\n \"PerformanceData\",\n eventTypeHuman == \"profile_add\",\n \"Create\",\n eventTypeHuman == \"profile_remove\",\n \"Delete\",\n eventTypeHuman == \"remount\",\n \"FileSystemRemounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"Logon\",\n eventTypeHuman == \"screenscharing_detach\",\n 
\"Logoff\",\n eventTypeHuman == \"settime\",\n \"Set\",\n eventTypeHuman == \"su\",\n \"Elevate\",\n eventTypeHuman == \"sudo\",\n \"Elevate\",\n eventTypeHuman == \"unmount\",\n \"FileSystemUnmounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"MalwareDetected\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"MalwareRemediated\",\n \"\"\n ),\n EventSubType = case(\n eventTypeHuman == \"authentication\",\n \"Interactive\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"btm\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"btm\",\n eventTypeHuman == \"chroot\",\n \"Directory\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"kextload\",\n \"System Settings\",\n eventTypeHuman == \"kextunload\",\n \"System Settings\",\n eventTypeHuman == \"login_login\",\n \"Interactive\",\n eventTypeHuman == \"login_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_lock\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_login\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Interactive\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute\",\n eventTypeHuman == \"openssh_login\",\n \"Interactive\",\n eventTypeHuman == \"openssh_logout\",\n \"Interactive\",\n eventTypeHuman == \"profile_add\",\n \"Configuration Profile\",\n eventTypeHuman == \"profile_remove\",\n \"Configuration Profile\",\n eventTypeHuman == \"screenscharing_attach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"screenscharing_detach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"settime\",\n \"System Settings\",\n eventTypeHuman == \"su\",\n \"Interactive\",\n eventTypeHuman == \"sudo\",\n \"Interactive\",\n \"\"\n )\n// Jamf Protect Telemetry - Event Process\n| extend eventContext = \n iif(\n 
isnotempty(event[eventTypeHuman]['app']['audit_token']),\n event[eventTypeHuman]['app'],\n iif(\n isnotempty(event[eventTypeHuman]['target']['audit_token']),\n event[eventTypeHuman]['target'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['od']['audit_token']),\n event[eventTypeHuman]['data']['od'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['token']['audit_token']),\n event[eventTypeHuman]['data']['token'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']),\n event[eventTypeHuman]['data']['touchid'],\n iif(\n isnotempty(event[eventTypeHuman]['instigator']['audit_token']),\n event[eventTypeHuman]['instigator'],\n ['process']\n)\n)\n)\n)\n)\n)\n| extend\n TargetProcessName = tostring(eventContext.executable.path),\n TargetProcessId = tostring(eventContext.audit_token.pid),\n TargetProcessGuid = tostring(eventContext.audit_token.uuid),\n TargetProcessCreationTime = tostring(eventContext.start_time),\n TargetProcessSHA1 = tostring(eventContext.executable.sha1),\n TargetProcessSHA256 = tostring(eventContext.executable.sha256),\n TargetProcessCommandLine = event[eventTypeHuman]['args'],\n TargetProcessTTY = tostring(eventContext.tty.path),\n TargetBinarySigningAppID = tostring(eventContext.signing_id),\n TargetBinarySigningTeamID = tostring(eventContext.team_id),\n TargetBinaryCDHash = tostring(eventContext.cdhash),\n TargetBinaryIsESClient = tobool(eventContext.is_es_client),\n TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),\n TargetUserId = tostring(eventContext.audit_token.euid),\n ActingProcessId = tostring(eventContext.parent_audit_token.pid),\n ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),\n ActorUserId = tostring(eventContext.parent_audit_token.euid),\n ParentProcessId = tostring(eventContext.responsible_audit_token.pid),\n ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)\n// Jamf Protect Telemetry - Revealing Code Signing flags\n| extend 
TargetProcessCodesignFlags = \n iif(isnotempty(eventContext.codesigning_flags),\n bag_pack(\n \"CS_VALID\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false),\n \"CS_ADHOC\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false),\n \"CS_GET_TASK_ALLOW\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false),\n \"CS_INSTALLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false),\n \"CS_FORCED_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false),\n \"CS_INVALID_ALLOWED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false),\n \"CS_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false),\n \"CS_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false),\n \"CS_CHECK_EXPIRATION\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false),\n \"CS_RESTRICT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false),\n \"CS_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false),\n \"CS_REQUIRE_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false),\n \"CS_ENTITLEMENTS_VALIDATED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false),\n \"CS_NVRAM_UNRESTRICTED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false),\n \"CS_RUNTIME\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false),\n \"CS_LINKER_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false),\n \"CS_EXEC_SET_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false),\n \"CS_EXEC_SET_KILL\",\n 
iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false),\n \"CS_EXEC_SET_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false),\n \"CS_EXEC_INHERIT_SIP\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false),\n \"CS_KILLED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false),\n \"CS_DYLD_PLATFORM\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false),\n \"CS_PLATFORM_BINARY\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false),\n \"CS_PLATFORM_PATH\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false),\n \"CS_DEBUGGED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false),\n \"CS_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false),\n \"CS_DEV_CODE\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false),\n \"CS_DATAVAULT_CONTROLLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false)\n ), \"\")\n// Event Specific - authentication\n| extend TargetUsername =\n iif(\n isnotempty(event[eventTypeHuman]['username']),\n event[eventTypeHuman]['username'],\n iif(\n isnotempty(event[eventTypeHuman]['to_username']),\n event[eventTypeHuman]['to_username'],\n iif(\n isnotempty(event[eventTypeHuman]['account_name']),\n event[eventTypeHuman]['account_name'],\n iif(\n isnotempty(event[eventTypeHuman]['user_name']),\n event[eventTypeHuman]['user_name'],\n iif(\n isnotempty(event[eventTypeHuman]['authentication_username']),\n event[eventTypeHuman]['authentication_username'],\n \"\"\n)\n)\n)\n)\n)\n// Event Specific - authentication\n| extend ActorUsername = \n iif(\n isnotempty(event[eventTypeHuman]['from_username']),\n event[eventTypeHuman]['from_username'],\n iif(\n 
isnotempty(event[eventTypeHuman]['session_username']),\n event[eventTypeHuman]['session_username'],\n \"\"\n)\n)\n| extend Authentication = iif(\n eventTypeHuman == \"authentication\",\n bag_pack(\n \"authentication_method\",\n iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), \"\")\n),\n dynamic(null)\n )\n// Event Specific - bios_uefi\n| extend HardwareInformation = iif(\n eventTypeHuman == \"bios_uefi\",\n bag_pack(\n \"host_architecture\",\n iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, \"\"),\n \"firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], \"\"),\n \"system_firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], \"\")\n),\n dynamic(null)\n )\n// Event Specific - btm_launch_item_add & btm_launch_item_remove\n| extend BtmItem = iif(\n eventTypeHuman in (\"btm_launch_item_add\", \"btm_launch_item_remove\", \"remount\"),\n bag_pack(\n \"btm_executable_path\",\n iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, \"\"),\n \"btm_item_app_url\",\n iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, \"\"),\n \"btm_item_url\",\n iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, \"\"),\n \"btm_item_managed\",\n iff(isnotempty(event[eventTypeHuman].item.managed), event[eventTypeHuman].item.managed, \"\"),\n \"btm_item_legacy\",\n iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, \"\"),\n \"btm_item_uid\",\n iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, \"\"),\n \"btm_item_type\",\n iff(\n isnotempty(event[eventTypeHuman].item.item_type),\n case(\n event[eventTypeHuman].item.item_type == 0,\n \"UserItem\",\n 
event[eventTypeHuman].item.item_type == 1,\n \"App\",\n event[eventTypeHuman].item.item_type == 2,\n \"LoginItem\",\n event[eventTypeHuman].item.item_type == 3,\n \"LaunchAgent\",\n event[eventTypeHuman].item.item_type == 4,\n \"LaunchDaemon\",\n \"Unknown\"\n),\n \"\"\n)\n),\n dynamic(null)\n )\n// Event Specific - chroot\n| extend Chroot = iif(\n eventTypeHuman == \"chroot\",\n bag_pack(\n \"apparent_root_directory\",\n iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, \"\"),\n \"stats\",\n iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, \"\")\n),\n dynamic(null)\n )\n// Event Specific - cs_invalidated\n// Event Specific - exec\n// Event Specific - kextload & kextunload\n| extend KernelExtension = iif(\n eventTypeHuman in (\"kextload\", \"kextunload\"),\n bag_pack(\n \"kext_identifier\",\n iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, \"\")\n),\n dynamic(null)\n )\n// Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout\n| extend LoginWindowSession = iif(\n eventTypeHuman in (\"lw_session_lock\", \"lw_session_unlock\", \"lw_session_login\", \"lw_session_logout\"),\n bag_pack(\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, \"\")\n),\n dynamic(null)\n )\n// Event Specific - mount & remount & unmount\n| extend FileSystem = iif(\n eventTypeHuman in (\"mount\", \"unmount\", \"remount\"),\n bag_pack(\n \"volume_device_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, \"\"),\n \"volume_mount_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, \"\"),\n \"volume_file_system_type\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, \"\"),\n \"volume_size\",\n 
iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, \"\")\n),\n dynamic(null)\n )\n// Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user\n| extend OpenDirectory = iif(\n eventTypeHuman in (\"od_attribute_set\", \"od_attribute_value_add\", \"od_attribute_value_remove\", \"od_create_group\", \"od_create_user\", \"od_delete_group\", \"od_delete_user\", \"od_disable_user\", \"od_enable_user\"),\n bag_pack(\n \"group_name\",\n iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, \"\"),\n \"member_array\",\n iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, \"\"),\n \"member_value\",\n iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, \"\"),\n \"user_name\",\n iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, \"\"),\n \"account_name\",\n iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, \"\"),\n \"db_path\",\n iff(isnotempty(event[eventTypeHuman].db_path), event[eventTypeHuman].db_path, \"\"),\n \"record_name\",\n iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\"),\n \"node_name\",\n iff(isnotempty(event[eventTypeHuman].node_name), event[eventTypeHuman].node_name, \"\")\n),\n dynamic(null)\n )\n// Event Specific - openssh_login & openssh_logout\n| extend SSHContext = iif(\n eventTypeHuman in (\"openssh_login\", \"openssh_logout\"),\n bag_pack(\n \"source_address_type\", \n iff(\n 
isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n),\n \"result_type\", \n iff(\n isnotempty(event[eventTypeHuman].result_type),\n case(\n event[eventTypeHuman].result_type == 0,\n \"Exceeded maximum attempts\",\n event[eventTypeHuman].result_type == 1,\n \"Denied by root\",\n event[eventTypeHuman].result_type == 2,\n \"Success\",\n event[eventTypeHuman].result_type == 3,\n \"No reason\",\n event[eventTypeHuman].result_type == 4,\n \"Password\",\n event[eventTypeHuman].result_type == 5,\n \"kbdint\",\n event[eventTypeHuman].result_type == 6,\n \"Public key\",\n event[eventTypeHuman].result_type == 7,\n \"Host based\",\n event[eventTypeHuman].result_type == 8,\n \"GSS API\",\n event[eventTypeHuman].result_type == 9,\n \"Invalid user\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null) \n )\n// Event Specific - performance\n// Event Specific - profile_add & profile_remove\n| extend Profile = iif(\n eventTypeHuman in (\"profile_add\", \"profile_remove\"),\n bag_pack(\n \"profile_scope\",\n iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, \"\"),\n \"profile_identifier\",\n iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, \"\"),\n \"profile_uuid\",\n iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, \"\"),\n \"profile_display_name\",\n iff(isnotempty(event[eventTypeHuman].profile.display_name), event[eventTypeHuman].profile.display_name, \"\"),\n \"profile_organization\",\n iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, \"\"),\n \"profile_is_updated\",\n 
iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, \"\"),\n \"profile_install_source\", \n iff(\n isnotempty(event[eventTypeHuman].profile.install_source),\n case(\n event[eventTypeHuman].profile.install_source == 0,\n \"mdm\",\n event[eventTypeHuman].profile.install_source == 1,\n \"manual\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - screenscharing_attach & screensharing_detach\n| extend Screensharing = iif(\n eventTypeHuman in (\"screensharing_attach\", \"screensharing_detach\"),\n bag_pack(\n \"existing_session\",\n iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, \"\"),\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, \"\"),\n \"session_username\",\n iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, \"\"),\n \"viewer_appleid\",\n iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, \"\"),\n \"authentication_type\",\n iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, \"\"),\n \"source_address\",\n iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, \"\"),\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - su\n| extend Su = iif(\n eventTypeHuman == \"su\",\n bag_pack(\n \"username\",\n iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, \"\"),\n \"uid\",\n 
iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, \"\"),\n \"args\",\n iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, \"\"),\n \"env_vars\",\n iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, \"\"),\n \"env_count\",\n iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, \"\"),\n \"from_username\",\n iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, \"\"),\n \"to_username\",\n iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, \"\"),\n \"failure_message\",\n iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, \"\")\n),\n dynamic(null)\n )\n// Event Specific - sudo\n| extend Sudo = iif(\n eventTypeHuman == \"sudo\",\n bag_pack(\n \"TargetProcessCommandLine\",\n iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\")\n),\n dynamic(null)\n )\n// Event Specific - xp_malware_detected & xp_malware_remediated\n| extend Xprotect = iif(\n eventTypeHuman in (\"xp_malware_detected\", \"xp_malware_remediated\"),\n bag_pack(\n \"detected_path\",\n iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, \"\"),\n \"remediated_path\",\n iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, \"\"),\n \"malware_identifier\",\n iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, \"\"),\n \"signature_version\",\n iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, \"\")\n),\n dynamic(null)\n )\n| 
project-away\naction,\nevent,\nprocess\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s == \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = 
column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n// //\n// // Jamf Protect - Threat Events\n// //\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", 
event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -497,8 +2133,8 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "JamfProtect",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.1.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.1.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]",
 "version": "[variables('parserObject1').parserVersion1]"
 }
 },
@@ -512,7 +2148,7 @@ "displayName": "JamfProtect", "category": "Microsoft Sentinel Parser", "functionAlias": "JamfProtect", - "query": "let JamfProtectAlerts_view = view () {\n jamfprotect_CL\n| where topicType_s == \"alert\"\n and input_eventType_s <> \"GPUnifiedLogEvent\"\n and isnotempty(input_match_severity_d)\n// JSON Parsing at earliest stage\n| extend \n Related_users = parse_json(input_related_users_s),\n Related_files = parse_json(input_related_files_s),\n Related_binaries = parse_json(input_related_binaries_s),\n Related_groups = parse_json(input_related_groups_s),\n Related_processes = parse_json(input_related_processes_s),\n Match_facts = parse_json(input_match_facts_s),\n Match_tags = parse_json(input_match_tags_s),\n Match_actions = parse_json(input_match_actions_s),\n Match_context = parse_json(input_match_context_s),\n Match_event_process_signing = parse_json(input_match_event_process_signingInfo_s)\n// ASIM - Common Fields\n| extend EventVendor = 'Jamf'\n| extend EventProduct = 'Jamf Protect - Alerts'\n| project-rename\n EventOriginalUid = input_match_uuid_g\n| extend\n // Jamf Protect - Common Fields\n EventType = case(\n input_eventType_s == \"GPClickEvent\",\n \"Click\",\n input_eventType_s == \"GPDownloadEvent\",\n \"Download\",\n input_eventType_s == \"GPFSEvent\",\n \"FileSystem\",\n input_eventType_s == \"GPProcessEvent\",\n \"Process\",\n input_eventType_s == \"GPKeylogRegisterEvent\",\n \"Keylog\",\n input_eventType_s == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input_eventType_s == \"GPMRTEvent\",\n \"MRT\",\n input_eventType_s == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input_eventType_s == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input_eventType_s == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input_eventType_s == \"GPUSBEvent\",\n \"USB\",\n input_eventType_s == \"auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventDescription = coalesce(Match_facts[1].human, Match_facts[0].human),\n EventMessage = 
coalesce(Match_facts[1].name, Match_facts[0].name),\n EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)),\n EventResult = case(Match_actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n EventProductVersion = column_ifexists(\"input_host_protectVersion_s\", \"\"),\n //\n // Jamf Protect - Alert details\n //\n EventSeverity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\"),\n EventMatch = column_ifexists(\"input_match_event_matchValue_s\", \"\"),\n EventMatchType = column_ifexists(\"input_match_event_matchType_s\", \"\"),\n EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", EventOriginalUid),\n //\n // Jamf Protect - Source User\n SrcUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)),\n //\n // Jamf Protect - Source Device Hostnames\n //\n TargetHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcIpAddr = column_ifexists(\"input_host_ips_s\", \"\"),\n DvcId = column_ifexists(\"input_host_provisioningUDID_g\", \"\"),\n DvcOs=\"macOS\",\n SrcDeviceType=\"Computer\",\n //\n // Jamf Protect Alerts - Process\n //\n ProcessEventType = case(input_match_event_type_d == 0, \"None\", input_match_event_type_d == 1, \"Create\", input_match_event_type_d == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input_match_event_subType_d == 7, \"Exec\", input_match_event_subType_d == 1, \"Fork\", input_match_event_subType_d == 23, \"Execve\", input_match_event_subType_d == 43190, \"Posix Spawn\", \"\"),\n ActingProcessName = tostring(Related_processes[array_length(Related_processes) - 1].path),\n ActingProcessCreationTime = format_datetime(unixtime_milliseconds_todatetime(tolong(Related_processes[array_length(Related_processes) - 1].startTimestamp)), 'HH:mm:ss'),\n 
ActingProcessId = coalesce(input_match_event_process_ppid_d, toreal(Related_processes[0].responsiblePID)),\n ActingProcessGuid = tostring(Related_processes[array_length(Related_processes) - 1].uuid),\n ParentProcessName = iff(array_length(Related_processes) > 1, tostring(Related_processes[1].path), \"\"),\n ParentProcessCreationTime = iff(array_length(Related_processes) > 1, format_datetime(unixtime_milliseconds_todatetime(tolong(Related_processes[1].startTimestamp)), 'HH:mm:ss'), \"\"),\n ParentProcessId = iff(array_length(Related_processes) > 1, toreal(Related_processes[1].pid), double(null)),\n ParentProcessGuid = iff(array_length(Related_processes) > 1, tostring(Related_processes[1].uuid), \"\"),\n TargetProcessName = coalesce(input_match_event_process_name_s, Related_processes[0].name),\n TargetProcessId = coalesce(toreal(input_match_event_process_pid_d), toreal(Related_processes[0].pid)),\n TargetProcessGuid = tostring(Related_processes[0].uuid),\n TargetProcessSHA1 = Related_binaries[0].sha1hex,\n TargetProcessSHA256 = Related_binaries[0].sha256hex,\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(tolong(input_match_event_process_startTimestamp_d)),\n TargetProcessCommandLine = column_ifexists(\"input_match_event_process_args_s\", \"\"),\n TargetProcessCurrentDirectory = column_ifexists(\"input_match_event_process_path_s\", \"\"),\n //TargetProcessStatusCode = column_ifexists(Related_processes[0].exitCode, \"\"),\n TargetUserId = toreal(coalesce(Related_users[1].uid, Related_processes[0].uid)),\n TargetUsername = tostring(coalesce(Related_users[1].name, Related_users[0].uid)),\n //\n // Jamf Protect Alerts - Files\n //\n TargetFilePath = tostring(coalesce(input_match_event_path_s, Related_files[0].path)),\n TargetFileSHA1 = Related_files[0].sha1hex,\n TargetFileSHA256 = Related_files[0].sha256hex,\n TargetFileSize = Related_files[0].size,\n TargetFileSigningInfoMessage = Related_files[0].signingInfo.statusMessage,\n TargetFileSignerType = 
case(Related_files[0].signingInfo.signerType == 0, \"Apple\", Related_files[0].signingInfo.signerType == 1, \"App Store\", Related_files[0].signingInfo.signerType == 2, \"Developer\", Related_files[0].signingInfo.signerType == 3, \"Ad Hoc\", Related_files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = Related_files[0].signingInfo.teamid,\n TargetFileIsDownload = case(Related_files[0].isDownload == \"true\", \"true\", Related_files[0].isDownload == \"false\", \"false\", \"\"),\n TargetFileIsAppBundle = case(Related_files[0].isAppBundle == \"true\", \"true\", Related_files[0].isAppBundle == \"false\", \"false\", \"\"),\n TargetFileIsDirectory = case(Related_files[0].isDirectory == \"true\", \"true\", Related_files[0].isDirectory == \"false\", \"false\", \"\"),\n TargetFileIsScreenshot = case(Related_files[0].isScreenShot == \"true\", \"true\", Related_files[0].isScreenShot == \"false\", \"false\", \"\"),\n //\n // Jamf Protect Alerts - Binaries\n TargetBinaryFilePath = Related_binaries[0].path,\n TargetBinarySHA1 = tostring(Related_binaries[0].sha1hex),\n TargetBinarySHA256 = tostring(Related_binaries[0].sha256hex),\n TargetBinarySigningInfoMessage = Related_binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(Related_binaries[0].signingInfo.signerType == 0, \"Apple\", Related_binaries[0].signingInfo.signerType == 1, \"App Store\", Related_binaries[0].signingInfo.signerType == 2, \"Developer\", Related_binaries[0].signingInfo.signerType == 3, \"Ad Hoc\", Related_binaries[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetBinarySigningTeamID = tostring(Related_binaries[0].signingInfo.teamid),\n TargetBinarySigningAppID = tostring(Related_binaries[0].signingInfo.appid)\n| project-reorder\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventMessage,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventProductVersion,\n EventReportUrl,\n 
TargetHostname,\n DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ActingProcessName,\n ActingProcessCreationTime,\n ActingProcessId,\n ActingProcessGuid,\n ParentProcessName,\n ParentProcessCreationTime,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessSHA256,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n //TargetProcessStatusCode,\n TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n TargetBinaryFilePath,\n TargetBinarySHA1,\n TargetBinarySHA256,\n TargetBinarySigningInfoMessage,\n TargetbinarySignerType,\n TargetBinarySigningTeamID,\n TargetBinarySigningAppID,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags,\n *input_match_event_*\n| project-keep\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventMessage,\n EventProductVersion,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventReportUrl,\n TargetHostname,\n DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ActingProcessName,\n ActingProcessCreationTime,\n ActingProcessId,\n ActingProcessGuid,\n ParentProcessName,\n ParentProcessCreationTime,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessSHA256,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n //TargetProcessStatusCode,\n 
TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n TargetBinaryFilePath,\n TargetBinarySHA1,\n TargetBinarySHA256,\n TargetBinarySigningInfoMessage,\n TargetbinarySignerType,\n TargetBinarySigningTeamID,\n TargetBinarySigningAppID,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags,\n *input_match_event_*\n};\n//\n// Jamf Protect - Unified Logs\n//\nlet JamfProtectUnifiedLog_view = view () {\n jamfprotect_CL\n | where input_eventType_s == \"GPUnifiedLogEvent\"\n and isnotempty(input_match_severity_d)\n // JSON Parsing at earliest stage\n | extend \n Related_users = parse_json(input_related_users_s),\n Related_files = parse_json(input_related_files_s),\n Related_binaries = parse_json(input_related_binaries_s),\n Related_groups = parse_json(input_related_groups_s),\n Related_processes = parse_json(input_related_processes_s),\n Match_facts = parse_json(input_match_facts_s),\n Match_tags = parse_json(input_match_tags_s),\n Match_actions = parse_json(input_match_actions_s),\n Match_context = parse_json(input_match_context_s),\n Match_event_process_signing = parse_json(input_match_event_process_signingInfo_s)\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Unified Log'\n | project-rename\n EventOriginalUid = input_match_uuid_g\n | extend\n // Jamf Protect - Common Fields\n EventType = case(\n input_eventType_s == \"GPClickEvent\",\n \"Click\",\n input_eventType_s == \"GPDownloadEvent\",\n \"Download\",\n input_eventType_s == \"GPFSEvent\",\n \"FileSystem\",\n input_eventType_s == \"GPProcessEvent\",\n \"Process\",\n input_eventType_s == \"GPKeylogRegisterEvent\",\n 
\"Keylog\",\n input_eventType_s == \"GPGatekeeperEvent\",\n \"Gatekeeper\",\n input_eventType_s == \"GPMRTEvent\",\n \"MRT\",\n input_eventType_s == \"GPPreventedExecutionEvent\",\n \"ProcessDenied\",\n input_eventType_s == \"GPThreatMatchExecEvent\",\n \"ProcessPrevented\",\n input_eventType_s == \"GPUnifiedLogEvent\",\n \"UnifiedLog\",\n input_eventType_s == \"GPUSBEvent\",\n \"USB\",\n input_eventType_s == \"Auth-mount\",\n \"UsbBlock\",\n \"Unknown\"\n ),\n EventDescription = coalesce(Match_facts[1].human, Match_facts[0].human),\n EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)),\n EventResult = case(Match_actions has \"Prevented\", \"Prevented\", \"Allowed\"),\n //\n // Jamf Protect - Unified Logs details\n //\n EventSeverity = case(input_match_severity_d == 0, \"Informational\", input_match_severity_d == 1, \"Low\", input_match_severity_d == 2, \"Medium\", input_match_severity_d == 3, \"High\", \"Informational\"),\n EventMatch = column_ifexists(\"input_match_event_matchValue_s\", \"\"),\n EventMatchType = column_ifexists(\"input_match_event_matchType_s\", \"\"),\n EventReportUrl = strcat(\"https://\", context_identity_claims_hd_s, \".jamfcloud.com/Alerts/\", EventOriginalUid),\n //\n // Jamf Protect - Source User\n SrcUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)),\n //\n // Jamf Protect - Source Device Hostnames\n //\n TargetHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcHostname = column_ifexists(\"input_host_hostname_s\", \"\"),\n DvcIpAddr = column_ifexists(\"input_host_ips_s\", \"\"),\n DvcId = column_ifexists(\"input_host_provisioningUDID_g\", \"\"),\n DvcOs=\"macOS\",\n SrcDeviceType=\"Computer\",\n //\n // Jamf Protect Unified Logs - Process\n //\n //ParentProcessName = coalesce(input_match_event_process_ppid_d, parse_json('input_related_processes_s')[0].ppid), //column_ifexists(\"exec_chain_child_parent_path_s\", \"\"), coalesce('input.match.event.process.ppid', 
mvindex('input.related.processes{}.ppid', 0))\n ProcessEventType = case(input_match_event_type_d == 0, \"None\", input_match_event_type_d == 1, \"Create\", input_match_event_type_d == 2, \"Exit\", \"\"),\n ProcessEventSubType = case(input_match_event_subType_d == 7, \"Exec\", input_match_event_subType_d == 1, \"Fork\", input_match_event_subType_d == 23, \"Execve\", input_match_event_subType_d == 43190, \"Posix Spawn\", \"\"),\n ParentProcessId = coalesce(input_match_event_process_ppid_d, toreal(Related_processes[0].ppid)),\n ParentProcessGuid = tostring(coalesce(input_match_event_process_pgid_d, toreal(Related_processes[0].pgid))),\n TargetProcessName = coalesce(input_match_event_process_name_s, Related_processes[0].name),\n TargetProcessId = coalesce(toreal(input_match_event_process_pid_d), toreal(Related_processes[0].pid)),\n TargetProcessGuid = tostring(Related_processes[0].uuid),\n TargetProcessSHA1 = Related_binaries[0].sha1hex,\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(tolong(input_match_event_process_startTimestamp_d)),\n TargetProcessCommandLine = column_ifexists(\"input_match_event_process_args_s\", \"\"),\n TargetProcessCurrentDirectory = column_ifexists(\"input_match_event_process_path_s\", \"\"),\n TargetUserId = toreal(coalesce(Related_users[1].uid, Related_users[0].uid)),\n TargetUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)),\n //\n // Jamf Protect Unified Logs - Files\n //\n TargetFilePath = tostring(coalesce(input_match_event_path_s, Related_files[0].path)),\n TargetFileSHA1 = Related_files[0].sha1hex,\n TargetFileSHA256 = Related_files[0].sha256hex,\n TargetFileSize = Related_files[0].size,\n TargetFileSigningInfoMessage = Related_files[0].signingInfo.statusMessage,\n TargetFileSignerType = case(Related_files[0].signingInfo.signerType == 0, \"Apple\", Related_files[0].signingInfo.signerType == 1, \"App Store\", Related_files[0].signingInfo.signerType == 2, \"Developer\", 
Related_files[0].signingInfo.signerType == 3, \"Ad Hoc\", Related_files[0].signingInfo.signerType == 4, \"Unsigned\", \"\"),\n TargetFileSigningTeamID = Related_files[0].signingInfo.teamid,\n TargetFileIsDownload = case(Related_files[0].isDownload == \"true\", \"true\", Related_files[0].isDownload == \"false\", \"false\", \"\"),\n TargetFileIsAppBundle = case(Related_files[0].isAppBundle == \"true\", \"true\", Related_files[0].isAppBundle == \"false\", \"false\", \"\"),\n TargetFileIsDirectory = case(Related_files[0].isDirectory == \"true\", \"true\", Related_files[0].isDirectory == \"false\", \"false\", \"\"),\n TargetFileIsScreenshot = case(Related_files[0].isScreenShot == \"true\", \"true\", Related_files[0].isScreenShot == \"false\", \"false\", \"\")\n | project-reorder\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventReportUrl,\n TargetHostname,\n DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags\n | project-keep\n TimeGenerated,\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventDescription,\n EventSeverity,\n EventMatch,\n EventMatchType,\n EventResult,\n EventReportUrl,\n TargetHostname,\n 
DvcHostname,\n DvcId,\n DvcOs,\n DvcIpAddr,\n SrcDeviceType,\n SrcUsername,\n ProcessEventType,\n ProcessEventSubType,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA1,\n TargetProcessCreationTime,\n TargetProcessCommandLine,\n TargetProcessCurrentDirectory,\n TargetUsername,\n TargetUserId,\n TargetFilePath,\n TargetFileSHA1,\n TargetFileSHA256,\n TargetFileSize,\n TargetFileSigningInfoMessage,\n TargetFileSignerType,\n TargetFileSigningTeamID,\n TargetFileIsAppBundle,\n TargetFileIsDirectory,\n TargetFileIsDownload,\n TargetFileIsScreenshot,\n Related_users,\n Related_files,\n Related_binaries,\n Related_groups,\n Related_processes,\n Match_event_process_signing,\n Match_facts,\n Match_actions,\n Match_tags,\n *input_match_event*\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s 
== \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetry_view = view () {\n jamfprotect_CL\n | where header_event_name_s startswith \"AUE_\" \n or header_event_name_s == \"PLAINTEXT_LOG_COLLECTION_EVENT\"\n or header_event_name_s == \"SYSTEM_PERFORMANCE_METRICS\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Telemetry'\n // Data Field Normalization\n //| project-rename \n // DvcIpAddr = input_host_ips_s,\n // DvcId = context_identity_claims_clientid_g\n | extend\n // Jamf Protect Alerts - Generic Information\n EventSeverity = case(\n input_match_severity_d == 0,\n \"Informational\",\n input_match_severity_d == 1,\n \"Low\",\n input_match_severity_d == 2,\n \"Medium\",\n input_match_severity_d == 
3,\n \"High\",\n \"Informational\"\n ),\n EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)),\n EventResult = coalesce(return_description_s, texts_s),\n // Jamf Protect Telemetry - Endpoint Information\n TargetModel = column_ifexists(\"metrics_hw_model_s\", \"\"),\n DvcOsVersion = column_ifexists(\"host_info_osversion_s\", \"\"),\n TargetHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"input_host_ips_s\", \"\"),\n DvcId = column_ifexists(\"context_identity_claims_clientid_g\", \"\"),\n // Jamf Protect - Event Types\n EventType = case(\n header_event_name_s == \"AUE_add_to_group\",\n \"UserAddedToGroup\",\n header_event_name_s == \"AUE_AUDITCTL\",\n \"AuditEvent\",\n header_event_name_s == \"AUE_AUDITON_SPOLICY\",\n \"AuditEvent\",\n header_event_name_s == \"AUE_auth_user\",\n \"Elevate\",\n header_event_name_s == \"AUE_BIND\",\n \"EndpointNetworkSession\",\n header_event_name_s == \"AUE_BIOS_FIRMWARE_VERSIONS\",\n \"SystemInformation\",\n header_event_name_s == \"AUE_CHDIR\",\n \"FolderMoved\",\n header_event_name_s == \"AUE_CHROOT\",\n \"FolderModified\",\n header_event_name_s == \"AUE_CONNECT\",\n \"EndpointNetworkSession\",\n header_event_name_s == \"AUE_create_group\",\n \"GroupCreated\",\n header_event_name_s == \"AUE_create_user\",\n \"UserCreated\",\n header_event_name_s == \"AUE_delete_group\",\n \"GroupDeleted\",\n header_event_name_s == \"AUE_delete_user\",\n \"UserDeleted\",\n header_event_name_s == \"AUE_EXECVE\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_EXIT\",\n \"ProcessTerminated\",\n header_event_name_s == \"AUE_FORK\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_GETAUID\",\n \"\",\n 
header_event_name_s == \"AUE_KILL\",\n \"ProcessTerminated\",\n header_event_name_s == \"AUE_LISTEN\",\n \"EndpointNetworkSession\",\n header_event_name_s == \"AUE_logout\",\n \"Logoff\",\n header_event_name_s == \"AUE_lw_login\",\n \"Logon\",\n header_event_name_s == \"AUE_MAC_SET_PROC\",\n \"AuditEvent\",\n header_event_name_s == \"AUE_modify_group\",\n \"GroupModified\",\n header_event_name_s == \"AUE_modify_password\",\n \"PasswordChanged\",\n header_event_name_s == \"AUE_modify_user\",\n \"UserModified\",\n header_event_name_s == \"AUE_MOUNT\",\n \"VolumeMount\",\n header_event_name_s == \"AUE_openssh\",\n \"SshInitiated\",\n header_event_name_s == \"AUE_PIDFORTASK\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_POSIX_SPAWN\",\n \"ProcessCreated\",\n header_event_name_s == \"AUE_remove_from_group\",\n \"UserRemovedFromGroup\",\n header_event_name_s == \"AUE_SESSION_CLOSE\",\n \"Logoff\",\n header_event_name_s == \"AUE_SESSION_END\",\n \"Logoff\",\n header_event_name_s == \"AUE_SESSION_START\",\n \"Logon\",\n header_event_name_s == \"AUE_SESSION_UPDATE\",\n \"\",\n header_event_name_s == \"AUE_SETPRIORITY\",\n \"\",\n header_event_name_s == \"AUE_SETSOCKOPT\",\n \"\",\n header_event_name_s == \"AUE_SETTIMEOFDAY\",\n \"SystemChange\",\n header_event_name_s == \"AUE_shutdown\",\n \"ShutdownInitiated\",\n header_event_name_s == \"AUE_SOCKETPAIR\",\n \"\",\n header_event_name_s == \"AUE_ssauthint\",\n \"Elevate\",\n header_event_name_s == \"AUE_ssauthmech\",\n \"Elevate\",\n header_event_name_s == \"AUE_ssauthorize\",\n \"Elevate\",\n header_event_name_s == \"AUE_TASKFORPID\",\n \"\",\n header_event_name_s == \"AUE_TASKNAMEFORPID\",\n \"\",\n header_event_name_s == \"AUE_UNMOUNT\",\n \"VolumeUnmount\",\n header_event_name_s == \"AUE_WAIT4\",\n \"ProcessTerminated\",\n header_event_name_s == \"PLAINTEXT_LOG_COLLECTION_EVENT\",\n \"LogFileCollected\",\n header_event_name_s == \"SYSTEM_PERFORMANCE_METRICS\",\n \"SystemPerformanceMetrics\",\n \"Unknown\"\n ),\n 
// Jamf Protect Telemetry - Process\n ParentProcessName = column_ifexists(\"subject_responsible_process_name_s\", \"\"),\n ParentProcessId = column_ifexists(\"subject_responsible_process_id_d\", \"\"),\n ParentProcessGuid = column_ifexists(\"exec_chain_child_parent_uuid_g\", \"\"),\n TargetProcessName = column_ifexists(\"subject_process_name_s\", \"\"),\n TargetProcessId = column_ifexists(\"subject_process_id_d\", \"\"),\n TargetProcessGuid = column_ifexists(\"exec_chain_thread_uuid_g\", \"\"),\n TargetProcessSHA256 = todynamic(column_ifexists(\"subject_process_hash_s\", \"\")),\n TargetUserId = toreal(column_ifexists(\"subject_user_id_d\", \"\")),\n TargetUsername = tostring(column_ifexists(\"subject_user_name_s\", \"\")),\n TargetProcessCommandLine = column_ifexists(\"exec_args_args_compiled_s\", \"\"),\n ActorUsername = tostring(column_ifexists(\"subject_effective_user_name_s\", \"\")),\n ActorUserId = column_ifexists(\"subject_audit_user_name_s\", \"\"),\n //column_ifexists(\"application_name_s\", \"\"),\n //\n // Jamf Protect Telemetry - Audit/Group\n //\n GroupName = todynamic(column_ifexists(\"subject_group_name_s\", \"\")),\n // Jamf Protect Telemetry - Network\n DstIpAddr = column_ifexists(\"socket_inet_ip_address_s\", \"\"),\n DstPortNumber = column_ifexists(\"socket_inet_port_d\", \"\"),\n NetworkProtocolVersion = case(socket_inet_id_d == 128, \"IPV4\", socket_inet_id_d == 129, \"IPV6\", \"\"),\n SrcIpAddr = column_ifexists(\"subject_terminal_id_ip_address_s\", \"\"),\n //\n // Jamf Protect Telemetry - Binaries\n //\n // TargetBinaryFilePath = todynamic(Related_binaries[0].path),\n TargetBinarySHA256 = tostring(identity_cd_hash_s),\n // TargetBinarySigningInfoMessage = Related_binaries[0].signingInfo.statusMessage,\n TargetbinarySignerType = case(identity_signer_type_d == 0, \"Developer\", identity_signer_type_d == 1, \"Apple\", \"\"),\n TargetBinarySigningTeamID = tostring(identity_team_id_s),\n TargetBinarySigningAppID = 
tostring(identity_signer_id_s),\n //\n // Jamf Protect Telemetry - Log File Collection\n //\n TargetFilePath = tostring(parse_json(path_s))\n | project-reorder\n EventStartTime,\n EventVendor,\n EventProduct,\n EventType,\n EventSeverity,\n EventResult,\n TargetHostname,\n DvcHostname,\n DvcId,\n DvcOsVersion,\n DvcIpAddr,\n TargetModel,\n TargetUserId,\n TargetUsername,\n ParentProcessName,\n ParentProcessId,\n ParentProcessGuid,\n TargetProcessName,\n TargetProcessId,\n TargetProcessGuid,\n TargetProcessSHA256,\n TargetProcessCommandLine,\n ActorUsername,\n ActorUserId,\n TargetBinarySHA256,\n TargetbinarySignerType,\n TargetBinarySigningTeamID,\n TargetBinarySigningAppID,\n GroupName,\n SrcIpAddr,\n DstIpAddr,\n DstPortNumber,\n NetworkProtocolVersion,\n TargetFilePath\n | project-away\n arguments_sflags_d,\n arguments_am_failure_d,\n arguments_am_success_d\n};\n//\n// Jamf Protect - Threat Events\n//\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n 
DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectNetworkTraffic_view, JamfProtectTelemetry_view, JamfProtectThreatEvents_view\n",
+ "query": "let JamfProtectAlerts_view = view () {\njamfprotectalerts_CL\n| extend\n ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),\n ParentProcessCreationTime = iff(\n array_length(input.related.processes) > 
1, \n unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), \n datetime(null)\n ),\n TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),\n TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),\n TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)\n };\nlet JamfProtectUnifiedLog_view = view () {\njamfprotectunifiedlogs_CL\n| extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp))\n};\n//\n// Jamf Protect - Endpoint Telemetry\n//\nlet JamfProtectTelemetryv1_view = view () {\njamfprotecttelemetryv1_CL\n| extend\n EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)),\n EventResult = coalesce(return.description, texts)\n};\nlet JamfProtectTelemetryv2_view = view () {\njamfprotecttelemetryv2_CL\n// Generic Fields\n| extend\n EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),\n eventTypeHuman = tostring(bag_keys(event)[0])\n| extend EventResult = iif((event[eventTypeHuman]['success'] == true), \"Success\", dynamic(null))\n| extend\n EventMessage = case(\n eventTypeHuman == \"authentication\",\n \"A user authentication happened\",\n eventTypeHuman == \"authorization_judgement\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"authorization_petition\",\n \"A process has its rights petition judged\",\n eventTypeHuman == \"bios_uefi\",\n \"Collection of bios and firmware data\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Apple’s Background Task Manager notified that an item has been added\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Apple’s Background Task Manager notified that an existing item has been removed\",\n eventTypeHuman == \"chroot\",\n \"Software has changed its apparent root directory in which it's actively operating out of\",\n eventTypeHuman == \"cs_invalidated\",\n \"The system detected that 
a process has had its code signature marked as invalid\",\n eventTypeHuman == \"exec\",\n \"A new process has been executed\",\n eventTypeHuman == \"kextload\",\n \"A kernel extension (kext) was loaded\",\n eventTypeHuman == \"kextunload\",\n \"A kernel extension (kext) was unloaded\",\n eventTypeHuman == \"login_login\",\n \"A user attempted to log in using /usr/bin/login\",\n eventTypeHuman == \"login_logout\",\n \"A user logged out from /usr/bin/login\",\n eventTypeHuman == \"lw_session_lock\",\n \"A user has locked the screen\",\n eventTypeHuman == \"lw_session_login\",\n \"A user has logged in via the Login Window\",\n eventTypeHuman == \"lw_session_logout\",\n \"A user has logged out of an active graphical session\",\n eventTypeHuman == \"lw_session_unlock\",\n \"A user has unlocked the screen from the Login Window\",\n eventTypeHuman == \"mount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute set on user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute added to a user or group using Open Directory\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute removed from a user or group using Open Directory\",\n eventTypeHuman == \"od_create_group\",\n \"A group has been created using Open Directory\",\n eventTypeHuman == \"od_create_user\",\n \"A user has been created using Open Directory\",\n eventTypeHuman == \"od_delete_group\",\n \"A group has been deleted using Open Directory\",\n eventTypeHuman == \"od_delete_user\",\n \"A user has been deleted using Open Directory\",\n eventTypeHuman == \"od_disable_user\",\n \"A user has been disabled using Open Directory\",\n eventTypeHuman == \"od_enable_user\",\n \"A user has been enabled using Open Directory\",\n eventTypeHuman == \"od_group_add\",\n \"A member has been added to a group using Open Directory\",\n eventTypeHuman == \"od_group_remove\",\n \"A member has been removed from a group using Open 
Directory\",\n eventTypeHuman == \"od_group_set\",\n \"A group has a member initialised or replaced using Open Directory\",\n eventTypeHuman == \"od_modify_password\",\n \"A user password is modified via Open Directory\",\n eventTypeHuman == \"openssh_login\",\n \"A user has logged into the system via OpenSSH\",\n eventTypeHuman == \"openssh_logout\",\n \"A user has logged out of an OpenSSH session\",\n eventTypeHuman == \"performance\",\n \"Collection of system performance data\",\n eventTypeHuman == \"profile_add\",\n \"A configuration profile is installed on the system\",\n eventTypeHuman == \"profile_remove\",\n \"A configuration profile is removed from the system\",\n eventTypeHuman == \"remount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"A screensharing session has attached to a graphical session\",\n eventTypeHuman == \"screenscharing_detach\",\n \"A screensharing session has detached from a graphical session\",\n eventTypeHuman == \"settime\",\n \"The system time was attempted to be set\",\n eventTypeHuman == \"su\",\n \"A user attempts to start a new shell using a substitute user identity\",\n eventTypeHuman == \"sudo\",\n \"A sudo attempt occured\",\n eventTypeHuman == \"unmount\",\n \"A file system has been mounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"Apple’s XProtect detected malware on the system\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"Apple’s XProtect remediated malware on the system\",\n eventTypeHuman == \"file_collection\",\n \"A crash or diagnostic file has been collected\",\n eventTypeHuman == \"log_collection\",\n \"Entries from a log file have been collected\",\n \"No reason yet defined for this event\"\n ),\n EventType = case(\n eventTypeHuman == \"authentication\",\n \"Logon\",\n eventTypeHuman == \"authorization_judgement\",\n \"ProcessCreated\",\n eventTypeHuman == \"authorization_petition\",\n \"ProcessCreated\",\n eventTypeHuman == \"bios_uefi\",\n 
\"Hardware\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"Create\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"Delete\",\n eventTypeHuman == \"chroot\",\n \"Set\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"exec\",\n \"ProcessCreated\",\n eventTypeHuman == \"kextload\",\n \"Create\",\n eventTypeHuman == \"kextunload\",\n \"Delete\",\n eventTypeHuman == \"login_login\",\n \"Logon\",\n eventTypeHuman == \"login_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_lock\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_login\",\n \"Logon\",\n eventTypeHuman == \"lw_session_logout\",\n \"Logoff\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Logon\",\n eventTypeHuman == \"mount\",\n \"FileSystemMounted\",\n eventTypeHuman == \"od_attribute_set\",\n \"Set\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Create\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Delete\",\n eventTypeHuman == \"od_create_group\",\n \"GroupCreated\",\n eventTypeHuman == \"od_create_user\",\n \"UserCreated\",\n eventTypeHuman == \"od_delete_group\",\n \"GroupDeleted\",\n eventTypeHuman == \"od_delete_user\",\n \"UserDeleted\",\n eventTypeHuman == \"od_disable_user\",\n \"UserDisabled\",\n eventTypeHuman == \"od_enable_user\",\n \"UserEnabled\",\n eventTypeHuman == \"od_group_add\",\n \"UserAddedToGroup\",\n eventTypeHuman == \"od_group_remove\",\n \"UserRemovedFromGroup\",\n eventTypeHuman == \"od_group_set\",\n \"GroupModified\",\n eventTypeHuman == \"od_modify_password\",\n \"PasswordChanged\",\n eventTypeHuman == \"openssh_login\",\n \"Logon\",\n eventTypeHuman == \"openssh_logout\",\n \"Logoff\",\n eventTypeHuman == \"performance\",\n \"PerformanceData\",\n eventTypeHuman == \"profile_add\",\n \"Create\",\n eventTypeHuman == \"profile_remove\",\n \"Delete\",\n eventTypeHuman == \"remount\",\n \"FileSystemRemounted\",\n eventTypeHuman == \"screenscharing_attach\",\n \"Logon\",\n eventTypeHuman == \"screenscharing_detach\",\n 
\"Logoff\",\n eventTypeHuman == \"settime\",\n \"Set\",\n eventTypeHuman == \"su\",\n \"Elevate\",\n eventTypeHuman == \"sudo\",\n \"Elevate\",\n eventTypeHuman == \"unmount\",\n \"FileSystemUnmounted\",\n eventTypeHuman == \"xp_malware_detected\",\n \"MalwareDetected\",\n eventTypeHuman == \"xp_malware_remediated\",\n \"MalwareRemediated\",\n \"\"\n ),\n EventSubType = case(\n eventTypeHuman == \"authentication\",\n \"Interactive\",\n eventTypeHuman == \"btm_launch_item_add\",\n \"btm\",\n eventTypeHuman == \"btm_launch_item_remove\",\n \"btm\",\n eventTypeHuman == \"chroot\",\n \"Directory\",\n eventTypeHuman == \"cs_invalidated\",\n \"Other\",\n eventTypeHuman == \"kextload\",\n \"System Settings\",\n eventTypeHuman == \"kextunload\",\n \"System Settings\",\n eventTypeHuman == \"login_login\",\n \"Interactive\",\n eventTypeHuman == \"login_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_lock\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_login\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_logout\",\n \"Interactive\",\n eventTypeHuman == \"lw_session_unlock\",\n \"Interactive\",\n eventTypeHuman == \"od_attribute_set\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_add\",\n \"Attribute\",\n eventTypeHuman == \"od_attribute_value_remove\",\n \"Attribute\",\n eventTypeHuman == \"openssh_login\",\n \"Interactive\",\n eventTypeHuman == \"openssh_logout\",\n \"Interactive\",\n eventTypeHuman == \"profile_add\",\n \"Configuration Profile\",\n eventTypeHuman == \"profile_remove\",\n \"Configuration Profile\",\n eventTypeHuman == \"screenscharing_attach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"screenscharing_detach\",\n \"RemoteInteractive\",\n eventTypeHuman == \"settime\",\n \"System Settings\",\n eventTypeHuman == \"su\",\n \"Interactive\",\n eventTypeHuman == \"sudo\",\n \"Interactive\",\n \"\"\n )\n// Jamf Protect Telemetry - Event Process\n| extend eventContext = \n iif(\n 
isnotempty(event[eventTypeHuman]['app']['audit_token']),\n event[eventTypeHuman]['app'],\n iif(\n isnotempty(event[eventTypeHuman]['target']['audit_token']),\n event[eventTypeHuman]['target'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['od']['audit_token']),\n event[eventTypeHuman]['data']['od'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['token']['audit_token']),\n event[eventTypeHuman]['data']['token'],\n iif(\n isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']),\n event[eventTypeHuman]['data']['touchid'],\n iif(\n isnotempty(event[eventTypeHuman]['instigator']['audit_token']),\n event[eventTypeHuman]['instigator'],\n ['process']\n)\n)\n)\n)\n)\n)\n| extend\n TargetProcessName = tostring(eventContext.executable.path),\n TargetProcessId = tostring(eventContext.audit_token.pid),\n TargetProcessGuid = tostring(eventContext.audit_token.uuid),\n TargetProcessCreationTime = tostring(eventContext.start_time),\n TargetProcessSHA1 = tostring(eventContext.executable.sha1),\n TargetProcessSHA256 = tostring(eventContext.executable.sha256),\n TargetProcessCommandLine = event[eventTypeHuman]['args'],\n TargetProcessTTY = tostring(eventContext.tty.path),\n TargetBinarySigningAppID = tostring(eventContext.signing_id),\n TargetBinarySigningTeamID = tostring(eventContext.team_id),\n TargetBinaryCDHash = tostring(eventContext.cdhash),\n TargetBinaryIsESClient = tobool(eventContext.is_es_client),\n TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),\n TargetUserId = tostring(eventContext.audit_token.euid),\n ActingProcessId = tostring(eventContext.parent_audit_token.pid),\n ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),\n ActorUserId = tostring(eventContext.parent_audit_token.euid),\n ParentProcessId = tostring(eventContext.responsible_audit_token.pid),\n ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)\n// Jamf Protect Telemetry - Revealing Code Signing flags\n| extend 
TargetProcessCodesignFlags = \n iif(isnotempty(eventContext.codesigning_flags),\n bag_pack(\n \"CS_VALID\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false),\n \"CS_ADHOC\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false),\n \"CS_GET_TASK_ALLOW\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false),\n \"CS_INSTALLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false),\n \"CS_FORCED_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false),\n \"CS_INVALID_ALLOWED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false),\n \"CS_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false),\n \"CS_KILL\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false),\n \"CS_CHECK_EXPIRATION\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false),\n \"CS_RESTRICT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false),\n \"CS_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false),\n \"CS_REQUIRE_LV\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false),\n \"CS_ENTITLEMENTS_VALIDATED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false),\n \"CS_NVRAM_UNRESTRICTED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false),\n \"CS_RUNTIME\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false),\n \"CS_LINKER_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false),\n \"CS_EXEC_SET_HARD\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false),\n \"CS_EXEC_SET_KILL\",\n 
iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false),\n \"CS_EXEC_SET_ENFORCEMENT\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false),\n \"CS_EXEC_INHERIT_SIP\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false),\n \"CS_KILLED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false),\n \"CS_DYLD_PLATFORM\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false),\n \"CS_PLATFORM_BINARY\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false),\n \"CS_PLATFORM_PATH\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false),\n \"CS_DEBUGGED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false),\n \"CS_SIGNED\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false),\n \"CS_DEV_CODE\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false),\n \"CS_DATAVAULT_CONTROLLER\",\n iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false)\n ), \"\")\n// Event Specific - authentication\n| extend TargetUsername =\n iif(\n isnotempty(event[eventTypeHuman]['username']),\n event[eventTypeHuman]['username'],\n iif(\n isnotempty(event[eventTypeHuman]['to_username']),\n event[eventTypeHuman]['to_username'],\n iif(\n isnotempty(event[eventTypeHuman]['account_name']),\n event[eventTypeHuman]['account_name'],\n iif(\n isnotempty(event[eventTypeHuman]['user_name']),\n event[eventTypeHuman]['user_name'],\n iif(\n isnotempty(event[eventTypeHuman]['authentication_username']),\n event[eventTypeHuman]['authentication_username'],\n \"\"\n)\n)\n)\n)\n)\n// Event Specific - authentication\n| extend ActorUsername = \n iif(\n isnotempty(event[eventTypeHuman]['from_username']),\n event[eventTypeHuman]['from_username'],\n iif(\n 
isnotempty(event[eventTypeHuman]['session_username']),\n event[eventTypeHuman]['session_username'],\n \"\"\n)\n)\n| extend Authentication = iif(\n eventTypeHuman == \"authentication\",\n bag_pack(\n \"authentication_method\",\n iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), \"\")\n),\n dynamic(null)\n )\n// Event Specific - bios_uefi\n| extend HardwareInformation = iif(\n eventTypeHuman == \"bios_uefi\",\n bag_pack(\n \"host_architecture\",\n iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, \"\"),\n \"firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], \"\"),\n \"system_firmware_version\",\n iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], \"\")\n),\n dynamic(null)\n )\n// Event Specific - btm_launch_item_add & btm_launch_item_remove\n| extend BtmItem = iif(\n eventTypeHuman in (\"btm_launch_item_add\", \"btm_launch_item_remove\", \"remount\"),\n bag_pack(\n \"btm_executable_path\",\n iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, \"\"),\n \"btm_item_app_url\",\n iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, \"\"),\n \"btm_item_url\",\n iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, \"\"),\n \"btm_item_managed\",\n iff(isnotempty(event[eventTypeHuman].item.managed), event[eventTypeHuman].item.managed, \"\"),\n \"btm_item_legacy\",\n iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, \"\"),\n \"btm_item_uid\",\n iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, \"\"),\n \"btm_item_type\",\n iff(\n isnotempty(event[eventTypeHuman].item.item_type),\n case(\n event[eventTypeHuman].item.item_type == 0,\n \"UserItem\",\n 
event[eventTypeHuman].item.item_type == 1,\n \"App\",\n event[eventTypeHuman].item.item_type == 2,\n \"LoginItem\",\n event[eventTypeHuman].item.item_type == 3,\n \"LaunchAgent\",\n event[eventTypeHuman].item.item_type == 4,\n \"LaunchDaemon\",\n \"Unknown\"\n),\n \"\"\n)\n),\n dynamic(null)\n )\n// Event Specific - chroot\n| extend Chroot = iif(\n eventTypeHuman == \"chroot\",\n bag_pack(\n \"apparent_root_directory\",\n iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, \"\"),\n \"stats\",\n iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, \"\")\n),\n dynamic(null)\n )\n// Event Specific - cs_invalidated\n// Event Specific - exec\n// Event Specific - kextload & kextunload\n| extend KernelExtension = iif(\n eventTypeHuman in (\"kextload\", \"kextunload\"),\n bag_pack(\n \"kext_identifier\",\n iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, \"\")\n),\n dynamic(null)\n )\n// Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout\n| extend LoginWindowSession = iif(\n eventTypeHuman in (\"lw_session_lock\", \"lw_session_unlock\", \"lw_session_login\", \"lw_session_logout\"),\n bag_pack(\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, \"\")\n),\n dynamic(null)\n )\n// Event Specific - mount & remount & unmount\n| extend FileSystem = iif(\n eventTypeHuman in (\"mount\", \"unmount\", \"remount\"),\n bag_pack(\n \"volume_device_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, \"\"),\n \"volume_mount_name\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, \"\"),\n \"volume_file_system_type\",\n iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, \"\"),\n \"volume_size\",\n 
iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, \"\")\n),\n dynamic(null)\n )\n// Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user\n| extend OpenDirectory = iif(\n eventTypeHuman in (\"od_attribute_set\", \"od_attribute_value_add\", \"od_attribute_value_remove\", \"od_create_group\", \"od_create_user\", \"od_delete_group\", \"od_delete_user\", \"od_disable_user\", \"od_enable_user\"),\n bag_pack(\n \"group_name\",\n iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, \"\"),\n \"member_array\",\n iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, \"\"),\n \"member_value\",\n iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, \"\"),\n \"user_name\",\n iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, \"\"),\n \"account_name\",\n iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, \"\"),\n \"db_path\",\n iff(isnotempty(event[eventTypeHuman].db_path), event[eventTypeHuman].db_path, \"\"),\n \"record_name\",\n iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\"),\n \"node_name\",\n iff(isnotempty(event[eventTypeHuman].node_name), event[eventTypeHuman].node_name, \"\")\n),\n dynamic(null)\n )\n// Event Specific - openssh_login & openssh_logout\n| extend SSHContext = iif(\n eventTypeHuman in (\"openssh_login\", \"openssh_logout\"),\n bag_pack(\n \"source_address_type\", \n iff(\n 
isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n),\n \"result_type\", \n iff(\n isnotempty(event[eventTypeHuman].result_type),\n case(\n event[eventTypeHuman].result_type == 0,\n \"Exceeded maximum attempts\",\n event[eventTypeHuman].result_type == 1,\n \"Denied by root\",\n event[eventTypeHuman].result_type == 2,\n \"Success\",\n event[eventTypeHuman].result_type == 3,\n \"No reason\",\n event[eventTypeHuman].result_type == 4,\n \"Password\",\n event[eventTypeHuman].result_type == 5,\n \"kbdint\",\n event[eventTypeHuman].result_type == 6,\n \"Public key\",\n event[eventTypeHuman].result_type == 7,\n \"Host based\",\n event[eventTypeHuman].result_type == 8,\n \"GSS API\",\n event[eventTypeHuman].result_type == 9,\n \"Invalid user\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null) \n )\n// Event Specific - performance\n// Event Specific - profile_add & profile_remove\n| extend Profile = iif(\n eventTypeHuman in (\"profile_add\", \"profile_remove\"),\n bag_pack(\n \"profile_scope\",\n iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, \"\"),\n \"profile_identifier\",\n iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, \"\"),\n \"profile_uuid\",\n iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, \"\"),\n \"profile_display_name\",\n iff(isnotempty(event[eventTypeHuman].profile.display_name), event[eventTypeHuman].profile.display_name, \"\"),\n \"profile_organization\",\n iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, \"\"),\n \"profile_is_updated\",\n 
iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, \"\"),\n \"profile_install_source\", \n iff(\n isnotempty(event[eventTypeHuman].profile.install_source),\n case(\n event[eventTypeHuman].profile.install_source == 0,\n \"mdm\",\n event[eventTypeHuman].profile.install_source == 1,\n \"manual\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - screenscharing_attach & screensharing_detach\n| extend Screensharing = iif(\n eventTypeHuman in (\"screensharing_attach\", \"screensharing_detach\"),\n bag_pack(\n \"existing_session\",\n iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, \"\"),\n \"graphical_session_id\",\n iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, \"\"),\n \"session_username\",\n iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, \"\"),\n \"viewer_appleid\",\n iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, \"\"),\n \"authentication_type\",\n iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, \"\"),\n \"source_address\",\n iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, \"\"),\n \"source_address_type\", \n iff(\n isnotempty(event[eventTypeHuman].source_address_type),\n case(\n event[eventTypeHuman].source_address_type == 0,\n \"Unknown\",\n event[eventTypeHuman].source_address_type == 1,\n \"IPv4\",\n event[eventTypeHuman].source_address_type == 2,\n \"IPv6\",\n event[eventTypeHuman].source_address_type == 3,\n \"UNIX Socket\",\n \"Unknown\"\n),\n \"\" \n)\n),\n dynamic(null)\n )\n// Event Specific - su\n| extend Su = iif(\n eventTypeHuman == \"su\",\n bag_pack(\n \"username\",\n iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, \"\"),\n \"uid\",\n 
iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, \"\"),\n \"args\",\n iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, \"\"),\n \"env_vars\",\n iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, \"\"),\n \"env_count\",\n iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, \"\"),\n \"from_username\",\n iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, \"\"),\n \"to_username\",\n iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, \"\"),\n \"failure_message\",\n iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, \"\")\n),\n dynamic(null)\n )\n// Event Specific - sudo\n| extend Sudo = iif(\n eventTypeHuman == \"sudo\",\n bag_pack(\n \"TargetProcessCommandLine\",\n iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, \"\"),\n \"attribute_name\",\n iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, \"\"),\n \"attribute_value\",\n iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, \"\")\n),\n dynamic(null)\n )\n// Event Specific - xp_malware_detected & xp_malware_remediated\n| extend Xprotect = iif(\n eventTypeHuman in (\"xp_malware_detected\", \"xp_malware_remediated\"),\n bag_pack(\n \"detected_path\",\n iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, \"\"),\n \"remediated_path\",\n iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, \"\"),\n \"malware_identifier\",\n iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, \"\"),\n \"signature_version\",\n iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, \"\")\n),\n dynamic(null)\n )\n| 
project-away\naction,\nevent,\nprocess\n};\n//\n// Jamf Protect - Network Traffic\n//\nlet JamfProtectNetworkTraffic_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Network Traffic Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Network Traffic Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventType = \"query\",\n EventSubType = \"request\",\n EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)),\n EventResult = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Prevented\", ''),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername = column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs = case(event_device_osType_s == \"MAC_OS\", \"macOS\", event_device_osType_s == \"IOS\", \"iOS\", event_device_osType_s == \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType = case(event_device_osType_s == \"MAC_OS\", \"Computer\", event_device_osType_s == \"IOS\", \"Mobile Device\", event_device_osType_s == \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery = column_ifexists('event_hostName_s', ''),\n DvcAction = case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName = column_ifexists('event_domain_s', ''),\n DstIpAddr = column_ifexists('event_destination_ips_s', ''),\n ThreatCategory = column_ifexists('event_eventType_description_s', ''),\n DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''),\n DnsResponseName = 
column_ifexists('event_dns_responseStatus_s', ''),\n ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '')\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventType,\n EventSubType,\n EventStartTime,\n EventResult,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n DvcOs,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n DnsQueryTypeName,\n DvcAction,\n DnsResponseName,\n ThreatOriginalRiskLevel\n};\n// //\n// // Jamf Protect - Threat Events\n// //\nlet JamfProtectThreatEvents_view = view () {\n jamfprotect_CL\n | where event_metadata_product_s == \"Threat Events Stream\"\n // ASIM - Common Fields\n | extend EventVendor = 'Jamf'\n | extend EventProduct = 'Jamf Protect - Threat Events Stream'\n | project-rename\n | extend\n // Jamf Protect - Common Fields\n EventStartTime = column_ifexists(\"event_timestamp_t\", \"\"),\n EventResult=case(event_action_s == \"Blocked\", \"Blocked\", event_action_s == \"Detected\", \"Detected\", ''),\n EventReportUrl = column_ifexists(\"event_eventUrl_s\", \"\"),\n // Jamf Protect - Alert Details\n EventSeverity = case(event_severity_d == 2, \"Informational\", event_severity_d == 4, \"Low\", event_severity_d == 6, \"Medium\", event_severity_d == 8, \"High\", event_severity_d == 10, \"High\", \"Informational\"),\n // Jamf Protect - Source User\n SrcUsermail=column_ifexists('event_user_email_s', ''),\n SrcUsername=column_ifexists('event_user_name_s', ''),\n // Jamf Protect - Source Device Hostnames\n DvcHostname = column_ifexists(\"event_device_userDeviceName_s\", \"\"),\n DvcIpAddr = column_ifexists(\"event_source_ip_s\", \"\"),\n DvcId = column_ifexists(\"event_device_externalId_g\", \"\"),\n DvcOs=case(event_device_os_s has \"MAC_OS\", \"macOS\", event_device_os_s has \"IOS\", \"iOS\", event_device_os_s has \"ANDROID\", \"Android\", \"Other\"),\n SrcDeviceType=case(event_device_os_s has \"MAC_OS\", \"Computer\", event_device_os_s has \"IOS\", \"Mobile Device\", 
event_device_os_s has \"ANDROID\", \"Mobile Device\", \"Other\"),\n // Jamf Protect - DNS Specific\n DnsQuery=column_ifexists('event_hostName_s', ''),\n DvcAction=case(event_blocked_b == \"false\", \"Allowed\", event_blocked_b == \"true\", \"Blocked\", ''),\n DnsQueryName=column_ifexists('event_destination_name_s', ''),\n DstIpAddr=column_ifexists('event_destination_ip_s', ''),\n ThreatCategory=column_ifexists('event_eventType_description_s', ''),\n ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''),\n // Jamf Protect - App Specific\n TargetFileName = column_ifexists(\"event_app_name_s\", \"\"),\n TargetFileSHA1 = column_ifexists(\"event_app_sha1_s\", \"\"),\n TargetFileSHA256 = column_ifexists(\"event_app_sha256_s\", \"\")\n | project-keep\n TimeGenerated,\n EventVendor,\n EventProduct,\n EventStartTime,\n EventResult,\n EventReportUrl,\n EventSeverity,\n DvcHostname,\n DvcIpAddr,\n DvcId,\n SrcDeviceType,\n SrcUsermail,\n SrcUsername,\n DnsQuery,\n DnsQueryName,\n DstIpAddr,\n ThreatCategory,\n DvcAction,\n ThreatOriginalRiskLevel,\n TargetFileName,\n TargetFileSHA1,\n TargetFileSHA256\n};\nunion isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -670,90 +2306,91 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "JamfProtect",
 "dataTypes": [
 "jamfprotect_CL"
- ]
+ ],
+ "connectorId": "JamfProtect"
 }
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "DvcHostname",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "DvcHostname"
 },
 {
- "columnName": "DvcOs",
- "identifier": "OSFamily"
+ "identifier": "OSFamily",
+ "columnName": "DvcOs"
 },
 {
- "columnName": "DvcOsVersion",
- "identifier": "OSVersion"
+ "identifier": "OSVersion",
+ "columnName": "DvcOsVersion"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "Host_IPs",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "Host_IPs"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "TargetUsername",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "TargetUsername"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "columnName": "TargetProcessCurrentDirectory",
- "identifier": "CommandLine"
+ "identifier": "CommandLine",
+ "columnName": "TargetProcessCurrentDirectory"
 },
 {
- "columnName": "TargetProcessId",
- "identifier": "ProcessId"
+ "identifier": "ProcessId",
+ "columnName": "TargetProcessId"
 }
- ]
+ ],
+ "entityType": "Process"
 },
 {
- "entityType": "FileHash",
 "fieldMappings": [
 {
- "columnName": "algorithm",
- "identifier": "Algorithm"
+ "identifier": "Algorithm",
+ "columnName": "algorithm"
 },
 {
- "columnName": "TargetBinarySHA256",
- "identifier": "Value"
+ "identifier": "Value",
+ "columnName": "TargetBinarySHA256"
 }
- ]
+ ],
+ "entityType": "FileHash"
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "TargetbinarySign": "TargetbinarySignerType",
- "JamfPro_Status": "JamfPro",
 "Protect_Tags": "Tags",
+ "Related_Binaries": "TargetBinaryFilePath",
 "TargetBinarySigner": "TargetBinarySigningTeamID",
- "Related_File_hash": "TargetBinarySHA256",
 "Protect_Analytic": "EventMessage",
 "Protect_Event_Type": "EventType",
+ "TargetbinarySign": "TargetbinarySignerType",
+ "Related_File_hash": "TargetBinarySHA256",
 "TargetBinarySignMsg": "TargetBinarySigningInfoMessage",
- "Related_Binaries": "TargetBinaryFilePath"
+ "JamfPro_Status": "JamfPro"
 },
 "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{EventDescription}} - Please investigate",
 "alertTacticsColumnName": "Tactics",
 "alertSeverityColumnName": "EventSeverity",
 "alertDynamicProperties": [
@@ -774,16 +2411,15 @@
 "alertProperty": "Techniques"
 }
 ],
- "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
- "alertDescriptionFormat": "{{EventDescription}} - Please investigate"
+ "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}"
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "PT5H",
 "matchingMethod": "AllEntities",
- "enabled": false,
- "reopenClosedIncident": false
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "enabled": false
 }
 }
 }
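Review bot: The Process entity maps its `CommandLine` identifier to `TargetProcessCurrentDirectory`, yet in the parser version this commit replaces (visible further down the page) that column is filled from `input_match_event_process_path_s`, a path, while the argument string lives in `TargetProcessCommandLine`; unless the new parser changed those columns, the mapping should read `"columnName": "TargetProcessCommandLine"`. The FileHash entity takes its `Algorithm` value from a column named `algorithm`, which none of the parser column lists visible on this page include, so it is worth confirming the rule query projects it. The commit only reorders these lines and the template appears to be generated from the rule YAML, so either fix belongs in the source rule; the rule object that holds these mappings starts before the hunk.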
@@ -863,59 +2499,62 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "JamfProtect",
 "dataTypes": [
 "jamfprotect_CL"
- ]
+ ],
+ "connectorId": "JamfProtect"
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1133"
+ ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "Hostname",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "Hostname"
 },
 {
- "columnName": "DvcOs",
- "identifier": "OSFamily"
+ "identifier": "OSFamily",
+ "columnName": "DvcOs"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "DstIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "DstIpAddr"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "SrcUsermail",
- "identifier": "AadUserId"
+ "identifier": "AadUserId",
+ "columnName": "SrcUsermail"
 },
 {
- "columnName": "SrcUsername",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "SrcUsername"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "DnsQueryName",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "DnsQueryName"
 }
- ]
+ ],
+ "entityType": "URL"
 }
 ],
 "eventGroupingSettings": {
@@ -925,6 +2564,7 @@
 "Category": "ThreatCategory"
 },
 "alertDetailsOverride": {
+ "alertDescriptionFormat": "A Network Threat has been {{EventResult}} on {{DvcHostname}}",
 "alertTacticsColumnName": "Tactics",
 "alertSeverityColumnName": "EventSeverity",
 "alertDynamicProperties": [
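Review bot: The Account entity maps `SrcUsermail` to the `AadUserId` identifier, which Sentinel treats as the Entra ID object id rather than an address, so the e-mail value will not resolve to an account entity; `"identifier": "FullName", "columnName": "SrcUsermail"` (with `SrcUsername` moved to `Name`), or a `Name` + `UPNSuffix` split in the rule query, matches what the column holds. The commit only reorders these lines and the template appears to be generated from the rule YAML, so the change belongs in the source rule. The added `techniques` value `T1133` is consistent with the existing `InitialAccess` tactic.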
@@ -949,16 +2589,15 @@
 "alertProperty": "Techniques"
 }
 ],
- "alertDisplayNameFormat": "Network Threat detected on {{DvcHostname}}",
- "alertDescriptionFormat": "A Network Threat has been {{EventResult}} on {{DvcHostname}}"
+ "alertDisplayNameFormat": "Network Threat detected on {{DvcHostname}}"
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "PT5H",
 "matchingMethod": "AllEntities",
- "enabled": false,
- "reopenClosedIncident": false
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "enabled": false
 }
 }
 }
@@ -1038,42 +2677,43 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "JamfProtect",
 "dataTypes": [
 "jamfprotect_CL"
- ]
+ ],
+ "connectorId": "JamfProtect"
 }
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "DvcHostname",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "DvcHostname"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "Host_IPs",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "Host_IPs"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "Protect_Event_Type": "EventType",
- "Event_Process": "TargetProcessName",
 "Unified_Log": "EventDescription",
- "Tags": "Match_tags"
+ "Tags": "Match_tags",
+ "Protect_Event_Type": "EventType",
+ "Event_Process": "TargetProcessName"
 },
 "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{EventDescription}} has been captured in the unified logs",
 "alertSeverityColumnName": "EventSeverity",
 "alertDynamicProperties": [
 {
@@ -1085,16 +2725,15 @@
 "alertProperty": "ProductName"
 }
 ],
- "alertDisplayNameFormat": "{{EventDescription}} on {{DvcHostname}}",
- "alertDescriptionFormat": "{{EventDescription}} has been captured in the unified logs"
+ "alertDisplayNameFormat": "{{EventDescription}} on {{DvcHostname}}"
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "PT5H",
 "matchingMethod": "AllEntities",
- "enabled": false,
- "reopenClosedIncident": false
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "enabled": false
 }
 }
 }
@@ -3675,7 +5314,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "Jamf Protect",
 "publisherDisplayName": "Jamf Software, LLC",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Jamf Protect solution for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3, Hunting Queries: 7, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Jamf Protect solution for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 3, Hunting Queries: 7, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -3705,6 +5344,11 @@
 "contentId": "[variables('_dataConnectorContentId1')]",
 "version": "[variables('dataConnectorVersion1')]"
 },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Jamf Protect/Package/testParameters.json b/Solutions/Jamf Protect/Package/testParameters.json
index 3f390a145a5..52529e16dab 100644
--- a/Solutions/Jamf Protect/Package/testParameters.json
+++ b/Solutions/Jamf Protect/Package/testParameters.json
@@ -21,6 +21,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "Jamf Protect Workbook",
diff --git a/Solutions/Jamf Protect/Parsers/JamfProtect.yaml b/Solutions/Jamf Protect/Parsers/JamfProtect.yaml
index 75d977b1529..6ed694f2026 100644
--- a/Solutions/Jamf Protect/Parsers/JamfProtect.yaml
+++ b/Solutions/Jamf Protect/Parsers/JamfProtect.yaml
@@ -1,816 +1,852 @@
 id: d941b837-88fa-4c77-a4d8-76af0044cac0
 Function:
 Title: Parser for JamfProtect
- Version: '3.1.0'
- LastUpdated: '2024-01-12'
+ Version: '3.2.0'
+ LastUpdated: '2025-01-06'
 Category: Microsoft Sentinel Parser
 FunctionName: JamfProtect
 FunctionAlias: JamfProtect
 FunctionQuery: |
- let JamfProtectAlerts_view = view () {
- jamfprotect_CL
- | where topicType_s == "alert"
- and input_eventType_s <> "GPUnifiedLogEvent"
- and isnotempty(input_match_severity_d)
- // JSON Parsing at earliest stage
- | extend
- Related_users = parse_json(input_related_users_s),
- Related_files = parse_json(input_related_files_s),
- Related_binaries = parse_json(input_related_binaries_s),
- Related_groups = parse_json(input_related_groups_s),
- Related_processes = parse_json(input_related_processes_s),
- Match_facts = parse_json(input_match_facts_s),
- Match_tags = parse_json(input_match_tags_s),
- Match_actions = parse_json(input_match_actions_s),
- Match_context = parse_json(input_match_context_s),
- Match_event_process_signing = parse_json(input_match_event_process_signingInfo_s)
- // ASIM - Common Fields
- | extend EventVendor = 'Jamf'
- | extend EventProduct = 'Jamf Protect - Alerts'
- | project-rename
- EventOriginalUid = input_match_uuid_g
- | extend
- // Jamf Protect - Common Fields
- EventType = case(
- input_eventType_s == "GPClickEvent",
- "Click",
- input_eventType_s == "GPDownloadEvent",
- "Download",
- input_eventType_s == "GPFSEvent",
- "FileSystem",
- input_eventType_s == "GPProcessEvent",
- "Process",
- input_eventType_s == "GPKeylogRegisterEvent",
- "Keylog",
- input_eventType_s == "GPGatekeeperEvent",
- "Gatekeeper",
- input_eventType_s == "GPMRTEvent",
- "MRT",
- input_eventType_s == "GPPreventedExecutionEvent",
- "ProcessDenied",
- input_eventType_s == "GPThreatMatchExecEvent",
- "ProcessPrevented",
- input_eventType_s == "GPUnifiedLogEvent",
- "UnifiedLog",
- input_eventType_s == "GPUSBEvent",
- "USB",
- input_eventType_s == "auth-mount",
- 
"UsbBlock", - "Unknown" - ), - EventDescription = coalesce(Match_facts[1].human, Match_facts[0].human), - EventMessage = coalesce(Match_facts[1].name, Match_facts[0].name), - EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)), - EventResult = case(Match_actions has "Prevented", "Prevented", "Allowed"), - EventProductVersion = column_ifexists("input_host_protectVersion_s", ""), - // - // Jamf Protect - Alert details - // - EventSeverity = case(input_match_severity_d == 0, "Informational", input_match_severity_d == 1, "Low", input_match_severity_d == 2, "Medium", input_match_severity_d == 3, "High", "Informational"), - EventMatch = column_ifexists("input_match_event_matchValue_s", ""), - EventMatchType = column_ifexists("input_match_event_matchType_s", ""), - EventReportUrl = strcat("https://", context_identity_claims_hd_s, ".jamfcloud.com/Alerts/", EventOriginalUid), - // - // Jamf Protect - Source User - SrcUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)), - // - // Jamf Protect - Source Device Hostnames - // - TargetHostname = column_ifexists("input_host_hostname_s", ""), - DvcHostname = column_ifexists("input_host_hostname_s", ""), - DvcIpAddr = column_ifexists("input_host_ips_s", ""), - DvcId = column_ifexists("input_host_provisioningUDID_g", ""), - DvcOs="macOS", - SrcDeviceType="Computer", - // - // Jamf Protect Alerts - Process - // - ProcessEventType = case(input_match_event_type_d == 0, "None", input_match_event_type_d == 1, "Create", input_match_event_type_d == 2, "Exit", ""), - ProcessEventSubType = case(input_match_event_subType_d == 7, "Exec", input_match_event_subType_d == 1, "Fork", input_match_event_subType_d == 23, "Execve", input_match_event_subType_d == 43190, "Posix Spawn", ""), - ActingProcessName = tostring(Related_processes[array_length(Related_processes) - 1].path), - ActingProcessCreationTime = 
format_datetime(unixtime_milliseconds_todatetime(tolong(Related_processes[array_length(Related_processes) - 1].startTimestamp)), 'HH:mm:ss'), - ActingProcessId = coalesce(input_match_event_process_ppid_d, toreal(Related_processes[0].responsiblePID)), - ActingProcessGuid = tostring(Related_processes[array_length(Related_processes) - 1].uuid), - ParentProcessName = iff(array_length(Related_processes) > 1, tostring(Related_processes[1].path), ""), - ParentProcessCreationTime = iff(array_length(Related_processes) > 1, format_datetime(unixtime_milliseconds_todatetime(tolong(Related_processes[1].startTimestamp)), 'HH:mm:ss'), ""), - ParentProcessId = iff(array_length(Related_processes) > 1, toreal(Related_processes[1].pid), double(null)), - ParentProcessGuid = iff(array_length(Related_processes) > 1, tostring(Related_processes[1].uuid), ""), - TargetProcessName = coalesce(input_match_event_process_name_s, Related_processes[0].name), - TargetProcessId = coalesce(toreal(input_match_event_process_pid_d), toreal(Related_processes[0].pid)), - TargetProcessGuid = tostring(Related_processes[0].uuid), - TargetProcessSHA1 = Related_binaries[0].sha1hex, - TargetProcessSHA256 = Related_binaries[0].sha256hex, - TargetProcessCreationTime = unixtime_milliseconds_todatetime(tolong(input_match_event_process_startTimestamp_d)), - TargetProcessCommandLine = column_ifexists("input_match_event_process_args_s", ""), - TargetProcessCurrentDirectory = column_ifexists("input_match_event_process_path_s", ""), - //TargetProcessStatusCode = column_ifexists(Related_processes[0].exitCode, ""), - TargetUserId = toreal(coalesce(Related_users[1].uid, Related_processes[0].uid)), - TargetUsername = tostring(coalesce(Related_users[1].name, Related_users[0].uid)), - // - // Jamf Protect Alerts - Files - // - TargetFilePath = tostring(coalesce(input_match_event_path_s, Related_files[0].path)), - TargetFileSHA1 = Related_files[0].sha1hex, - TargetFileSHA256 = Related_files[0].sha256hex, - TargetFileSize = 
Related_files[0].size, - TargetFileSigningInfoMessage = Related_files[0].signingInfo.statusMessage, - TargetFileSignerType = case(Related_files[0].signingInfo.signerType == 0, "Apple", Related_files[0].signingInfo.signerType == 1, "App Store", Related_files[0].signingInfo.signerType == 2, "Developer", Related_files[0].signingInfo.signerType == 3, "Ad Hoc", Related_files[0].signingInfo.signerType == 4, "Unsigned", ""), - TargetFileSigningTeamID = Related_files[0].signingInfo.teamid, - TargetFileIsDownload = case(Related_files[0].isDownload == "true", "true", Related_files[0].isDownload == "false", "false", ""), - TargetFileIsAppBundle = case(Related_files[0].isAppBundle == "true", "true", Related_files[0].isAppBundle == "false", "false", ""), - TargetFileIsDirectory = case(Related_files[0].isDirectory == "true", "true", Related_files[0].isDirectory == "false", "false", ""), - TargetFileIsScreenshot = case(Related_files[0].isScreenShot == "true", "true", Related_files[0].isScreenShot == "false", "false", ""), - // - // Jamf Protect Alerts - Binaries - TargetBinaryFilePath = Related_binaries[0].path, - TargetBinarySHA1 = tostring(Related_binaries[0].sha1hex), - TargetBinarySHA256 = tostring(Related_binaries[0].sha256hex), - TargetBinarySigningInfoMessage = Related_binaries[0].signingInfo.statusMessage, - TargetbinarySignerType = case(Related_binaries[0].signingInfo.signerType == 0, "Apple", Related_binaries[0].signingInfo.signerType == 1, "App Store", Related_binaries[0].signingInfo.signerType == 2, "Developer", Related_binaries[0].signingInfo.signerType == 3, "Ad Hoc", Related_binaries[0].signingInfo.signerType == 4, "Unsigned", ""), - TargetBinarySigningTeamID = tostring(Related_binaries[0].signingInfo.teamid), - TargetBinarySigningAppID = tostring(Related_binaries[0].signingInfo.appid) - | project-reorder - TimeGenerated, - EventStartTime, - EventVendor, - EventProduct, - EventType, - EventDescription, - EventMessage, - EventSeverity, - EventMatch, - 
EventMatchType, - EventResult, - EventProductVersion, - EventReportUrl, - TargetHostname, - DvcHostname, - DvcId, - DvcOs, - DvcIpAddr, - SrcDeviceType, - SrcUsername, - ProcessEventType, - ProcessEventSubType, - ActingProcessName, - ActingProcessCreationTime, - ActingProcessId, - ActingProcessGuid, - ParentProcessName, - ParentProcessCreationTime, - ParentProcessId, - ParentProcessGuid, - TargetProcessName, - TargetProcessId, - TargetProcessGuid, - TargetProcessSHA1, - TargetProcessSHA256, - TargetProcessCreationTime, - TargetProcessCommandLine, - TargetProcessCurrentDirectory, - //TargetProcessStatusCode, - TargetUsername, - TargetUserId, - TargetFilePath, - TargetFileSHA1, - TargetFileSHA256, - TargetFileSize, - TargetFileSigningInfoMessage, - TargetFileSignerType, - TargetFileSigningTeamID, - TargetFileIsAppBundle, - TargetFileIsDirectory, - TargetFileIsDownload, - TargetFileIsScreenshot, - TargetBinaryFilePath, - TargetBinarySHA1, - TargetBinarySHA256, - TargetBinarySigningInfoMessage, - TargetbinarySignerType, - TargetBinarySigningTeamID, - TargetBinarySigningAppID, - Related_users, - Related_files, - Related_binaries, - Related_groups, - Related_processes, - Match_event_process_signing, - Match_facts, - Match_actions, - Match_tags, - *input_match_event_* - | project-keep - TimeGenerated, - EventStartTime, - EventVendor, - EventProduct, - EventType, - EventDescription, - EventMessage, - EventProductVersion, - EventSeverity, - EventMatch, - EventMatchType, - EventResult, - EventReportUrl, - TargetHostname, - DvcHostname, - DvcId, - DvcOs, - DvcIpAddr, - SrcDeviceType, - SrcUsername, - ProcessEventType, - ProcessEventSubType, - ActingProcessName, - ActingProcessCreationTime, - ActingProcessId, - ActingProcessGuid, - ParentProcessName, - ParentProcessCreationTime, - ParentProcessId, - ParentProcessGuid, - TargetProcessName, - TargetProcessId, - TargetProcessGuid, - TargetProcessSHA1, - TargetProcessSHA256, - TargetProcessCreationTime, - TargetProcessCommandLine, 
- TargetProcessCurrentDirectory, - //TargetProcessStatusCode, - TargetUsername, - TargetUserId, - TargetFilePath, - TargetFileSHA1, - TargetFileSHA256, - TargetFileSize, - TargetFileSigningInfoMessage, - TargetFileSignerType, - TargetFileSigningTeamID, - TargetFileIsAppBundle, - TargetFileIsDirectory, - TargetFileIsDownload, - TargetFileIsScreenshot, - TargetBinaryFilePath, - TargetBinarySHA1, - TargetBinarySHA256, - TargetBinarySigningInfoMessage, - TargetbinarySignerType, - TargetBinarySigningTeamID, - TargetBinarySigningAppID, - Related_users, - Related_files, - Related_binaries, - Related_groups, - Related_processes, - Match_event_process_signing, - Match_facts, - Match_actions, - Match_tags, - *input_match_event_* - }; - // - // Jamf Protect - Unified Logs - // - let JamfProtectUnifiedLog_view = view () { - jamfprotect_CL - | where input_eventType_s == "GPUnifiedLogEvent" - and isnotempty(input_match_severity_d) - // JSON Parsing at earliest stage - | extend - Related_users = parse_json(input_related_users_s), - Related_files = parse_json(input_related_files_s), - Related_binaries = parse_json(input_related_binaries_s), - Related_groups = parse_json(input_related_groups_s), - Related_processes = parse_json(input_related_processes_s), - Match_facts = parse_json(input_match_facts_s), - Match_tags = parse_json(input_match_tags_s), - Match_actions = parse_json(input_match_actions_s), - Match_context = parse_json(input_match_context_s), - Match_event_process_signing = parse_json(input_match_event_process_signingInfo_s) - // ASIM - Common Fields - | extend EventVendor = 'Jamf' - | extend EventProduct = 'Jamf Protect - Unified Log' - | project-rename - EventOriginalUid = input_match_uuid_g - | extend - // Jamf Protect - Common Fields - EventType = case( - input_eventType_s == "GPClickEvent", - "Click", - input_eventType_s == "GPDownloadEvent", - "Download", - input_eventType_s == "GPFSEvent", - "FileSystem", - input_eventType_s == "GPProcessEvent", - "Process", - 
input_eventType_s == "GPKeylogRegisterEvent", - "Keylog", - input_eventType_s == "GPGatekeeperEvent", - "Gatekeeper", - input_eventType_s == "GPMRTEvent", - "MRT", - input_eventType_s == "GPPreventedExecutionEvent", - "ProcessDenied", - input_eventType_s == "GPThreatMatchExecEvent", - "ProcessPrevented", - input_eventType_s == "GPUnifiedLogEvent", - "UnifiedLog", - input_eventType_s == "GPUSBEvent", - "USB", - input_eventType_s == "Auth-mount", - "UsbBlock", - "Unknown" - ), - EventDescription = coalesce(Match_facts[1].human, Match_facts[0].human), - EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)), - EventResult = case(Match_actions has "Prevented", "Prevented", "Allowed"), - // - // Jamf Protect - Unified Logs details - // - EventSeverity = case(input_match_severity_d == 0, "Informational", input_match_severity_d == 1, "Low", input_match_severity_d == 2, "Medium", input_match_severity_d == 3, "High", "Informational"), - EventMatch = column_ifexists("input_match_event_matchValue_s", ""), - EventMatchType = column_ifexists("input_match_event_matchType_s", ""), - EventReportUrl = strcat("https://", context_identity_claims_hd_s, ".jamfcloud.com/Alerts/", EventOriginalUid), - // - // Jamf Protect - Source User - SrcUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)), - // - // Jamf Protect - Source Device Hostnames - // - TargetHostname = column_ifexists("input_host_hostname_s", ""), - DvcHostname = column_ifexists("input_host_hostname_s", ""), - DvcIpAddr = column_ifexists("input_host_ips_s", ""), - DvcId = column_ifexists("input_host_provisioningUDID_g", ""), - DvcOs="macOS", - SrcDeviceType="Computer", - // - // Jamf Protect Unified Logs - Process - // - //ParentProcessName = coalesce(input_match_event_process_ppid_d, parse_json('input_related_processes_s')[0].ppid), //column_ifexists("exec_chain_child_parent_path_s", ""), coalesce('input.match.event.process.ppid', mvindex('input.related.processes{}.ppid', 0)) - 
ProcessEventType = case(input_match_event_type_d == 0, "None", input_match_event_type_d == 1, "Create", input_match_event_type_d == 2, "Exit", ""), - ProcessEventSubType = case(input_match_event_subType_d == 7, "Exec", input_match_event_subType_d == 1, "Fork", input_match_event_subType_d == 23, "Execve", input_match_event_subType_d == 43190, "Posix Spawn", ""), - ParentProcessId = coalesce(input_match_event_process_ppid_d, toreal(Related_processes[0].ppid)), - ParentProcessGuid = tostring(coalesce(input_match_event_process_pgid_d, toreal(Related_processes[0].pgid))), - TargetProcessName = coalesce(input_match_event_process_name_s, Related_processes[0].name), - TargetProcessId = coalesce(toreal(input_match_event_process_pid_d), toreal(Related_processes[0].pid)), - TargetProcessGuid = tostring(Related_processes[0].uuid), - TargetProcessSHA1 = Related_binaries[0].sha1hex, - TargetProcessCreationTime = unixtime_milliseconds_todatetime(tolong(input_match_event_process_startTimestamp_d)), - TargetProcessCommandLine = column_ifexists("input_match_event_process_args_s", ""), - TargetProcessCurrentDirectory = column_ifexists("input_match_event_process_path_s", ""), - TargetUserId = toreal(coalesce(Related_users[1].uid, Related_users[0].uid)), - TargetUsername = tostring(coalesce(Related_users[1].name, Related_users[0].name)), - // - // Jamf Protect Unified Logs - Files - // - TargetFilePath = tostring(coalesce(input_match_event_path_s, Related_files[0].path)), - TargetFileSHA1 = Related_files[0].sha1hex, - TargetFileSHA256 = Related_files[0].sha256hex, - TargetFileSize = Related_files[0].size, - TargetFileSigningInfoMessage = Related_files[0].signingInfo.statusMessage, - TargetFileSignerType = case(Related_files[0].signingInfo.signerType == 0, "Apple", Related_files[0].signingInfo.signerType == 1, "App Store", Related_files[0].signingInfo.signerType == 2, "Developer", Related_files[0].signingInfo.signerType == 3, "Ad Hoc", Related_files[0].signingInfo.signerType == 4, 
"Unsigned", ""), - TargetFileSigningTeamID = Related_files[0].signingInfo.teamid, - TargetFileIsDownload = case(Related_files[0].isDownload == "true", "true", Related_files[0].isDownload == "false", "false", ""), - TargetFileIsAppBundle = case(Related_files[0].isAppBundle == "true", "true", Related_files[0].isAppBundle == "false", "false", ""), - TargetFileIsDirectory = case(Related_files[0].isDirectory == "true", "true", Related_files[0].isDirectory == "false", "false", ""), - TargetFileIsScreenshot = case(Related_files[0].isScreenShot == "true", "true", Related_files[0].isScreenShot == "false", "false", "") - | project-reorder - TimeGenerated, - EventStartTime, - EventVendor, - EventProduct, - EventType, - EventDescription, - EventSeverity, - EventMatch, - EventMatchType, - EventResult, - EventReportUrl, - TargetHostname, - DvcHostname, - DvcId, - DvcOs, - DvcIpAddr, - SrcDeviceType, - SrcUsername, - ProcessEventType, - ProcessEventSubType, - ParentProcessId, - ParentProcessGuid, - TargetProcessName, - TargetProcessId, - TargetProcessGuid, - TargetProcessSHA1, - TargetProcessCreationTime, - TargetProcessCommandLine, - TargetProcessCurrentDirectory, - TargetUsername, - TargetUserId, - TargetFilePath, - TargetFileSHA1, - TargetFileSHA256, - TargetFileSize, - TargetFileSigningInfoMessage, - TargetFileSignerType, - TargetFileSigningTeamID, - TargetFileIsAppBundle, - TargetFileIsDirectory, - TargetFileIsDownload, - TargetFileIsScreenshot, - Related_users, - Related_files, - Related_binaries, - Related_groups, - Related_processes, - Match_event_process_signing, - Match_facts, - Match_actions, - Match_tags - | project-keep - TimeGenerated, - EventStartTime, - EventVendor, - EventProduct, - EventType, - EventDescription, - EventSeverity, - EventMatch, - EventMatchType, - EventResult, - EventReportUrl, - TargetHostname, - DvcHostname, - DvcId, - DvcOs, - DvcIpAddr, - SrcDeviceType, - SrcUsername, - ProcessEventType, - ProcessEventSubType, - ParentProcessId, - 
ParentProcessGuid, - TargetProcessName, - TargetProcessId, - TargetProcessGuid, - TargetProcessSHA1, - TargetProcessCreationTime, - TargetProcessCommandLine, - TargetProcessCurrentDirectory, - TargetUsername, - TargetUserId, - TargetFilePath, - TargetFileSHA1, - TargetFileSHA256, - TargetFileSize, - TargetFileSigningInfoMessage, - TargetFileSignerType, - TargetFileSigningTeamID, - TargetFileIsAppBundle, - TargetFileIsDirectory, - TargetFileIsDownload, - TargetFileIsScreenshot, - Related_users, - Related_files, - Related_binaries, - Related_groups, - Related_processes, - Match_event_process_signing, - Match_facts, - Match_actions, - Match_tags, - *input_match_event* - }; - // - // Jamf Protect - Network Traffic - // - let JamfProtectNetworkTraffic_view = view () { - jamfprotect_CL - | where event_metadata_product_s == "Network Traffic Stream" - // ASIM - Common Fields - | extend EventVendor = 'Jamf' - | extend EventProduct = 'Jamf Protect - Network Traffic Stream' - | project-rename - | extend - // Jamf Protect - Common Fields - EventType = "query", - EventSubType = "request", - EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)), - EventResult = case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Prevented", ''), - // Jamf Protect - Source User - SrcUsermail=column_ifexists('event_user_email_s', ''), - SrcUsername = column_ifexists('event_user_name_s', ''), - // Jamf Protect - Source Device Hostnames - DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s), - DvcIpAddr = column_ifexists("event_source_ip_s", ""), - DvcId = column_ifexists("event_device_externalId_g", ""), - DvcOs = case(event_device_osType_s == "MAC_OS", "macOS", event_device_osType_s == "IOS", "iOS", event_device_osType_s == "ANDROID", "Android", "Other"), - SrcDeviceType = case(event_device_osType_s == "MAC_OS", "Computer", 
event_device_osType_s == "IOS", "Mobile Device", event_device_osType_s == "ANDROID", "Mobile Device", "Other"), - // Jamf Protect - DNS Specific - DnsQuery = column_ifexists('event_hostName_s', ''), - DvcAction = case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Blocked", ''), - DnsQueryName = column_ifexists('event_domain_s', ''), - DstIpAddr = column_ifexists('event_destination_ips_s', ''), - ThreatCategory = column_ifexists('event_eventType_description_s', ''), - DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''), - DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''), - ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '') - | project-keep - TimeGenerated, - EventVendor, - EventProduct, - EventType, - EventSubType, - EventStartTime, - EventResult, - DvcHostname, - DvcIpAddr, - DvcId, - DvcOs, - SrcDeviceType, - SrcUsermail, - SrcUsername, - DnsQuery, - DnsQueryName, - DstIpAddr, - DnsQueryTypeName, - DvcAction, - DnsResponseName, - ThreatOriginalRiskLevel - }; - // - // Jamf Protect - Endpoint Telemetry - // - let JamfProtectTelemetry_view = view () { - jamfprotect_CL - | where header_event_name_s startswith "AUE_" - or header_event_name_s == "PLAINTEXT_LOG_COLLECTION_EVENT" - or header_event_name_s == "SYSTEM_PERFORMANCE_METRICS" - // ASIM - Common Fields - | extend EventVendor = 'Jamf' - | extend EventProduct = 'Jamf Protect - Telemetry' - // Data Field Normalization - //| project-rename - // DvcIpAddr = input_host_ips_s, - // DvcId = context_identity_claims_clientid_g - | extend - // Jamf Protect Alerts - Generic Information - EventSeverity = case( - input_match_severity_d == 0, - "Informational", - input_match_severity_d == 1, - "Low", - input_match_severity_d == 2, - "Medium", - input_match_severity_d == 3, - "High", - "Informational" - ), - EventStartTime = unixtime_milliseconds_todatetime(tolong(timestamp_d)), - EventResult = coalesce(return_description_s, texts_s), - // Jamf Protect 
Telemetry - Endpoint Information - TargetModel = column_ifexists("metrics_hw_model_s", ""), - DvcOsVersion = column_ifexists("host_info_osversion_s", ""), - TargetHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s), - DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s), - DvcIpAddr = column_ifexists("input_host_ips_s", ""), - DvcId = column_ifexists("context_identity_claims_clientid_g", ""), - // Jamf Protect - Event Types - EventType = case( - header_event_name_s == "AUE_add_to_group", - "UserAddedToGroup", - header_event_name_s == "AUE_AUDITCTL", - "AuditEvent", - header_event_name_s == "AUE_AUDITON_SPOLICY", - "AuditEvent", - header_event_name_s == "AUE_auth_user", - "Elevate", - header_event_name_s == "AUE_BIND", - "EndpointNetworkSession", - header_event_name_s == "AUE_BIOS_FIRMWARE_VERSIONS", - "SystemInformation", - header_event_name_s == "AUE_CHDIR", - "FolderMoved", - header_event_name_s == "AUE_CHROOT", - "FolderModified", - header_event_name_s == "AUE_CONNECT", - "EndpointNetworkSession", - header_event_name_s == "AUE_create_group", - "GroupCreated", - header_event_name_s == "AUE_create_user", - "UserCreated", - header_event_name_s == "AUE_delete_group", - "GroupDeleted", - header_event_name_s == "AUE_delete_user", - "UserDeleted", - header_event_name_s == "AUE_EXECVE", - "ProcessCreated", - header_event_name_s == "AUE_EXIT", - "ProcessTerminated", - header_event_name_s == "AUE_FORK", - "ProcessCreated", - header_event_name_s == "AUE_GETAUID", - "", - header_event_name_s == "AUE_KILL", - "ProcessTerminated", - header_event_name_s == "AUE_LISTEN", - "EndpointNetworkSession", - header_event_name_s == "AUE_logout", - "Logoff", - header_event_name_s == "AUE_lw_login", - "Logon", - header_event_name_s == "AUE_MAC_SET_PROC", - 
"AuditEvent", - header_event_name_s == "AUE_modify_group", - "GroupModified", - header_event_name_s == "AUE_modify_password", - "PasswordChanged", - header_event_name_s == "AUE_modify_user", - "UserModified", - header_event_name_s == "AUE_MOUNT", - "VolumeMount", - header_event_name_s == "AUE_openssh", - "SshInitiated", - header_event_name_s == "AUE_PIDFORTASK", - "ProcessCreated", - header_event_name_s == "AUE_POSIX_SPAWN", - "ProcessCreated", - header_event_name_s == "AUE_remove_from_group", - "UserRemovedFromGroup", - header_event_name_s == "AUE_SESSION_CLOSE", - "Logoff", - header_event_name_s == "AUE_SESSION_END", - "Logoff", - header_event_name_s == "AUE_SESSION_START", - "Logon", - header_event_name_s == "AUE_SESSION_UPDATE", - "", - header_event_name_s == "AUE_SETPRIORITY", - "", - header_event_name_s == "AUE_SETSOCKOPT", - "", - header_event_name_s == "AUE_SETTIMEOFDAY", - "SystemChange", - header_event_name_s == "AUE_shutdown", - "ShutdownInitiated", - header_event_name_s == "AUE_SOCKETPAIR", - "", - header_event_name_s == "AUE_ssauthint", - "Elevate", - header_event_name_s == "AUE_ssauthmech", - "Elevate", - header_event_name_s == "AUE_ssauthorize", - "Elevate", - header_event_name_s == "AUE_TASKFORPID", - "", - header_event_name_s == "AUE_TASKNAMEFORPID", - "", - header_event_name_s == "AUE_UNMOUNT", - "VolumeUnmount", - header_event_name_s == "AUE_WAIT4", - "ProcessTerminated", - header_event_name_s == "PLAINTEXT_LOG_COLLECTION_EVENT", - "LogFileCollected", - header_event_name_s == "SYSTEM_PERFORMANCE_METRICS", - "SystemPerformanceMetrics", - "Unknown" - ), - // Jamf Protect Telemetry - Process - ParentProcessName = column_ifexists("subject_responsible_process_name_s", ""), - ParentProcessId = column_ifexists("subject_responsible_process_id_d", ""), - ParentProcessGuid = column_ifexists("exec_chain_child_parent_uuid_g", ""), - TargetProcessName = column_ifexists("subject_process_name_s", ""), - TargetProcessId = column_ifexists("subject_process_id_d", 
""), - TargetProcessGuid = column_ifexists("exec_chain_thread_uuid_g", ""), - TargetProcessSHA256 = todynamic(column_ifexists("subject_process_hash_s", "")), - TargetUserId = toreal(column_ifexists("subject_user_id_d", "")), - TargetUsername = tostring(column_ifexists("subject_user_name_s", "")), - TargetProcessCommandLine = column_ifexists("exec_args_args_compiled_s", ""), - ActorUsername = tostring(column_ifexists("subject_effective_user_name_s", "")), - ActorUserId = column_ifexists("subject_audit_user_name_s", ""), - //column_ifexists("application_name_s", ""), - // - // Jamf Protect Telemetry - Audit/Group - // - GroupName = todynamic(column_ifexists("subject_group_name_s", "")), - // Jamf Protect Telemetry - Network - DstIpAddr = column_ifexists("socket_inet_ip_address_s", ""), - DstPortNumber = column_ifexists("socket_inet_port_d", ""), - NetworkProtocolVersion = case(socket_inet_id_d == 128, "IPV4", socket_inet_id_d == 129, "IPV6", ""), - SrcIpAddr = column_ifexists("subject_terminal_id_ip_address_s", ""), - // - // Jamf Protect Telemetry - Binaries - // - // TargetBinaryFilePath = todynamic(Related_binaries[0].path), - TargetBinarySHA256 = tostring(identity_cd_hash_s), - // TargetBinarySigningInfoMessage = Related_binaries[0].signingInfo.statusMessage, - TargetbinarySignerType = case(identity_signer_type_d == 0, "Developer", identity_signer_type_d == 1, "Apple", ""), - TargetBinarySigningTeamID = tostring(identity_team_id_s), - TargetBinarySigningAppID = tostring(identity_signer_id_s), - // - // Jamf Protect Telemetry - Log File Collection - // - TargetFilePath = tostring(parse_json(path_s)) - | project-reorder - EventStartTime, - EventVendor, - EventProduct, - EventType, - EventSeverity, - EventResult, - TargetHostname, - DvcHostname, - DvcId, - DvcOsVersion, - DvcIpAddr, - TargetModel, - TargetUserId, - TargetUsername, - ParentProcessName, - ParentProcessId, - ParentProcessGuid, - TargetProcessName, - TargetProcessId, - TargetProcessGuid, - 
TargetProcessSHA256, - TargetProcessCommandLine, - ActorUsername, - ActorUserId, - TargetBinarySHA256, - TargetbinarySignerType, - TargetBinarySigningTeamID, - TargetBinarySigningAppID, - GroupName, - SrcIpAddr, - DstIpAddr, - DstPortNumber, - NetworkProtocolVersion, - TargetFilePath - | project-away - arguments_sflags_d, - arguments_am_failure_d, - arguments_am_success_d - }; - // - // Jamf Protect - Threat Events - // - let JamfProtectThreatEvents_view = view () { - jamfprotect_CL - | where event_metadata_product_s == "Threat Events Stream" - // ASIM - Common Fields - | extend EventVendor = 'Jamf' - | extend EventProduct = 'Jamf Protect - Threat Events Stream' - | project-rename - | extend - // Jamf Protect - Common Fields - EventStartTime = column_ifexists("event_timestamp_t", ""), - EventResult=case(event_action_s == "Blocked", "Blocked", event_action_s == "Detected", "Detected", ''), - EventReportUrl = column_ifexists("event_eventUrl_s", ""), - // Jamf Protect - Alert Details - EventSeverity = case(event_severity_d == 2, "Informational", event_severity_d == 4, "Low", event_severity_d == 6, "Medium", event_severity_d == 8, "High", event_severity_d == 10, "High", "Informational"), - // Jamf Protect - Source User - SrcUsermail=column_ifexists('event_user_email_s', ''), - SrcUsername=column_ifexists('event_user_name_s', ''), - // Jamf Protect - Source Device Hostnames - DvcHostname = column_ifexists("event_device_userDeviceName_s", ""), - DvcIpAddr = column_ifexists("event_source_ip_s", ""), - DvcId = column_ifexists("event_device_externalId_g", ""), - DvcOs=case(event_device_os_s has "MAC_OS", "macOS", event_device_os_s has "IOS", "iOS", event_device_os_s has "ANDROID", "Android", "Other"), - SrcDeviceType=case(event_device_os_s has "MAC_OS", "Computer", event_device_os_s has "IOS", "Mobile Device", event_device_os_s has "ANDROID", "Mobile Device", "Other"), - // Jamf Protect - DNS Specific - DnsQuery=column_ifexists('event_hostName_s', ''), - 
DvcAction=case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Blocked", ''), - DnsQueryName=column_ifexists('event_destination_name_s', ''), - DstIpAddr=column_ifexists('event_destination_ip_s', ''), - ThreatCategory=column_ifexists('event_eventType_description_s', ''), - ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''), - // Jamf Protect - App Specific - TargetFileName = column_ifexists("event_app_name_s", ""), - TargetFileSHA1 = column_ifexists("event_app_sha1_s", ""), - TargetFileSHA256 = column_ifexists("event_app_sha256_s", "") - | project-keep - TimeGenerated, - EventVendor, - EventProduct, - EventStartTime, - EventResult, - EventReportUrl, - EventSeverity, - DvcHostname, - DvcIpAddr, - DvcId, - SrcDeviceType, - SrcUsermail, - SrcUsername, - DnsQuery, - DnsQueryName, - DstIpAddr, - ThreatCategory, - DvcAction, - ThreatOriginalRiskLevel, - TargetFileName, - TargetFileSHA1, - TargetFileSHA256 - }; - union isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectNetworkTraffic_view, JamfProtectTelemetry_view, JamfProtectThreatEvents_view + let JamfProtectAlerts_view = view () { + jamfprotectalerts_CL + | extend + ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)), + ParentProcessCreationTime = iff( + array_length(input.related.processes) > 1, + unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)), + datetime(null) + ), + TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)), + TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid), + TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name) + }; + let JamfProtectUnifiedLog_view = view () { + jamfprotectunifiedlogs_CL + | extend EventStartTime = unixtime_seconds_todatetime(tolong(input.match.event.timestamp)) + }; + // + // Jamf 
Protect - Endpoint Telemetry + // + let JamfProtectTelemetryv1_view = view () { + jamfprotecttelemetryv1_CL + | extend + EventStartTime = unixtime_seconds_todatetime(todouble(header.time_seconds_epoch)), + EventResult = coalesce(return.description, texts) + }; + let JamfProtectTelemetryv2_view = view () { + jamfprotecttelemetryv2_CL + // Generic Fields + | extend + EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]), + eventTypeHuman = tostring(bag_keys(event)[0]) + | extend EventResult = iif((event[eventTypeHuman]['success'] == true), "Success", dynamic(null)) + | extend + EventMessage = case( + eventTypeHuman == "authentication", + "A user authentication happened", + eventTypeHuman == "authorization_judgement", + "A process has its rights petition judged", + eventTypeHuman == "authorization_petition", + "A process has its rights petition judged", + eventTypeHuman == "bios_uefi", + "Collection of bios and firmware data", + eventTypeHuman == "btm_launch_item_add", + "Apple’s Background Task Manager notified that an item has been added", + eventTypeHuman == "btm_launch_item_remove", + "Apple’s Background Task Manager notified that an existing item has been removed", + eventTypeHuman == "chroot", + "Software has changed its apparent root directory in which it's actively operating out of", + eventTypeHuman == "cs_invalidated", + "The system detected that a process has had its code signature marked as invalid", + eventTypeHuman == "exec", + "A new process has been executed", + eventTypeHuman == "kextload", + "A kernel extension (kext) was loaded", + eventTypeHuman == "kextunload", + "A kernel extension (kext) was unloaded", + eventTypeHuman == "login_login", + "A user attempted to log in using /usr/bin/login", + eventTypeHuman == "login_logout", + "A user logged out from /usr/bin/login", + eventTypeHuman == "lw_session_lock", + "A user has locked the screen", + eventTypeHuman == "lw_session_login", + "A user has logged in via the Login 
Window", + eventTypeHuman == "lw_session_logout", + "A user has logged out of an active graphical session", + eventTypeHuman == "lw_session_unlock", + "A user has unlocked the screen from the Login Window", + eventTypeHuman == "mount", + "A file system has been mounted", + eventTypeHuman == "od_attribute_set", + "Attribute set on user or group using Open Directory", + eventTypeHuman == "od_attribute_value_add", + "Attribute added to a user or group using Open Directory", + eventTypeHuman == "od_attribute_value_remove", + "Attribute removed from a user or group using Open Directory", + eventTypeHuman == "od_create_group", + "A group has been created using Open Directory", + eventTypeHuman == "od_create_user", + "A user has been created using Open Directory", + eventTypeHuman == "od_delete_group", + "A group has been deleted using Open Directory", + eventTypeHuman == "od_delete_user", + "A user has been deleted using Open Directory", + eventTypeHuman == "od_disable_user", + "A user has been disabled using Open Directory", + eventTypeHuman == "od_enable_user", + "A user has been enabled using Open Directory", + eventTypeHuman == "od_group_add", + "A member has been added to a group using Open Directory", + eventTypeHuman == "od_group_remove", + "A member has been removed from a group using Open Directory", + eventTypeHuman == "od_group_set", + "A group has a member initialised or replaced using Open Directory", + eventTypeHuman == "od_modify_password", + "A user password is modified via Open Directory", + eventTypeHuman == "openssh_login", + "A user has logged into the system via OpenSSH", + eventTypeHuman == "openssh_logout", + "A user has logged out of an OpenSSH session", + eventTypeHuman == "performance", + "Collection of system performance data", + eventTypeHuman == "profile_add", + "A configuration profile is installed on the system", + eventTypeHuman == "profile_remove", + "A configuration profile is removed from the system", + eventTypeHuman == "remount", + "A 
file system has been mounted", + eventTypeHuman == "screenscharing_attach", + "A screensharing session has attached to a graphical session", + eventTypeHuman == "screenscharing_detach", + "A screensharing session has detached from a graphical session", + eventTypeHuman == "settime", + "The system time was attempted to be set", + eventTypeHuman == "su", + "A user attempts to start a new shell using a substitute user identity", + eventTypeHuman == "sudo", + "A sudo attempt occured", + eventTypeHuman == "unmount", + "A file system has been mounted", + eventTypeHuman == "xp_malware_detected", + "Apple’s XProtect detected malware on the system", + eventTypeHuman == "xp_malware_remediated", + "Apple’s XProtect remediated malware on the system", + eventTypeHuman == "file_collection", + "A crash or diagnostic file has been collected", + eventTypeHuman == "log_collection", + "Entries from a log file have been collected", + "No reason yet defined for this event" + ), + EventType = case( + eventTypeHuman == "authentication", + "Logon", + eventTypeHuman == "authorization_judgement", + "ProcessCreated", + eventTypeHuman == "authorization_petition", + "ProcessCreated", + eventTypeHuman == "bios_uefi", + "Hardware", + eventTypeHuman == "btm_launch_item_add", + "Create", + eventTypeHuman == "btm_launch_item_remove", + "Delete", + eventTypeHuman == "chroot", + "Set", + eventTypeHuman == "cs_invalidated", + "Other", + eventTypeHuman == "exec", + "ProcessCreated", + eventTypeHuman == "kextload", + "Create", + eventTypeHuman == "kextunload", + "Delete", + eventTypeHuman == "login_login", + "Logon", + eventTypeHuman == "login_logout", + "Logoff", + eventTypeHuman == "lw_session_lock", + "Logoff", + eventTypeHuman == "lw_session_login", + "Logon", + eventTypeHuman == "lw_session_logout", + "Logoff", + eventTypeHuman == "lw_session_unlock", + "Logon", + eventTypeHuman == "mount", + "FileSystemMounted", + eventTypeHuman == "od_attribute_set", + "Set", + eventTypeHuman == 
"od_attribute_value_add", + "Create", + eventTypeHuman == "od_attribute_value_remove", + "Delete", + eventTypeHuman == "od_create_group", + "GroupCreated", + eventTypeHuman == "od_create_user", + "UserCreated", + eventTypeHuman == "od_delete_group", + "GroupDeleted", + eventTypeHuman == "od_delete_user", + "UserDeleted", + eventTypeHuman == "od_disable_user", + "UserDisabled", + eventTypeHuman == "od_enable_user", + "UserEnabled", + eventTypeHuman == "od_group_add", + "UserAddedToGroup", + eventTypeHuman == "od_group_remove", + "UserRemovedFromGroup", + eventTypeHuman == "od_group_set", + "GroupModified", + eventTypeHuman == "od_modify_password", + "PasswordChanged", + eventTypeHuman == "openssh_login", + "Logon", + eventTypeHuman == "openssh_logout", + "Logoff", + eventTypeHuman == "performance", + "PerformanceData", + eventTypeHuman == "profile_add", + "Create", + eventTypeHuman == "profile_remove", + "Delete", + eventTypeHuman == "remount", + "FileSystemRemounted", + eventTypeHuman == "screenscharing_attach", + "Logon", + eventTypeHuman == "screenscharing_detach", + "Logoff", + eventTypeHuman == "settime", + "Set", + eventTypeHuman == "su", + "Elevate", + eventTypeHuman == "sudo", + "Elevate", + eventTypeHuman == "unmount", + "FileSystemUnmounted", + eventTypeHuman == "xp_malware_detected", + "MalwareDetected", + eventTypeHuman == "xp_malware_remediated", + "MalwareRemediated", + "" + ), + EventSubType = case( + eventTypeHuman == "authentication", + "Interactive", + eventTypeHuman == "btm_launch_item_add", + "btm", + eventTypeHuman == "btm_launch_item_remove", + "btm", + eventTypeHuman == "chroot", + "Directory", + eventTypeHuman == "cs_invalidated", + "Other", + eventTypeHuman == "kextload", + "System Settings", + eventTypeHuman == "kextunload", + "System Settings", + eventTypeHuman == "login_login", + "Interactive", + eventTypeHuman == "login_logout", + "Interactive", + eventTypeHuman == "lw_session_lock", + "Interactive", + eventTypeHuman == 
"lw_session_login", + "Interactive", + eventTypeHuman == "lw_session_logout", + "Interactive", + eventTypeHuman == "lw_session_unlock", + "Interactive", + eventTypeHuman == "od_attribute_set", + "Attribute", + eventTypeHuman == "od_attribute_value_add", + "Attribute", + eventTypeHuman == "od_attribute_value_remove", + "Attribute", + eventTypeHuman == "openssh_login", + "Interactive", + eventTypeHuman == "openssh_logout", + "Interactive", + eventTypeHuman == "profile_add", + "Configuration Profile", + eventTypeHuman == "profile_remove", + "Configuration Profile", + eventTypeHuman == "screenscharing_attach", + "RemoteInteractive", + eventTypeHuman == "screenscharing_detach", + "RemoteInteractive", + eventTypeHuman == "settime", + "System Settings", + eventTypeHuman == "su", + "Interactive", + eventTypeHuman == "sudo", + "Interactive", + "" + ) + // Jamf Protect Telemetry - Event Process + | extend eventContext = + iif( + isnotempty(event[eventTypeHuman]['app']['audit_token']), + event[eventTypeHuman]['app'], + iif( + isnotempty(event[eventTypeHuman]['target']['audit_token']), + event[eventTypeHuman]['target'], + iif( + isnotempty(event[eventTypeHuman]['data']['od']['audit_token']), + event[eventTypeHuman]['data']['od'], + iif( + isnotempty(event[eventTypeHuman]['data']['token']['audit_token']), + event[eventTypeHuman]['data']['token'], + iif( + isnotempty(event[eventTypeHuman]['data']['touchid']['audit_token']), + event[eventTypeHuman]['data']['touchid'], + iif( + isnotempty(event[eventTypeHuman]['instigator']['audit_token']), + event[eventTypeHuman]['instigator'], + ['process'] + ) + ) + ) + ) + ) + ) + | extend + TargetProcessName = tostring(eventContext.executable.path), + TargetProcessId = tostring(eventContext.audit_token.pid), + TargetProcessGuid = tostring(eventContext.audit_token.uuid), + TargetProcessCreationTime = tostring(eventContext.start_time), + TargetProcessSHA1 = tostring(eventContext.executable.sha1), + TargetProcessSHA256 = 
tostring(eventContext.executable.sha256), + TargetProcessCommandLine = event[eventTypeHuman]['args'], + TargetProcessTTY = tostring(eventContext.tty.path), + TargetBinarySigningAppID = tostring(eventContext.signing_id), + TargetBinarySigningTeamID = tostring(eventContext.team_id), + TargetBinaryCDHash = tostring(eventContext.cdhash), + TargetBinaryIsESClient = tobool(eventContext.is_es_client), + TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary), + TargetUserId = tostring(eventContext.audit_token.euid), + ActingProcessId = tostring(eventContext.parent_audit_token.pid), + ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid), + ActorUserId = tostring(eventContext.parent_audit_token.euid), + ParentProcessId = tostring(eventContext.responsible_audit_token.pid), + ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid) + // Jamf Protect Telemetry - Revealing Code Signing flags + | extend TargetProcessCodesignFlags = + iif(isnotempty(eventContext.codesigning_flags), + bag_pack( + "CS_VALID", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000001) > 0, true, false), + "CS_ADHOC", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000002) > 0, true, false), + "CS_GET_TASK_ALLOW", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000004) > 0, true, false), + "CS_INSTALLER", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000008) > 0, true, false), + "CS_FORCED_LV", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000010) > 0, true, false), + "CS_INVALID_ALLOWED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000020) > 0, true, false), + "CS_HARD", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000100) > 0, true, false), + "CS_KILL", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000200) > 0, true, false), + "CS_CHECK_EXPIRATION", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00000400) > 0, true, false), + "CS_RESTRICT", 
+ iff(binary_and(toint(eventContext.codesigning_flags), 0x00000800) > 0, true, false), + "CS_ENFORCEMENT", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00001000) > 0, true, false), + "CS_REQUIRE_LV", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00002000) > 0, true, false), + "CS_ENTITLEMENTS_VALIDATED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00004000) > 0, true, false), + "CS_NVRAM_UNRESTRICTED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00008000) > 0, true, false), + "CS_RUNTIME", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00010000) > 0, true, false), + "CS_LINKER_SIGNED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x20000) > 0, true, false), + "CS_EXEC_SET_HARD", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00100000) > 0, true, false), + "CS_EXEC_SET_KILL", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00200000) > 0, true, false), + "CS_EXEC_SET_ENFORCEMENT", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00400000) > 0, true, false), + "CS_EXEC_INHERIT_SIP", + iff(binary_and(toint(eventContext.codesigning_flags), 0x00800000) > 0, true, false), + "CS_KILLED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x01000000) > 0, true, false), + "CS_DYLD_PLATFORM", + iff(binary_and(toint(eventContext.codesigning_flags), 0x02000000) > 0, true, false), + "CS_PLATFORM_BINARY", + iff(binary_and(toint(eventContext.codesigning_flags), 0x04000000) > 0, true, false), + "CS_PLATFORM_PATH", + iff(binary_and(toint(eventContext.codesigning_flags), 0x08000000) > 0, true, false), + "CS_DEBUGGED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x10000000) > 0, true, false), + "CS_SIGNED", + iff(binary_and(toint(eventContext.codesigning_flags), 0x20000000) > 0, true, false), + "CS_DEV_CODE", + iff(binary_and(toint(eventContext.codesigning_flags), 0x40000000) > 0, true, false), + "CS_DATAVAULT_CONTROLLER", + 
iff(binary_and(toint(eventContext.codesigning_flags), 0x80000000) > 0, true, false) + ), "") + // Event Specific - authentication + | extend TargetUsername = + iif( + isnotempty(event[eventTypeHuman]['username']), + event[eventTypeHuman]['username'], + iif( + isnotempty(event[eventTypeHuman]['to_username']), + event[eventTypeHuman]['to_username'], + iif( + isnotempty(event[eventTypeHuman]['account_name']), + event[eventTypeHuman]['account_name'], + iif( + isnotempty(event[eventTypeHuman]['user_name']), + event[eventTypeHuman]['user_name'], + iif( + isnotempty(event[eventTypeHuman]['authentication_username']), + event[eventTypeHuman]['authentication_username'], + "" + ) + ) + ) + ) + ) + // Event Specific - authentication + | extend ActorUsername = + iif( + isnotempty(event[eventTypeHuman]['from_username']), + event[eventTypeHuman]['from_username'], + iif( + isnotempty(event[eventTypeHuman]['session_username']), + event[eventTypeHuman]['session_username'], + "" + ) + ) + | extend Authentication = iif( + eventTypeHuman == "authentication", + bag_pack( + "authentication_method", + iff(isnotempty(event[eventTypeHuman].data), tostring(bag_keys(event[eventTypeHuman].data)[0]), "") + ), + dynamic(null) + ) + // Event Specific - bios_uefi + | extend HardwareInformation = iif( + eventTypeHuman == "bios_uefi", + bag_pack( + "host_architecture", + iff(isnotempty(event[eventTypeHuman].architecture), event[eventTypeHuman].architecture, ""), + "firmware_version", + iff(isnotempty(event[eventTypeHuman].bios.['firmware-version']), event[eventTypeHuman].bios.['firmware-version'], ""), + "system_firmware_version", + iff(isnotempty(event[eventTypeHuman].bios.['system-firmware-version']), event[eventTypeHuman].bios.['system-firmware-version'], "") + ), + dynamic(null) + ) + // Event Specific - btm_launch_item_add & btm_launch_item_remove + | extend BtmItem = iif( + eventTypeHuman in ("btm_launch_item_add", "btm_launch_item_remove", "remount"), + bag_pack( + "btm_executable_path", + 
iff(isnotempty(event[eventTypeHuman].executable_path), event[eventTypeHuman].executable_path, ""), + "btm_item_app_url", + iff(isnotempty(event[eventTypeHuman].item.app_url), event[eventTypeHuman].item.app_url, ""), + "btm_item_url", + iff(isnotempty(event[eventTypeHuman].item.item_url), event[eventTypeHuman].item.item_url, ""), + "btm_item_managed", + iff(isnotempty(event[eventTypeHuman].item.managed), event[eventTypeHuman].item.managed, ""), + "btm_item_legacy", + iff(isnotempty(event[eventTypeHuman].item.legacy), event[eventTypeHuman].item.legacy, ""), + "btm_item_uid", + iff(isnotempty(event[eventTypeHuman].item.uid), event[eventTypeHuman].item.uid, ""), + "btm_item_type", + iff( + isnotempty(event[eventTypeHuman].item.item_type), + case( + event[eventTypeHuman].item.item_type == 0, + "UserItem", + event[eventTypeHuman].item.item_type == 1, + "App", + event[eventTypeHuman].item.item_type == 2, + "LoginItem", + event[eventTypeHuman].item.item_type == 3, + "LaunchAgent", + event[eventTypeHuman].item.item_type == 4, + "LaunchDaemon", + "Unknown" + ), + "" + ) + ), + dynamic(null) + ) + // Event Specific - chroot + | extend Chroot = iif( + eventTypeHuman == "chroot", + bag_pack( + "apparent_root_directory", + iff(isnotempty(event[eventTypeHuman].target), event[eventTypeHuman].target.path, ""), + "stats", + iff(isnotempty(event[eventTypeHuman].target.stat), event[eventTypeHuman].target.stat, "") + ), + dynamic(null) + ) + // Event Specific - cs_invalidated + // Event Specific - exec + // Event Specific - kextload & kextunload + | extend KernelExtension = iif( + eventTypeHuman in ("kextload", "kextunload"), + bag_pack( + "kext_identifier", + iff(isnotempty(event[eventTypeHuman].identifier), event[eventTypeHuman].identifier, "") + ), + dynamic(null) + ) + // Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout + | extend LoginWindowSession = iif( + eventTypeHuman in ("lw_session_lock", "lw_session_unlock", "lw_session_login", 
"lw_session_logout"), + bag_pack( + "graphical_session_id", + iff(isnotempty(event[eventTypeHuman].graphical_session_id), event[eventTypeHuman].graphical_session_id, "") + ), + dynamic(null) + ) + // Event Specific - mount & remount & unmount + | extend FileSystem = iif( + eventTypeHuman in ("mount", "unmount", "remount"), + bag_pack( + "volume_device_name", + iff(isnotempty(event[eventTypeHuman].statfs.f_mntfromname), event[eventTypeHuman].statfs.f_mntfromname, ""), + "volume_mount_name", + iff(isnotempty(event[eventTypeHuman].statfs.f_mntonname), event[eventTypeHuman].statfs.f_mntonname, ""), + "volume_file_system_type", + iff(isnotempty(event[eventTypeHuman].statfs.f_fstypename), event[eventTypeHuman].statfs.f_fstypename, ""), + "volume_size", + iff(isnotempty(event[eventTypeHuman].statfs.f_bsize), event[eventTypeHuman].statfs.f_bsize, "") + ), + dynamic(null) + ) + // Event Specific - od_attribute_set & od_attribute_value_add & od_attribute_value_remove & od_create_group & od_create_user & od_delete_group & od_delete_user & od_disable_user & od_enable_user + | extend OpenDirectory = iif( + eventTypeHuman in ("od_attribute_set", "od_attribute_value_add", "od_attribute_value_remove", "od_create_group", "od_create_user", "od_delete_group", "od_delete_user", "od_disable_user", "od_enable_user"), + bag_pack( + "group_name", + iff(isnotempty(event[eventTypeHuman].group_name), event[eventTypeHuman].group_name, ""), + "member_array", + iff(isnotempty(event[eventTypeHuman].members.member_array), event[eventTypeHuman].members.member_array, ""), + "member_value", + iff(isnotempty(event[eventTypeHuman].member.member_value), event[eventTypeHuman].member.member_value, ""), + "user_name", + iff(isnotempty(event[eventTypeHuman].user_name), event[eventTypeHuman].user_name, ""), + "account_name", + iff(isnotempty(event[eventTypeHuman].account_name), event[eventTypeHuman].account_name, ""), + "db_path", + iff(isnotempty(event[eventTypeHuman].db_path), 
event[eventTypeHuman].db_path, ""), + "record_name", + iff(isnotempty(event[eventTypeHuman].record_name), event[eventTypeHuman].record_name, ""), + "attribute_name", + iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, ""), + "attribute_value", + iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, ""), + "node_name", + iff(isnotempty(event[eventTypeHuman].node_name), event[eventTypeHuman].node_name, "") + ), + dynamic(null) + ) + // Event Specific - openssh_login & openssh_logout + | extend SSHContext = iif( + eventTypeHuman in ("openssh_login", "openssh_logout"), + bag_pack( + "source_address_type", + iff( + isnotempty(event[eventTypeHuman].source_address_type), + case( + event[eventTypeHuman].source_address_type == 0, + "Unknown", + event[eventTypeHuman].source_address_type == 1, + "IPv4", + event[eventTypeHuman].source_address_type == 2, + "IPv6", + event[eventTypeHuman].source_address_type == 3, + "UNIX Socket", + "Unknown" + ), + "" + ), + "result_type", + iff( + isnotempty(event[eventTypeHuman].result_type), + case( + event[eventTypeHuman].result_type == 0, + "Exceeded maximum attempts", + event[eventTypeHuman].result_type == 1, + "Denied by root", + event[eventTypeHuman].result_type == 2, + "Success", + event[eventTypeHuman].result_type == 3, + "No reason", + event[eventTypeHuman].result_type == 4, + "Password", + event[eventTypeHuman].result_type == 5, + "kbdint", + event[eventTypeHuman].result_type == 6, + "Public key", + event[eventTypeHuman].result_type == 7, + "Host based", + event[eventTypeHuman].result_type == 8, + "GSS API", + event[eventTypeHuman].result_type == 9, + "Invalid user", + "Unknown" + ), + "" + ) + ), + dynamic(null) + ) + // Event Specific - performance + // Event Specific - profile_add & profile_remove + | extend Profile = iif( + eventTypeHuman in ("profile_add", "profile_remove"), + bag_pack( + "profile_scope", + 
iff(isnotempty(event[eventTypeHuman].profile.scope), event[eventTypeHuman].profile.scope, ""), + "profile_identifier", + iff(isnotempty(event[eventTypeHuman].profile.identifier), event[eventTypeHuman].profile.identifiery, ""), + "profile_uuid", + iff(isnotempty(event[eventTypeHuman].profile.uuid), event[eventTypeHuman].profile.uuid, ""), + "profile_display_name", + iff(isnotempty(event[eventTypeHuman].profile.display_name), event[eventTypeHuman].profile.display_name, ""), + "profile_organization", + iff(isnotempty(event[eventTypeHuman].profile.organization), event[eventTypeHuman].profile.organization, ""), + "profile_is_updated", + iff(isnotempty(event[eventTypeHuman].is_update), event[eventTypeHuman].is_update, ""), + "profile_install_source", + iff( + isnotempty(event[eventTypeHuman].profile.install_source), + case( + event[eventTypeHuman].profile.install_source == 0, + "mdm", + event[eventTypeHuman].profile.install_source == 1, + "manual", + "Unknown" + ), + "" + ) + ), + dynamic(null) + ) + // Event Specific - screenscharing_attach & screensharing_detach + | extend Screensharing = iif( + eventTypeHuman in ("screensharing_attach", "screensharing_detach"), + bag_pack( + "existing_session", + iff(isnotempty(event[eventTypeHuman].existing_session), event[eventTypeHuman].existing_session, ""), + "graphical_session_id", + iff(isnotempty(event[eventTypeHuman].graphical_authentication_username), event[eventTypeHuman].graphical_authentication_username, ""), + "session_username", + iff(isnotempty(event[eventTypeHuman].session_username), event[eventTypeHuman].session_username, ""), + "viewer_appleid", + iff(isnotempty(event[eventTypeHuman].viewer_appleid), event[eventTypeHuman].viewer_appleid, ""), + "authentication_type", + iff(isnotempty(event[eventTypeHuman].authentication_type), event[eventTypeHuman].authentication_type, ""), + "source_address", + iff(isnotempty(event[eventTypeHuman].source_address), event[eventTypeHuman].source_address, ""), + "source_address_type", 
+ iff( + isnotempty(event[eventTypeHuman].source_address_type), + case( + event[eventTypeHuman].source_address_type == 0, + "Unknown", + event[eventTypeHuman].source_address_type == 1, + "IPv4", + event[eventTypeHuman].source_address_type == 2, + "IPv6", + event[eventTypeHuman].source_address_type == 3, + "UNIX Socket", + "Unknown" + ), + "" + ) + ), + dynamic(null) + ) + // Event Specific - su + | extend Su = iif( + eventTypeHuman == "su", + bag_pack( + "username", + iff(isnotempty(event[eventTypeHuman].username), event[eventTypeHuman].username, ""), + "uid", + iff(isnotempty(event[eventTypeHuman].uid), event[eventTypeHuman].uid, ""), + "args", + iff(isnotempty(event[eventTypeHuman].argv), event[eventTypeHuman].argv, ""), + "env_vars", + iff(isnotempty(event[eventTypeHuman].env), event[eventTypeHuman].env, ""), + "env_count", + iff(isnotempty(event[eventTypeHuman].env_count), event[eventTypeHuman].env_count, ""), + "from_username", + iff(isnotempty(event[eventTypeHuman].from_username), event[eventTypeHuman].from_username, ""), + "to_username", + iff(isnotempty(event[eventTypeHuman].to_username), event[eventTypeHuman].to_username, ""), + "failure_message", + iff(isnotempty(event[eventTypeHuman].failure_reason), event[eventTypeHuman].failure_reason, "") + ), + dynamic(null) + ) + // Event Specific - sudo + | extend Sudo = iif( + eventTypeHuman == "sudo", + bag_pack( + "TargetProcessCommandLine", + iff(isnotempty(event[eventTypeHuman].command), event[eventTypeHuman].command, ""), + "attribute_name", + iff(isnotempty(event[eventTypeHuman].attribute_name), event[eventTypeHuman].attribute_name, ""), + "attribute_value", + iff(isnotempty(event[eventTypeHuman].attribute_value), event[eventTypeHuman].attribute_value, "") + ), + dynamic(null) + ) + // Event Specific - xp_malware_detected & xp_malware_remediated + | extend Xprotect = iif( + eventTypeHuman in ("xp_malware_detected", "xp_malware_remediated"), + bag_pack( + "detected_path", + 
iff(isnotempty(event[eventTypeHuman].detected_path), event[eventTypeHuman].detected_path, ""), + "remediated_path", + iff(isnotempty(event[eventTypeHuman].remediated_path), event[eventTypeHuman].remediated_path, ""), + "malware_identifier", + iff(isnotempty(event[eventTypeHuman].malware_identifier), event[eventTypeHuman].malware_identifier, ""), + "signature_version", + iff(isnotempty(event[eventTypeHuman].signature_version), event[eventTypeHuman].signature_version, "") + ), + dynamic(null) + ) + | project-away + action, + event, + process + }; + // + // Jamf Protect - Network Traffic + // + let JamfProtectNetworkTraffic_view = view () { + jamfprotect_CL + | where event_metadata_product_s == "Network Traffic Stream" + // ASIM - Common Fields + | extend EventVendor = 'Jamf' + | extend EventProduct = 'Jamf Protect - Network Traffic Stream' + | project-rename + | extend + // Jamf Protect - Common Fields + EventType = "query", + EventSubType = "request", + EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)), + EventResult = case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Prevented", ''), + // Jamf Protect - Source User + SrcUsermail=column_ifexists('event_user_email_s', ''), + SrcUsername = column_ifexists('event_user_name_s', ''), + // Jamf Protect - Source Device Hostnames + DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s), + DvcIpAddr = column_ifexists("event_source_ip_s", ""), + DvcId = column_ifexists("event_device_externalId_g", ""), + DvcOs = case(event_device_osType_s == "MAC_OS", "macOS", event_device_osType_s == "IOS", "iOS", event_device_osType_s == "ANDROID", "Android", "Other"), + SrcDeviceType = case(event_device_osType_s == "MAC_OS", "Computer", event_device_osType_s == "IOS", "Mobile Device", event_device_osType_s == "ANDROID", "Mobile Device", "Other"), + // Jamf Protect - DNS Specific + 
DnsQuery = column_ifexists('event_hostName_s', ''), + DvcAction = case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Blocked", ''), + DnsQueryName = column_ifexists('event_domain_s', ''), + DstIpAddr = column_ifexists('event_destination_ips_s', ''), + ThreatCategory = column_ifexists('event_eventType_description_s', ''), + DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''), + DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''), + ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '') + | project-keep + TimeGenerated, + EventVendor, + EventProduct, + EventType, + EventSubType, + EventStartTime, + EventResult, + DvcHostname, + DvcIpAddr, + DvcId, + DvcOs, + SrcDeviceType, + SrcUsermail, + SrcUsername, + DnsQuery, + DnsQueryName, + DstIpAddr, + DnsQueryTypeName, + DvcAction, + DnsResponseName, + ThreatOriginalRiskLevel + }; + // // + // // Jamf Protect - Threat Events + // // + let JamfProtectThreatEvents_view = view () { + jamfprotect_CL + | where event_metadata_product_s == "Threat Events Stream" + // ASIM - Common Fields + | extend EventVendor = 'Jamf' + | extend EventProduct = 'Jamf Protect - Threat Events Stream' + | project-rename + | extend + // Jamf Protect - Common Fields + EventStartTime = column_ifexists("event_timestamp_t", ""), + EventResult=case(event_action_s == "Blocked", "Blocked", event_action_s == "Detected", "Detected", ''), + EventReportUrl = column_ifexists("event_eventUrl_s", ""), + // Jamf Protect - Alert Details + EventSeverity = case(event_severity_d == 2, "Informational", event_severity_d == 4, "Low", event_severity_d == 6, "Medium", event_severity_d == 8, "High", event_severity_d == 10, "High", "Informational"), + // Jamf Protect - Source User + SrcUsermail=column_ifexists('event_user_email_s', ''), + SrcUsername=column_ifexists('event_user_name_s', ''), + // Jamf Protect - Source Device Hostnames + DvcHostname = column_ifexists("event_device_userDeviceName_s", ""), + 
DvcIpAddr = column_ifexists("event_source_ip_s", ""), + DvcId = column_ifexists("event_device_externalId_g", ""), + DvcOs=case(event_device_os_s has "MAC_OS", "macOS", event_device_os_s has "IOS", "iOS", event_device_os_s has "ANDROID", "Android", "Other"), + SrcDeviceType=case(event_device_os_s has "MAC_OS", "Computer", event_device_os_s has "IOS", "Mobile Device", event_device_os_s has "ANDROID", "Mobile Device", "Other"), + // Jamf Protect - DNS Specific + DnsQuery=column_ifexists('event_hostName_s', ''), + DvcAction=case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Blocked", ''), + DnsQueryName=column_ifexists('event_destination_name_s', ''), + DstIpAddr=column_ifexists('event_destination_ip_s', ''), + ThreatCategory=column_ifexists('event_eventType_description_s', ''), + ThreatOriginalRiskLevel=column_ifexists('event_threat_result_s', ''), + // Jamf Protect - App Specific + TargetFileName = column_ifexists("event_app_name_s", ""), + TargetFileSHA1 = column_ifexists("event_app_sha1_s", ""), + TargetFileSHA256 = column_ifexists("event_app_sha256_s", "") + | project-keep + TimeGenerated, + EventVendor, + EventProduct, + EventStartTime, + EventResult, + EventReportUrl, + EventSeverity, + DvcHostname, + DvcIpAddr, + DvcId, + SrcDeviceType, + SrcUsermail, + SrcUsername, + DnsQuery, + DnsQueryName, + DstIpAddr, + ThreatCategory, + DvcAction, + ThreatOriginalRiskLevel, + TargetFileName, + TargetFileSHA1, + TargetFileSHA256 + }; + union isfuzzy=true JamfProtectAlerts_view, JamfProtectUnifiedLog_view, JamfProtectTelemetryv1_view, JamfProtectTelemetryv2_view, JamfProtectNetworkTraffic_view, JamfProtectThreatEvents_view