Collect Jamf Threat Events logs

Supported in:

This document describes how you can collect Jamf Threat Events logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields. This document also lists the supported Jamf Threat Events version.

For more information, see Data ingestion to Google SecOps.

A typical deployment consists of Jamf Threat Events and the Google SecOps feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • Jamf Protect: The Jamf Protect platform, configured with Jamf Security Cloud, where you collect network threat logs.

  • Google SecOps feed: The Google SecOps feed that fetches logs from Jamf Protect and writes logs to Google SecOps.

  • Google SecOps: Google SecOps retains and analyzes the logs from Jamf Protect.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the JAMF_THREAT_EVENTS ingestion label.

Before you begin

  • Ensure that you have a Jamf Protect set up.
  • Ensure that you are using Jamf Protect version 4.0.0 or later.
  • Ensure that all systems in the deployment architecture are configured with the UTC time zone.

Configure a feed in Google SecOps to ingest Jamf Threat Events logs

You can use either Amazon S3 or a webhook to set up an ingestion feed in Google SecOps, but we recommend using Amazon S3.

Set up an ingestion feed using Amazon S3

  1. From the Google SecOps menu, select Settings > Feeds > Add New.
  2. Select Amazon S3 as the Source Type.
  3. To create a feed for Jamf Threat Events, select Jamf Protect Threat Events as the Log Type.
  4. Click Next.
  5. Save the feed and then Submit.
  6. Copy the Feed ID from the feed name to use in Jamf Threat Events.

Set up an ingestion feed using a webhook

  1. From the Google SecOps menu, select Settings > Feeds > Add New.
  2. In the Feed name field, enter a name for the feed.
  3. In the Source Type list, select Webhook.
  4. To create a feed for Jamf Threat Events, select Jamf Protect Threat Events as the Log Type.
  5. Click Next.
  6. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  7. Click Next.
  8. Review your new feed configuration in the Finalize screen, and then click Submit.
  9. Click Generate Secret Key to generate a secret key to authenticate this feed.
  10. Copy and store the secret key as you cannot view this secret again. You can generate a new secret key again, but regeneration of the secret key makes the previous secret key obsolete.
  11. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in Jamf Threat Events application.
  12. Click Done.
  13. Specify the endpoint URL in Jamf Threat Events.

Create an API key for a webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Google Security Operations API.

Set up Jamf Security Cloud for a webhook feed

  1. In the Jamf Security Cloud application, go to Integrations > Data Streams.
  2. Click New Configuration.
  3. Select Threat Events > Generic HTTP > Continue.
  4. In the HTTP Connection Configuration section, select https as the default protocol.
  5. Enter your server hostname in the Server Hostname/IP field, such as us-chronicle.googleapis.com.
  6. Enter your server port in the Port field, such as 443.
  7. Enter your web endpoint in the Endpoint field. (This is the Endpoint Information field that you copied from the webhook feed setup. It's already in the required format.)

  8. In the Additional headers section, enter the following settings, where each header is a custom, case-sensitive header that you manually enter:

    • Header name: X-goog-api-key and click Create option X-goog-api-key
    • Header value insert: API_KEY (The API key to authenticate to Google SecOps.)
    • Header name: X-Webhook-Access-Key and click Create option X-Webhook-Access-Key
    • Header value insert: SECRET (The secret key that you generated to authenticate the feed.)

  9. Click Test Configuration.

  10. If successful, click Create Configuration.

For more information about Google SecOps feeds, see Create and manage feeds using the feed management UI. For information about requirements for each feed type, see Feed configuration API.

Field mapping reference

The following table explains how the Google SecOps parser maps Jamf Threat Events logs fields to Google SecOps Unified Data Model (UDM) fields.

Field mapping reference: Event Identifier to Event Type

The following table lists the JAMF_THREAT_EVENTS log types and their corresponding UDM event types.

Event Identifier Event Type Security Category
ACCESS_BAD_HOST SCAN_HOST NETWORK_MALICIOUS
ACCESS_CRYPTOJACKING_HOST SCAN_HOST NETWORK_SUSPICIOUS
ACCESS_PHISHING_HOST SCAN_HOST PHISHING
ACCESS_SPAM_HOST SCAN_HOST NETWORK_SUSPICIOUS
ADMIN_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
ADWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
ANTIVIRUS_DISABLED SCAN_UNCATEGORIZED
APP_INACTIVITY SCAN_UNCATEGORIZED
BANKER_MALWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
DEVELOPER_MODE_ENABLED SCAN_UNCATEGORIZED
FIREWALL_DISABLED SCAN_UNCATEGORIZED POLICY_VIOLATION
IOS_PROFILE SCAN_UNCATEGORIZED
JAILBREAK SCAN_UNCATEGORIZED EXPLOIT
LEAK_CREDIT_CARD SCAN_UNCATEGORIZED ACL_VIOLATION
LEAK_EMAIL SCAN_UNCATEGORIZED ACL_VIOLATION
LEAK_LOCATION SCAN_UNCATEGORIZED ACL_VIOLATION
LEAK_PASSWORD SCAN_UNCATEGORIZED ACL_VIOLATION
LEAK_USERID SCAN_UNCATEGORIZED ACL_VIOLATION
LOCK_SCREEN_DISABLED SCAN_UNCATEGORIZED
MALICIOUS_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
MISSING_ANDROID_SECURITY_PATCHES SCAN_UNCATEGORIZED
OUT_OF_DATE_OS SCAN_UNCATEGORIZED
OUTDATED_OS SCAN_VULN_HOST SOFTWARE_MALICIOUS
OUTDATED_OS_LOW SCAN_VULN_HOST SOFTWARE_MALICIOUS
POTENTIALLY_UNWANTED_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
RANSOMWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
RISKY_APP_DOWNLOAD SCAN_UNCATEGORIZED SOFTWARE_SUSPICIOUS
ROOTING_MALWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
SIDE_LOADED_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
SMS_MALWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
SPYWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
SSL_MITM_TRUSTED_INVALID_CERT SCAN_NETWORK NETWORK_MALICIOUS
SSL_MITM_TRUSTED_VALID_CERT SCAN_NETWORK NETWORK_SUSPICIOUS
SSL_MITM_UNTRUSTED_INVALID_CERT SCAN_NETWORK NETWORK_MALICIOUS
SSL_MITM_UNTRUSTED_VALID_CERT SCAN_NETWORK NETWORK_SUSPICIOUS
SSL_STRIP_MITM SCAN_NETWORK NETWORK_MALICIOUS
SSL_TRUST_COMPROMISE SCAN_NETWORK NETWORK_SUSPICIOUS
STORAGE_ENCRYPTION_DISABLED SCAN_UNCATEGORIZED
THIRD_PARTY_APP_STORES_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
TROJAN_MALWARE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA
UNKNOWN_SOURCES_ENABLED SCAN_UNCATEGORIZED
USB_APP_VERIFICATION_DISABLED SCAN_UNCATEGORIZED
USB_DEBUGGING_ENABLED SCAN_UNCATEGORIZED
USER_PASSWORD_DISABLED SCAN_UNCATEGORIZED
VULNERABLE_APP_IN_INVENTORY SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS, SOFTWARE_PUA

Field mapping reference: JAMF_THREAT_EVENTS

The following table lists the log fields of the JAMF_THREAT_EVENTS log type and their corresponding UDM fields.
Log field UDM mapping Logic
is_alert The is_alert UDM field is set to TRUE.
principal.asset.platform_software.platform The platform_name is extracted from the event.device.deviceName log field using a Grok pattern.

If the platform_name value is equal to Mac, then the principal.asset.platform_software.platform UDM field is set to MAC.
event.accessPoint principal.labels [event_accessPoint]
event.accessPointBssid principal.mac
event.account.customerId about.resource.product_object_id
event.account.name about.resource.name
event.account.parentId about.resource_ancestors.product_object_id
event.action security_result.action The security_result.action UDM field is set to one of the following values:
  • ALLOW if the event.action log field value is equal to Resolved or Detected.
  • BLOCK if the event.action log field value is equal to Blocked.
event.action security_result.action_details
event.alertId metadata.product_log_id
event.app.id target.labels [event_app_id]
event.app.name target.application
event.app.name target.file.full_path
event.app.sha1 target.file.sha1
event.app.sha256 target.file.sha256
event.app.version target.labels [event_app_version]
event.destination.ip target.ip
event.destination.name target.url
event.destination.port target.port
event.device.deviceId principal.asset.product_object_id
event.device.deviceName principal.asset.assetid
event.device.externalId principal.asset.attribute.labels [event_device_externalId]
event.device.os principal.asset.platform_software.platform_version
event.device.userDeviceName principal.asset.attribute.labels [event_device_userDeviceName]
event.eventType.description security_result.description
event.eventType.id security_result.threat_id
event.eventType.name metadata.product_event_type
event.eventType.name security_result.category_details
event.eventType.name security_result.threat_name
event.eventUrl security_result.url_back_to_product
event.location principal.asset.location.country_or_region
event.metadata.product metadata.product_name
event.metadata.schemaVersion about.labels [event_metadata_schemaVersion]
event.metadata.vendor metadata.vendor_name
event.severity security_result.severity_details
event.source.ip principal.ip
event.source.port princiap.port
event.timestamp metadata.event_timestamp
event.user.email principal.user.email_addresses
event.user.name principal.user.user_display_name
sourceUserName principal.user.user_display_name

What's next

Need more help? Get answers from Community members and Google SecOps professionals.