Collect Jamf Threat Events logs
This document describes how you can collect Jamf Threat Events logs by setting up a Google Security Operations feed and how log fields map to Google Security Operations Unified Data Model (UDM) fields. This document also lists the supported Jamf Threat Events version.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Jamf Threat Events and the Google Security Operations feed configured to send logs to Google Security Operations. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
Jamf Protect. The Jamf Protect platform from which you collect logs.
Google Security Operations feed. The Google Security Operations feed that fetches logs from Jamf Protect and writes logs to Google Security Operations.
Google Security Operations. Google Security Operations retains and analyzes the logs from Jamf Protect.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the JAMF_THREAT_EVENTS ingestion label.
Before you begin
- Ensure that you have a Jamf Protect set up.
- Ensure that you are using Jamf Protect version 4.0.0 or later.
- Ensure that all systems in the deployment architecture are configured with the UTC time zone.
Configure a feed in Google Security Operations to ingest Jamf Threat Events logs
You can use either Amazon S3 or a webhook to set up an ingestion feed in Google Security Operations, but we recommend using Amazon S3.
Set up an ingestion feed using Amazon S3
- From the Google Security Operations menu, select Settings > Feeds > Add New.
- Select Amazon S3 as the Source Type.
- To create a feed for Jamf Threat Events, select Jamf Protect Threat Events as the Log Type.
- Click Next.
- Save the feed and then Submit.
- Copy the Feed ID from the feed name to use in Jamf Threat Events.
Set up an ingestion feed using a webhook
- From the Google Security Operations menu, select Settings > Feeds > Add New.
- In the Feed name field, enter a name for the feed.
- In the Source Type list, select Webhook.
- To create a feed for Jamf Threat Events, select Jamf Protect Threat Events as the Log Type.
- Click Next.
- Optional: Specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate log lines, such as
\n. - Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
- Split delimiter: the delimiter that is used to separate log lines, such as
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
- Copy and store the secret key as you cannot view this secret again. You can generate a new secret key again, but regeneration of the secret key makes the previous secret key obsolete.
- From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in Jamf Threat Events application.
- Click Done.
- Specify the endpoint URL in Jamf Threat Events.
Create an API key for a webhook feed
Go to Google Cloud console > Credentials.
Click Create credentials, and then select API key.
Restrict the API key access to the Google Security Operations API.
Set up Jamf Protect for a webhook feed
- In the Jamf Protect application, navigate to the related Action configuration.
- To add a new Data endpoint, click Create Actions.
- Select HTTP as the protocol.
- Enter the HTTPS URL of the Google Security Operations API endpoint in the URL field. (This is the Endpoint Information field that you copied from the webhook feed setup. It's already in the required format.)
Enable authentication by specifying the API key and Secret key as part of the custom header in the following format:
X-goog-api-key = API_KEY X-Webhook-Access-Key = SECRETRecommendation: Specify the API key as a header instead of specifying it in the URL. If your webhook client doesn't support custom headers, you can specify the API key and Secret key using query parameters in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRETReplace the following:
ENDPOINT_URL: The feed endpoint URL.API_KEY: The API key to authenticate to Google Security Operations.SECRET: The secret key that you generated to authenticate the feed.
In the Collect Logs section, select Alerts & Unified Logs.
Click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
Field mapping reference
The following table explains how the Google Security Operations parser maps Jamf Threat Events logs fields to Google Security Operations Unified Data Model (UDM) fields.
Field mapping reference: Event Identifier to Event Type
The following table lists theJAMF_THREAT_EVENTS log types and their corresponding UDM event types.
| Event Identifier | Event Type | Security Category |
|---|---|---|
MALICIOUS_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
ADWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
BANKER_MALWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
POTENTIALLY_UNWANTED_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
RANSOMWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
ROOTING_MALWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
SMS_MALWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
SPYWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
TROJAN_MALWARE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
THIRD_PARTY_APP_STORES_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
ADMIN_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
SIDE_LOADED_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
VULNERABLE_APP_IN_INVENTORY |
SCAN_UNCATEGORIZED |
SOFTWARE_MALICIOUS, SOFTWARE_PUA |
SSL_TRUST_COMPROMISE |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
JAILBREAK |
SCAN_UNCATEGORIZED |
EXPLOIT |
IOS_PROFILE |
SCAN_UNCATEGORIZED |
|
OUTDATED_OS |
SCAN_VULN_HOST |
SOFTWARE_MALICIOUS |
OUTDATED_OS_LOW |
SCAN_VULN_HOST |
SOFTWARE_MALICIOUS |
OUT_OF_DATE_OS |
SCAN_UNCATEGORIZED |
|
LOCK_SCREEN_DISABLED |
SCAN_UNCATEGORIZED |
|
STORAGE_ENCRYPTION_DISABLED |
SCAN_UNCATEGORIZED |
|
UNKNOWN_SOURCES_ENABLED |
SCAN_UNCATEGORIZED |
|
DEVELOPER_MODE_ENABLED |
SCAN_UNCATEGORIZED |
|
USB_DEBUGGING_ENABLED |
SCAN_UNCATEGORIZED |
|
USB_APP_VERIFICATION_DISABLED |
SCAN_UNCATEGORIZED |
|
FIREWALL_DISABLED |
SCAN_UNCATEGORIZED |
POLICY_VIOLATION |
USER_PASSWORD_DISABLED |
SCAN_UNCATEGORIZED |
|
ANTIVIRUS_DISABLED |
SCAN_UNCATEGORIZED |
|
APP_INACTIVITY |
SCAN_UNCATEGORIZED |
|
MISSING_ANDROID_SECURITY_PATCHES |
SCAN_UNCATEGORIZED |
|
ACCESS_SPAM_HOST |
SCAN_HOST |
NETWORK_SUSPICIOUS |
ACCESS_PHISHING_HOST |
SCAN_HOST |
PHISHING |
ACCESS_BAD_HOST |
SCAN_HOST |
NETWORK_MALICIOUS |
RISKY_APP_DOWNLOAD |
SCAN_UNCATEGORIZED |
SOFTWARE_SUSPICIOUS |
ACCESS_CRYPTOJACKING_HOST |
SCAN_HOST |
NETWORK_SUSPICIOUS |
SSL_MITM_TRUSTED_VALID_CERT |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
SSL_MITM_UNTRUSTED_VALID_CERT |
SCAN_NETWORK |
NETWORK_SUSPICIOUS |
SSL_STRIP_MITM |
SCAN_NETWORK |
NETWORK_MALICIOUS |
SSL_MITM_UNTRUSTED_INVALID_CERT |
SCAN_NETWORK |
NETWORK_MALICIOUS |
SSL_MITM_TRUSTED_INVALID_CERT |
SCAN_NETWORK |
NETWORK_MALICIOUS |
LEAK_CREDIT_CARD |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
LEAK_PASSWORD |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
LEAK_EMAIL |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
LEAK_USERID |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
LEAK_LOCATION |
SCAN_UNCATEGORIZED |
ACL_VIOLATION |
Field mapping reference: JAMF_THREAT_EVENTS
The following table lists the log fields of theJAMF_THREAT_EVENTS log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
event.account.parentId |
about.resource_ancestors.product_object_id |
|
event.account.name |
about.resource.name |
|
event.account.customerId |
about.resource.product_object_id |
|
|
is_alert |
The is_alert UDM field is set to TRUE. |
event.timestamp |
metadata.event_timestamp |
|
event.eventType.name |
metadata.product_event_type |
|
event.alertId |
metadata.product_log_id |
|
event.metadata.product |
metadata.product_name |
|
event.metadata.vendor |
metadata.vendor_name |
|
event.source.port |
princiap.port |
|
event.device.deviceName |
principal.asset.assetid |
|
event.location |
principal.asset.location.country_or_region |
|
|
principal.asset.platform_software.platform |
The platform_name is extracted from the event.device.deviceName log field using a Grok pattern.If the platform_name value is equal to Mac, then the principal.asset.platform_software.platform UDM field is set to MAC.
|
event.device.os |
principal.asset.platform_software.platform_version |
|
event.device.deviceId |
principal.asset.product_object_id |
|
event.source.ip |
principal.ip |
|
event.accessPointBssid |
principal.mac |
|
event.user.email |
principal.user.email_addresses |
|
event.user.name |
principal.user.user_display_name |
|
sourceUserName |
principal.user.user_display_name |
|
event.device.externalId |
principal.asset.attribute.labels [event_device_externalId] |
|
event.device.userDeviceName |
principal.asset.attribute.labels [event_device_userDeviceName] |
|
event.accessPoint |
principal.labels [event_accessPoint] |
|
event.action |
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
event.action |
security_result.action_details |
|
event.eventType.name |
security_result.category_details |
|
event.eventType.description |
security_result.description |
|
event.severity |
security_result.severity_details |
|
event.eventType.id |
security_result.threat_id |
|
event.eventType.name |
security_result.threat_name |
|
event.eventUrl |
security_result.url_back_to_product |
|
event.destination.port |
target.port |
|
event.app.name |
target.application |
|
event.app.name |
target.file.full_path |
|
event.app.sha1 |
target.file.sha1 |
|
event.app.sha256 |
target.file.sha256 |
|
event.destination.ip |
target.ip |
|
event.destination.name |
target.url |
|
event.app.version |
target.labels [event_app_version] |
|
event.app.id |
target.labels [event_app_id] |
|
event.metadata.schemaVersion |
about.labels [event_metadata_schemaVersion] |
What's next
Need more help? Get answers from Community members and Google SecOps professionals.