Jamf Protect
About
Jamf Protect is an endpoint security solution for identifying, preventing and resolving threats on Mac devices. It gives administrators visibility into remote devices and sends automated alerts when suspicious activity is detected in scripts or software.
Product Details
Vendor URL: Jamf Protect
Product Type: EDR
Product Tier: Tier I
Integration Method: Syslog
Log Guide: Jamf Unified Logging
Parser Details
Log Format: JSON
Expected Normalization Rate: Above 90%
Data Label: JAMF_PROTECT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| architecture | principal.asset.hardware.cpu_platform |
| exec_chain_child.parent_path | about.file.full_path |
| exec_chain_child.parent_pid | about.process.parent_pid |
| header.time_seconds_epoch | event.timestamp |
| header.event_name | metadata.product_event_type |
| header.event_id | metadata.product_log_id |
| host_info.host_name | principal.hostname |
| host_info.host_uuid | principal.user.userid |
| host_info.osversion | principal.asset.platform_software.platform_patch_level |
| host_info.serial_number | principal.asset.hardware.serial_number |
| identity.signer_id | network.tls.client.certificate.issuer |
| return.description | security_result.summary |
| socket_inet.ip_address | principal.ip |
| socket_inet.port | principal.port |
| subject.group_id | about.group.product_object_id |
| subject.process_id | about.process.pid |
| subject.process_name | about.file.names |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
Log Sample
```json
{
  "socket_inet": {
    "family": 2,
    "id": 128,
    "ip_address": "0.0.0.0",
    "port": 31488
  },
  "subject": {
    "effective_group_id": 266,
    "group_name": "_timed",
    "session_id": 100000,
    "effective_user_name": "_timed",
    "process_name": "/usr/libexec/timed",
    "process_id": 128,
    "effective_group_name": "_timed",
    "audit_user_name": "",
    "process_hash": "3f483dbe0f53dbe8d3ea4d24d80ee41215e49354",
    "responsible_process_name": "",
    "responsible_process_id": 128,
    "terminal_id": {
      "type": 4,
      "ip_address": "0.0.0.0",
      "port": 0
    },
    "user_name": "_timed",
    "effective_user_id": 266,
    "user_id": 266,
    "group_id": 266,
    "audit_id": 4294967295
  },
  "header": {
    "event_modifier": 0,
    "event_id": 34,
    "event_name": "AUE_BIND",
    "time_seconds_epoch": 1677613384,
    "time_milliseconds_offset": 548,
    "version": 11
  },
  "return": {
    "return_value": 0,
    "error": 0,
    "description": "success"
  },
  "rateLimitingSeconds": 1800,
  "exec_chain_child": {
    "parent_pid": 1,
    "parent_uuid": "472194B9-0C06-4167-82B0-C25C450112CA",
    "parent_path": "/sbin/launchd"
  },
  "exec_chain": {
    "thread_uuid": "B830F426-6183-4EC2-9C92-123392E25913"
  },
  "arguments": {
    "fd": 7
  },
  "host_info": {
    "serial_number": "C02C21F5MD6R",
    "host_name": "juggernaut",
    "osversion": "Version 12.2.1 (Build 21D62)",
    "host_uuid": "A45E4FDE-DFBD-5342-AF3D-52E413A0582A"
  },
  "key": "F4FAB97E-52A5-4990-BDD6-2258C9332637",
  "identity": {
    "signer_id": "com.apple.timed",
    "team_id_truncated": false,
    "signer_id_truncated": false,
    "cd_hash": "68a45bc59254dfbc993cad704774a426f043a484",
    "team_id": "",
    "signer_type": 1
  }
}
```
Sample Parsing
about.file.full_path = "/sbin/launchd"
about.process.parent_pid = "128"
event.timestamp = "2023-02-25T19:43:04Z"
metadata.product_event_type = "AUE_BIND"
metadata.product_log_id = "34"
principal.hostname = "juggernaut"
principal.user.userid = "A45E4FDE-DFBD-5342-AF3D-52E413A0582A"
principal.asset.platform_software.platform_patch_level = "Version 12.2.1 (Build 21D62)"
principal.asset.hardware.serial_number = "C02C21F5MD6R"
network.tls.client.certificate.issuer = ""
security_result.summary = "success"
principal.ip = "0.0.0.0"
principal.port = "31488"
about.group.product_object_id = "266"
about.process.pid = "128"
about.file.names = "/usr/libexec/timed"
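The field table, log sample and parsing output above describe one mapping step; the following Python is an added illustration of that step, not the vendor's or the platform's own parser. It applies the table row by row to a constructed copy of the sample record (trimmed to the keys the table references), converts `header.time_seconds_epoch` to a UTC timestamp, leaves a UDM field unset when its source key is absent (`architecture` is missing from the sample, as it would be in a real feed), tags every record `GENERIC_EVENT` as the event-type table specifies, and computes the share of records that normalized, the figure the "Expected Normalization Rate" refers to. Output values are whatever the embedded record contains; `normalize`, `lookup`, `normalization_rate` and the `FIELD_MAP` name are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Constructed copy of the Log Sample above, trimmed to the keys the field table uses.
SAMPLE_RECORD = json.dumps({
    "socket_inet": {"family": 2, "id": 128, "ip_address": "0.0.0.0", "port": 31488},
    "subject": {"group_id": 266, "process_id": 128, "process_name": "/usr/libexec/timed"},
    "header": {"event_id": 34, "event_name": "AUE_BIND", "time_seconds_epoch": 1677613384},
    "return": {"return_value": 0, "error": 0, "description": "success"},
    "exec_chain_child": {"parent_pid": 1, "parent_path": "/sbin/launchd"},
    "host_info": {
        "serial_number": "C02C21F5MD6R",
        "host_name": "juggernaut",
        "osversion": "Version 12.2.1 (Build 21D62)",
        "host_uuid": "A45E4FDE-DFBD-5342-AF3D-52E413A0582A",
    },
    "identity": {"signer_id": "com.apple.timed"},
})

# Constructed record with no timestamp, to show a line that fails to normalize.
MALFORMED_RECORD = json.dumps({"header": {"event_name": "AUE_BIND"}})

# Dotted source path -> UDM field, copied from the field table on this page.
FIELD_MAP = {
    "architecture": "principal.asset.hardware.cpu_platform",
    "exec_chain_child.parent_path": "about.file.full_path",
    "exec_chain_child.parent_pid": "about.process.parent_pid",
    "header.time_seconds_epoch": "event.timestamp",
    "header.event_name": "metadata.product_event_type",
    "header.event_id": "metadata.product_log_id",
    "host_info.host_name": "principal.hostname",
    "host_info.host_uuid": "principal.user.userid",
    "host_info.osversion": "principal.asset.platform_software.platform_patch_level",
    "host_info.serial_number": "principal.asset.hardware.serial_number",
    "identity.signer_id": "network.tls.client.certificate.issuer",
    "return.description": "security_result.summary",
    "socket_inet.ip_address": "principal.ip",
    "socket_inet.port": "principal.port",
    "subject.group_id": "about.group.product_object_id",
    "subject.process_id": "about.process.pid",
    "subject.process_name": "about.file.names",
}


def lookup(record, dotted):
    """Walk a dotted path through nested dicts; None when any segment is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize(raw_json):
    """Map one raw JSON line to a flat dict of UDM field -> string value."""
    record = json.loads(raw_json)
    udm = {}
    for src, dst in FIELD_MAP.items():
        value = lookup(record, src)
        if value is None:
            continue  # source key absent: leave the UDM field unset rather than ""
        if dst == "event.timestamp":
            # Epoch seconds -> RFC 3339 UTC; a non-integer raises ValueError.
            value = datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        else:
            value = str(value)
        udm[dst] = value
    udm["metadata.event_type"] = "GENERIC_EVENT"  # every event type per the table above
    return udm


def normalization_rate(raw_lines, required=("event.timestamp", "metadata.product_event_type")):
    """Fraction (0.0 to 1.0) of lines whose UDM output carries every required field."""
    if not raw_lines:
        return 0.0
    ok = 0
    for line in raw_lines:
        try:
            udm = normalize(line)
        except (ValueError, TypeError):
            continue  # unparseable JSON or a bad epoch counts as not normalized
        if all(field in udm for field in required):
            ok += 1
    return ok / len(raw_lines)


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_RECORD).items()):
        print(f'{field} = "{value}"')
    print("rate:", normalization_rate([SAMPLE_RECORD, MALFORMED_RECORD]))
```

Fields whose source key is missing are left unset instead of being emitted as empty strings, so a downstream rule that keys on the presence of, say, `principal.asset.hardware.cpu_platform` does not match on an empty value; the rate function treats both malformed JSON and a missing timestamp as failures, which is the behaviour to monitor when checking a feed against the expected normalization rate.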