Collect Jamf Threat Events logs

Supported in:

Google secops SIEM

This document describes how you can collect Jamf Threat Events logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields. This document also lists the supported Jamf Threat Events version.

For more information, see Data ingestion to Google SecOps.

A typical deployment consists of Jamf Threat Events and the Google SecOps feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

Jamf Protect: The Jamf Protect platform, configured with Jamf Security Cloud, where you collect network threat logs.
Google SecOps feed: The Google SecOps feed that fetches logs from Jamf Protect and writes logs to Google SecOps.
Google SecOps: Google SecOps retains and analyzes the logs from Jamf Protect.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the JAMF_THREAT_EVENTS ingestion label.

Before you begin

Ensure you have the following prerequisites:

A Jamf Protect Telemetry set up
Jamf Protect version 4.0.0 or later
All systems in the deployment architecture are configured with the UTC time zone.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds
Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

You can use either Amazon S3 or a webhook to set up an ingestion feed in Google SecOps, but we recommend using Amazon S3.

Set up an ingestion feed using Amazon S3

To configure multiple feeds for different log types within this product family, see Configure feeds by product.

To configure a single feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Jamf Threat Events Logs.
Select Amazon S3 as the Source Type.
To create a feed for Jamf Threat Events, select Jamf Protect Threat Events as the Log Type.
Click Next.
Save the feed and then Submit.
Copy the Feed ID from the feed name to use in Jamf Threat Events.

Set up an ingestion feed using a webhook

For Google Security Operations unified customers only:
To configure multiple feeds for different log types within this product family, see Configure multiple feeds.

For all customers:
To configure a single feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed. Skip this step if you're using the Google SecOps SIEM-standalone platform.
In the Feed name field, enter a name for the feed; for example, Jamf Threat Events Logs.
In the Source Type list, select Webhook.
To create a feed for Jamf Threat Events, select Jamf Protect Threat Events as the Log Type.
Click Next.
Optional: Specify values for the following input parameters:
- Split delimiter: The delimiter that is used to separate log lines, such as \n.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key as you cannot view this secret again. You can generate a new secret key again, but regeneration of the secret key makes the previous secret key obsolete.
From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in Jamf Threat Events application.
Click Done.
Specify the endpoint URL in Jamf Threat Events.

Set up feeds from the Content Hub

Specify values for the following fields:

Region: The region where the Amazon S3 bucket is located.
S3 URI: The bucket URI.
- s3://your-log-bucket-name/
  - Replace your-log-bucket-name with the actual name of your S3 bucket.
URI is a: Select either Directory or Directory which includes subdirectories, depending on your bucket structure.
Source deletion options: Select the deletion option according to your ingestion preferences.
Access Key ID: The user's access key with permissions to read from the S3 bucket.
Secret Access Key: The user's secret key with permissions to read from the S3 bucket.

Advanced options

Feed Name: A prepopulated value that identifies the feed.
Source Type: Method used to collect logs into Google SecOps.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.

Create an API key for a webhook feed

Go to Google Cloud console > Credentials.

Go to Credentials
Click Create credentials, and then select API key.
Restrict the API key access to the Google Security Operations API.

Set up Jamf Security Cloud for a webhook feed

In the Jamf Security Cloud application, go to Integrations > Data Streams.
Click New Configuration.
Select Threat Events > Generic HTTP > Continue.
In the HTTP Connection Configuration section, select https as the default protocol.
Enter your server hostname in the Server Hostname/IP field, such as us-chronicle.googleapis.com.
Enter your server port in the Port field, such as 443.
Enter your web endpoint in the Endpoint field. (This is the Endpoint Information field that you copied from the webhook feed setup. It's already in the required format.)
In the Additional headers section, enter the following settings, where each header is a custom, case-sensitive header that you manually enter:
- Header name: X-goog-api-key and click Create option X-goog-api-key
- Header value insert: API_KEY (The API key to authenticate to Google SecOps.)
- Header name: X-Webhook-Access-Key and click Create option X-Webhook-Access-Key
- Header value insert: SECRET (The secret key that you generated to authenticate the feed.)
Click Test Configuration.
If successful, click Create Configuration.

For more information about Google SecOps feeds, see Create and manage feeds using the feed management UI. For information about requirements for each feed type, see Feed configuration API.

Supported Jamf Threat Events log formats

The Jamf Threat Events parser supports logs in JSON format.

Supported Jamf Threat Events sample logs

JSON

{
  "event": {
    "metadata": {
      "schemaVersion": "1.0",
      "vendor": "Jamf",
      "product": "Threat Events Stream"
    },
    "timestamp": "2023-01-11T13:10:40.410Z",
    "alertId": "debd2e4b-9da1-454e-952d-18a00b42ffce",
    "account": {
      "customerId": "dummycustomerid",
      "parentId": "dummyparentid",
      "name": "Jamf Internal Test Accounts (root) - Jamf - CE Security Team"
    },
    "device": {
      "deviceId": "e9671102-5ccf-4e66-a6b3-b117ba257d5f",
      "os": "UNKNOWN 13.2.1",
      "deviceName": "Mac (13.2.1)",
      "userDeviceName": "darrow",
      "externalId": "0c221ae4-50af-5e39-8275-4424cc87ab8e"
    },
    "eventType": {
      "id": "303",
      "description": "Risky Host/Domain - Malware",
      "name": "ACCESS_BAD_HOST"
    },
    "app": {
      "id": "ru.freeapps.calc",
      "name": "MyFreeCalculator",
      "version": "10.4",
      "sha1": "c3499c2729730a7f807efb8676a92dcb6f8a3f8f",
      "sha256": "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545"
    },
    "destination": {
      "name": "dummy.domain.org",
      "ip": "0000:1111:2222:3333:4444:5",
      "port": "80"
    },
    "source": {
      "ip": "198.51.100.1",
      "port": "243"
    },
    "location": "GB",
    "accessPoint": null,
    "accessPointBssid": "23:8f:cf:00:9d:23",
    "severity": 8,
    "user": {
      "email": "test.user@domain.io",
      "name": "Test User"
    },
    "eventUrl": "dummy.domain.com",
    "action": "Blocked"
  }
}

Field mapping reference

The following table explains how the Google SecOps parser maps Jamf Threat Events logs fields to Google SecOps Unified Data Model (UDM) fields.

Field mapping reference: Event Identifier to Event Type

The following table lists the JAMF_THREAT_EVENTS log types and their corresponding UDM event types.

Event Identifier	Event Type	Security Category
`MALICIOUS_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`ADWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`BANKER_MALWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`POTENTIALLY_UNWANTED_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`RANSOMWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`ROOTING_MALWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`SMS_MALWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`SPYWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`TROJAN_MALWARE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`THIRD_PARTY_APP_STORES_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`ADMIN_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`SIDE_LOADED_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`VULNERABLE_APP_IN_INVENTORY`	`SCAN_UNCATEGORIZED`	`SOFTWARE_MALICIOUS, SOFTWARE_PUA`
`SSL_TRUST_COMPROMISE`	`SCAN_NETWORK`	`NETWORK_SUSPICIOUS`
`JAILBREAK`	`SCAN_UNCATEGORIZED`	`EXPLOIT`
`IOS_PROFILE`	`SCAN_UNCATEGORIZED`
`OUTDATED_OS`	`SCAN_VULN_HOST`	`SOFTWARE_MALICIOUS`
`OUTDATED_OS_LOW`	`SCAN_VULN_HOST`	`SOFTWARE_MALICIOUS`
`OUT_OF_DATE_OS`	`SCAN_UNCATEGORIZED`
`LOCK_SCREEN_DISABLED`	`SCAN_UNCATEGORIZED`
`STORAGE_ENCRYPTION_DISABLED`	`SCAN_UNCATEGORIZED`
`UNKNOWN_SOURCES_ENABLED`	`SCAN_UNCATEGORIZED`
`DEVELOPER_MODE_ENABLED`	`SCAN_UNCATEGORIZED`
`USB_DEBUGGING_ENABLED`	`SCAN_UNCATEGORIZED`
`USB_APP_VERIFICATION_DISABLED`	`SCAN_UNCATEGORIZED`
`FIREWALL_DISABLED`	`SCAN_UNCATEGORIZED`	`POLICY_VIOLATION`
`USER_PASSWORD_DISABLED`	`SCAN_UNCATEGORIZED`
`ANTIVIRUS_DISABLED`	`SCAN_UNCATEGORIZED`
`APP_INACTIVITY`	`SCAN_UNCATEGORIZED`
`MISSING_ANDROID_SECURITY_PATCHES`	`SCAN_UNCATEGORIZED`
`ACCESS_SPAM_HOST`	`SCAN_HOST`	`NETWORK_SUSPICIOUS`
`ACCESS_PHISHING_HOST`	`SCAN_HOST`	`PHISHING`
`ACCESS_BAD_HOST`	`SCAN_HOST`	`NETWORK_MALICIOUS`
`RISKY_APP_DOWNLOAD`	`SCAN_UNCATEGORIZED`	`SOFTWARE_SUSPICIOUS`
`ACCESS_CRYPTOJACKING_HOST`	`SCAN_HOST`	`NETWORK_SUSPICIOUS`
`SSL_MITM_TRUSTED_VALID_CERT`	`SCAN_NETWORK`	`NETWORK_SUSPICIOUS`
`SSL_MITM_UNTRUSTED_VALID_CERT`	`SCAN_NETWORK`	`NETWORK_SUSPICIOUS`
`SSL_STRIP_MITM`	`SCAN_NETWORK`	`NETWORK_MALICIOUS`
`SSL_MITM_UNTRUSTED_INVALID_CERT`	`SCAN_NETWORK`	`NETWORK_MALICIOUS`
`SSL_MITM_TRUSTED_INVALID_CERT`	`SCAN_NETWORK`	`NETWORK_MALICIOUS`
`LEAK_CREDIT_CARD`	`SCAN_UNCATEGORIZED`	`ACL_VIOLATION`
`LEAK_PASSWORD`	`SCAN_UNCATEGORIZED`	`ACL_VIOLATION`
`LEAK_EMAIL`	`SCAN_UNCATEGORIZED`	`ACL_VIOLATION`
`LEAK_USERID`	`SCAN_UNCATEGORIZED`	`ACL_VIOLATION`
`LEAK_LOCATION`	`SCAN_UNCATEGORIZED`	`ACL_VIOLATION`

Field mapping reference: JAMF_THREAT_EVENTS

The following table lists the log fields of the JAMF_THREAT_EVENTS log type and their corresponding UDM fields.

Log field	UDM mapping	Logic
`event.account.parentId`	`about.resource_ancestors.product_object_id`
`event.account.name`	`about.resource.name`
`event.account.customerId`	`about.resource.product_object_id`
	`is_alert`	The `is_alert` UDM field is set to `TRUE`.
`event.timestamp`	`metadata.event_timestamp`
`event.eventType.name`	`metadata.product_event_type`
`event.alertId`	`metadata.product_log_id`
`event.metadata.product`	`metadata.product_name`
`event.metadata.vendor`	`metadata.vendor_name`
`event.source.port`	`princiap.port`
`event.device.deviceName`	`principal.asset.assetid`
`event.location`	`principal.asset.location.country_or_region`
	`principal.asset.platform_software.platform`	`The platform_name` is extracted from the `event.device.deviceName` log field using a Grok pattern. If the `platform_name` value is equal to `Mac`, then the `principal.asset.platform_software.platform` UDM field is set to `MAC`.
`event.device.os`	`principal.asset.platform_software.platform_version`
`event.device.deviceId`	`principal.asset.product_object_id`
`event.source.ip`	`principal.ip`
`event.accessPointBssid`	`principal.mac`
`event.user.email`	`principal.user.email_addresses`
`event.user.name`	`principal.user.user_display_name`
`sourceUserName`	`principal.user.user_display_name`
`event.device.externalId`	`principal.asset.attribute.labels [event_device_externalId]`
`event.device.userDeviceName`	`principal.asset.attribute.labels [event_device_userDeviceName]`
`event.accessPoint`	`principal.labels [event_accessPoint]`
`event.action`	`security_result.action`	The `security_result.action` UDM field is set to one of the following values: `ALLOW` if the `event.action` log field value is equal to `Resolved` or `Detected`. `BLOCK` if the `event.action` log field value is equal to `Blocked`.
`event.action`	`security_result.action_details`
`event.eventType.name`	`security_result.category_details`
`event.eventType.description`	`security_result.description`
`event.severity`	`security_result.severity_details`
`event.eventType.id`	`security_result.threat_id`
`event.eventType.name`	`security_result.threat_name`
`event.eventUrl`	`security_result.url_back_to_product`
`event.destination.port`	`target.port`
`event.app.name`	`target.application`
`event.app.name`	`target.file.full_path`
`event.app.sha1`	`target.file.sha1`
`event.app.sha256`	`target.file.sha256`
`event.destination.ip`	`target.ip`
`event.destination.name`	`target.url`
`event.app.version`	`target.labels [event_app_version]`
`event.app.id`	`target.labels [event_app_id]`
`event.metadata.schemaVersion`	`about.labels [event_metadata_schemaVersion]`

What's next

Data ingestion to Google SecOps

Need more help? Get answers from Community members and Google SecOps professionals.