Jamf Protect builds on Apple's built-in security features by adding visibility, prevention, controls and remediation capabilities. It adapts to your environment and minimizes risk for your users, endpoints and company data by flagging concerns across Mac and mobile devices. It provides security features such as behavioral analytics, customized analytics, threat hunting and mapping to the MITRE ATT&CK framework. For more details, see the official Jamf Protect web page: https://www.jamf.com/products/jamf-protect/

NetWitness Platform XDR collects logs from Jamf Protect through either the Jamf Protect GraphQL API or an AWS S3 bucket. The table below shows which Jamf Protect event types are available through the GraphQL API and which through AWS S3 forwarding, so you can choose the appropriate NetWitness collection plugin for each event type. For more information on the integrations, refer to the documentation links at the end of this blog.

| Jamf Protect Event Types | Jamf Protect GraphQL API | AWS S3 bucket forwarding |
|--------------------------|--------------------------|--------------------------|
| Alerts                   | Allowed                  | Allowed                  |
| Audit                    | Allowed                  | Not Allowed              |
| Computer List            | Allowed                  | Not Allowed              |
| Telemetry                | Not Allowed              | Allowed                  |


Events are collected in JSON format. Customers should enable the jamf log parser on the NetWitness Log Decoder to parse the collected events. We support parsing of alert, audit, computer list and telemetry events.

Documentation:

NetWitness JAMF Protect GraphQL Plugin

NetWitness S3 Universal Plugin

JAMF Protect API

JAMF Protect S3 forwarding

Log Collector Packages on NetWitness Live:
1. "JAMF Protect GraphQL Collector Configuration"
2. "AWS S3 Universal"

Log Parser on NetWitness Live: jamf
