Question

JAMF Logging to SIEM

  • September 7, 2021
  • 9 replies
  • 108 views


Greetings. I need to be able to ingest Security related log data from JAMF Pro api. Does anyone have suggestions on the API endpoints that I should focus on?

 

Thanks

Frank

 

9 replies

afarnsworth
  • Contributor
  • September 7, 2021

If you are on Jamf Cloud you have to pay for Premium Cloud (+$20k/year) in order to get complete log forwarding to a SIEM.

If you are on-prem it's free by just installing a connector on the server.

 

The API won't give you enough information to generate proper security events.


  • Author
  • New Contributor
  • September 8, 2021

If you are on Jamf Cloud you have to pay for Premium Cloud (+$20k/year) in order to get complete log forwarding to a SIEM.

If you are on-prem it's free by just installing a connector on the server.

 

The API won't give you enough information to generate proper security events.


What if we have Jamf PRO?

 

 


  • Valued Contributor
  • September 8, 2021

Jamf Pro can be hosted either in Jamf Cloud or on premises. As @afarnsworth mentions, if your Jamf Pro is hosted on Jamf servers you have to go with a Premium subscription. If your Jamf Pro is hosted on your own servers, just install your SIEM connector to forward the logs you need.

We rely on DataDogHQ as our SIEM and we use a mix of agent and Jamf Pro APIs to log the events we need. For example we use the Jamf Pro API to collect all compliance information we can get from the device inventory, then we use the agent to collect information on events like change management, access log and Jamf Pro log.


  • Author
  • New Contributor
  • September 9, 2021

Thanks for the info!


  • Honored Contributor
  • September 23, 2021

We don't use premium jamf cloud and we ingest data into our data cloud platform. We do this a few ways, we have an API collector that runs every so many hours and does an async pull of all device records. Then we also ingest many different webhooks for event data.
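The two approaches described in this thread (a scheduled Jamf Pro API pull of the device inventory for compliance data, plus webhooks for event data) are sketched below as an added example; this is not code from the thread or from Jamf. It assumes the Jamf Pro API's paged `/api/v1/computers-inventory` response shape (`totalCount` plus a `results` list, with `general`, `hardware`, `operatingSystem` and `security` sections whose field names are taken from memory of the v1 schema and should be checked against your instance) and the webhook envelope (`webhook` plus `event`). The HTTP call itself is replaced by a pluggable `fetch_page` function so the block runs offline on constructed sample pages; what it adds beyond the posts is the diff between two scheduled runs, which turns a plain inventory dump into posture-change events a SIEM can alert on.

```python
"""Jamf Pro -> SIEM collector sketch (example, not project code).

Assumed API response shape (verify against your Jamf Pro instance):
  GET /api/v1/computers-inventory?page=N&page-size=M
  -> {"totalCount": int, "results": [ {"id", "general", "hardware",
                                       "operatingSystem", "security"}, ... ]}
Assumed webhook body: {"webhook": {"name", "webhookEvent"}, "event": {...}}
"""
import copy
import json

# Security-posture fields whose change between runs is worth an alert.
POSTURE_FIELDS = ("sip_status", "gatekeeper", "firewall_enabled", "filevault")


def iter_inventory(fetch_page, page_size=100):
    """Walk the paged inventory endpoint until totalCount records are seen.
    fetch_page(page, page_size) returns one decoded JSON page."""
    page, seen = 0, 0
    while True:
        body = fetch_page(page, page_size)
        results = body.get("results", [])
        for rec in results:
            seen += 1
            yield rec
        if not results or seen >= body.get("totalCount", 0):
            return
        page += 1


def flatten_record(rec):
    """Reduce one inventory record to the flat fields a SIEM can index.
    Field names inside rec are assumptions about the v1 schema."""
    general = rec.get("general", {})
    sec = rec.get("security", {})
    return {
        "device_id": rec.get("id"),
        "hostname": general.get("name"),
        "serial": rec.get("hardware", {}).get("serialNumber"),
        "last_contact": general.get("lastContactTime"),
        "os_version": rec.get("operatingSystem", {}).get("version"),
        "filevault": rec.get("operatingSystem", {}).get("fileVault2Status"),
        "sip_status": sec.get("sipStatus"),
        "gatekeeper": sec.get("gatekeeperStatus"),
        "firewall_enabled": sec.get("firewallEnabled"),
    }


def collect(fetch_page, page_size=100):
    """One scheduled run: {device_id: flat record} for every device."""
    return {r["device_id"]: r
            for r in (flatten_record(x) for x in iter_inventory(fetch_page, page_size))}


def posture_changes(previous, current):
    """Compare two runs; emit one event per device whose posture field changed
    (e.g. SIP went ENABLED -> DISABLED). New devices are not diffed."""
    events = []
    for dev_id, cur in current.items():
        prev = previous.get(dev_id)
        if prev is None:
            continue
        for field in POSTURE_FIELDS:
            if prev.get(field) != cur.get(field):
                events.append({"source": "jamf_pro_inventory", "event": "posture_change",
                               "device_id": dev_id, "hostname": cur["hostname"],
                               "field": field, "old": prev.get(field), "new": cur.get(field)})
    return events


def webhook_to_event(payload):
    """Normalise a Jamf Pro webhook POST body into a flat SIEM event."""
    hook, ev = payload.get("webhook", {}), payload.get("event", {})
    computer = ev.get("computer", {})
    return {"source": "jamf_pro_webhook", "event": hook.get("webhookEvent"),
            "webhook_name": hook.get("name"), "hostname": computer.get("name"),
            "serial": computer.get("serialNumber"), "udid": computer.get("udid"),
            "username": ev.get("username")}


def to_siem_line(event):
    """One JSON object per line is what most SIEM HTTP/file collectors accept."""
    return json.dumps(event, sort_keys=True)


# --- Constructed sample data (not captured from a real instance) ----------
def _rec(i, name, serial, sip="ENABLED"):
    return {"id": str(i), "general": {"name": name, "lastContactTime": "2021-09-23T08:00:00Z"},
            "hardware": {"serialNumber": serial},
            "operatingSystem": {"version": "11.6", "fileVault2Status": "ALL_ENCRYPTED"},
            "security": {"sipStatus": sip, "firewallEnabled": True,
                         "gatekeeperStatus": "APP_STORE_AND_IDENTIFIED_DEVELOPERS"}}

SAMPLE_PAGES_RUN1 = [
    {"totalCount": 3, "results": [_rec(1, "mac-alice", "CONSTRUCTED0001"),
                                  _rec(2, "mac-bob", "CONSTRUCTED0002")]},
    {"totalCount": 3, "results": [_rec(3, "mac-carol", "CONSTRUCTED0003")]},
]
# Second run: identical except SIP is now disabled on mac-bob.
SAMPLE_PAGES_RUN2 = copy.deepcopy(SAMPLE_PAGES_RUN1)
SAMPLE_PAGES_RUN2[0]["results"][1]["security"]["sipStatus"] = "DISABLED"

SAMPLE_WEBHOOK = {"webhook": {"id": 1, "name": "siem-checkin", "webhookEvent": "ComputerCheckIn"},
                  "event": {"trigger": "checkin", "username": "bob",
                            "computer": {"name": "mac-bob", "serialNumber": "CONSTRUCTED0002",
                                         "udid": "00000000-0000-0000-0000-000000000002"}}}


def make_fetch(pages):
    """Stand-in for the HTTP GET; returns an empty page past the end."""
    def fetch_page(page, page_size):
        return pages[page] if page < len(pages) else {"totalCount": 0, "results": []}
    return fetch_page


if __name__ == "__main__":
    run1 = collect(make_fetch(SAMPLE_PAGES_RUN1), page_size=2)
    run2 = collect(make_fetch(SAMPLE_PAGES_RUN2), page_size=2)
    for ev in posture_changes(run1, run2):
        print(to_siem_line(ev))
    print(to_siem_line(webhook_to_event(SAMPLE_WEBHOOK)))
```

In a real deployment `fetch_page` would call the inventory endpoint with a bearer token and the previous run's snapshot would be persisted between scheduled runs; the webhook normaliser would sit behind the HTTPS receiver that Jamf Pro posts to, with the webhook's shared secret or client certificate checked before the body is trusted.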


  • New Contributor
  • September 23, 2021

Jamf Pro can be hosted either in Jamf Cloud or on premises. As @afarnsworth mentions, if your Jamf Pro is hosted on Jamf servers you have to go with a Premium subscription. If your Jamf Pro is hosted on your own servers, just install your SIEM connector to forward the logs you need.

We rely on DataDogHQ as our SIEM and we use a mix of agent and Jamf Pro APIs to log the events we need. For example we use the Jamf Pro API to collect all compliance information we can get from the device inventory, then we use the agent to collect information on events like change management, access log and Jamf Pro log.


Hi, I have a requirement to send the below logs to the SIEM solution LogRhythm. Can you help me with how to do it? The LogRhythm agent won't work on Mac.

  1. Successful and failed authentication attempts
  2. Use of root privilege accounts, such as through su and sudo
  3. Denied inbound connections, e.g. those blocked by packet filter
  4. Command and shell history

  • New Contributor
  • December 11, 2021

We don't use premium jamf cloud and we ingest data into our data cloud platform. We do this a few ways, we have an API collector that runs every so many hours and does an async pull of all device records. Then we also ingest many different webhooks for event data.


@tlarkin Any chance you could provide a few details on your implementation for this?
Thanks in advance!


  • New Contributor
  • December 20, 2022

@tlarkin This would be helpful to our org as well if you're able to provide some more info. 


  • New Contributor
  • October 24, 2024

We don't use premium jamf cloud and we ingest data into our data cloud platform. We do this a few ways, we have an API collector that runs every so many hours and does an async pull of all device records. Then we also ingest many different webhooks for event data.


@tlarkin 

I know this is an old thread, but if you see this, can you come back here and share anything with us?  Thanks!