Skip to main content

Trying to figure out if Protect can provide similar insights to system, file, network events that Microsoft Defender ATP can provide.

Have just stood up Protect and wired it up to pass data into Splunk, but feel that this does not give the same level of insight into what is happening on the device as compared to ATP/Windows.

ATP has a timeline feature that allows you to drill down into each step a user makes on their system. This is crucial for our InfoSec team to be able to analyze alerts.

We are hoping that Protect can give us more insight into what is happening on our growing Mac fleet. 

Any advice is welcome and appreciated.

Hey @Endp0int ,

That's a fair ask and by integrating Jamf Protect with Splunk and using the available Jamf Protect Technical-add on for Splunk you should be able to get the in-depth insights as well.

Make sure to look into Telemetry that's available in Jamf Protect as well and configure the desired log levels.

Hopefully this already helps a bit! 

Hey @Endp0int ,

That's a fair ask and by integrating Jamf Protect with Splunk and using the available Jamf Protect Technical-add on for Splunk you should be able to get the in-depth insights as well.

Make sure to look into Telemetry that's available in Jamf Protect as well and configure the desired log levels.

Hopefully this already helps a bit! 


So maybe I am missing something, but the JAMF/Splunk Dashboards only look to pull alert information, is that correct? I feel like something might be misconfigured here, thoughts?

 

I also have telemetry setup for Level 2, with verbose logging, performance metrics, and diagnostic and crash files.

So maybe I am missing something, but the JAMF/Splunk Dashboards only look to pull alert information, is that correct? I feel like something might be misconfigured here, thoughts?

 


Creating a custom prevention list for an application allowed the dashboard to show the alert. Seems it's working as expected.

Reply


Terms & ConditionsCookie settings