Posted on 09-07-2021 01:03 PM
Greetings. I need to be able to ingest security-related log data from the Jamf Pro API. Does anyone have suggestions on the API endpoints that I should focus on?
Thanks
Frank
Posted on 09-07-2021 01:45 PM
If you are on Jamf Cloud, you have to pay for Premium Cloud (+$20k/year) in order to get complete log forwarding to a SIEM.
If you are on-prem, it's free: just install a connector on the server.
The API won't give you enough information to generate proper security events.
Posted on 09-08-2021 04:53 AM
What if we have Jamf Pro?
Posted on 09-08-2021 02:44 PM
Jamf Pro can be hosted either in Jamf Cloud or on premises. As @afarnsworth mentions, if your Jamf Pro is hosted on Jamf servers you have to go with a Premium subscription. If your Jamf Pro is hosted on your own servers, just install your SIEM connector to forward the logs you need.
We rely on DataDogHQ as our SIEM and we use a mix of agent and Jamf Pro APIs to log the events we need. For example, we use the Jamf Pro API to collect all the compliance information we can get from the device inventory, then we use the agent to collect information on events like change management, the access log and the Jamf Pro log.
Posted on 09-23-2021 04:19 AM
Hi, I have a requirement to send the logs below to our SIEM solution, LogRhythm. Can you help me with how to do it? The LogRhythm agent won't support Mac.
Posted on 09-09-2021 04:23 AM
Thanks for the info!
Posted on 09-22-2021 06:39 PM
We don't use Premium Jamf Cloud, and we ingest data into our data cloud platform. We do this a few ways: we have an API collector that runs every so many hours and does an async pull of all device records, and we also ingest many different webhooks for event data.
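As an added illustration of the two-path setup described in this post and in the DataDog reply above (inventory pulled from the Jamf Pro API on a schedule, plus webhooks for event data), here is an example that is not code from this thread, from Jamf or from any poster. It assumes the inventory endpoint is GET /api/v1/computers-inventory with `page`, `page-size` and repeated `section=` parameters returning `{"totalCount": N, "results": [...]}`, that the `security` section carries fields such as `sipStatus`, `gatekeeperStatus` and `firewallEnabled`, and that webhook bodies look like `{"webhook": {"webhookEvent": ...}, "event": {...}}`; check all of that against your own Jamf Pro version. The page-fetching function is injected so the collector runs here against constructed sample pages rather than a live server.

```python
"""Added example, not code from the thread or from Jamf: a paginated inventory
pull normalised into flat SIEM events, plus a webhook-body parser.
All endpoint and field names below are assumptions to verify against your Jamf Pro."""
import json
from typing import Callable, Iterator

# Constructed sample: two inventory pages in the assumed response shape (page size 2, 3 devices).
SAMPLE_INVENTORY = [
    {"totalCount": 3, "results": [
        {"id": "1", "udid": "AAA", "general": {"name": "mac-01", "lastContactTime": "2021-09-22T10:00:00Z"},
         "security": {"sipStatus": "ENABLED", "gatekeeperStatus": "APP_STORE_AND_IDENTIFIED_DEVELOPERS",
                      "firewallEnabled": True, "activationLockEnabled": True}},
        {"id": "2", "udid": "BBB", "general": {"name": "mac-02", "lastContactTime": "2021-09-22T09:30:00Z"},
         "security": {"sipStatus": "DISABLED", "gatekeeperStatus": "DISABLED",
                      "firewallEnabled": False, "activationLockEnabled": False}},
    ]},
    {"totalCount": 3, "results": [
        {"id": "3", "udid": "CCC", "general": {"name": "mac-03", "lastContactTime": "2021-09-21T23:10:00Z"},
         "security": {"sipStatus": "ENABLED", "gatekeeperStatus": "APP_STORE_AND_IDENTIFIED_DEVELOPERS",
                      "firewallEnabled": True, "activationLockEnabled": False}},
    ]},
]

# Constructed sample webhook body (assumed ComputerAdded payload shape).
SAMPLE_WEBHOOK = json.dumps({
    "webhook": {"id": 7, "name": "siem-computer-added", "webhookEvent": "ComputerAdded"},
    "event": {"jssID": 4, "udid": "DDD", "deviceName": "mac-04", "serialNumber": "C02XXXX", "username": "fsmith"},
}).encode()

PAGE_SIZE = 2
SECTIONS = ("GENERAL", "SECURITY")


def stub_fetch_page(page: int, page_size: int, sections: tuple) -> dict:
    """Stand-in for an HTTP GET of /api/v1/computers-inventory (assumed endpoint); serves the sample."""
    return SAMPLE_INVENTORY[page] if page < len(SAMPLE_INVENTORY) else {"totalCount": 3, "results": []}


def pull_inventory(fetch_page: Callable, page_size: int = PAGE_SIZE, sections: tuple = SECTIONS) -> Iterator[dict]:
    """Walk pages until totalCount records have been yielded, or a page comes back empty."""
    page, seen = 0, 0
    while True:
        body = fetch_page(page, page_size, sections)
        results = body.get("results", [])
        if not results:
            return
        for rec in results:
            seen += 1
            yield rec
        if seen >= body.get("totalCount", 0):
            return
        page += 1


def compliance_event(rec: dict, collected_at: int) -> dict:
    """Flatten one inventory record into a SIEM-friendly event with a list of failed checks."""
    sec, gen = rec.get("security", {}), rec.get("general", {})
    findings = []
    if sec.get("sipStatus") != "ENABLED":
        findings.append("sip_disabled")
    if sec.get("gatekeeperStatus") == "DISABLED":
        findings.append("gatekeeper_disabled")
    if not sec.get("firewallEnabled", False):
        findings.append("firewall_disabled")
    return {"source": "jamf_pro_inventory", "collected_at": collected_at, "device_id": rec.get("id"),
            "udid": rec.get("udid"), "hostname": gen.get("name"), "last_contact": gen.get("lastContactTime"),
            "findings": findings, "compliant": not findings}


def collect(fetch_page: Callable = stub_fetch_page, now: int = 0) -> list:
    """One scheduled run: every device record becomes one compliance event."""
    return [compliance_event(r, now) for r in pull_inventory(fetch_page)]


def webhook_event(raw_body: bytes) -> dict:
    """Parse an incoming webhook POST body into a flat event; rejects bodies without an event type."""
    payload = json.loads(raw_body)
    meta, ev = payload.get("webhook", {}), payload.get("event", {})
    kind = meta.get("webhookEvent")
    if not kind:
        raise ValueError("missing webhook.webhookEvent")
    return {"source": "jamf_pro_webhook", "event_type": kind, "webhook_name": meta.get("name"),
            "device_id": ev.get("jssID"), "udid": ev.get("udid"), "hostname": ev.get("deviceName"), "detail": ev}


if __name__ == "__main__":
    for event in collect() + [webhook_event(SAMPLE_WEBHOOK)]:
        print(json.dumps(event))  # one JSON line per event, ready for a SIEM forwarder
```

In a real collector, `stub_fetch_page` is replaced by an HTTP call carrying a bearer token, and the webhook parser sits behind an HTTPS endpoint that checks whatever authentication you configured on the webhook in Jamf Pro before trusting the body.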
Posted on 12-10-2021 08:33 PM
@tlarkin Any chance you could provide a few details on your implementation for this?
Thanks in advance!
2 weeks ago
I know this is an old thread, but if you see this, can you come back here and share anything with us? Thanks!
Posted on 12-20-2022 09:44 AM
@tlarkin This would be helpful to our org as well if you're able to provide some more info.