JAMF Logging to SIEM

fhansen
New Contributor II

Greetings. I need to be able to ingest security-related log data from the Jamf Pro API. Does anyone have suggestions on the API endpoints that I should focus on?


Thanks

Frank



afarnsworth
Contributor

If you are on Jamf Cloud you have to pay for Premium Cloud (+$20k/year) in order to get complete log forwarding to a SIEM.

If you are on-prem it's free by just installing a connector on the server.


The API won't give you enough information to generate proper security events.

fhansen
New Contributor II

What if we have Jamf PRO?


Phantom5
Contributor II

Jamf Pro can be hosted either in Jamf Cloud or on premises. As @afarnsworth mentions, if your Jamf Pro is hosted on Jamf servers you have to go with a Premium subscription. If your Jamf Pro is hosted on your own servers, just install your SIEM connector to forward the logs you need.

We rely on DataDogHQ as our SIEM and we use a mix of agent and Jamf Pro APIs to log the events we need. For example, we use the Jamf Pro API to collect all the compliance information we can get from the device inventory, then we use the agent to collect information on events like change management, the access log and the Jamf Pro log.

ag4
New Contributor

Hi, I have a requirement to send the logs below to our SIEM solution, LogRhythm. Can you help me with how to do it? The LogRhythm agent isn't supported on Mac.

  1. Successful and failed authentication attempts
  2. Use of root privilege accounts, such as through su and sudo
  3. Denied inbound connections, e.g. those blocked by packet filter
  4. Command and shell history

fhansen
New Contributor II

Thanks for the info!

tlarkin
Honored Contributor

We don't use premium Jamf Cloud and we ingest data into our data cloud platform. We do this a few ways: we have an API collector that runs every so many hours and does an async pull of all device records, and we also ingest many different webhooks for event data.
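An added example of the periodic API pull described above, in Python; it is not tlarkin's implementation, which the thread does not show. It pages through the Jamf Pro computer inventory and flattens each device record into one event for the SIEM. The `/api/v1/computers-inventory` endpoint, its `page`/`page-size`/`sort` parameters, the `totalCount`/`results` response shape and the field names used here are assumptions to check against your Jamf Pro version; the sample pages are constructed.

```python
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 100  # small pages keep a failed request cheap to retry

def http_page_fetcher(base_url, token):
    """fetch(page) for GET /api/v1/computers-inventory (endpoint and params assumed)."""
    def fetch(page):
        query = urllib.parse.urlencode({"page": page, "page-size": PAGE_SIZE, "sort": "id:asc"})
        req = urllib.request.Request(f"{base_url}/api/v1/computers-inventory?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_inventory(fetch):
    """Page through the results until totalCount records have been seen."""
    page = seen = 0
    while True:
        body = fetch(page)
        results = body.get("results", [])
        if not results:          # empty page: stop rather than loop forever
            return
        yield from results
        seen += len(results)
        if seen >= body.get("totalCount", 0):
            return
        page += 1

def to_siem_event(rec):
    """Flatten one record into one event; status strings stay raw for the SIEM rule."""
    gen, os_, sec = rec.get("general", {}), rec.get("operatingSystem", {}), rec.get("security", {})
    return {"source": "jamf_pro_inventory", "device_id": rec.get("id"), "hostname": gen.get("name"),
            "last_contact": gen.get("lastContactTime"), "os_version": os_.get("version"),
            "filevault": os_.get("fileVault2Status"), "sip": sec.get("sipStatus"),
            "gatekeeper": sec.get("gatekeeperStatus")}

# Constructed sample in the assumed response shape: 3 devices over 2 pages.
SAMPLE_PAGES = [
    {"totalCount": 3, "results": [
        {"id": "1", "general": {"name": "mac-01"}, "operatingSystem": {"version": "14.4",
         "fileVault2Status": "ALL_ENCRYPTED"}, "security": {"sipStatus": "ENABLED"}},
        {"id": "2", "general": {"name": "mac-02"}, "security": {"sipStatus": "DISABLED"}}]},
    {"totalCount": 3, "results": [{"id": "3", "general": {"name": "mac-03"}}]},
]

def demo():  # one collector run over the sample; use http_page_fetcher(url, token) for real pulls
    return [to_siem_event(r) for r in iter_inventory(lambda page: SAMPLE_PAGES[page])]

if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))  # NDJSON lines for the SIEM agent to tail
```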

tom_s
New Contributor II

@tlarkin Any chance you could provide a few details on your implementation for this?
Thanks in advance!

memile
New Contributor

@tlarkin This would be helpful to our org as well if you're able to provide some more info.