Help

Does anyone have a filter for when a user account is created for unified logging?

AJPinto
Honored Contributor II

Posted on ‎08-31-2023 11:35 AM

As the subject says. Working on redirecting the logs for a user account generating event to SIEM.

0 Kudos
7 REPLIES 7

ThijsX
Valued Contributor
Valued Contributor

Posted on ‎08-31-2023 12:23 PM

Hey @AJPinto 

Not sure if this can be pulled by using Unified Logging, there are some examples available on Jamf's Open Source repository where it's using an Analytic.

https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/user_created_by_dscl

You could adopt those to your needs.
I would recommend looking at using Telemetry as it's able to catch User and Group creation or removal out of the box.

https://learn.jamf.com/bundle/jamf-protect-documentation/page/Audit_Log_Levels_in_Telemetry.html

And you are then specifically looking for this event.

https://learn.jamf.com/bundle/jamf-protect-documentation/page/Telemetry_Log_Data_Examples.html#ariai... -> AUE_create_user

0 Kudos

AJPinto
Honored Contributor II
In response to ThijsX

Posted on ‎08-31-2023 01:34 PM

This is great information, thanks for sharing. 

 

I have telemetry Level 1 already enabled, however I am not seeing data in splunk. I see stuff in splunk from Unified logging, so the traffic is getting across. Any ideas? JAMF Protect is a new endeavor for us, maybe Im missing something. 

0 Kudos

ThijsX
Valued Contributor
Valued Contributor
In response to AJPinto

Posted on ‎08-31-2023 11:19 PM

Right - have you created a Telemetry set and assigned that set to a Plan?

If so, make sure to check under actions you have added an HTTP Collection Endpoint for Telemetry as well.

 

 

0 Kudos

AJPinto
Honored Contributor II
In response to ThijsX

‎09-01-2023 07:35 AM - edited ‎09-01-2023 07:38 AM

I have Level 1 telemetry configured in the Plan associated with the devices. The Action in the "default plan" has our SIEM (Splunk) configured for Alert Data, Unified Log Data, and Telemetry Data. The devices are showing the correct plan, action, and telemetry log levels. 

 

AJPinto_3-1693578439061.png

AJPinto_6-1693578665895.png

AJPinto_2-1693578421419.png

AJPinto_4-1693578482721.png

An example of an event I did this morning. I created an account on the device below, I can see the event in the /var/log/protect.log file but I am not seeing the event in Protect or Splunk.

AJPinto_7-1693579091158.png

 

 

 

 

 

0 Kudos

ThijsX
Valued Contributor
Valued Contributor

Posted on ‎09-01-2023 07:46 AM

@AJPinto Can you check if you see ANY data from Telemetry in Splunk? ex header.event_name=AUE or a CONTAINS AUE

0 Kudos

ThijsX
Valued Contributor
Valued Contributor

Posted on ‎09-01-2023 07:47 AM

Also - have you checked out our newly released TA which this week has been updated to version 1.0 https://splunkbase.splunk.com/app/6912

0 Kudos

AJPinto
Honored Contributor II
In response to ThijsX

Posted on ‎09-01-2023 08:22 AM

The Jamf Protect splunk app was installed monday(?) by the splunk team.

 

AJPinto_0-1693581504463.png

I am seeing events, but no where near the volume I would expect. The only events that are populating are from unified logging. I am not seeing anything from telemetry. 

AJPinto_2-1693581743097.png

 

 

0 Kudos