Does anyone have a filter for when a user account is created for unified logging?

AJPinto
Honored Contributor III

As the subject says. Working on redirecting the logs for a user account generating event to SIEM.


ThijsX
Valued Contributor

Hey @AJPinto 

Not sure if this can be pulled using Unified Logging; there are some examples available on Jamf's open source repository that use an Analytic.

https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/user_created_by_dscl

You could adapt those to your needs.
I would recommend looking at using Telemetry as it's able to catch User and Group creation or removal out of the box.

https://learn.jamf.com/bundle/jamf-protect-documentation/page/Audit_Log_Levels_in_Telemetry.html

And you are then specifically looking for this event.

https://learn.jamf.com/bundle/jamf-protect-documentation/page/Telemetry_Log_Data_Examples.html#ariai... -> AUE_create_user

AJPinto
Honored Contributor III

This is great information, thanks for sharing. 


I have Telemetry Level 1 already enabled, however I am not seeing data in Splunk. I see stuff in Splunk from Unified Logging, so the traffic is getting across. Any ideas? Jamf Protect is a new endeavor for us, maybe I'm missing something.

ThijsX
Valued Contributor

Right, have you created a Telemetry set and assigned that set to a Plan?

If so, make sure to check under actions you have added an HTTP Collection Endpoint for Telemetry as well.


AJPinto
Honored Contributor III

I have Level 1 Telemetry configured in the Plan associated with the devices. The Action in the "default plan" has our SIEM (Splunk) configured for Alert Data, Unified Log Data, and Telemetry Data. The devices are showing the correct plan, action, and telemetry log levels.

[four screenshots of the plan, action and telemetry configuration omitted]

An example of an event I generated this morning. I created an account on the device below; I can see the event in the /var/log/protect.log file, but I am not seeing the event in Protect or Splunk.

[screenshot of the protect.log entry omitted]

ThijsX
Valued Contributor

@AJPinto Can you check if you see ANY data from Telemetry in Splunk? E.g. header.event_name=AUE or a CONTAINS AUE
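As an added example (not code from this thread or from Jamf), a small Python triage script that does the two checks discussed here on Telemetry events pulled from Splunk as newline-delimited JSON: whether any header.event_name starting with AUE is arriving at all, and, when it is, which AUE_create_user events succeeded. The return.description and subject field names and the sample records are assumptions modelled on the Telemetry log data examples; only header.event_name comes from the thread.

```python
import json
from collections import Counter

# Constructed sample standing in for Splunk search results: two audit
# (AUE_*) events and one non-Telemetry line. Only header.event_name comes
# from the thread; return.description and the subject fields are assumed.
SAMPLE_NDJSON = """\
{"header": {"event_name": "AUE_create_user", "time_seconds": 1693578000}, "return": {"description": "success"}, "subject": {"process_name": "dscl", "user_name": "admin"}}
{"header": {"event_name": "AUE_create_user", "time_seconds": 1693578010}, "return": {"description": "failure"}, "subject": {"process_name": "sysadminctl", "user_name": "admin"}}
{"header": {"event_name": "AUE_execve", "time_seconds": 1693578020}, "return": {"description": "success"}, "subject": {"process_name": "ls", "user_name": "jdoe"}}
{"message": "constructed non-Telemetry line, e.g. forwarded unified log data"}
"""

def parse_events(ndjson: str) -> list:
    """One JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def event_name(ev: dict):
    """header.event_name, or None when the record is not a Telemetry event."""
    header = ev.get("header")
    return header.get("event_name") if isinstance(header, dict) else None

def telemetry_health(events: list) -> Counter:
    """Count AUE_* events by name. An empty Counter is the failure ThijsX is probing
    for: the Telemetry set, plan or HTTP collection endpoint is not delivering."""
    names = Counter()
    for ev in events:
        name = event_name(ev)
        if isinstance(name, str) and name.startswith("AUE"):
            names[name] += 1
    return names

def user_creations(events: list) -> list:
    """Successful AUE_create_user events with the creating process and actor."""
    hits = []
    for ev in events:
        # failed attempts are also worth surfacing, but are kept out of this list
        if event_name(ev) != "AUE_create_user" or ev.get("return", {}).get("description") != "success":
            continue
        subj = ev.get("subject", {})
        hits.append({"time": ev["header"]["time_seconds"], "process": subj.get("process_name"), "actor": subj.get("user_name")})
    return hits
```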

ThijsX
Valued Contributor

Also, have you checked out our newly released TA, which was updated to version 1.0 this week? https://splunkbase.splunk.com/app/6912

AJPinto
Honored Contributor III

The Jamf Protect Splunk app was installed Monday(?) by the Splunk team.

[screenshot of the Splunk app omitted]

I am seeing events, but nowhere near the volume I would expect. The only events that are populating are from unified logging. I am not seeing anything from Telemetry.

[screenshot of the Splunk event volume omitted]