Posted on 08-31-2023 11:35 AM
As the subject says. Working on redirecting the logs for a user account generating event to SIEM.
Posted on 08-31-2023 12:23 PM
Hey @AJPinto
Not sure if this can be pulled by using Unified Logging, there are some examples available on Jamf's Open Source repository where it's using an Analytic.
https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/user_created_by_dscl
You could adopt those to your needs.
I would recommend looking at using Telemetry as it's able to catch User and Group creation or removal out of the box.
https://learn.jamf.com/bundle/jamf-protect-documentation/page/Audit_Log_Levels_in_Telemetry.html
And you are then specifically looking for this event.
https://learn.jamf.com/bundle/jamf-protect-documentation/page/Telemetry_Log_Data_Examples.html#ariai... -> AUE_create_user
Posted on 08-31-2023 01:34 PM
This is great information, thanks for sharing.
I have Telemetry Level 1 already enabled, however I am not seeing data in Splunk. I see stuff in Splunk from Unified Logging, so the traffic is getting across. Any ideas? Jamf Protect is a new endeavor for us, maybe I'm missing something.
Posted on 08-31-2023 11:19 PM
Right - have you created a Telemetry set and assigned that set to a Plan?
If so, make sure to check under actions you have added an HTTP Collection Endpoint for Telemetry as well.
09-01-2023 07:35 AM - edited 09-01-2023 07:38 AM
I have Level 1 telemetry configured in the Plan associated with the devices. The Action in the "default plan" has our SIEM (Splunk) configured for Alert Data, Unified Log Data, and Telemetry Data. The devices are showing the correct plan, action, and telemetry log levels.
An example of an event I did this morning. I created an account on the device below, I can see the event in the /var/log/protect.log file but I am not seeing the event in Protect or Splunk.
Posted on 09-01-2023 07:46 AM
@AJPinto Can you check if you see ANY data from Telemetry in Splunk? e.g. header.event_name=AUE or a CONTAINS AUE
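An added example, not from the thread: a small Python triage that separates Telemetry records (identified by `header.event_name`, as in the search suggested above) from the other Jamf Protect payloads a SIEM receives, and pulls out the account-change events. The sample lines are constructed, and every field other than `header.event_name` is an assumed layout, not the documented Jamf Protect schema.

```python
import json
from collections import Counter

# Constructed sample payloads, as a SIEM might receive them from Jamf Protect.
# Only header.event_name comes from the thread; all other fields and values are
# illustrative assumptions, not the real Jamf Protect schema.
SAMPLE_LINES = [
    '{"header":{"event_name":"AUE_create_user","timestamp":"2023-09-01T07:30:12Z"},'
    '"subject":{"user_name":"admin"},"texts":["newuser"]}',
    '{"header":{"event_name":"AUE_execve","timestamp":"2023-09-01T07:30:13Z"},'
    '"subject":{"user_name":"admin"}}',
    '{"header":{"event_name":"AUE_delete_user","timestamp":"2023-09-01T07:31:00Z"},'
    '"subject":{"user_name":"admin"},"texts":["tempuser"]}',
    '{"input":{"host":{"hostname":"mac-001"}},"message":"unified log sample"}',
    'this line is not JSON at all',
]

TELEMETRY_PREFIX = "AUE_"  # BSM audit event names all carry this prefix
# BSM audit event names for account and group lifecycle changes
ACCOUNT_EVENTS = {"AUE_create_user", "AUE_delete_user",
                  "AUE_create_group", "AUE_delete_group"}


def classify(line):
    """Return ('telemetry', event_name), ('other', None) or ('malformed', None)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ("malformed", None)
    header = rec.get("header") if isinstance(rec, dict) else None
    name = header.get("event_name") if isinstance(header, dict) else None
    if isinstance(name, str) and name.startswith(TELEMETRY_PREFIX):
        return ("telemetry", name)
    return ("other", None)


def triage(lines):
    """Count telemetry vs. non-telemetry records and list account-change events.
    No telemetry while other records still arrive points at the Plan/Action
    configuration rather than at the SIEM connection."""
    counts = Counter(classify(line)[0] for line in lines)
    account_events = []
    for line in lines:
        kind, name = classify(line)
        if kind == "telemetry" and name in ACCOUNT_EVENTS:
            rec = json.loads(line)
            account_events.append((rec["header"].get("timestamp"), name, rec.get("texts", [])))
    return {
        "telemetry": counts["telemetry"],
        "other": counts["other"],
        "malformed": counts["malformed"],
        "telemetry_absent": counts["telemetry"] == 0 and counts["other"] > 0,
        "account_events": account_events,
    }
```

Run `triage(SAMPLE_LINES)` over an export of what the SIEM actually ingested; `telemetry_absent` being true reproduces the symptom described later in this thread.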
Posted on 09-01-2023 07:47 AM
Also - have you checked out our newly released TA, which this week has been updated to version 1.0: https://splunkbase.splunk.com/app/6912
Posted on 09-01-2023 08:22 AM
The Jamf Protect Splunk app was installed Monday(?) by the Splunk team.
I am seeing events, but nowhere near the volume I would expect. The only events that are populating are from Unified Logging. I am not seeing anything from Telemetry.