Not sure if this can be pulled by using Unified Logging, there are some examples available on Jamf's Open Source repository where it's using an Analytic.
You could adapt those to your needs.
I would recommend looking at using Telemetry as it's able to catch User and Group creation or removal out of the box.
And you are then specifically looking for this event.
https://learn.jamf.com/bundle/jamf-protect-documentation/page/Telemetry_Log_Data_Examples.html#ariai... -> AUE_create_user
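As an added example (my own code, not Jamf's), here is a small Python script that scans a JSON-lines export of Protect records for the account-change telemetry events and counts how many records arrive per feed, which is the first thing to check when the telemetry feed is configured but nothing shows up in the SIEM. The record layout (`type`, `header.event_name`, `subject`, `target`) and the extra event names besides AUE_create_user are assumptions for illustration; the sample records are constructed, not real output.

```python
import json
from collections import Counter

# Audit event names for account changes. AUE_create_user is the one named above;
# the others are OpenBSM audit event names assumed here to be forwarded as well.
ACCOUNT_EVENTS = {
    "AUE_create_user", "AUE_delete_user", "AUE_modify_user",
    "AUE_create_group", "AUE_delete_group",
}

# Constructed sample export (JSON lines), not real Jamf Protect output.
# The field layout (`type`, `header.event_name`, `subject`, `target`) is an
# assumption made for this example only.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"type": "unifiedlog", "message": "loginwindow: user session started"}),
    json.dumps({"type": "telemetry",
                "header": {"event_name": "AUE_create_user", "time_seconds": 1700000000},
                "subject": {"process_name": "sysadminctl", "effective_user_id": 0},
                "target": {"user_name": "newadmin"}}),
    json.dumps({"type": "telemetry",
                "header": {"event_name": "AUE_execve", "time_seconds": 1700000001},
                "subject": {"process_name": "bash", "effective_user_id": 501}}),
    json.dumps({"type": "unifiedlog", "message": "kernel: memorystatus"}),
    json.dumps({"type": "telemetry",
                "header": {"event_name": "AUE_delete_group", "time_seconds": 1700000002},
                "subject": {"process_name": "dseditgroup", "effective_user_id": 0},
                "target": {"group_name": "staff_tmp"}}),
    "this line is not json and should be skipped",
])


def parse_records(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def feed_counts(records):
    """Count records per feed type. A zero count for 'telemetry' means the feed
    never reached the export, so the problem is upstream of any search/filter."""
    return Counter(r.get("type", "unknown") for r in records)


def account_events(records):
    """Return account create/remove telemetry events in a flat, SIEM-friendly shape."""
    hits = []
    for r in records:
        if r.get("type") != "telemetry":
            continue
        name = r.get("header", {}).get("event_name")
        if name not in ACCOUNT_EVENTS:
            continue
        subject = r.get("subject", {})
        target = r.get("target", {})
        hits.append({
            "event": name,
            "time": r["header"].get("time_seconds"),
            "by_process": subject.get("process_name"),
            "as_uid": subject.get("effective_user_id"),
            "target": target.get("user_name") or target.get("group_name"),
        })
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    print(dict(feed_counts(recs)))
    for hit in account_events(recs):
        print(hit)
```

Point `parse_records` at the lines you actually receive (for example an export from the SIEM) and compare the feed counts against what the plan is supposed to send; if only unified log records show up, the telemetry feed is not arriving regardless of what you search for.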
This is great information, thanks for sharing.
I have telemetry Level 1 already enabled, however I am not seeing data in Splunk. I see stuff in Splunk from Unified Logging, so the traffic is getting across. Any ideas? Jamf Protect is a new endeavor for us, maybe I'm missing something.
I have Level 1 telemetry configured in the Plan associated with the devices. The Action in the "default plan" has our SIEM (Splunk) configured for Alert Data, Unified Log Data, and Telemetry Data. The devices are showing the correct plan, action, and telemetry log levels.
An example of an event I did this morning. I created an account on the device below, I can see the event in the /var/log/protect.log file but I am not seeing the event in Protect or Splunk.
The Jamf Protect Splunk app was installed Monday(?) by the Splunk team.
I am seeing events, but nowhere near the volume I would expect. The only events that are populating are from unified logging. I am not seeing anything from telemetry.