Protect able to provide a timeline of system, file, network events?

Endp0int
New Contributor

Trying to figure out if Protect can provide similar insights to system, file, network events that Microsoft Defender ATP can provide.

Have just stood up Protect and wired it up to pass data into Splunk, but feel that this does not give the same level of insight into what is happening on the device as compared to ATP/Windows.

ATP has a timeline feature that allows you to drill down into each step a user makes on their system. This is crucial for our InfoSec team to be able to analyze alerts.

We are hoping that Protect can give us more insight into what is happening on our growing Mac fleet. 

Any advice is welcome and appreciated.


ThijsX
Valued Contributor

Hey @Endp0int ,

That's a fair ask, and by integrating Jamf Protect with Splunk and using the available Jamf Protect Technical Add-on for Splunk you should be able to get the in-depth insights as well.

Make sure to look into Telemetry, which is available in Jamf Protect as well, and configure the desired log levels.

Hopefully this already helps a bit! 

So maybe I am missing something, but the JAMF/Splunk Dashboards only look to pull alert information, is that correct? I feel like something might be misconfigured here, thoughts?


Creating a custom prevention list for an application allowed the dashboard to show the alert. Seems it's working as expected.

Endp0int
New Contributor

I also have telemetry set up for Level 2, with verbose logging, performance metrics, and diagnostic and crash files.