Редагувати

Поділитися через


Jamf Protect connector for Microsoft Sentinel

The Jamf Protect connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) jamfprotect_CL
Data collection rules support Not currently supported
Supported by Jamf Software, LLC

Query samples

Jamf Protect - All events.

jamfprotect_CL

| sort by TimeGenerated desc

Jamf Protect - All active endpoints.

jamfprotect_CL

| where notempty(input_host_hostname_s) 
| summarize Event = count() by input_host_hostname_s

| project-rename HostName = input_host_hostname_s

| sort by Event desc

Jamf Protect - Top 10 endpoints with Alerts

jamfprotect_CL

| where topicType_s == 'alert' and notempty(input_eventType_s) and notempty(input_host_hostname_s)

| summarize Event = count() by input_host_hostname_s

| project-rename HostName = input_host_hostname_s

| top 10 by Event

Vendor installation instructions

This connector reads data from the jamfprotect_CL table created by Jamf Protect in a Microsoft Analytics Workspace, if the data forwarding option is enabled in Jamf Protect then raw event data is sent to the Microsoft Sentinel Ingestion API.

Next steps

For more information, go to the related solution in the Azure Marketplace.