Jamf Pro Logs

Connecting Jamf Pro logs to your Panther Console


Last updated 1 month ago


Overview

Panther supports ingesting Jamf Pro logs via Amazon Web Services (AWS) S3 as a Data Transport.

A Data Transport (an S3 bucket that Panther is permitted to read from) is required to connect Jamf Pro logs to Panther.

How to onboard Jamf Pro logs to Panther

To connect these logs to Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Jamf Pro," then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner is pre-populated with the AWS S3 Bucket option, since S3 is the only supported transport for this source.

  4. Click Start Setup.

  5. Follow the setup instructions for the AWS S3 Bucket Data Transport (the S3 Source) to create or register the bucket and grant Panther read access to it.

  6. Configure Jamf Pro to push its logs to that S3 bucket, i.e. the Data Transport source Panther reads from. Until objects land in the bucket, the log source will show no data, so verify delivery from the Jamf side first if nothing appears.

Supported log types

Jamfpro.Login

Login events to Jamf Pro itself, i.e. sign-ins to the Jamf Pro server (via the console's SSO or the Universal API), as opposed to telemetry from managed devices.

fields:
  - name: ipAddress
    type: string
    description: IP Address that started the request
    indicators:
      - ip
  - name: username
    required: true
    description: Username of the account
    indicators:
      - username
    type: string
  - name: status
    required: true
    type: string
    description: The status of the login request
  - name: entryPoint
    required: true
    type: string
    description: The method used to login. Either Single Sign On, Universal API or Unknown
  - name: timestamp
    required: true
    type: timestamp
    description: Login timestamp
    isEventTime: true
    timeFormat: '%Y-%m-%dT%H:%M:%S,%f'

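Two Panther-style Python rules over these log types, added here as an example (this is not Panther's own code nor a Panther-managed detection): one over Jamfpro.Login that alerts on failed logins and deduplicates per source IP and account, and one over the Jamfpro.ComplianceReporter schema documented in the next section that alerts on agent tamper events and rebuilds the event time from header.time_seconds_epoch plus header.time_milliseconds_offset. The sample events are constructed, the status value "Failure" is an assumption (the page does not enumerate status values), and deep_get is a plain-dict stand-in for Panther's event.deep_get() so the file runs offline.

```python
"""Panther-style rules for Jamfpro.Login and Jamfpro.ComplianceReporter.

Added example, not Panther's own code. Each rule follows the
rule()/title()/dedup()/alert_context() contract of Panther Python
detections but operates on plain dicts so it can be run locally.
"""
from datetime import datetime, timezone


def deep_get(event, *keys, default=None):
    """Stand-in for Panther's event.deep_get(): walk nested dicts, default on any miss."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


# ---- Jamfpro.Login: failed logins to the Jamf Pro server ----------------------
# ASSUMPTION: the page does not list status values; "Failure"/"Failed" assumed here.
FAILED_STATUSES = {"failure", "failed"}


def login_rule(event):
    return str(event.get("status", "")).lower() in FAILED_STATUSES


def login_title(event):
    return (f"Jamf Pro login failed for {event.get('username')} "
            f"from {event.get('ipAddress')} via {event.get('entryPoint')}")


def login_dedup(event):
    # One alert stream per source IP + account, so a spray from one address groups together.
    return f"{event.get('ipAddress')}:{event.get('username')}"


# ---- Jamfpro.ComplianceReporter: tampering with the agent's own files ---------
TAMPER_EVENT = "COMPLIANCEREPORTER_TAMPER_EVENT"   # the only event carrying file_event_info
TAMPER_FLAGS = ("item_removed", "item_renamed", "item_updated", "item_change_owner")


def cr_event_time(event):
    """Event time = header.time_seconds_epoch + header.time_milliseconds_offset (UTC)."""
    secs = deep_get(event, "header", "time_seconds_epoch", default=0)
    ms = deep_get(event, "header", "time_milliseconds_offset", default=0)
    return datetime.fromtimestamp(secs + ms / 1000, tz=timezone.utc)


def tamper_rule(event):
    if deep_get(event, "header", "event_name") != TAMPER_EVENT:
        return False
    info = event.get("file_event_info") or {}
    # Only fire on modifying changes, not on informational flags like item_is_file.
    return any(bool(info.get(flag)) for flag in TAMPER_FLAGS)


def tamper_title(event):
    host = deep_get(event, "host_info", "host_name", default="<unknown host>")
    path = deep_get(event, "file_event_info", "path", default="<unknown path>")
    return f"Compliance Reporter file tampered on {host}: {path}"


def tamper_alert_context(event):
    # Pull the actor, process and hashes an analyst needs to pivot on.
    return {
        "event_time": cr_event_time(event).isoformat(),
        "host_serial": deep_get(event, "host_info", "serial_number"),
        "actor": deep_get(event, "process", "user_name"),
        "process": deep_get(event, "process", "process_name"),
        "process_sha1": deep_get(event, "process", "process_hash"),
        "file_sha1": deep_get(event, "file_event_info", "hash"),
    }


# ---- Constructed sample events (not real Jamf output) -------------------------
SAMPLE_LOGIN = {
    "ipAddress": "203.0.113.45", "username": "admin", "status": "Failure",
    "entryPoint": "Universal API", "timestamp": "2024-05-01T10:15:30,123",
}

SAMPLE_TAMPER = {
    "header": {"event_name": TAMPER_EVENT,
               "time_seconds_epoch": 1700000000, "time_milliseconds_offset": 250},
    "host_info": {"host_name": "mbp-finance-07", "serial_number": "CONSTRUCTED0001"},
    "process": {"user_name": "root", "process_name": "/bin/rm",
                "process_hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    "file_event_info": {"path": "/Library/Preferences/constructed-example.plist",
                        "item_removed": True, "item_is_file": True,
                        "hash": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"},
}

if __name__ == "__main__":
    for name, rule, ev in (("login", login_rule, SAMPLE_LOGIN),
                           ("tamper", tamper_rule, SAMPLE_TAMPER)):
        print(name, "->", rule(ev))
    print(tamper_title(SAMPLE_TAMPER), tamper_alert_context(SAMPLE_TAMPER))
```

In a real Panther rule file only the rule functions are kept; the sample dicts and the deep_get stand-in go away, and the threshold and deduplication window for the login rule are set in the rule's YAML metadata rather than in code.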
Jamfpro.ComplianceReporter

Endpoint audit and telemetry events emitted by Jamf Compliance Reporter on macOS hosts. Every event carries a header (event name, time and version) and host_info; the remaining objects are populated only for the event types named in their descriptions.

fields:
    - name: _event_score
      required: true
      description: The score of the event.
      type: bigint
    - name: app_metric_info
      description: Application metric information. Only present for App metric events.
      type: object
      fields:
        - name: cpu_percentage
          description: The CPU percentage used by the application.
          type: float
        - name: cpu_time_seconds
          description: The CPU time used by the application.
          type: float
        - name: interrupt_wakeups
          description: The number of interrupt wakeups.
          type: bigint
        - name: platform_idle_wakeups
          description: The number of platform idle wakeups.
          type: bigint
        - name: resident_memory_size_mb
          description: The resident memory size in MB.
          type: float
        - name: virtual_memory_size_mb
          description: The virtual memory size in MB.
          type: float
    - name: arguments
      description: Arguments that were passed to the event.
      type: json
    - name: attributes
      description: Attributes or metadata associated with the event
      type: json
    - name: audio_video_device_info
      type: object
      fields:
        - name: audio_device_creator
          description: Creator of the audio device.
          type: string
        - name: audio_device_hog_mode
          description: Whether the audio device is in hog mode.
          type: bigint
        - name: audio_device_id
          description: ID of the audio device.
          type: string
        - name: audio_device_manufacturer
          description: Manufacturer of the audio device.
          type: string
        - name: audio_device_running
          description: Whether the audio device is running.
          type: bigint
        - name: audio_device_uuid
          description: UUID of the audio device.
          type: string
        - name: device_status
          description: Status of the device. "On" or "Off".
          type: string
    - name: audit_class_verification_info
      description: Audit class verification information. Only present for AUDIT_CLASS_VERIFICATION_EVENT events.
      type: object
      fields:
        - name: contents
          description: Contents of the file.
          type: string
        - name: osversion
          description: Version of the operating system.
          type: string
        - name: restored_default
          description: Whether the file was restored to default.
          type: boolean
        - name: status
          description: Status of the file.
          type: int
        - name: status_str
          description: String representation of the status of the file.
          type: string
    - name: compliancereporter_license_info
      description: Compliance Reporter license information. Only present for LICENSE_INFO_EVENT events.
      type: object
      fields:
        - name: email
          type: string
          indicators:
            - email
        - name: expiration_date
          type: timestamp
          timeFormats:
            - '%m/%d/%Y'
        - name: status
          type: string
        - name: time_seconds_epoch
          type: timestamp
          timeFormats:
            - unix
        - name: type
          type: string
        - name: version
          type: string
    - name: event_attributes
      description: Additional attributes or metadata associated with the event.
      type: json
    - name: exec_args
      description: Execution arguments passed to the event.
      type: object
      fields:
        - name: args
          description: Command line argument values listed in sequential order.
          type: json
        - name: args_compiled
          description: Comma-separated list of all command line arguments.
          type: string
    - name: exec_chain
      description: Chain of events originating from the same original action.
      type: json
    - name: exec_chain_child
      description: Child event in the chain of events originating from the same original action.
      type: object
      fields:
        - name: parent_path
          description: Path to the binary that directly caused this event.
          type: string
        - name: parent_pid
          description: Process ID of the process that directly caused this event.
          type: string
        - name: parent_uuid
          description: GUID of direct parent in execution chain. Correlates to exec_chain_parent.uuid field in parent event.
          type: string
    - name: exec_chain_parent
      description: Parent event in the chain of events originating from the same original action.
      type: object
      fields:
        - name: uuid
          description: GUID that a child process uses to claim this event as its direct parent. Correlates to the exec_chain_child.parent_uuid field in the child event.
          type: string
    - name: exec_env
      description: Execution environment for the event.
      type: object
      fields:
        - name: env
          description: Key and value pairs for environmental variables for the context of the event.
          type: json
        - name: env_compiled
          description: Comma-separated list of all environmental variables for the context of the event.
          type: string
    - name: exit
      description: Exit information for the event. Only present for AUE_EXIT events.
      type: object
      fields:
        - name: return_value
          description: The return value of the event.
          type: bigint
        - name: status
          description: The status of the event.
          type: bigint
    - name: file_event_info
      description: File event information. Only present for COMPLIANCEREPORTER_TAMPER_EVENT events.
      type: object
      fields:
        - name: eventid_wrapped
          description: Whether the event ID was wrapped.
          type: boolean
        - name: hash
          description: SHA1 hash of the file.
          type: string
          indicators:
            - sha1
        - name: history_done
          description: Whether the history is done.
          type: boolean
        - name: item_change_owner
          description: Whether the item changed owner.
          type: boolean
        - name: item_cloned
          description: Whether the item was cloned.
          type: boolean
        - name: item_created
          description: Whether the item was created.
          type: boolean
        - name: item_extended_attribute_modified
          description: Whether the item's extended attributes were modified.
          type: boolean
        - name: item_finder_info_modified
          description: Whether the item's finder info was modified.
          type: boolean
        - name: item_inode_metadata_modified
          description: Whether the item's inode metadata was modified.
          type: boolean
        - name: item_is_directory
          description: Whether the item is a directory.
          type: boolean
        - name: item_is_file
          description: Whether the item is a file.
          type: boolean
        - name: item_is_hard_link
          description: Whether the item is a hard link.
          type: boolean
        - name: item_is_last_hard_link
          description: Whether the item is the last hard link.
          type: boolean
        - name: item_is_sym_link
          description: Whether the item is a symbolic link.
          type: boolean
        - name: item_removed
          description: Whether the item was removed.
          type: boolean
        - name: item_renamed
          description: Whether the item was renamed.
          type: boolean
        - name: item_updated
          description: Whether the item was updated.
          type: boolean
        - name: kernel_dropped
          description: Whether the kernel dropped the event.
          type: boolean
        - name: mount
          description: Whether the item was mounted.
          type: boolean
        - name: must_scan_sub_dir
          description: Whether the subdirectory must be scanned.
          type: boolean
        - name: none
          description: Whether the item was not modified.
          type: boolean
        - name: own_event
          description: Whether the event was owned.
          type: boolean
        - name: path
          description: Path to the file.
          type: string
        - name: root_changed
          description: Whether the root was changed.
          type: boolean
        - name: unmount
          description: Whether the item was unmounted.
          type: boolean
        - name: user_dropped
          description: Whether the user dropped the event.
          type: boolean
    - name: hardware_event_info
      description: Hardware event information. Only present for HARDWARE_EVENT events.
      type: object
      fields:
        - name: device_attributes
          description: Attributes of the device.
          type: json
        - name: device_class
          description: Class of the device.
          type: string
        - name: device_name
          description: Name of the device.
          type: string
        - name: device_status
          description: Status of the device.
          type: string
    - name: header
      required: true
      description: Header information for the event. This field contains essential metadata about the event, including event name, timestamp, and version.
      type: object
      fields:
        - name: action
          description: Action that caused the event. Only present in PROHIBITED_APP_BLOCKED events.
          type: string
        - name: event_id
          description: ID that identifies the type of audit event.
          type: string
        - name: event_modifier
          description: Modifier for the event. This field is unused and will always be 0.
          type: string
        - name: event_name
          required: true
          description: Name of the type of audit event.
          type: string
        - name: time_seconds_epoch
          required: true
          description: Unix epoch time when the event occurred.
          type: timestamp
          timeFormat: unix
          isEventTime: true
        - name: time_milliseconds_offset
          description: Millisecond offset to the time_seconds_epoch field.
          type: bigint
        - name: version
          description: Version of the header format.
          type: string
    - name: host_info
      required: true
      description: Information about the host where the event occurred.
      type: object
      fields:
        - name: host_name
          description: Network host name of the computer.
          type: string
        - name: host_uuid
          description: Hardware UUID of the logic board.
          type: string
        - name: osversion
          description: Version of the operating system.
          type: string
        - name: primary_mac_address
          description: Primary MAC address of the reporting computer.
          type: string
          indicators:
            - mac
        - name: serial_number
          description: Serial number of the reporting computer.
          type: string
    - name: identity
      description: Identity information for the event.
      type: object
      fields:
        - name: cd_hash
          description: Code directory hash (CDHash) of the application or binary performing the action.
          type: string
          indicators:
            - sha1
        - name: signer_id
          description: Signer ID of the application or binary performing the action.
          type: string
        - name: signer_id_truncated
          description: Whether the signer ID was truncated.
          type: boolean
        - name: signer_type
          description: Signer type of the application or binary performing the action.
          type: int
        - name: team_id
          description: Team ID of the application or binary performing the action.
          type: string
        - name: team_id_truncated
          description: Whether the team ID was truncated.
          type: boolean
    - name: path
      description: File paths involved with event.
      type: array
      element:
        type: string
    - name: process
      description: Information about the process that performed the action.
      type: object
      fields:
        - name: audit_id
          description: ID of the user that auditd is attributing the event to.
          type: string
          indicators:
            - actor_id
        - name: audit_user_name
          description: Name of the user that auditd is attributing the event to.
          type: string
          indicators:
            - username
        - name: effective_group_id
          description: Effective group ID (the group privilege) the action was executed with.
          type: string
        - name: effective_group_name
          description: Name of the effective group the action was executed with.
          type: string
        - name: effective_user_id
          description: Effective user ID (the user privilege) the action was executed with; differs from user_id when the process is setuid or otherwise elevated.
          type: string
          indicators:
            - actor_id
        - name: effective_user_name
          description: Name of the effective user the action was executed with.
          type: string
          indicators:
            - username
        - name: group_id
          description: ID of the group that originated this event.
          type: string
        - name: group_name
          description: Name of the group that originated this event.
          type: string
        - name: process_hash
          description: SHA1 hash of the binary file that was executed.
          type: string
          indicators:
            - sha1
        - name: process_id
          description: ID of the process performing the logged action.
          type: string
        - name: process_name
          description: Path to the process performing the logged action.
          type: string
        - name: process_information
          description: Information about the process that performed the action.
          type: json
        - name: responsible_process_id
          description: ID of the process that originated this event.
          type: string
        - name: responsible_process_name
          description: Name of the process that originated this event at the start of the process chain.
          type: string
        - name: session_id
          description: Session ID number the event originated from.
          type: string
          indicators:
            - trace_id
        - name: terminal_id
          description: Information about the terminal where the event originated.
          type: object
          fields:
            - name: addr
              description: Network address information for the terminal.
              type: array
              element:
                type: bigint
            - name: ip_address
              description: IP address of the controlling computer.
              type: string
              indicators:
                - ip
            - name: port
              description: Port number that the process is connecting to.
              type: bigint
            - name: type
              description: Type of connection (4 = IPv4, 6 = IPv6).
              type: bigint
        - name: user_id
          description: ID of the user that originated this event.
          type: string
          indicators:
            - actor_id
        - name: user_name
          description: Name of the user that originated this event.
          type: string
          indicators:
            - username
    - name: return
      description: Event output information.
      type: object
      fields:
        - name: description
          description: Description of the event output.
          type: string
        - name: error
          description: Event outcome error code.
          type: int
        - name: return_value
          description: Event outcome return value (if any).
          type: int
    - name: signal_event_info
      description: Signal event information. Only present for SIGNAL_EVENT events.
      type: object
      fields:
        - name: signal
          description: Signal number.
          type: int
    - name: socket_inet
      description: Internet socket information.
      type: object
      fields:
        - name: addr
          description: Network address information for the socket.
          type: array
          element:
            type: bigint
        - name: family
          description: Address family of the socket.
          type: string
        - name: id
          description: ID of the socket.
          type: string
        - name: ip_address
          description: IP address of the socket.
          type: string
          indicators:
            - ip
        - name: port
          description: Port number that the process is connecting to.
          type: bigint
    - name: socket_unix
      description: Unix socket information.
      type: object
      fields:
        - name: family
          description: Address family of the socket.
          type: string
        - name: path
          description: Path of the socket.
          type: string
    - name: subject
      description: Subject information for the event.
      type: object
      fields:
        - name: audit_id
          description: ID of the user that auditd is attributing the event to.
          type: string
          indicators:
            - actor_id
        - name: audit_user_name
          description: Name of the user that auditd is attributing the event to.
          type: string
          indicators:
            - username
        - name: effective_group_id
          description: ID of the group's privilege that the event was executed with.
          type: string
        - name: effective_group_name
          description: Name of the group's privilege that the event was executed with.
          type: string
        - name: effective_user_id
          description: ID of the user's privilege that the event was executed with.
          type: string
          indicators:
            - actor_id
        - name: effective_user_name
          description: Name of the user's privilege that the event was executed with.
          type: string
          indicators:
            - username
        - name: group_id
          description: ID of the group that originated this event.
          type: string
        - name: group_name
          description: Name of the group that originated this event.
          type: string
        - name: process_hash
          description: SHA1 hash of the binary file that was executed.
          type: string
          indicators:
            - sha1
        - name: process_id
          description: ID of the process performing the logged action.
          type: string
        - name: process_name
          description: Path to the process performing the logged action.
          type: string
        - name: process_information
          description: Information about the process that performed the action.
          type: json
        - name: responsible_process_id
          description: ID of the process that originated this event.
          type: string
        - name: responsible_process_name
          description: Name of the process that originated this event at the start of the process chain.
          type: string
        - name: session_id
          description: Session ID number the event originated from.
          type: string
          indicators:
            - trace_id
        - name: terminal_id
          description: Information about the terminal where the event originated.
          type: object
          fields:
            - name: addr
              description: Network address information for the terminal.
              type: array
              element:
                type: bigint
            - name: ip_address
              description: IP address of the controlling computer.
              type: string
              indicators:
                - ip
            - name: port
              description: Port number that the process is connecting to.
              type: bigint
            - name: type
              description: Type of connection (4 = IPv4, 6 = IPv6).
              type: bigint
        - name: user_id
          description: ID of the user that originated this event.
          type: string
          indicators:
            - actor_id
        - name: user_name
          description: Name of the user that originated this event.
          type: string
          indicators:
            - username
    - name: texts
      description: Descriptions of the event.
      type: array
      element:
        type: string

Reference: .

These are event logs from the Jamf Compliance Reporter monitoring tool. For more information, see the .
