Jamf Pro Logs

Connecting Jamf Pro logs to your Panther Console

Overview

Panther supports ingesting Jamf Pro logs via Amazon Web Services (AWS) S3 as a Data Transport.

A Jamf Premium Cloud add-on is required to connect Jamf Pro logs to Panther.

How to onboard Jamf Pro logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Jamf Pro,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option.

  4. Click Start Setup.

  5. Configure Jamf Pro to push logs to the Data Transport source.

    • See Jamf's documentation for instructions on how to push logs to an S3 bucket that Panther can read from.

Supported log types

Jamfpro.Login

Login events into Jamf Pro itself.

Reference: Jamf Documentation on Event Logs.

fields:
  - name: ipAddress
    type: string
    description: IP Address that started the request
    indicators:
      - ip
  - name: username
    required: true
    description: Username of the account
    indicators:
      - username
    type: string
  - name: status
    required: true
    type: string
    description: The status of the login request
  - name: entryPoint
    required: true
    type: string
    description: The method used to log in. Either Single Sign On, Universal API or Unknown.
  - name: timestamp
    required: true
    type: timestamp
    description: Login timestamp
    isEventTime: true
    timeFormat: '%Y-%m-%dT%H:%M:%S,%f'
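A Panther-style Python detection over a Jamfpro.Login event, added here as an example rather than Panther's or Jamf's own code. It parses the timestamp with the schema's comma-separated fraction format and alerts on failed logins or on an entry point the schema does not name; the status strings, the sample events, and the use of a plain dict in place of Panther's dict-like event object are assumptions.

```python
from datetime import datetime, timezone

# Time format declared in the Jamfpro.Login schema (comma before the fraction).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S,%f"

# Assumed status strings for a failed login; constructed for this example.
FAILED_STATUSES = {"Failure", "Failed"}
# Entry points named in the schema; anything else is treated as unexpected.
KNOWN_ENTRY_POINTS = {"Single Sign On", "Universal API", "Unknown"}


def parse_login_time(raw: str) -> datetime:
    """Parse the Jamf login timestamp into an aware UTC datetime."""
    return datetime.strptime(raw, TIME_FORMAT).replace(tzinfo=timezone.utc)


def rule(event: dict) -> bool:
    """Alert on a failed login or on an entry point the schema does not list."""
    if event.get("status") in FAILED_STATUSES:
        return True
    return event.get("entryPoint") not in KNOWN_ENTRY_POINTS


def title(event: dict) -> str:
    """Alert title built from the indicator fields of the schema."""
    return (
        f"Jamf Pro login {event.get('status', 'UNKNOWN')} for "
        f"{event.get('username', '<unknown>')} from {event.get('ipAddress', '<no ip>')}"
    )


def alert_context(event: dict) -> dict:
    """Fields an analyst wants in the alert payload, with a normalised event time."""
    return {
        "username": event.get("username"),
        "ip_address": event.get("ipAddress"),
        "entry_point": event.get("entryPoint"),
        "event_time": parse_login_time(event["timestamp"]).isoformat(),
    }


# Constructed sample events in the Jamfpro.Login shape (not real log data).
SAMPLE_FAILED = {
    "ipAddress": "203.0.113.7",
    "username": "jdoe",
    "status": "Failure",
    "entryPoint": "Single Sign On",
    "timestamp": "2024-03-05T14:21:09,417",
}
SAMPLE_OK = {
    "ipAddress": "198.51.100.9",
    "username": "itadmin",
    "status": "Success",
    "entryPoint": "Universal API",
    "timestamp": "2024-03-05T14:22:00,005",
}

if __name__ == "__main__":
    for evt in (SAMPLE_FAILED, SAMPLE_OK):
        print(rule(evt), title(evt), alert_context(evt))
```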

Jamfpro.ComplianceReporter

These are event logs from the Jamf Compliance Reporter monitoring tool. For more information, see the Jamf Compliance Reporter documentation.

fields:
    - name: _event_score
      required: true
      description: The score of the event.
      type: bigint
    - name: app_metric_info
      description: Application metric information. Only present for App metric events.
      type: object
      fields:
        - name: cpu_percentage
          description: The CPU percentage used by the application.
          type: float
        - name: cpu_time_seconds
          description: The CPU time used by the application.
          type: float
        - name: interrupt_wakeups
          description: The number of interrupt wakeups.
          type: bigint
        - name: platform_idle_wakeups
          description: The number of platform idle wakeups.
          type: bigint
        - name: resident_memory_size_mb
          description: The resident memory size in MB.
          type: float
        - name: virtual_memory_size_mb
          description: The virtual memory size in MB.
          type: float
    - name: arguments
      description: Arguments that were passed to the event.
      type: json
    - name: attributes
      description: Attributes or metadata associated with the event.
      type: json
    - name: audio_video_device_info
      type: object
      fields:
        - name: audio_device_creator
          description: Creator of the audio device.
          type: string
        - name: audio_device_hog_mode
          description: Whether the audio device is in hog mode.
          type: bigint
        - name: audio_device_id
          description: ID of the audio device.
          type: string
        - name: audio_device_manufacturer
          description: Manufacturer of the audio device.
          type: string
        - name: audio_device_running
          description: Whether the audio device is running.
          type: bigint
        - name: audio_device_uuid
          description: UUID of the audio device.
          type: string
        - name: device_status
          description: Status of the device. "On" or "Off".
          type: string
    - name: audit_class_verification_info
      description: Audit class verification information. Only present for AUDIT_CLASS_VERIFICATION_EVENT events.
      type: object
      fields:
        - name: contents
          description: Contents of the file.
          type: string
        - name: osversion
          description: Version of the operating system.
          type: string
        - name: restored_default
          description: Whether the file was restored to default.
          type: boolean
        - name: status
          description: Status of the file.
          type: int
        - name: status_str
          description: String representation of the status of the file.
          type: string
    - name: compliancereporter_license_info
      description: Compliance Reporter license information. Only present for LICENSE_INFO_EVENT events.
      type: object
      fields:
        - name: email
          type: string
          indicators:
            - email
        - name: expiration_date
          type: timestamp
          timeFormats:
            - '%m/%d/%Y'
        - name: status
          type: string
        - name: time_seconds_epoch
          type: timestamp
          timeFormats:
            - unix
        - name: type
          type: string
        - name: version
          type: string
    - name: event_attributes
      description: Additional attributes or metadata associated with the event.
      type: json
    - name: exec_args
      description: Execution arguments passed to the event.
      type: object
      fields:
        - name: args
          description: Command line argument values listed in sequential order.
          type: json
        - name: args_compiled
          description: Comma-separated list of all command line arguments.
          type: string
    - name: exec_chain
      description: Chain of events originating from the same original action.
      type: json
    - name: exec_chain_child
      description: Child event in the chain of events originating from the same original action.
      type: object
      fields:
        - name: parent_path
          description: Path to the binary that directly caused this event.
          type: string
        - name: parent_pid
          description: Process ID of the process that directly caused this event.
          type: string
        - name: parent_uuid
          description: GUID of direct parent in execution chain. Correlates to exec_chain_parent.uuid field in parent event.
          type: string
    - name: exec_chain_parent
      description: Parent event in the chain of events originating from the same original action.
      type: object
      fields:
        - name: uuid
          description: GUID of the child process that claims this event as its direct parent. Correlates to the exec_chain_child.parent_uuid field in the parent event.
          type: string
    - name: exec_env
      description: Execution environment for the event.
      type: object
      fields:
        - name: env
          description: Key and value pairs for environmental variables for the context of the event.
          type: json
        - name: env_compiled
          description: Comma-separated list of all environmental variables for the context of the event.
          type: string
    - name: exit
      description: Exit information for the event. Only present for AUE_EXIT events.
      type: object
      fields:
        - name: return_value
          description: The return value of the event.
          type: bigint
        - name: status
          description: The status of the event.
          type: bigint
    - name: file_event_info
      description: File event information. Only present for COMPLIANCEREPORTER_TAMPER_EVENT events.
      type: object
      fields:
        - name: eventid_wrapped
          description: Whether the event ID was wrapped.
          type: boolean
        - name: hash
          description: SHA1 hash of the file.
          type: string
          indicators:
            - sha1
        - name: history_done
          description: Whether the history is done.
          type: boolean
        - name: item_change_owner
          description: Whether the item changed owner.
          type: boolean
        - name: item_cloned
          description: Whether the item was cloned.
          type: boolean
        - name: item_created
          description: Whether the item was created.
          type: boolean
        - name: item_extended_attribute_modified
          description: Whether the item's extended attributes were modified.
          type: boolean
        - name: item_finder_info_modified
          description: Whether the item's finder info was modified.
          type: boolean
        - name: item_inode_metadata_modified
          description: Whether the item's inode metadata was modified.
          type: boolean
        - name: item_is_directory
          description: Whether the item is a directory.
          type: boolean
        - name: item_is_file
          description: Whether the item is a file.
          type: boolean
        - name: item_is_hard_link
          description: Whether the item is a hard link.
          type: boolean
        - name: item_is_last_hard_link
          description: Whether the item is the last hard link.
          type: boolean
        - name: item_is_sym_link
          description: Whether the item is a symbolic link.
          type: boolean
        - name: item_removed
          description: Whether the item was removed.
          type: boolean
        - name: item_renamed
          description: Whether the item was renamed.
          type: boolean
        - name: item_updated
          description: Whether the item was updated.
          type: boolean
        - name: kernel_dropped
          description: Whether the kernel dropped the event.
          type: boolean
        - name: mount
          description: Whether the item was mounted.
          type: boolean
        - name: must_scan_sub_dir
          description: Whether the subdirectory must be scanned.
          type: boolean
        - name: none
          description: Whether the item was not modified.
          type: boolean
        - name: own_event
          description: Whether the event was owned.
          type: boolean
        - name: path
          description: Path to the file.
          type: string
        - name: root_changed
          description: Whether the root was changed.
          type: boolean
        - name: unmount
          description: Whether the item was unmounted.
          type: boolean
        - name: user_dropped
          description: Whether the user dropped the event.
          type: boolean
    - name: hardware_event_info
      description: Hardware event information. Only present for HARDWARE_EVENT events.
      type: object
      fields:
        - name: device_attributes
          description: Attributes of the device.
          type: json
        - name: device_class
          description: Class of the device.
          type: string
        - name: device_name
          description: Name of the device.
          type: string
        - name: device_status
          description: Status of the device.
          type: string
    - name: header
      required: true
      description: Header information for the event. This field contains essential metadata about the event, including event name, timestamp, and version.
      type: object
      fields:
        - name: action
          description: Action that caused the event. Only present in PROHIBITED_APP_BLOCKED events.
          type: string
        - name: event_id
          description: ID that identifies the type of audit event.
          type: string
        - name: event_modifier
          description: Modifier for the event. This field is unused and will always be 0.
          type: string
        - name: event_name
          required: true
          description: Name of the type of audit event.
          type: string
        - name: time_seconds_epoch
          required: true
          description: Unix epoch time when the event occurred.
          type: timestamp
          timeFormat: unix
          isEventTime: true
        - name: time_milliseconds_offset
          description: Millisecond offset to the time_seconds_epoch field.
          type: bigint
        - name: version
          description: Version of the header format.
          type: string
    - name: host_info
      required: true
      description: Information about the host where the event occurred.
      type: object
      fields:
        - name: host_name
          description: Network host name of the computer.
          type: string
        - name: host_uuid
          description: Hardware UUID of the logic board.
          type: string
        - name: osversion
          description: Version of the operating system.
          type: string
        - name: primary_mac_address
          description: Primary MAC address of the reporting computer.
          type: string
          indicators:
            - mac
        - name: serial_number
          description: Serial number of the reporting computer.
          type: string
    - name: identity
      description: Identity information for the event.
      type: object
      fields:
        - name: cd_hash
          description: CD (code directory) hash of the application or binary performing the action.
          type: string
          indicators:
            - sha1
        - name: signer_id
          description: Signer ID of the application or binary performing the action.
          type: string
        - name: signer_id_truncated
          description: Whether the signer ID was truncated.
          type: boolean
        - name: signer_type
          description: Signer type of the application or binary performing the action.
          type: int
        - name: team_id
          description: Team ID of the application or binary performing the action.
          type: string
        - name: team_id_truncated
          description: Whether the team ID was truncated.
          type: boolean
    - name: path
      description: File paths involved with event.
      type: array
      element:
        type: string
    - name: process
      description: Information about the process that performed the action.
      type: object
      fields:
        - name: audit_id
          description: ID of the user that auditd is attributing the event to.
          type: string
          indicators:
            - actor_id
        - name: audit_user_name
          description: Name of the user that auditd is attributing the event to.
          type: string
          indicators:
            - username
        - name: effective_group_id
          description: Effective group ID the event was executed under.
          type: string
        - name: effective_group_name
          description: Effective group name the event was executed under.
          type: string
        - name: effective_user_id
          description: Effective user ID the event was executed under.
          type: string
          indicators:
            - actor_id
        - name: effective_user_name
          description: Effective user name the event was executed under.
          type: string
          indicators:
            - username
        - name: group_id
          description: ID of the group that originated this event.
          type: string
        - name: group_name
          description: Name of the group that originated this event.
          type: string
        - name: process_hash
          description: SHA1 hash of the binary file that was executed.
          type: string
          indicators:
            - sha1
        - name: process_id
          description: ID of the process performing the logged action.
          type: string
        - name: process_name
          description: Path to the process performing the logged action.
          type: string
        - name: process_information
          description: Information about the process that performed the action.
          type: json
        - name: responsible_process_id
          description: ID of the process that originated this event.
          type: string
        - name: responsible_process_name
          description: Name of the process that originated this event at the start of the process chain.
          type: string
        - name: session_id
          description: Session ID number the event originated from.
          type: string
          indicators:
            - trace_id
        - name: terminal_id
          description: Information about the terminal where the event originated.
          type: object
          fields:
            - name: addr
              description: Network address information for the terminal.
              type: array
              element:
                type: bigint
            - name: ip_address
              description: IP address of the controlling computer.
              type: string
              indicators:
                - ip
            - name: port
              description: Port number that the process is connecting to.
              type: bigint
            - name: type
              description: Type of connection (4 = IPv4, 6 = IPv6).
              type: bigint
        - name: user_id
          description: ID of the user that originated this event.
          type: string
          indicators:
            - actor_id
        - name: user_name
          description: Name of the user that originated this event.
          type: string
          indicators:
            - username
    - name: return
      description: Event output information.
      type: object
      fields:
        - name: description
          description: Description of the event output.
          type: string
        - name: error
          description: Event outcome error code.
          type: int
        - name: return_value
          description: Event outcome return value (if any) returned.
          type: int
    - name: signal_event_info
      description: Signal event information. Only present for SIGNAL_EVENT events.
      type: object
      fields:
        - name: signal
          description: Signal number.
          type: int
    - name: socket_inet
      description: Internet socket information.
      type: object
      fields:
        - name: addr
          description: Network address information for the socket.
          type: array
          element:
            type: bigint
        - name: family
          description: Address family of the socket.
          type: string
        - name: id
          description: ID of the socket.
          type: string
        - name: ip_address
          description: IP address of the socket.
          type: string
          indicators:
            - ip
        - name: port
          description: Port number that the process is connecting to.
          type: bigint
    - name: socket_unix
      description: Unix socket information.
      type: object
      fields:
        - name: family
          description: Address family of the socket.
          type: string
        - name: path
          description: Path of the socket.
          type: string
    - name: subject
      description: Subject information for the event.
      type: object
      fields:
        - name: audit_id
          description: ID of the user that auditd is attributing the event to.
          type: string
          indicators:
            - actor_id
        - name: audit_user_name
          description: Name of the user that auditd is attributing the event to.
          type: string
          indicators:
            - username
        - name: effective_group_id
          description: Effective group ID the event was executed under.
          type: string
        - name: effective_group_name
          description: Effective group name the event was executed under.
          type: string
        - name: effective_user_id
          description: Effective user ID the event was executed under.
          type: string
          indicators:
            - actor_id
        - name: effective_user_name
          description: Effective user name the event was executed under.
          type: string
          indicators:
            - username
        - name: group_id
          description: ID of the group that originated this event.
          type: string
        - name: group_name
          description: Name of the group that originated this event.
          type: string
        - name: process_hash
          description: SHA1 hash of the binary file that was executed.
          type: string
          indicators:
            - sha1
        - name: process_id
          description: ID of the process performing the logged action.
          type: string
        - name: process_name
          description: Path to the process performing the logged action.
          type: string
        - name: process_information
          description: Information about the process that performed the action.
          type: json
        - name: responsible_process_id
          description: ID of the process that originated this event.
          type: string
        - name: responsible_process_name
          description: Name of the process that originated this event at the start of the process chain.
          type: string
        - name: session_id
          description: Session ID number the event originated from.
          type: string
          indicators:
            - trace_id
        - name: terminal_id
          description: Information about the terminal where the event originated.
          type: object
          fields:
            - name: addr
              description: Network address information for the terminal.
              type: array
              element:
                type: bigint
            - name: ip_address
              description: IP address of the controlling computer.
              type: string
              indicators:
                - ip
            - name: port
              description: Port number that the process is connecting to.
              type: bigint
            - name: type
              description: Type of connection (4 = IPv4, 6 = IPv6).
              type: bigint
        - name: user_id
          description: ID of the user that originated this event.
          type: string
          indicators:
            - actor_id
        - name: user_name
          description: Name of the user that originated this event.
          type: string
          indicators:
            - username
    - name: texts
      description: Descriptions of the event.
      type: array
      element:
        type: string
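A Panther-style Python detection over a Jamfpro.ComplianceReporter event, added here as an example and not code from Panther or Jamf. It combines header.time_seconds_epoch with time_milliseconds_offset into one event time and alerts on a COMPLIANCEREPORTER_TAMPER_EVENT whose file_event_info flags show the watched file was altered; the inline deep_get stand-in, the raw (un-normalised) JSON shape and the sample event are assumptions.

```python
from datetime import datetime, timezone

# Event name the schema ties to file_event_info.
TAMPER_EVENT = "COMPLIANCEREPORTER_TAMPER_EVENT"
# file_event_info booleans that mean the watched item itself was changed.
CHANGE_FLAGS = ("item_removed", "item_renamed", "item_updated", "item_created",
                "item_change_owner", "item_extended_attribute_modified")


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; a stand-in (assumption) for Panther's deep_get helper."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def event_time(event: dict) -> datetime:
    """Seconds epoch plus millisecond offset from the header, as an aware UTC time."""
    secs = deep_get(event, "header", "time_seconds_epoch", default=0)
    millis = deep_get(event, "header", "time_milliseconds_offset", default=0)
    return datetime.fromtimestamp(secs + millis / 1000, tz=timezone.utc)


def changed_flags(event: dict) -> list:
    """Names of the change flags that are true on this event."""
    return [f for f in CHANGE_FLAGS if deep_get(event, "file_event_info", f) is True]


def rule(event: dict) -> bool:
    """Alert only on tamper events that actually altered the watched item."""
    if deep_get(event, "header", "event_name") != TAMPER_EVENT:
        return False
    return bool(changed_flags(event))


def title(event: dict) -> str:
    return (f"Compliance Reporter tamper on {deep_get(event, 'host_info', 'host_name')}: "
            f"{deep_get(event, 'file_event_info', 'path')} "
            f"[{', '.join(changed_flags(event))}] by "
            f"{deep_get(event, 'process', 'process_name')}")


def alert_context(event: dict) -> dict:
    return {
        "event_time": event_time(event).isoformat(),
        "user": deep_get(event, "process", "user_name"),
        "process_hash": deep_get(event, "process", "process_hash"),
        "file_hash": deep_get(event, "file_event_info", "hash"),
        "serial_number": deep_get(event, "host_info", "serial_number"),
    }


# Constructed sample event (not real log data); values are placeholders.
SAMPLE_TAMPER = {
    "_event_score": 9,
    "header": {"event_name": TAMPER_EVENT, "event_id": "32900", "version": "1",
               "time_seconds_epoch": 1709648469, "time_milliseconds_offset": 250},
    "host_info": {"host_name": "mac-0042", "serial_number": "SERIAL-PLACEHOLDER"},
    "process": {"process_name": "/bin/rm", "user_name": "localadmin",
                "process_hash": "0000000000000000000000000000000000000000"},
    "file_event_info": {"path": "/Library/Application Support/JamfComplianceReporter/config.json",
                        "item_removed": True, "item_updated": False, "hash": None},
}

if __name__ == "__main__":
    print(rule(SAMPLE_TAMPER), title(SAMPLE_TAMPER), alert_context(SAMPLE_TAMPER))
```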
