Jamf Pro Logs

Connecting Jamf Pro logs to your Panther Console

Overview

Panther supports ingesting Jamf Pro logs via Amazon Web Services (AWS) S3 as a Data Transport.
Note: A Jamf Premium Cloud add-on is required to connect Jamf Pro logs to Panther.

How to onboard Jamf Pro logs to Panther

To connect these logs to Panther:
  1. Log in to the Panther Console.
  2. In the left sidebar, click Configure > Log Sources.
  3. Click Create New.
  4. Search for the log type you want to onboard, then click its tile.
  5. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method.
  6. Set up your Data Transport in the Panther Console.
     • Follow Panther's documentation for configuring the Data Transport option via an AWS S3 bucket.
  7. Configure Jamf Pro to push logs to the Data Transport source.
     • See Jamf's documentation for instructions on how to push logs to an S3 bucket that is configured to allow Panther to read from it.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Jamfpro.Login

Login events into Jamf Pro itself.
fields:
  - name: ipAddress
    type: string
    description: IP Address that started the request
    indicators:
      - ip
  - name: username
    required: true
    description: Username of the account
    indicators:
      - username
    type: string
  - name: status
    required: true
    type: string
    description: The status of the login request
  - name: entryPoint
    required: true
    type: string
    description: The method used to login. Either Single Sign On, Universal API or Unknown
  - name: timestamp
    required: true
    type: timestamp
    description: Login timestamp
    isEventTime: true
    timeFormat: '%Y-%m-%dT%H:%M:%S,%f'
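
A pre-flight check of sample events against the Jamfpro.Login schema above, useful before pointing the S3 source at Panther. This is an added example, not Panther's or Jamf's code; it assumes one JSON object per line, and the sample lines (including their status values) are constructed.

```python
import json
from datetime import datetime

# Required fields and time format, copied from the Jamfpro.Login schema above.
REQUIRED = ("username", "status", "entryPoint", "timestamp")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S,%f"  # note the comma before fractional seconds
# Entry points named in the schema description.
ENTRY_POINTS = {"Single Sign On", "Universal API", "Unknown"}


def check_event(line):
    """Return (event, problems) for one log line; event is None if unparsable."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return None, ["top-level value is not an object"]
    problems = []
    for field in REQUIRED:
        if event.get(field) in (None, ""):
            problems.append(f"missing required field: {field}")
    ts = event.get("timestamp")
    if ts:
        try:
            # Replace the string with a datetime so callers get the event time.
            event["timestamp"] = datetime.strptime(ts, TIME_FORMAT)
        except (TypeError, ValueError):
            problems.append(f"timestamp does not match {TIME_FORMAT}: {ts!r}")
    entry = event.get("entryPoint")
    if entry and entry not in ENTRY_POINTS:
        problems.append(f"unexpected entryPoint: {entry!r}")
    return event, problems


# Constructed sample lines (not real Jamf Pro output); status values are assumed.
SAMPLES = [
    '{"ipAddress": "192.0.2.10", "username": "admin", "status": "Successful", '
    '"entryPoint": "Universal API", "timestamp": "2023-04-05T06:07:08,123"}',
    # Dot instead of comma in the timestamp, and no ipAddress (which is optional).
    '{"username": "admin", "status": "Failed", '
    '"entryPoint": "Single Sign On", "timestamp": "2023-04-05T06:07:08.123"}',
    '{"ipAddress": "192.0.2.11", "status": "Failed", "entryPoint": "Unknown", '
    '"timestamp": "2023-04-05T06:07:09,000"}',
]

if __name__ == "__main__":
    for line in SAMPLES:
        _, problems = check_event(line)
        print("OK" if not problems else "; ".join(problems))
```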