Jamf Pro Logs
Connecting Jamf Pro logs to your Panther Console
Overview
Panther supports ingesting Jamf Pro logs via Amazon Web Services (AWS) S3 as a Data Transport.
A Jamf Premium Cloud add-on is required to connect Jamf Pro logs to Panther.
How to onboard Jamf Pro logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Jamf Pro,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option.
Click Start Setup.
Configure Jamf Pro to push logs to the Data Transport source.
See Jamf's documentation for instructions on how to push logs to an S3 bucket that Panther can read from.
Supported log types
Jamfpro.Login
Login events into Jamf Pro itself.
Reference: Jamf Documentation on Event Logs.
fields:
  - name: ipAddress
    type: string
    description: IP Address that started the request
    indicators:
      - ip
  - name: username
    required: true
    description: Username of the account
    indicators:
      - username
    type: string
  - name: status
    required: true
    type: string
    description: The status of the login request
  - name: entryPoint
    required: true
    type: string
    description: The method used to login. Either Single Sign On, Universal API or Unknown
  - name: timestamp
    required: true
    type: timestamp
    description: Login timestamp
    isEventTime: true
    timeFormat: '%Y-%m-%dT%H:%M:%S,%f'
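The schema above is enough to write a detection over these events. The following is an added example, not Panther's or Jamf's own code: it follows the shape of a Panther Python rule (a `rule()` function that returns True to alert, plus `title()` and `dedup()`), but runs stand-alone on plain dicts. It parses the documented `'%Y-%m-%dT%H:%M:%S,%f'` timestamp format (note the comma before the fractional seconds), alerts on any login whose `entryPoint` is not one of the two documented expected values, and adds a batch check that flags a `username` seen from several distinct `ipAddress` values inside a short window. The event records, the window size and the IP threshold are constructed for illustration.

```python
"""Panther-style detection over Jamfpro.Login events (added example, not Panther's own rule)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Time format documented for the Jamfpro.Login timestamp field.
LOGIN_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S,%f"

# Entry points documented for the entryPoint field; "Unknown" is left out on purpose
# so that logins arriving through an unexpected path are surfaced for review.
KNOWN_ENTRY_POINTS = {"Single Sign On", "Universal API"}


def parse_login_time(value):
    """Parse the Jamf Pro login timestamp. Python's %f accepts 1 to 6 fractional digits."""
    return datetime.strptime(value, LOGIN_TIME_FORMAT)


def rule(event):
    """Per-event rule: alert when the entry point is not one of the documented expected ones."""
    return event.get("entryPoint") not in KNOWN_ENTRY_POINTS


def title(event):
    """Alert title built from the documented fields."""
    return (
        f"Jamf Pro login for {event.get('username', '<unknown>')} via "
        f"{event.get('entryPoint', '<missing>')} from {event.get('ipAddress', '<no ip>')}"
    )


def dedup(event):
    """Group alerts per account and entry point rather than per attempt."""
    return f"{event.get('username')}:{event.get('entryPoint')}"


def users_with_many_source_ips(events, window=timedelta(minutes=10), min_ips=3):
    """Batch check: usernames seen from at least `min_ips` distinct IPs within `window`.

    Events are grouped per user, sorted by the parsed timestamp, and a sliding
    window is moved over each user's logins. Returns {username: sorted IP list}.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["username"]].append(
            (parse_login_time(event["timestamp"]), event.get("ipAddress"))
        )
    flagged = {}
    for user, seen in by_user.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            ips = {ip for _, ip in seen[start : end + 1] if ip}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


# Constructed sample events in the documented Jamfpro.Login shape (not real data).
SAMPLE_EVENTS = [
    {"ipAddress": "203.0.113.10", "username": "jdoe", "status": "Success",
     "entryPoint": "Single Sign On", "timestamp": "2024-05-01T09:00:00,123"},
    {"ipAddress": "198.51.100.7", "username": "jdoe", "status": "Success",
     "entryPoint": "Universal API", "timestamp": "2024-05-01T09:03:30,5"},
    {"ipAddress": "192.0.2.44", "username": "jdoe", "status": "Success",
     "entryPoint": "Unknown", "timestamp": "2024-05-01T09:08:15,250000"},
    {"ipAddress": "203.0.113.10", "username": "svc-api", "status": "Success",
     "entryPoint": "Universal API", "timestamp": "2024-05-01T11:00:00,0"},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        if rule(evt):
            print("ALERT:", title(evt), "| dedup:", dedup(evt))
    print("Users with many source IPs:", users_with_many_source_ips(SAMPLE_EVENTS))
```

In a real Panther deployment the per-event functions would be the rule body and the batch check would be expressed as a scheduled query over the `jamfpro_login` table; here it runs over the list so the windowing logic can be exercised offline.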
Jamfpro.ComplianceReporter
Jamfpro.ComplianceReporter is in open beta starting with Panther version 1.87, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
These are event logs from the Jamf Compliance Reporter monitoring tool. For more information, see the Jamf Compliance Reporter documentation.
fields:
  - name: _event_score
    required: true
    description: The score of the event.
    type: bigint
  - name: app_metric_info
    description: Application metric information. Only present for App metric events.
    type: object
    fields:
      - name: cpu_percentage
        description: The CPU percentage used by the application.
        type: float
      - name: cpu_time_seconds
        description: The CPU time used by the application.
        type: float
      - name: interrupt_wakeups
        description: The number of interrupt wakeups.
        type: bigint
      - name: platform_idle_wakeups
        description: The number of platform idle wakeups.
        type: bigint
      - name: resident_memory_size_mb
        description: The resident memory size in MB.
        type: float
      - name: virtual_memory_size_mb
        description: The virtual memory size in MB.
        type: float
  - name: arguments
    description: Arguments that were passed to the event.
    type: json
  - name: attributes
    description: Attributes or metadata associated with the event.
    type: json
  - name: audio_video_device_info
    type: object
    fields:
      - name: audio_device_creator
        description: Creator of the audio device.
        type: string
      - name: audio_device_hog_mode
        description: Whether the audio device is in hog mode.
        type: bigint
      - name: audio_device_id
        description: ID of the audio device.
        type: string
      - name: audio_device_manufacturer
        description: Manufacturer of the audio device.
        type: string
      - name: audio_device_running
        description: Whether the audio device is running.
        type: bigint
      - name: audio_device_uuid
        description: UUID of the audio device.
        type: string
      - name: device_status
        description: Status of the device. "On" or "Off".
        type: string
  - name: audit_class_verification_info
    description: Audit class verification information. Only present for AUDIT_CLASS_VERIFICATION_EVENT events.
    type: object
    fields:
      - name: contents
        description: Contents of the file.
        type: string
      - name: osversion
        description: Version of the operating system.
        type: string
      - name: restored_default
        description: Whether the file was restored to default.
        type: boolean
      - name: status
        description: Status of the file.
        type: int
      - name: status_str
        description: String representation of the status of the file.
        type: string
  - name: compliancereporter_license_info
    description: Compliance Reporter license information. Only present for LICENSE_INFO_EVENT events.
    type: object
    fields:
      - name: email
        type: string
        indicators:
          - email
      - name: expiration_date
        type: timestamp
        timeFormats:
          - '%M/%d/%Y'
      - name: status
        type: string
      - name: time_seconds_epoch
        type: timestamp
        timeFormats:
          - unix
      - name: type
        type: string
      - name: version
        type: string
  - name: event_attributes
    description: Additional attributes or metadata associated with the event.
    type: json
  - name: exec_args
    description: Execution arguments passed to the event.
    type: object
    fields:
      - name: args
        description: Command line argument values listed in sequential order.
        type: json
      - name: args_compiled
        description: Comma-separated list of all command line arguments.
        type: string
  - name: exec_chain
    description: Chain of events originating from the same original action.
    type: json
  - name: exec_chain_child
    description: Child event in the chain of events originating from the same original action.
    type: object
    fields:
      - name: parent_path
        description: Path to the binary that directly caused this event.
        type: string
      - name: parent_pid
        description: Process ID of the process that directly caused this event.
        type: string
      - name: parent_uuid
        description: GUID of the direct parent in the execution chain. Correlates to the exec_chain_parent.uuid field in the parent event.
        type: string
  - name: exec_chain_parent
    description: Parent event in the chain of events originating from the same original action.
    type: object
    fields:
      - name: uuid
        description: GUID by which a child process claims this event as its direct parent. Correlates to the exec_chain_child.parent_uuid field in the parent event.
        type: string
  - name: exec_env
    description: Execution environment for the event.
    type: object
    fields:
      - name: env
        description: Key and value pairs for environment variables in the context of the event.
        type: json
      - name: env_compiled
        description: Comma-separated list of all environment variables in the context of the event.
        type: string
  - name: exit
    description: Exit information for the event. Only present for AUE_EXIT events.
    type: object
    fields:
      - name: return_value
        description: The return value of the event.
        type: bigint
      - name: status
        description: The status of the event.
        type: bigint
  - name: file_event_info
    description: File event information. Only present for COMPLIANCEREPORTER_TAMPER_EVENT events.
    type: object
    fields:
      - name: eventid_wrapped
        description: Whether the event ID was wrapped.
        type: boolean
      - name: hash
        description: SHA1 hash of the file.
        type: string
        indicators:
          - sha1
      - name: history_done
        description: Whether the history is done.
        type: boolean
      - name: item_change_owner
        description: Whether the item changed owner.
        type: boolean
      - name: item_cloned
        description: Whether the item was cloned.
        type: boolean
      - name: item_created
        description: Whether the item was created.
        type: boolean
      - name: item_extended_attribute_modified
        description: Whether the item's extended attributes were modified.
        type: boolean
      - name: item_finder_info_modified
        description: Whether the item's Finder info was modified.
        type: boolean
      - name: item_inode_metadata_modified
        description: Whether the item's inode metadata was modified.
        type: boolean
      - name: item_is_directory
        description: Whether the item is a directory.
        type: boolean
      - name: item_is_file
        description: Whether the item is a file.
        type: boolean
      - name: item_is_hard_link
        description: Whether the item is a hard link.
        type: boolean
      - name: item_is_last_hard_link
        description: Whether the item is the last hard link.
        type: boolean
      - name: item_is_sym_link
        description: Whether the item is a symbolic link.
        type: boolean
      - name: item_removed
        description: Whether the item was removed.
        type: boolean
      - name: item_renamed
        description: Whether the item was renamed.
        type: boolean
      - name: item_updated
        description: Whether the item was updated.
        type: boolean
      - name: kernel_dropped
        description: Whether the kernel dropped the event.
        type: boolean
      - name: mount
        description: Whether the item was mounted.
        type: boolean
      - name: must_scan_sub_dir
        description: Whether the subdirectory must be scanned.
        type: boolean
      - name: none
        description: Whether the item was not modified.
        type: boolean
      - name: own_event
        description: Whether the event was owned.
        type: boolean
      - name: path
        description: Path to the file.
        type: string
      - name: root_changed
        description: Whether the root was changed.
        type: boolean
      - name: unmount
        description: Whether the item was unmounted.
        type: boolean
      - name: user_dropped
        description: Whether the user dropped the event.
        type: boolean
  - name: hardware_event_info
    description: Hardware event information. Only present for HARDWARE_EVENT events.
    type: object
    fields:
      - name: device_attributes
        description: Attributes of the device.
        type: json
      - name: device_class
        description: Class of the device.
        type: string
      - name: device_name
        description: Name of the device.
        type: string
      - name: device_status
        description: Status of the device.
        type: string
  - name: header
    required: true
    description: Header information for the event. This field contains essential metadata about the event, including event name, timestamp, and version.
    type: object
    fields:
      - name: action
        description: Action that caused the event. Only present in PROHIBITED_APP_BLOCKED events.
        type: string
      - name: event_id
        description: ID that identifies the type of audit event.
        type: string
      - name: event_modifier
        description: Modifier for the event. This field is unused and will always be 0.
        type: string
      - name: event_name
        required: true
        description: Name of the type of audit event.
        type: string
      - name: time_seconds_epoch
        required: true
        description: Unix epoch time when the event occurred.
        type: timestamp
        timeFormat: unix
        isEventTime: true
      - name: time_milliseconds_offset
        description: Millisecond offset to the time_seconds_epoch field.
        type: bigint
      - name: version
        description: Version of the header format.
        type: string
  - name: host_info
    required: true
    description: Information about the host where the event occurred.
    type: object
    fields:
      - name: host_name
        description: Network host name of the computer.
        type: string
      - name: host_uuid
        description: Hardware UUID of the logic board.
        type: string
      - name: osversion
        description: Version of the operating system.
        type: string
      - name: primary_mac_address
        description: Primary MAC address of the reporting computer.
        type: string
        indicators:
          - mac
      - name: serial_number
        description: Serial number of the reporting computer.
        type: string
  - name: identity
    description: Identity information for the event.
    type: object
    fields:
      - name: cd_hash
        description: Code directory hash (CDHash) of the application or binary performing the action.
        type: string
        indicators:
          - sha1
      - name: signer_id
        description: Signer ID of the application or binary performing the action.
        type: string
      - name: signer_id_truncated
        description: Whether the signer ID was truncated.
        type: boolean
      - name: signer_type
        description: Signer type of the application or binary performing the action.
        type: int
      - name: team_id
        description: Team ID of the application or binary performing the action.
        type: string
      - name: team_id_truncated
        description: Whether the team ID was truncated.
        type: boolean
  - name: path
    description: File paths involved in the event.
    type: array
    element:
      type: string
  - name: process
    description: Information about the process that performed the action.
    type: object
    fields:
      - name: audit_id
        description: ID of the user that auditd is attributing the event to.
        type: string
        indicators:
          - actor_id
      - name: audit_user_name
        description: Name of the user that auditd is attributing the event to.
        type: string
        indicators:
          - username
      - name: effective_group_id
        description: ID of the group whose privileges the event was executed with.
        type: string
      - name: effective_group_name
        description: Name of the group whose privileges the event was executed with.
        type: string
      - name: effective_user_id
        description: ID of the user whose privileges the event was executed with.
        type: string
        indicators:
          - actor_id
      - name: effective_user_name
        description: Name of the user whose privileges the event was executed with.
        type: string
        indicators:
          - username
      - name: group_id
        description: ID of the group that originated this event.
        type: string
      - name: group_name
        description: Name of the group that originated this event.
        type: string
      - name: process_hash
        description: SHA1 hash of the binary file that was executed.
        type: string
        indicators:
          - sha1
      - name: process_id
        description: ID of the process performing the logged action.
        type: string
      - name: process_name
        description: Path to the process performing the logged action.
        type: string
      - name: process_information
        description: Information about the process that performed the action.
        type: json
      - name: responsible_process_id
        description: ID of the process that originated this event.
        type: string
      - name: responsible_process_name
        description: Name of the process that originated this event at the start of the process chain.
        type: string
      - name: session_id
        description: Session ID number the event originated from.
        type: string
        indicators:
          - trace_id
      - name: terminal_id
        description: Information about the terminal where the event originated.
        type: object
        fields:
          - name: addr
            description: Network address information for the terminal.
            type: array
            element:
              type: bigint
          - name: ip_address
            description: IP address of the controlling computer.
            type: string
            indicators:
              - ip
          - name: port
            description: Port number that the process is connecting to.
            type: bigint
          - name: type
            description: Type of connection (4 = IPv4, 6 = IPv6).
            type: bigint
      - name: user_id
        description: ID of the user that originated this event.
        type: string
        indicators:
          - actor_id
      - name: user_name
        description: Name of the user that originated this event.
        type: string
        indicators:
          - username
  - name: return
    description: Event output information.
    type: object
    fields:
      - name: description
        description: Description of the event output.
        type: string
      - name: error
        description: Event outcome error code.
        type: int
      - name: return_value
        description: Event outcome return value (if any).
        type: int
  - name: signal_event_info
    description: Signal event information. Only present for SIGNAL_EVENT events.
    type: object
    fields:
      - name: signal
        description: Signal number.
        type: int
  - name: socket_inet
    description: Internet socket information.
    type: object
    fields:
      - name: addr
        description: Network address information for the socket.
        type: array
        element:
          type: bigint
      - name: family
        description: Address family of the socket.
        type: string
      - name: id
        description: ID of the socket.
        type: string
      - name: ip_address
        description: IP address of the socket.
        type: string
        indicators:
          - ip
      - name: port
        description: Port number that the process is connecting to.
        type: bigint
  - name: socket_unix
    description: Unix socket information.
    type: object
    fields:
      - name: family
        description: Address family of the socket.
        type: string
      - name: path
        description: Path of the socket.
        type: string
  - name: subject
    description: Subject information for the event.
    type: object
    fields:
      - name: audit_id
        description: ID of the user that auditd is attributing the event to.
        type: string
        indicators:
          - actor_id
      - name: audit_user_name
        description: Name of the user that auditd is attributing the event to.
        type: string
        indicators:
          - username
      - name: effective_group_id
        description: ID of the group whose privileges the event was executed with.
        type: string
      - name: effective_group_name
        description: Name of the group whose privileges the event was executed with.
        type: string
      - name: effective_user_id
        description: ID of the user whose privileges the event was executed with.
        type: string
        indicators:
          - actor_id
      - name: effective_user_name
        description: Name of the user whose privileges the event was executed with.
        type: string
        indicators:
          - username
      - name: group_id
        description: ID of the group that originated this event.
        type: string
      - name: group_name
        description: Name of the group that originated this event.
        type: string
      - name: process_hash
        description: SHA1 hash of the binary file that was executed.
        type: string
        indicators:
          - sha1
      - name: process_id
        description: ID of the process performing the logged action.
        type: string
      - name: process_name
        description: Path to the process performing the logged action.
        type: string
      - name: process_information
        description: Information about the process that performed the action.
        type: json
      - name: responsible_process_id
        description: ID of the process that originated this event.
        type: string
      - name: responsible_process_name
        description: Name of the process that originated this event at the start of the process chain.
        type: string
      - name: session_id
        description: Session ID number the event originated from.
        type: string
        indicators:
          - trace_id
      - name: terminal_id
        description: Information about the terminal where the event originated.
        type: object
        fields:
          - name: addr
            description: Network address information for the terminal.
            type: array
            element:
              type: bigint
          - name: ip_address
            description: IP address of the controlling computer.
            type: string
            indicators:
              - ip
          - name: port
            description: Port number that the process is connecting to.
            type: bigint
          - name: type
            description: Type of connection (4 = IPv4, 6 = IPv6).
            type: bigint
      - name: user_id
        description: ID of the user that originated this event.
        type: string
        indicators:
          - actor_id
      - name: user_name
        description: Name of the user that originated this event.
        type: string
        indicators:
          - username
  - name: texts
    description: Descriptions of the event.
    type: array
    element:
      type: string
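Because most of the ComplianceReporter fields are nested objects (`header`, `subject`, `file_event_info`, `exec_chain_parent`, `exec_chain_child`), detections over this log type spend most of their effort on safe nested lookups. The following is an added example, not Panther's or Jamf's own code. It provides a small `deep_get` helper (a local stand-in for Panther's own nested accessor), a Panther-style `rule()` that alerts when Compliance Reporter reports a `COMPLIANCEREPORTER_TAMPER_EVENT` in which `file_event_info` shows an actual change, and a function that re-links a process chain by matching `exec_chain_child.parent_uuid` in child events to `exec_chain_parent.uuid` in parent events, as the schema above describes. The sample events, the `AUE_EXECVE` audit event name (a BSM audit event name, not taken from this page) and the file path are constructed for illustration.

```python
"""Nested-field handling and a tamper rule for Jamfpro.ComplianceReporter (added example)."""
from collections import defaultdict

TAMPER_EVENT = "COMPLIANCEREPORTER_TAMPER_EVENT"

# file_event_info flags that mean the monitored file really changed, per the schema.
CHANGE_FLAGS = ("item_created", "item_removed", "item_renamed",
                "item_updated", "item_change_owner")


def deep_get(obj, *keys, default=None):
    """Walk nested dicts by key; return `default` if any level is missing or not a dict.

    Local stand-in for Panther's nested accessor so the block runs offline.
    """
    current = obj
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def rule(event):
    """Alert when Compliance Reporter reports tampering with a file it monitors.

    Only tamper events carry file_event_info (see schema). Events whose `none`
    flag is set, or that set no change flag at all, are treated as noise.
    """
    if deep_get(event, "header", "event_name") != TAMPER_EVENT:
        return False
    info = deep_get(event, "file_event_info", default={})
    changed = any(info.get(flag) for flag in CHANGE_FLAGS)
    return bool(changed) and not info.get("none", False)


def title(event):
    """Alert title: host, path and the effective user that performed the change."""
    host = deep_get(event, "host_info", "host_name", default="<unknown host>")
    path = deep_get(event, "file_event_info", "path", default="<no path>")
    actor = deep_get(event, "subject", "effective_user_name", default="<unknown user>")
    return f"Compliance Reporter tamper event on {host}: {path} changed by {actor}"


def link_exec_chain(events):
    """Rebuild parent -> children links from the exec_chain_* fields.

    A parent event exposes exec_chain_parent.uuid; each child event names that
    value in exec_chain_child.parent_uuid. Returns {parent process path: [child paths]},
    falling back to the raw uuid when the parent event itself was not seen.
    """
    parents = {}
    children = defaultdict(list)
    for event in events:
        parent_uuid = deep_get(event, "exec_chain_parent", "uuid")
        if parent_uuid:
            parents[parent_uuid] = deep_get(event, "subject", "process_name")
        claimed_parent = deep_get(event, "exec_chain_child", "parent_uuid")
        if claimed_parent:
            children[claimed_parent].append(deep_get(event, "subject", "process_name"))
    return {parents.get(uuid, uuid): names for uuid, names in children.items()}


# Constructed sample events in the documented shape (not real data).
SAMPLE_EVENTS = [
    {"header": {"event_name": "AUE_EXECVE", "time_seconds_epoch": 1714550400},
     "host_info": {"host_name": "mac-001"},
     "subject": {"process_name": "/bin/zsh", "effective_user_name": "jdoe", "process_id": "500"},
     "exec_chain_parent": {"uuid": "PARENT-UUID-1"}},
    {"header": {"event_name": "AUE_EXECVE", "time_seconds_epoch": 1714550401},
     "host_info": {"host_name": "mac-001"},
     "subject": {"process_name": "/usr/bin/curl", "effective_user_name": "jdoe", "process_id": "501"},
     "exec_chain_child": {"parent_path": "/bin/zsh", "parent_pid": "500", "parent_uuid": "PARENT-UUID-1"}},
    {"header": {"event_name": TAMPER_EVENT, "time_seconds_epoch": 1714550402},
     "host_info": {"host_name": "mac-001"},
     "subject": {"process_name": "/bin/rm", "effective_user_name": "root"},
     # Placeholder path; the page does not document which files are monitored.
     "file_event_info": {"path": "/path/to/compliancereporter/config.plist",
                         "item_removed": True, "none": False}},
    {"header": {"event_name": TAMPER_EVENT, "time_seconds_epoch": 1714550403},
     "host_info": {"host_name": "mac-001"},
     "file_event_info": {"path": "/path/to/compliancereporter/other.plist", "none": True}},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        if rule(evt):
            print("ALERT:", title(evt))
    print("Exec chain:", link_exec_chain(SAMPLE_EVENTS))
```

The `none`-flag check matters in practice: the schema carries many boolean flags for the same file event, and a rule that fires on the presence of `file_event_info` alone would alert on tamper events that record no actual modification.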