SIEM & XDR Integration
- Updated on 23 Sep 2022
Many mid-to-large organizations employ a SIEM and/or XDR in order to correlate digital events and activity generated across as many endpoints as possible. The more data, the better the chance of being able to identify patterns that could indicate an ongoing attack. This is loosely known as threat hunting.
Thanks to the nature of Jamf's agent and cloud-based security products, these products are privy to a rich set of data that includes both on-device and in-network signals. This data is available regardless of the device's physical location or network usage.
Security Events
Jamf security products generate security events when activity is detected that violates a threat policy or analytic. These events may be streamed to a listening SIEM/XDR service for ingestion and analysis.
Depending upon deployment, these data streams will contain for
- macOS endpoint event activity
- Jamf Compliance Reporter Remote Logging
  - macOS endpoint compliance activity
- Jamf Threat Defense Threat Events Stream
  - iOS/iPadOS and Android endpoint event activity
  - macOS, iOS/iPadOS, Android, and Windows network event activity
Network Activity
Jamf can forward a raw feed of all DNS or HTTP-based network activity (based upon deployment) generated by corporate-managed or BYO devices (work/managed apps only) to a third-party data repository.
This data stream is extremely valuable to organizations for building out the sequence of events on the network, across a large number of devices, that may have led to an attack. It can also be used to detect and signal Shadow IT usage across the organization.
- Jamf Network Traffic Stream
  - Network activity for all platforms with DNS or HTTP Proxy vectoring deployed.
  - Note: Private Access activity is not currently supported.
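As an added example (not Jamf's code, and not the real schema of the Network Traffic Stream, which this page does not document), the following script shows the two uses described above: reconstructing a per-device sequence of network events from a forwarded DNS/HTTP feed, and flagging Shadow IT by matching contacted hosts against an allowlist of sanctioned services. The record field names (`ts`, `device`, `type`, `host`), the sample events and the domain lists are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample feed in newline-delimited JSON; field names are assumed,
# not the documented Jamf Network Traffic Stream format.
SAMPLE_EVENTS = """\
{"ts": "2022-09-23T09:00:01Z", "device": "mac-0042", "type": "dns", "host": "login.microsoftonline.com"}
{"ts": "2022-09-23T09:00:05Z", "device": "mac-0042", "type": "dns", "host": "api.dropbox.com"}
{"ts": "2022-09-23T09:01:10Z", "device": "ipad-0007", "type": "http", "host": "drive.google.com"}
{"ts": "2022-09-23T09:03:00Z", "device": "android-0101", "type": "dns", "host": "slack.com"}
{"ts": "2022-09-23T09:04:44Z", "device": "mac-0042", "type": "http", "host": "wetransfer.com"}
not valid json
"""

# Assumed corporate allowlist and a small catalogue of unsanctioned SaaS domains.
SANCTIONED = {"microsoftonline.com", "slack.com"}
SHADOW_IT = {"dropbox.com": "Dropbox", "drive.google.com": "Google Drive",
             "wetransfer.com": "WeTransfer"}

def _matches(host, domains):
    """Return the entry that host equals or is a subdomain of, else None."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def parse_stream(text):
    """Parse NDJSON records, skipping malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e["ts"])

def find_shadow_it(events):
    """Map device -> {service: first-seen timestamp} for unsanctioned SaaS contacts."""
    findings = defaultdict(dict)
    for e in events:
        host = e.get("host", "").lower()
        if _matches(host, SANCTIONED):
            continue
        d = _matches(host, SHADOW_IT)
        if d:
            findings[e["device"]].setdefault(SHADOW_IT[d], e["ts"])
    return dict(findings)

def device_timeline(events, device):
    """Time-ordered (ts, type, host) tuples for one device."""
    return [(e["ts"], e["type"], e["host"]) for e in events if e["device"] == device]
```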