SIEM & XDR Integration
- Updated on 10 Feb 2025
Many mid-to-large organizations use a SIEM and/or XDR to correlate digital events and activity generated across as many endpoints as possible. The more data available, the better the chance of identifying patterns that could indicate an ongoing attack. This is loosely known as threat hunting.
Because Jamf's security products are both agent-based and cloud-based, they collect a rich set of data that includes both on-device and in-network signals. This data is available regardless of the device's physical location or the network it is using.
Security Events
Jamf security products generate security events when activity is detected that violates a threat policy or analytic. These events may be streamed to a listening SIEM/XDR/SOAR service for ingestion and analysis.
Depending upon deployment, these data streams will contain, for:
- Jamf Protect for macOS Data Forwarding
  - macOS endpoint threat activity
  - Alerts and Logs Dictionary
- Jamf Threat Defense Threat Events Stream
  - iOS/iPadOS and Android endpoint event activity
  - macOS, iOS/iPadOS, Android, and Windows network event activity
System Activity
Jamf Protect for macOS can collect various system- and user-level activity to enrich your security view.
There are two native functions of the Jamf Protect macOS agent that should be configured to gather these events before they are sent to your SIEM/SOAR/XDR backend.
- Jamf Protect Telemetry for macOS
  - macOS endpoint system and user events
- Jamf Protect Unified Logging for macOS
  - macOS endpoint unified log streaming
Network Activity
Jamf can forward a raw feed of all DNS- or HTTP-based network activity (depending upon deployment) generated by corporate-managed or BYO devices (work/managed apps only) to a third-party data repository.
This data stream is extremely valuable for building out the sequence of network events, across a large number of devices, that may have led to an attack. It can also be used to detect and signal Shadow IT usage across the organization.
- Jamf Network Traffic Stream
  - Network activity for all platforms with DNS or HTTP Proxy vectoring deployed.
- Jamf Connect ZTNA Access stream is now available.
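The two SIEM-side use cases described above, reconstructing a per-device event sequence and flagging Shadow IT, as an added example that is not part of this page or of Jamf's products. The JSON-lines records and the `SANCTIONED_SUFFIXES` allowlist are constructed for the example; they are a simplified stand-in, not Jamf's actual Network Traffic Stream schema.

```python
import json
from collections import defaultdict

# Constructed sample DNS-activity records (not Jamf's real stream format).
SAMPLE_STREAM = """
{"ts": "2025-02-10T09:00:01Z", "device": "mac-001", "user": "alice", "type": "dns", "domain": "mail.example-corp.com"}
{"ts": "2025-02-10T09:00:05Z", "device": "mac-001", "user": "alice", "type": "dns", "domain": "unsanctioned-share.example"}
{"ts": "2025-02-10T09:01:10Z", "device": "ipad-007", "user": "bob", "type": "dns", "domain": "unsanctioned-share.example"}
{"ts": "2025-02-10T09:02:00Z", "device": "mac-001", "user": "alice", "type": "dns", "domain": "cdn.example-corp.com"}
""".strip()

# Assumed allowlist of corporate-sanctioned domains (constructed).
SANCTIONED_SUFFIXES = ("example-corp.com",)


def parse_stream(text):
    """Parse newline-delimited JSON records into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sanctioned(domain):
    """True if the domain is a sanctioned domain or a subdomain of one.
    The leading dot prevents 'evil-example-corp.com' from matching."""
    return any(domain == s or domain.endswith("." + s) for s in SANCTIONED_SUFFIXES)


def shadow_it_report(events, min_devices=2):
    """Unsanctioned domains seen from at least min_devices distinct devices.
    A domain reached from several devices is a stronger Shadow IT signal
    than a one-off lookup, so only those are reported."""
    seen = defaultdict(set)
    for e in events:
        if e.get("type") == "dns" and not is_sanctioned(e["domain"]):
            seen[e["domain"]].add(e["device"])
    return {d: sorted(devs) for d, devs in seen.items() if len(devs) >= min_devices}


def device_timeline(events, device):
    """Time-ordered (timestamp, domain) pairs for one device, the raw
    material for reconstructing what happened before an alert fired."""
    return sorted((e["ts"], e["domain"]) for e in events if e["device"] == device)


if __name__ == "__main__":
    evs = parse_stream(SAMPLE_STREAM)
    print(shadow_it_report(evs))
    print(device_timeline(evs, "mac-001"))
```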