Solution: Jamf Protect
| Attribute | Value |
|---|---|
| Publisher | Jamf Software, LLC |
| Support Tier | Partner |
| Support Link | https://www.jamf.com/support/ |
| Categories | domains |
| Version | 3.3.0 |
| Author | Thijs Xhaflaire - thijs.xhaflaire@jamf.com |
| First Published | 2022-10-10 |
| Last Updated | 2025-09-02 |
| Solution Folder | Jamf Protect |
| Marketplace | Azure Marketplace · Rating: ★★★★★ 4.9/5 (2,096 ratings) · Popularity: 🟢 High (83%) |
The Jamf Protect solution for Microsoft Sentinel lets you ingest Jamf Protect events (alerts, endpoint telemetry and unified logs) into the Log Analytics workspace that backs your Microsoft Sentinel instance.
This solution provides 1 data connector:
Jamf Protect Push Connector
This solution uses 4 tables:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| jamfprotect_CL 🔶 | - | Analytics |
| jamfprotectalerts_CL | Jamf Protect Push Connector | Analytics, Workbooks |
| jamfprotecttelemetryv2_CL | Jamf Protect Push Connector | Workbooks |
| jamfprotectunifiedlogs_CL | Jamf Protect Push Connector | Analytics, Workbooks |
🔶 CLv1: this table uses the legacy Custom Log v1 schema, in which column names carry a type suffix (_s string, _d double, _b boolean, _t datetime, _g guid). The classification is inferred from those suffixes alone; CLv2 tables are allowed to use the same naming, so it is not always accurate.
This solution includes 12 content items:
| Content Type | Count |
|---|---|
| Parsers | 5 |
| Analytic Rules | 3 |
| Playbooks | 3 |
| Workbooks | 1 |
Analytic Rules (3):
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Jamf Protect - Alerts | High | - | jamfprotectalerts_CL |
| Jamf Protect - Network Threats | Informational | InitialAccess | jamfprotect_CL |
| Jamf Protect - Unified Logs | Informational | - | jamfprotectunifiedlogs_CL |
Workbooks (1):
| Name | Tables Used |
|---|---|
| JamfProtectDashboard | jamfprotectalerts_CL, jamfprotecttelemetryv2_CL, jamfprotectunifiedlogs_CL |
Playbooks (3):
| Name | Description | Tables Used |
|---|---|---|
| Jamf Protect - Remote lock computer with Jamf Pro | This Playbook can be used manually or in an Automation Rule to send a remote MDM command with Jamf P... | - |
| Jamf Protect - Set Alert to In Progress | This Jamf Protect Playbook can be used manually or in an Automation Rule to change the state of the A... | - |
| Jamf Protect - Set Alert to Resolved | This Jamf Protect Playbook can be used manually or in an Automation Rule to change the state of the A... | - |
Parsers (5):
| Name | Description | Tables Used |
|---|---|---|
| JamfProtectAlerts | - | jamfprotectalerts_CL (read) |
| JamfProtectNetworkTraffic | - | jamfprotect_CL (read) |
| JamfProtectTelemetry | - | jamfprotecttelemetryv2_CL (read) |
| JamfProtectThreatEvents | - | jamfprotect_CL (read) |
| JamfProtectUnifiedLogs | - | jamfprotectunifiedlogs_CL (read) |
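The CLv1 note above says the catalog classifies a table as legacy Custom Log v1 from its `_s`/`_d`/`_b`/`_t`/`_g` column suffixes, and warns that the heuristic can misfire; the parsers listed above are what turn those typed raw columns in `jamfprotect_CL` into usable fields. The following Python is an added example, not code from the Jamf Protect solution or from this catalog: it applies the same suffix heuristic to a column list (returning the evidence ratio so a weak match is visible), and normalizes a CLv1-style row by stripping the suffix and casting the value to the type it encodes, which is the kind of mapping the KQL parsers do. The column names in the sample row are constructed for illustration and are not the real `jamfprotect_CL` schema; the set of built-in workspace columns is a partial, assumed subset.

```python
"""Added example: CLv1 suffix heuristic and CLv1 -> typed-field normalization.
Not part of the Jamf Protect solution; column names below are constructed."""
from __future__ import annotations

import re
import uuid
from datetime import datetime
from typing import Any

# Log Analytics Custom Log v1 type suffixes: string, double, boolean, datetime, guid.
_SUFFIX_RE = re.compile(r"^(?P<base>.+)_(?P<type>[sdbtg])$")

# Assumed partial list of workspace-managed columns that never carry a CLv1 suffix.
BUILTIN_COLUMNS = {"TimeGenerated", "Type", "TenantId", "_ResourceId", "Computer", "RawData"}


def split_clv1_name(column: str) -> tuple[str, str] | None:
    """Return (base_name, type_code) for a CLv1-style column, else None."""
    m = _SUFFIX_RE.match(column)
    return (m["base"], m["type"]) if m else None


def classify_table(columns: list[str]) -> dict[str, Any]:
    """Same heuristic the catalog describes: suffixed user columns => CLv1-like.
    The ratio is returned because CLv2 permits identical names, so a table with
    one suffixed column out of many is weak evidence, not proof."""
    user_cols = [c for c in columns if c not in BUILTIN_COLUMNS]
    suffixed = [c for c in user_cols if split_clv1_name(c)]
    ratio = len(suffixed) / len(user_cols) if user_cols else 0.0
    return {"clv1_like": ratio >= 0.8, "suffixed": suffixed, "ratio": ratio}


def _cast(value: str, type_code: str) -> Any:
    """Cast the raw string of a CLv1 column according to its suffix."""
    if type_code == "s":
        return value
    if type_code == "d":
        return float(value)
    if type_code == "b":
        return value.strip().lower() in ("true", "1", "yes")
    if type_code == "t":
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    if type_code == "g":
        return uuid.UUID(value)
    raise ValueError(f"unknown CLv1 type code {type_code!r}")


def normalize_clv1_record(record: dict[str, str]) -> dict[str, Any]:
    """Strip CLv1 suffixes and cast values; built-in columns pass through unchanged.
    Raises if two columns would collapse onto the same base name (e.g. foo_s and foo_d)."""
    out: dict[str, Any] = {}
    for column, raw in record.items():
        parts = split_clv1_name(column)
        if parts is None:
            out[column] = raw
            continue
        base, type_code = parts
        if base in out:
            raise ValueError(f"ambiguous column {base!r}: suffix collision")
        out[base] = _cast(raw, type_code)
    return out


# Constructed sample row in CLv1 style (field names are illustrative only).
SAMPLE_CLV1_ROW = {
    "TimeGenerated": "2025-09-02T10:15:00Z",
    "Type": "jamfprotect_CL",
    "input_eventType_s": "GPThreatMatchExecEvent",
    "input_host_hostname_s": "mac-001",
    "input_match_severity_d": "2",
    "input_match_isQuarantined_b": "true",
    "input_match_timestamp_t": "2025-09-02T10:14:58Z",
    "input_host_provisioningUDID_g": "123e4567-e89b-12d3-a456-426614174000",
}

# Constructed CLv2-style column list that happens to contain one suffixed name:
# the heuristic flags the column but should not call the table CLv1.
CLV2_LOOKALIKE_COLUMNS = ["TimeGenerated", "EventType", "Hostname", "Payload", "user_s"]


if __name__ == "__main__":
    print(classify_table(list(SAMPLE_CLV1_ROW)))
    print(classify_table(CLV2_LOOKALIKE_COLUMNS))
    print(normalize_clv1_record(SAMPLE_CLV1_ROW))
```

Running it shows the sample row classified as CLv1-like with every user column suffixed, the look-alike list with a single suffixed column and a low ratio (flagged, but not CLv1-like), and the normalized row carrying a float severity, a boolean quarantine flag, a datetime and a UUID instead of strings.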
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.3.0 | 02-09-2025 | Added support for newly added Telemetry event types (TCC_MODIFY, NETWORK_CONNECT, PTY_GRANT, PTY_CLOSE) and some enhancements to mount and process object mapping. |
| 3.2.4 | 27-03-2025 | Resolved issues related to the new Push Connector and the DCE/DCRs. Removed support for Telemetry Legacy in this newer Push Connector. Removed Hunting Queries as they were no longer relevant. Updated Analytic Rules and Workbooks to work with the updated parsers; the single parser was split up to be more useful to customers that only use certain features. |
| 3.2.1 | 24-02-2025 | Added support for the newly released gatekeeper_user_override event and removed totalRetentionInDays from the Push Connector. |
| 3.2.0 | 04-02-2025 | Added new CCP Data Connector to the Solution. |
| 3.1.1 | 30-04-2024 | Repackaged to fix a parser issue on reinstall. |
| 3.1.0 | 12-01-2024 | Improved data normalization in the JamfProtect parser: ParentProcess is mapped better, productVersion has been added, and more. Added new macOS Hunting Queries including recent malware IOCs. |
| 3.0.1 | 05-12-2023 | Minor tweak to the parser related to signerType. |
| 3.0.0 | 20-10-2023 | Added a parser for jamfprotect_CL raw logs. Modified existing Analytic Rules & Workbooks to make use of the newly added parser. Added macOS Threat Hunting queries for hunting macOS-specific threats retrospectively. Added Playbooks for interacting with the Jamf Protect and Jamf Pro APIs, including remote locking a computer and changing Alert statuses based on a Microsoft Sentinel incident. |
| 2.1.1 | 03-03-2023 | Updated Analytic Rules to include MITRE Tactics and Techniques. |
| 2.1.0 | 10-02-2023 | Added Data Connector for monitoring logs. Added Analytics Rules for automated incident creation within Microsoft Sentinel. Improved Workbook and added Endpoint Telemetry. |
| 2.0.0 | 12-10-2022 | Initial Solution Release. |