
Fixed input.datset as that got reverted by resolving a merge conflict
txhaflaire committed Apr 23, 2024
1 parent 9f03c6a commit aa05ebf
Showing 7 changed files with 503 additions and 144 deletions.
152 changes: 84 additions & 68 deletions packages/jamf_protect/data_stream/alerts/sample_event.json


90 changes: 90 additions & 0 deletions packages/jamf_protect/data_stream/telemetry/sample_event.json
@@ -1,17 +1,37 @@
{
"@timestamp": "2024-02-06T16:01:34.442Z",
"agent": {
"ephemeral_id": "dad97e85-bc2e-4717-9fa3-fb745891af01",
"id": "bc9c17bf-519a-4e37-80cd-633fcea278e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
},
"data_stream": {
"dataset": "jamf_protect.telemetry",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "bc9c17bf-519a-4e37-80cd-633fcea278e7",
"snapshot": false,
"version": "8.12.2"
},
"error": {
"code": "0"
},
"event": {
"action": "aue_posix_spawn",
"agent_id_status": "verified",
"category": [
"authentication"
],
"code": "43190",
"dataset": "jamf_protect.telemetry",
"ingested": "2024-04-23T10:56:04Z",
"kind": "event",
"outcome": "success",
"type": [
Expand All @@ -28,6 +48,72 @@
"version": "Version 14.2.1 (Build 23C71)"
}
},
"input": {
"type": "http_endpoint"
},
"jamf_protect": {
"telemetry": {
"arguments": {
"child": {
"pid": 70851
}
},
"dataset": "audit",
"exec_args": {
"args_compiled": "/usr/bin/profiles,status,-type,enrollment"
},
"exec_chain_parent": {
"uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E"
},
"exec_env": {
"env": {
"compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"
}
},
"header": {
"event_modifier": "0",
"version": "11"
},
"host_info": {
"host": {
"uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91"
}
},
"identity": {
"cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68",
"signer": {
"id_truncated": "false",
"type": "0"
}
},
"path": [
"/usr/bin/profiles",
"/usr/bin/profiles"
],
"return": {
"description": "success"
},
"subject": {
"effective": {
"group": {
"id": "0",
"name": "wheel"
}
},
"process": {
"name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater",
"pid": 70848
},
"session": {
"id": "100016"
},
"terminal_id": {
"port": 0,
"type": "4"
}
}
}
},
"process": {
"args": [
"/usr/bin/profiles",
Expand Down Expand Up @@ -69,6 +155,10 @@
"root"
]
},
"tags": [
"forwarded",
"jamf_protect-telemetry"
],
"user": {
"id": "0",
"name": [
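Review bot: The sample classifies an `aue_posix_spawn` audit record — a process execution, as the `process.args` and `exec_args` fields show — under `event.category: ["authentication"]`, which in ECS is reserved for logon-style events; a spawn should carry `"category": ["process"]` (with a matching `event.type` such as `start`), otherwise detection content keyed on `event.category:process` will never match Jamf telemetry. The value presumably comes from the ingest pipeline rather than from this fixture, so the fix belongs there and the sample should then be regenerated. In the same hunk `"error": {"code": "0"}` is emitted on an event whose `return.description` is `success`; populating `error.code` with a zero status misleads dashboards that count documents where `error.code` exists, and the pipeline should set it only for a non-zero audit return. The JSON document continues beyond the visible hunk lines.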
Expand Up @@ -13,7 +13,7 @@
- name: event.dataset
type: constant_keyword
description: Name of the dataset.
value: jamf_protect.web-threat-events
value: jamf_protect.web_threat_events
- name: event.module
type: constant_keyword
description: Event module.
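Review bot: Changing the `constant_keyword` value of `event.dataset` from `jamf_protect.web-threat-events` to `jamf_protect.web_threat_events` is a breaking change for any deployment that already has a backing index with the old value: a `constant_keyword` value cannot change once set, so the new mapping only takes effect after the data stream is rolled over, and any saved query or detection rule filtering on the hyphenated name stops matching. The package changelog is not part of this commit; if it does not already call this out, it should gain an entry telling operators to roll over the data stream on upgrade. The same applies to the web-traffic-events fields file changed further down in this commit.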
@@ -1,4 +1,17 @@
{
"@timestamp": "2024-04-23T10:56:49.443Z",
"agent": {
"ephemeral_id": "2dcceb44-0411-44a3-9a4c-db8fb2cb2982",
"id": "bc9c17bf-519a-4e37-80cd-633fcea278e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
},
"data_stream": {
"dataset": "jamf_protect.web_threat_events",
"namespace": "ep",
"type": "logs"
},
"destination": {
"address": "ip",
"domain": "host",
Expand All @@ -7,14 +20,21 @@
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "bc9c17bf-519a-4e37-80cd-633fcea278e7",
"snapshot": false,
"version": "8.12.2"
},
"event": {
"action": "Detected",
"agent_id_status": "verified",
"category": [
"host"
],
"dataset": "jamf_protect.web_threat_events",
"id": "013b15c9-8f62-4bf1-948a-d82367af2a10",
"ingested": "2024-04-23T10:56:59Z",
"kind": "alert",
"module": "jamf_protect",
"provider": "Jamf Protect",
"reason": "Sideloaded App",
"severity": 6,
Expand All @@ -38,8 +58,9 @@
"full": "IOS 11.2.5"
}
},
"jamf_protect": {},
"message": "{\"event\":{\"metadata\":{\"schemaVersion\":\"1.0\",\"vendor\":\"Jamf\",\"product\":\"Threat Events Stream\"},\"timestamp\":\"2020-01-30T17:47:41.767Z\",\"alertId\":\"013b15c9-8f62-4bf1-948a-d82367af2a10\",\"account\":{\"customerId\":\"fb4567b6-4ee2-3c4c-abb9-4c78ec463b25\",\"parentId\":\"7c302632-7ac4-4234-8ada-11d76feb3730\",\"name\":\"Customer\"},\"device\":{\"deviceId\":\"09f81436-de17-441e-a631-0461252c629b\",\"os\":\"IOS 11.2.5\",\"deviceName\":\"Apple iPhone 11 (11.2.5)\",\"userDeviceName\":\"Apple iPhone 11\",\"externalId\":\"5087dc0e-876c-4b0e-95ea-5b543476e0c4\"},\"eventType\":{\"id\":213,\"description\":\"Sideloaded App\",\"name\":\"SIDE_LOADED_APP_IN_INVENTORY\"},\"app\":{\"id\":\"com.apple.iBooks\",\"name\":\"Books\",\"version\":\"1.1\",\"sha1\":\"16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2\",\"sha256\":\"16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042\"},\"destination\":{\"name\":\"host\",\"ip\":\"ip\",\"port\":80},\"source\":{\"ip\":\"1.2.3.4\",\"port\":3025},\"location\":\"gb\",\"accessPoint\":\"AccessPoint\",\"accessPointBssid\":\"c6:9f:db:b1:73:5a\",\"severity\":6,\"user\":{\"email\":\"user@mail.com\",\"name\":\"John Doe\"},\"eventUrl\":\"https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767\",\"action\":\"Detected\"}}",
"input": {
"type": "http_endpoint"
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
Expand All @@ -54,6 +75,10 @@
"source": {
"port": 3025
},
"tags": [
"forwarded",
"jamf_protect-web-threat-events"
],
"user": {
"email": "user@mail.com",
"name": "John Doe"
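Review bot: The rendered document still contains an empty `"jamf_protect": {}` object after the vendor fields have been mapped to ECS, which suggests the pipeline renames the nested fields but never prunes the now-empty parent; a remove-empty-fields step (or dropping `jamf_protect` when it has no keys) would keep this no-op object out of every indexed document, not just this fixture. Note also that the raw `message` string retains the complete vendor payload — user email, customer and device identifiers, the access-point BSSID — alongside the parsed copies, so field-level access control on `user.email` does not hide that data from anyone who can read `message`. Separately, the `app.sha1` and `app.sha256` values in that payload are 50 and 72 hex characters rather than 40 and 64, so they are not valid digests; if the pipeline maps them into `file.hash.*`, a fixture with correctly sized hashes would exercise the real path. The sample object begins and ends outside the visible hunk lines.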
Expand Up @@ -13,7 +13,7 @@
- name: event.dataset
type: constant_keyword
description: Name of the dataset.
value: jamf_protect.web-traffic-events
value: jamf_protect.web_traffic_events
- name: event.module
type: constant_keyword
description: Event module.
@@ -1,4 +1,17 @@
{
"@timestamp": "2024-04-23T10:57:43.694Z",
"agent": {
"ephemeral_id": "2406e751-8911-444c-81ba-b9684c820fbc",
"id": "bc9c17bf-519a-4e37-80cd-633fcea278e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
},
"data_stream": {
"dataset": "jamf_protect.web_traffic_events",
"namespace": "ep",
"type": "logs"
},
"dns": {
"answers": {
"ttl": 101,
Expand All @@ -14,14 +27,21 @@
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "bc9c17bf-519a-4e37-80cd-633fcea278e7",
"snapshot": false,
"version": "8.12.2"
},
"event": {
"action": "DNS Lookup",
"agent_id_status": "verified",
"category": [
"host",
"network"
],
"dataset": "jamf_protect.web_traffic_events",
"ingested": "2024-04-23T10:57:53Z",
"kind": "event",
"module": "jamf_protect",
"outcome": [
"success"
],
Expand All @@ -40,10 +60,12 @@
]
}
},
"input": {
"type": "http_endpoint"
},
"interface": {
"name": "WIFI"
},
"jamf_protect": {},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
Expand All @@ -54,8 +76,12 @@
"rule": {
"name": "DNS Lookup"
},
"tags": [
"forwarded",
"jamf_protect-web-traffic-events"
],
"user": {
"email": "user@acme.com",
"email": "hjilling@icloud.com",
"name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4"
}
}
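Review bot: The last hunk replaces the placeholder `user.email` value `user@acme.com` with `hjilling@icloud.com`, which looks like a real personal mailbox rather than synthetic data; sample events ship in the package documentation and test corpus, so this publishes a real address (and ties the `user.name` GUID to a person) in a public repository. Use an address under a reserved example domain per RFC 2606, `"email": "user@example.com"`, and regenerate the sample — `acme.com` itself is a registered domain, so the old value was not ideal either. If the new value came from a captured event pulled in during the merge-conflict resolution, the underlying test log that this sample is presumably generated from should be scrubbed as well, or the address will reappear on the next regeneration.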
