Jamf Protect is a comprehensive security solution designed specifically for Apple endpoints, including macOS, iOS and iPadOS endpoints and other supported platforms. Jamf Protect enhances Apple's built-in security features and provides real-time detection of malicious applications, scripts, and user activities.
Jamf Protect not only detects known malware and adware, but also prevents unknown threats and blocks command and control traffic and risky domains. Furthermore, it provides granular insights into endpoint activity, ensuring endpoint health and compliance, and supports incident response with automated workflows. This integration collects logs from Jamf Protect events, which can then be analyzed in Datadog. It monitors Jamf Protect logs for both macOS Security and Jamf Security Cloud.
- Datadog intake URL. Use the Datadog API Logs documentation and select your Datadog Site at the top of the page.
- Your Datadog API and App keys.
Navigate to the Integrations page and search for the "Jamf Protect" tile.
- In Jamf Protect, click Actions.
- Click Create Actions.
- In the Action Config Name field, enter a name (such as Datadog).
- (Optional) To collect alerts, click Remote Alert Collection Endpoints and add the following:
  a. URL: https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=alerts
  b. Set Min Severity & Max Severity.
  c. Click + Add HTTP Header twice and add the following HTTP header fields:
     Name: DD-API-KEY Value: <API_Key>
     Name: DD-APPLICATION-KEY Value: <APPLICATION_KEY>
- (Optional) To collect unified logs, click + Unified Logs Collection Endpoints and add the following:
  a. URL: https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=unifiedlogs
  b. Click + Add HTTP Header twice and add the following HTTP header fields:
     Name: DD-API-KEY Value: <API_Key>
     Name: DD-APPLICATION-KEY Value: <APPLICATION_KEY>
- (Optional) To collect telemetry data, click + Telemetry Collection Endpoints and add the following:
  a. URL: https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=telemetry
  b. Click + Add HTTP Header twice and add the following HTTP header fields:
     Name: DD-API-KEY Value: <API_Key>
     Name: DD-APPLICATION-KEY Value: <APPLICATION_KEY>
- Click Save.
- Click Plans.
- Find the plan assigned to devices.
- Click Edit next to the name of the plan.
- Select the Action from the Action Configuration dropdown menu. This is the Action config name that contains the Datadog configuration.
- Click Save.
- Click Integrations in the Threat Events Stream.
- Click Data Streams.
- Click New Configuration.
- Select Threat Events.
- Select Generic HTTP.
- Click Continue.
  Configuration Details:
  Name: Datadog (Threat)
  Protocol: HTTPS
  Server Hostname/IP: ${DATADOG_INTAKE_URL}
  Port: 443
  Endpoint: api/v2/logs?ddsource=jamfprotect&
- Click Create option "DD-API-KEY".
  Header Value: <API_Key>
  Header Name: DD-APPLICATION-KEY
- Click Create option "DD-APPLICATION-KEY".
  Header Value: <APPLICATION_KEY>
- Click Test Configuration.
- If successful, click Create Configuration.
- Click Integrations.
- Click Data Streams.
- Click New Configuration.
- Select Threat Events.
- Select Generic HTTP.
- Click Continue.
  a. Configuration Name: Datadog (Threat)
  b. Protocol: HTTPS
  c. Server Hostname/IP: ${DATADOG_INTAKE_URL}
  d. Port: 443
  e. Endpoint: api/v2/logs?ddsource=jamfprotect&service=networktraffic
  f. Additional Headers:
     i. Header Name: DD-API-KEY
     ii. Click Create option "DD-API-KEY".
     iii. Header Value: <API_Key>
     iv. Header Name: DD-APPLICATION-KEY
     v. Click Create option "DD-APPLICATION-KEY".
     vi. Header Value: <APPLICATION_KEY>
- Click Test Configuration.
- If successful, click Create Configuration.
Navigate to the Logs Explorer and search for source:jamfprotect to validate you are receiving logs.
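When no logs arrive, the cause is often a mistyped endpoint or header entry. The following check is an added example, not part of the Datadog or Jamf documentation: it lints one endpoint URL and its header fields, as entered in the steps above, for leftover placeholders, a non-HTTPS scheme, a wrong ddsource or service value, and keys placed in the URL instead of a header. The function name `lint_endpoint`, the host `intake.example.com` and the key values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# service= values visible in the endpoint URLs on this page.
KNOWN_SERVICES = {"alerts", "unifiedlogs", "telemetry", "networktraffic"}
REQUIRED_HEADERS = ("DD-API-KEY", "DD-APPLICATION-KEY")


def lint_endpoint(url, headers):
    """Return the problems found in one endpoint URL plus its header fields."""
    problems = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "${" in url:
        problems.append("intake URL placeholder was not substituted")
    if parts.scheme != "https":
        problems.append("scheme is not https; keys would travel unencrypted")
    if parts.path != "/api/v2/logs":
        problems.append("path is not /api/v2/logs")
    if query.get("ddsource") != ["jamfprotect"]:
        problems.append("ddsource is not jamfprotect")
    service = query.get("service", [""])[0]
    if service not in KNOWN_SERVICES:
        problems.append(f"unexpected service value {service!r}")
    # Keys belong in headers: URLs are routinely written to proxy logs.
    if any("key" in name.lower() for name in query):
        problems.append("a key is passed in the query string")
    # Header names are case-insensitive, so compare in upper case.
    given = {name.upper(): value for name, value in headers.items()}
    for name in REQUIRED_HEADERS:
        value = given.get(name, "")
        if not value:
            problems.append(f"header {name} is missing")
        elif value.startswith("<") or value != value.strip():
            problems.append(f"header {name} holds a placeholder or stray whitespace")
    return problems


# Constructed sample entries; host and key values are made up.
GOOD = ("https://intake.example.com/api/v2/logs?ddsource=jamfprotect&service=alerts",
        {"DD-API-KEY": "0123abcd", "dd-application-key": "4567efab"})
BAD = ("http://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=alert",
       {"DD-API-KEY": "<API_Key>"})

if __name__ == "__main__":
    for url, headers in (GOOD, BAD):
        print(url)
        for problem in lint_endpoint(url, headers) or ["ok"]:
            print("  -", problem)
```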
The Jamf Protect integration allows you to send Jamf Audit Logs to Datadog.
Jamf Protect does not include any metrics.
Jamf Protect does not include any service checks.
Jamf Protect does not include any events.
Need help? Contact Datadog support.