Jamf Protect can send macOS Security data directly to Splunk using HTTP Event Collectors. In Splunk, each Jamf Protect data type requires its own event collector, which corresponds to a data endpoint in an action configuration in your macOS Security portal.
- Alerts and Unified Logs
  jamf:protect:alerts
- Telemetry
  jamf:protect:telemetry:v2
  Note: The deprecated version of telemetry uses jamf:protect:telemetry.
Note: The order in which you configure event collectors does not matter.
For more information about HTTP event collectors in Splunk, see Set up and use HTTP Event Collector in Splunk Web in the Splunk documentation.