Configuring an Action Configuration for a Google Security Operations Webhook

Jamf Protect Documentation


In the macOS Security portal, create an action configuration that uses your webhook ingestion feed from Google SecOps.

Requirements

An ingestion feed in Google SecOps that uses webhooks and the following feed values:

  • Secret key

  • Feed endpoint URL

  • API key

  1. In Jamf Protect, click Actions.
  2. Select an existing action configuration and then click Edit, or click Create Action to create a new action configuration.
  3. Add your Google SecOps webhook feed as a new data endpoint:
    1. In Data Endpoints, click + Add.
    2. Select HTTP.
    3. In the URL field, enter the Feed endpoint URL from Google SecOps.
    4. Click + Add HTTP Header and enter the following:
      • API_KEY: The API key used to authenticate to Google Security Operations.
      • SECRET: The Secret key that you generated to authenticate the feed.
    5. From Collect Alerts, select the alert levels you want to collect.
    6. From Collect Logs, select additional macOS security data types to collect.
  4. Click Save.

Your Google SecOps ingestion feed is integrated with macOS Security and will begin to receive data from computers that have the action configuration added in their plan.
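
As an added example (not part of the Jamf or Google documentation), the shell functions below check the three feed values from Requirements before they are entered in step 3, then post one constructed test event. The function names and test payload are hypothetical, the header names API_KEY and SECRET are the ones given in the procedure, and curl 7.55.0 or later is assumed for reading headers from stdin.

```shell
#!/bin/sh
# Added example: pre-flight check for the Google SecOps feed values.
# Function names are hypothetical; header names follow the procedure above.

# Return 0 if the values are fit to enter, else print the problem and return 1.
check_feed_values() {
  local url="$1" api_key="$2" secret="$3"
  case "$url" in
    https://*) ;;
    *) echo "feed endpoint URL must use https" >&2; return 1 ;;
  esac
  # The keys are sent as HTTP headers; a query string on the URL would
  # copy credentials or other parameters into proxy and access logs.
  case "$url" in
    *\?*) echo "feed endpoint URL must not carry a query string" >&2; return 1 ;;
  esac
  if [ -z "$api_key" ] || [ -z "$secret" ]; then
    echo "API key and secret key are both required" >&2; return 1
  fi
  # Whitespace or a newline picked up during copy/paste corrupts the header.
  if [ "$(printf '%s' "$api_key$secret" | tr -d '[:space:]')" != "$api_key$secret" ]; then
    echo "API key or secret key contains whitespace" >&2; return 1
  fi
  return 0
}

# Post one constructed test event to the feed. Headers are fed to curl on
# stdin ("-H @-") so the keys never show up in the process list.
send_test_event() {
  local url="$1" api_key="$2" secret="$3"
  check_feed_values "$url" "$api_key" "$secret" || return 1
  printf 'API_KEY: %s\nSECRET: %s\nContent-Type: application/json\n' \
      "$api_key" "$secret" |
    curl --silent --show-error --fail --max-time 15 \
         -H @- --data '{"note":"constructed test event"}' "$url"
}

# Usage (values come from the feed's details in Google SecOps):
#   send_test_event "$FEED_URL" "$FEED_API_KEY" "$FEED_SECRET" && echo "feed accepted the event"
```

A non-zero exit from `send_test_event` means either a value failed the local check or the endpoint rejected the request, in which case curl prints the HTTP error.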

For more information about how to interpret your macOS Security data in Google SecOps, see the Field mapping reference in the Google Security Operations documentation.