Creating a Jamf Protect Action Configuration for Elastic

Jamf Protect Documentation

In the macOS Security portal, use your HTTP endpoint address from Elastic as a data endpoint for the macOS Security data types you want to collect.

Requirements

In Elastic, install and enable the Jamf Protect integration for Elastic and choose to collect logs using an HTTP endpoint. For instructions, see Installing and Enabling the Jamf Protect Integration for Elastic.

  1. In Jamf Protect, click Actions.
  2. Click Edit on an existing action configuration or click Create Action to create a new one.
  3. For each macOS Security data type, add a new data endpoint:
    1. In Data Endpoints, click + Add.
    2. Select HTTP.
    3. In URL, enter the full URL with port using this format: http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}
    4. From Alerts, select the level of alerts you want to collect.
    5. From Logs, select the data types you want to collect.
  4. Click Save.

The action configuration is updated and available to add to Jamf Protect plans in the macOS Security portal.