Creating an Ingestion Feed in Google Security Operations Using Amazon S3

Jamf Protect Documentation


You can send macOS Security data to Google Security Operations (formerly Google Chronicle) by creating an ingestion feed that uses Amazon S3.

Requirements
  1. In the macOS Security portal, set up data forwarding to an Amazon S3 bucket.
    For instructions, see Forwarding macOS Security Data to Amazon S3.
    Note: Data forwarding requires your macOS Security data to be stored in the Jamf Protect Cloud. In your macOS Security action configurations, make sure the data types you want to forward are collected by Jamf Protect Cloud.

  2. In Google SecOps, create the ingestion feed.

    For instructions, see Set up an ingestion feed in Google SecOps using Amazon S3 in the Google Security Operations documentation.

Your Google SecOps ingestion feed is integrated with macOS Security and will begin to receive data from computers that have the action configuration added in their plan.

For more information about how to interpret your macOS Security data in Google SecOps, see the Field mapping reference in the Google Security Operations documentation.