macOS Security and Splunk Integration Requirements

Jamf Protect Documentation


To integrate Jamf Protect with Splunk, the following items are required:

  • A Splunk instance.

  • A self-signed certificate must be installed and fully trusted.

  • Use of a fully qualified domain name (FQDN) on the following:
    • Self-signed certificate

    • Security information and event management (SIEM) endpoint

  • Administrator access to a Jamf Protect instance.

  • The Jamf Protect add-on for Splunk installed.

  • The Splunk Common Information Model (CIM) installed.

Jamf Protect alerts and unified logs support the following Splunk CIM data models:
  • Alerts

  • Malware

Jamf Protect telemetry supports the following Splunk CIM data models:

  • Authentication

  • Change

  • Inventory

  • Endpoint

  • Network Sessions

  • Intrusion Detection

  • Performance

  • Vulnerabilities

For more information about the CIM data model, see the Splunk documentation.