Jamf Protect Search and Visualization Examples

Jamf Protect Documentation


This section contains examples of search and visualization pairs that can be used as a starting point to display your data in a dashboard.

The following examples use searches based on data collected from Jamf Protect for Splunk.

For more information about Splunk dashboards, see Dashboards and Visualizations in the Splunk documentation.

Logs and Alerts by Event Types

Search
eventtype="jamf_protect" input.host.hostname="*" severity_id>0
| dedup id
| stats count by event_name
| rename
    event_name AS "Event",
    count AS "Count"
| replace
    "GPDownloadEvent" with "Download Event",
    "GPFSEvent" with "File System Event",
    "GPGatekeeperEvent" with "Gatekeeper Event",
    "GPPreventedExecutionEvent" with "Custom Prevention",
    "GPProcessEvent" with "Process Event",
    "GPThreatMatchExecEvent" with "Threat Prevention",
    "auth-mount" with "Device Controls",
    "GPClickEvent" with "Synthetic Click Event",
    "GPUSBEvent" with "USB Event"
    in Event

Detected Analytics Count

Search
source="http:Jamf Protect"
| stats count by input.eventType, input.match.facts{}.name
| rename
    input.eventType AS "Event Type",
    input.match.facts{}.name AS "Event",
    count AS "Count"
| sort Count desc
| head 10

Top 10 Event Type Breakdown

Search
eventtype=jamf_protect_alerts input.host.hostname="*" event_name!="GPUnifiedLogEvent"
| dedup id
| stats count by event_name, detection_name
| rename
    event_name AS "Event Type",
    detection_name AS "Event",
    count AS "Count" 
| sort Count desc 
| head 10

Executables Blocked by Gatekeeper

Search
source="http:Jamf Protect" input.eventType="GPGatekeeperEvent"
| stats count by input.match.facts{}.name, input.match.event.path
| rename
    input.match.facts{}.name AS "Block Type",
    input.match.event.path AS "Executable"
| head 10
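Blocked Executions by Host

An added example, not part of the Jamf Protect documentation: this search pairs with a table visualization to show which hosts are generating the most prevention events, using only the eventtype, event_name, id and input.host.hostname fields that the searches above rely on. The Category labels are the same ones the first search assigns with replace.

```spl
eventtype=jamf_protect_alerts input.host.hostname="*"
    event_name IN ("GPPreventedExecutionEvent", "GPThreatMatchExecEvent", "GPGatekeeperEvent")
| dedup id
| eval Category=case(
    event_name=="GPPreventedExecutionEvent", "Custom Prevention",
    event_name=="GPThreatMatchExecEvent", "Threat Prevention",
    event_name=="GPGatekeeperEvent", "Gatekeeper Event")
| stats count AS Count, min(_time) AS first_seen, max(_time) AS last_seen
    by input.host.hostname, Category
| convert ctime(first_seen) ctime(last_seen)
| rename
    input.host.hostname AS "Host",
    first_seen AS "First Seen",
    last_seen AS "Last Seen"
| sort - Count
| head 20
```

A host that keeps reappearing at the top of this table over several days is worth a closer look in the Top 10 Event Type Breakdown search, filtered to that hostname.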