Modifying Alert Event Types

Jamf Protect Documentation


For macOS Security (alert) data, the base event type shipped with the Jamf Protect add-on must be updated so that it searches the index your alert data is actually stored in. Until it is, eventtype=jamf_protect matches nothing, and anything built on that event type returns no results.

This is not necessary for telemetry events.

  1. If you use Splunk Cloud, do the following:
    1. Navigate to Settings > Event Types.
    2. Select App.
    3. Select Jamf Protect (TA-JamfProtect).
    4. Select jamf_protect.
    5. In the Search String field, enter: index=CORRECTINDEX sourcetype=jamf:protect:alertslogs
       Replace CORRECTINDEX with the index your Jamf Protect alert data is in and leave the sourcetype as shipped in the add-on's default event type. A search string with the wrong index or sourcetype saves without any error but never matches an event.
    6. Click Save.
  2. If you use Splunk Enterprise, do the following:
    1. Open the add-on's default/eventtypes.conf file and locate the [jamf_protect] stanza. Do not edit this file: Splunk replaces default/ when the app is upgraded, while local/ is preserved.
    2. Copy the [jamf_protect] stanza from default/eventtypes.conf. It looks like the example below.
      Example:
      [jamf_protect]
      search = index=CORRECTINDEX sourcetype="jamf:protect:alerts"
    3. Paste the stanza into local/eventtypes.conf (create the file if it does not exist) and replace index=CORRECTINDEX with the index that your jamf:protect data is in. Only the search key needs to be present in local/; Splunk merges local/ over default/ key by key, so the other keys of the stanza stay in effect.
    4. Save the local/eventtypes.conf file and restart Splunk so the change is read.

The base event type index value should now match your desired index value. To confirm, run a search such as eventtype=jamf_protect | head 5 and check that alert events are returned. On Splunk Enterprise, $SPLUNK_HOME/bin/splunk btool eventtypes list jamf_protect --debug also shows which file the effective search value comes from; it should be the local/ copy.
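The Splunk Enterprise procedure above, scripted as an added example (this is not code from Jamf or the TA-JamfProtect add-on): it writes a local/eventtypes.conf override that carries only the search key, refuses the CORRECTINDEX placeholder and malformed index names, and reads back which index the [jamf_protect] stanza resolves to, layering local/ over default/ the way Splunk does. The temporary TA directory and the index name jamf_protect_idx are assumptions for the demo; the sourcetype is the one from the stanza shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of Jamf's or the add-on's code: apply the Splunk
# Enterprise procedure from this page to a TA-JamfProtect directory and check it.
set -eu

# Splunk index names may contain lowercase letters, digits, underscore and
# hyphen, and may not start with underscore or hyphen. Reject anything else
# so a typo cannot produce a stanza that silently matches nothing.
valid_index_name() {
    case "$1" in
        ""|_*|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[a-z0-9_-]+$'
}

# write_local_eventtype <index> <ta_dir>
# Writes <ta_dir>/local/eventtypes.conf containing only the key being
# overridden. Splunk merges local/ over default/ key by key, so the other
# keys of [jamf_protect] in default/eventtypes.conf remain in effect, and
# local/ survives an app upgrade while default/ is replaced.
write_local_eventtype() {
    index="$1"
    ta_dir="$2"
    if [ "$index" = "CORRECTINDEX" ]; then
        echo "refusing to write the CORRECTINDEX placeholder" >&2
        return 1
    fi
    if ! valid_index_name "$index"; then
        echo "invalid Splunk index name: $index" >&2
        return 1
    fi
    mkdir -p "$ta_dir/local"
    printf '[jamf_protect]\nsearch = index=%s sourcetype="jamf:protect:alerts"\n' \
        "$index" > "$ta_dir/local/eventtypes.conf"
}

# resolved_index <ta_dir>
# Prints the index named in the effective [jamf_protect] search, reading
# local/eventtypes.conf first and default/eventtypes.conf as the fallback,
# which mirrors Splunk's precedence for these two layers.
resolved_index() {
    ta_dir="$1"
    for f in "$ta_dir/local/eventtypes.conf" "$ta_dir/default/eventtypes.conf"; do
        [ -f "$f" ] || continue
        idx=$(awk '
            /^\[/ { in_stanza = ($0 == "[jamf_protect]") }
            in_stanza && /^search[ \t]*=/ { print; exit }
        ' "$f" | sed -n 's/.*index=\([^ ]*\).*/\1/p')
        if [ -n "$idx" ]; then
            printf '%s\n' "$idx"
            return 0
        fi
    done
    return 1
}

# Demo against a constructed TA directory in a temp location (assumed layout:
# <ta_dir>/default/eventtypes.conf as shipped, <ta_dir>/local/ created here).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/default"
printf '[jamf_protect]\nsearch = index=CORRECTINDEX sourcetype="jamf:protect:alerts"\n' \
    > "$demo_dir/default/eventtypes.conf"
echo "before override: index=$(resolved_index "$demo_dir")"
write_local_eventtype jamf_protect_idx "$demo_dir"   # jamf_protect_idx is an assumed index name
echo "after override:  index=$(resolved_index "$demo_dir")"
rm -rf "$demo_dir"
```

On a real search head, point the second argument at $SPLUNK_HOME/etc/apps/TA-JamfProtect, restart Splunk afterwards, and confirm with splunk btool eventtypes list jamf_protect --debug that the search value is now reported from the local/ file.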