- Jamf Security Cloud CEF log extension saved in IBM QRadar
- Super Admin access to your organization in Jamf Security Cloud to retrieve the credentials for the AWS S3 bucket
- In QRadar, select Log Sources under the Data Sources section on the Admin tab.
- Click Add to add the new Jamf Security Cloud Log Source configuration.
- Enter the following values for the Jamf Security Cloud Log Source:
| Setting | Value |
| --- | --- |
| Log Source Name | WanderaSIEM |
| Log Source Type | Universal CEF |
| Protocol Configuration | Log File |
| Log Source Identifier | wandera |
| Service Type | AWS |
| Bucket Name | In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3 in the Streaming Target area. |
| AWS Access Key | In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3 in the Streaming Target area. |
| AWS Secret Key | In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3 in the Streaming Target area. |
| Remote Directory | / |
| FTP File Pattern | `*?\.txt\.gz` |
| Start Time | 12am |
| Recurrence | 15m |
| EPS Throttle | Enabled |
| Processor | GZIP |
| Ignore Previously Processed File(s) | Disabled |
| Change Local Directory? | Disabled |
| Event Generator | LINEBYLINE |
| File Encoding | UTF-8 |
| Enabled | Enabled |
| Credibility | 5 |
| Target Event Collector | Default |
| Coalescing Events | Disabled |
| Store Event Payload | Enabled |
| Log Source Extension | UniversalCEF_ext |
| Extension Use Condition | Parsing Enhancement |
| Groups | Enter the groups that you want Jamf Security Cloud to be a part of. |
- You can use QRadar's optimized AWS S3 REST API instead by entering the values in the following table:
Note: To use this feature you must have the Amazon AWS S3 REST API protocol configured for your QRadar account. If you do not have this, contact QRadar Support for access.
| Setting | Value |
| --- | --- |
| Log Source Name | WanderaSIEM |
| Log Source Type | Universal CEF |
| Protocol Configuration | Amazon AWS S3 REST API |
| Log Source Identifier | wandera |
| Signature Version | AWSSIGNATUREV4 |
| Region Name | eu-west-1 |
| Service Name | S3 |
| Bucket Name | In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3 in the Streaming Target area. |
| Endpoint URL | https://s3.amazonaws.com/ |
| AWS Access Key | In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3 in the Streaming Target area. |
| AWS Secret Key | In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3 in the Streaming Target area. |
| Directory Prefix | / |
| FTP File Pattern | `*?\.txt\.gz` |
| Event Format | LINEBYLINE |
| Use Proxy | Disabled |
| Automatically Acquire Server Certificates | No |
| Recurrence | 15M |
| EPS Throttle | 5000 |
| Enabled | Enabled |
| Credibility | 5 |
| Target Event Collector | Default |
| Coalescing Events | Disabled |
| Store Event Payload | Enabled |
| Log Source Extension | UniversalCEF_ext |
| Extension Use Condition | Parsing Enhancement |
| Groups | Enter the groups that you want Jamf Security Cloud to be a part of. |
- Click Save.
- Click Deploy Changes on the Admin tab.
The Status column for the newly created Jamf Security Cloud Log Source should display the value "Success", and security events should begin to populate the Log Activity view in QRadar.
If this does not happen within 1 hour, contact Jamf Support for assistance.
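Before contacting support, it is worth confirming that an export file in the bucket is something the log source above can actually consume. The following added Python script is not part of the Jamf or QRadar documentation; it mimics the log source pipeline (FTP File Pattern match, GZIP processor, UTF-8 decoding, LINEBYLINE event generation) and then parses each line as CEF so that a malformed file is caught locally. The sample export is constructed, not real Jamf output, and the file pattern is assumed to read `.*?\.txt\.gz`, since a regular expression cannot begin with `*?`.

```python
import gzip
import re

# Settings from the QRadar log source table. QRadar treats the file pattern as a
# regular expression; a leading "." is assumed here because "*?" cannot start one.
FILE_PATTERN = re.compile(r".*?\.txt\.gz")
FILE_ENCODING = "utf-8"

# An unescaped "|" separates the seven CEF header fields and the extension.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
# key=value pairs in the extension; a value runs until the next " key=" or end of line.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> dict:
    """Split one CEF event into header fields plus an 'ext' dict; raise on malformed input."""
    if not line.startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    parts = HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError(f"expected 7 header pipes, got {len(parts) - 1}")
    event = dict(zip(HEADER_KEYS, (p.replace(r"\|", "|") for p in parts[:7])))
    event["ext"] = {k: v for k, v in EXT_PAIR.findall(parts[7])}
    return event


def check_export(filename: str, blob: bytes) -> list:
    """Pattern match -> GZIP processor -> UTF-8 decode -> LINEBYLINE -> CEF parse."""
    if not FILE_PATTERN.fullmatch(filename):
        raise ValueError(f"{filename!r} does not match the FTP File Pattern")
    text = gzip.decompress(blob).decode(FILE_ENCODING)
    return [parse_cef(line) for line in text.splitlines() if line.strip()]


# Constructed sample export (not real Jamf output): two CEF lines, one with an escaped pipe.
SAMPLE_LINES = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Malicious URL blocked|7|"
    "suser=jdoe dvc=10.0.0.5 msg=blocked http://example.test/bad\n"
    "CEF:0|ExampleVendor|ExampleProduct|1.0|200|Risky \\| app installed|4|"
    "suser=asmith app=demo.app\n"
)
SAMPLE_BLOB = gzip.compress(SAMPLE_LINES.encode(FILE_ENCODING))

if __name__ == "__main__":
    for ev in check_export("threat-events-2024-01-01.txt.gz", SAMPLE_BLOB):
        print(ev["signature_id"], ev["name"], ev["severity"], ev["ext"])
```

Running it against a real file downloaded from the bucket (pass its name and bytes to check_export) tells you whether the pattern, compression, encoding and CEF framing match what the log source expects.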