Microsoft Sentinel

Jamf Protect Documentation


macOS Security data collected by the Jamf Protect Cloud can be forwarded to your organization's Microsoft Sentinel workspace.

For access to templates for curated workbooks, detailed endpoint and event data, and analytic rules for automated incident creation, install the Jamf Protect for Microsoft Sentinel integration on the Microsoft Azure Marketplace or in the Microsoft Sentinel Content Hub.

Requirements
  • Computers that are configured to send data (via an action configuration) to the Jamf Protect Cloud

  • Access to a Log Analytics workspace for Microsoft Sentinel

  1. In the Azure Marketplace, complete the following steps to obtain the values you need to configure and install the latest Jamf Protect for Microsoft Sentinel integration:
    1. From your Jamf Protect workspace, click Create.
    2. Select your subscription.
    3. Select your resource group.
    4. Under Instance Details, select the desired workspace.
    5. Review each of the configuration settings pages to ensure that your information is correct and that the information is for the correct workspace.
    6. Click Review and Create. The Microsoft Sentinel integration performs validation of the provided information.
    7. If validation is successful, click Create.

      The deployment may take a couple of minutes. Once the deployment is successful, you will receive a notification.

    8. When the deployment is complete, navigate to the Microsoft Sentinel service dashboard.
    9. Select the Jamf Protect workspace to view the Jamf Protect Microsoft Sentinel Overview page.
    10. Navigate to Content Hub.
    11. In the search bar, enter Jamf Protect and press Enter to search.
    12. Select the Jamf Protect content row.

      Information about the integration appears in the sidebar.

    13. In the sidebar, click Manage.

      The Content hub management screen displays information about the current integration as well as any configuration information that is missing.

    14. Click Jamf Protect Push Connector. The Data connector page appears.
    15. In the sidebar, click Open connector page.
    16. Click Deploy Jamf Protect connector resources.

      This may take a couple of minutes. You will see the values for the Push Connector repopulate with new custom values.

    17. Locate and note the following values, which you will need to copy and enter into Jamf Protect.
      • Tenant ID (Directory ID)

      • Entra Application ID

      • Entra Application Secret

      • DCE Uri

      • DCR Immutable ID

      • Any relevant stream ID (Telemetry, Alerts, Unified Logs)

  2. In Jamf Protect, click Administrative > Data.
  3. Enable the Microsoft Sentinel toggle to allow data forwarding.
  4. Enter or paste the values previously obtained from the Azure Marketplace Microsoft Sentinel application into their corresponding fields within Jamf Protect.
    Note:

    The DCR Immutable ID is the same for all streams (Alerts/Unified Logs/Telemetry).

  5. Click Save.

Any data that is sent to the Jamf Protect Cloud will now be forwarded to Microsoft Sentinel.
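
The values noted in step 17 can be sanity-checked before they are pasted into Jamf Protect, which catches common copy errors such as pasting the secret ID instead of the secret value. The following Python script is an added example, not Jamf or Microsoft code; it assumes the push connector uses the Azure Monitor Logs Ingestion API in the Azure public cloud, and the dictionary keys, function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DCR_ID = re.compile(r"^dcr-[0-9a-fA-F]{32}$")

def check_sentinel_values(v):
    """Return a list of problems with the noted values; an empty list means they look plausible."""
    problems = []
    flat = {k: s for k, s in v.items() if isinstance(s, str)}
    flat.update({f"stream[{n}]": s for n, s in v["streams"].items()})
    for key, val in flat.items():
        if val != val.strip():
            problems.append(f"{key}: stray whitespace from copy and paste")
    c = {k: s.strip() for k, s in flat.items()}
    for key in ("tenant_id", "app_id"):
        if not GUID.match(c[key]):
            problems.append(f"{key}: not a GUID")
    if GUID.match(c["app_secret"]):
        problems.append("app_secret: is a GUID, likely the secret ID rather than the secret value")
    if not DCR_ID.match(c["dcr_immutable_id"]):
        problems.append("dcr_immutable_id: expected 'dcr-' plus 32 hex characters")
    dce = urlparse(c["dce_uri"])
    if dce.scheme != "https" or not (dce.hostname or "").endswith(".ingest.monitor.azure.com"):
        problems.append("dce_uri: expected https://<name>.<region>.ingest.monitor.azure.com")
    for key in (k for k in c if k.startswith("stream[")):
        if not c[key].startswith("Custom-"):  # assumption: streams are custom DCR streams
            problems.append(f"{key}: custom stream names start with 'Custom-'")
    return problems

def ingestion_url(v, stream):
    """Logs Ingestion API endpoint that records for one stream are POSTed to."""
    return (f"{v['dce_uri'].strip().rstrip('/')}/dataCollectionRules/"
            f"{v['dcr_immutable_id'].strip()}/streams/{v['streams'][stream].strip()}"
            "?api-version=2023-01-01")

# Constructed sample values, not real identifiers.
SAMPLE = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "app_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "app_secret": "constructed~secret.value_not_real",
    "dce_uri": "https://example-dce-ab12.westeurope-1.ingest.monitor.azure.com",
    "dcr_immutable_id": "dcr-0123456789abcdef0123456789abcdef",
    "streams": {"alerts": "Custom-example_alerts", "telemetry": "Custom-example_telemetry"},
}

if __name__ == "__main__":
    print(check_sentinel_values(SAMPLE) or "values look plausible")
    print(ingestion_url(SAMPLE, "alerts"))
```

The script only checks format and never sends the secret anywhere; keep real values out of source control and shell history when adapting it.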

If you are using the Jamf Security Cloud portal, you can also configure Jamf Security Cloud to send events to Microsoft Sentinel. For more information, see Configuring a Jamf Security Cloud Data Stream Using Microsoft Sentinel.