Importing Jamf Security Cloud Events into Splunk

Jamf Protect Documentation


To import Jamf Security Cloud events from the AWS S3 bucket, you must make changes to your Splunk AWS inputs.conf file.

Requirements

Confirm that the following file exists on your Splunk instance: $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf. If it does not, you must create it before beginning this process.

  1. Create a new stanza based on the following template:
    [aws_s3://WanderaS3Bucket]
    is_secure = true
    host_name = s3-eu-west-1.amazonaws.com
    aws_account = <Configuration_AWS_Account_Name>
    bucket_name = <AWS_S3_Bucket_URL>
    polling_interval = 1800
    key_name = 
    recursion_depth = -1
    max_items = 10000
    max_retries = 100
    character_set = UTF-8
    disabled = 0
    ct_blacklist = ^$
    initial_scan_datetime = default
    interval = 30
    sourcetype = aws:s3
  2. Set the aws_account and bucket_name values as follows:
    • aws_account: Jamf
    • bucket_name: The URL of the AWS S3 bucket. In Jamf Security Cloud, navigate to Integrations > Data Streams, select Threat Events Stream, then click AWS S3.

    If you want to make further changes to the values in this file, consult the Configure Generic S3 inputs for the Splunk Add-on for AWS documentation from Splunk.

  3. Save the changes to the file.

The new input appears on the Inputs list. Splunk will silently monitor, import, and index new events as soon as they appear on the S3 bucket.
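As an added example that is not part of the Jamf documentation, the following standard-library Python check parses an inputs.conf, picks out the aws_s3:// stanzas, and flags any that still carry the template placeholders or hold settings (is_secure, disabled) that would stop or weaken the input before you save the file. The embedded stanza is the template from step 1, constructed here as sample input; the account and bucket values used in the usage call are placeholders, not real ones.

```python
import configparser
from typing import Dict, List

# Constructed sample: the step-1 template with the two values the
# procedure tells you to fill in still left as placeholders.
SAMPLE_INPUTS_CONF = """
[aws_s3://WanderaS3Bucket]
is_secure = true
host_name = s3-eu-west-1.amazonaws.com
aws_account = <Configuration_AWS_Account_Name>
bucket_name = <AWS_S3_Bucket_URL>
polling_interval = 1800
key_name =
recursion_depth = -1
max_items = 10000
max_retries = 100
character_set = UTF-8
disabled = 0
ct_blacklist = ^$
initial_scan_datetime = default
interval = 30
sourcetype = aws:s3
"""

# Keys the S3 input cannot work without (assumption for this check).
REQUIRED_KEYS = ("aws_account", "bucket_name", "host_name", "sourcetype")


def load_s3_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf text and return only the aws_s3:// stanzas."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()
            if name.startswith("aws_s3://")}


def check_stanza(values: Dict[str, str]) -> List[str]:
    """Return the problems found in one stanza; empty means it looks ready."""
    problems = []
    for key in REQUIRED_KEYS:
        if not values.get(key, "").strip():
            problems.append(f"missing or empty {key}")
    for key, value in values.items():
        if value.strip().startswith("<") and value.strip().endswith(">"):
            problems.append(f"{key} still holds the template placeholder {value}")
    if values.get("is_secure", "").lower() != "true":
        problems.append("is_secure is not true, so the bucket is not polled over TLS")
    if values.get("disabled", "0").strip() != "0":
        problems.append("disabled is not 0, so Splunk will not poll the bucket")
    return problems


if __name__ == "__main__":
    for name, values in load_s3_stanzas(SAMPLE_INPUTS_CONF).items():
        print(name, check_stanza(values) or "OK")
```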