Jamf Protect search and visualization examples

Jamf Protect documentation


This section contains example search and visualization pairs that you can use as a starting point for displaying data in dashboards.

The following examples use searches built on data collected by the Jamf Protect add-on for Splunk.

For more information about Splunk dashboards, see Splunk Dashboards and Visualizations.

Logs and alerts by event type

Search:
eventtype="jamf_protect" input.host.hostname="*" severity_id>0
| dedup id
| stats count by event_name
| rename
    event_name AS "Event",
    count AS "Count"
| replace
    "GPDownloadEvent" with "Download Event",
    "GPFSEvent" with "File System Event",
    "GPGatekeeperEvent" with "Gatekeeper Event",
    "GPPreventedExecutionEvent" with "Custom Prevention",
    "GPProcessEvent" with "Process Event",
    "GPThreatMatchExecEvent" with "Threat Prevention",
    "auth-mount" with "Device Controls",
    "GPClickEvent" with "Synthetic Click Event",
    "GPUSBEvent" with "USB Event"
    in Event

Number of detected analytics

Search:
source="http:Jamf Protect"
| stats count by input.eventType, input.match.facts{}.name
| rename
    input.eventType AS "Event Type",
    input.match.facts{}.name AS "Event",
    count AS "Count"
| sort Count desc
| head 10

Top 10 event types, broken down by detection

Search:
eventtype=jamf_protect_alerts input.host.hostname="*" event_name!="GPUnifiedLogEvent"
| dedup id
| stats count by event_name, detection_name
| rename
    event_name AS "Event Type",
    detection_name AS "Event",
    count AS "Count"
| sort Count desc
| head 10

Executables blocked by Gatekeeper

Search:
source="http:Jamf Protect" input.eventType="GPGatekeeperEvent"
| stats count by input.match.facts{}.name, input.match.event.path
| rename
    input.match.facts{}.name AS "Block Type",
    input.match.event.path AS "Executable"
| head 10
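The searches above all follow the same pipeline shape: filter, optionally dedup by id, stats count by one or more fields, rename and relabel, then sort and head. The example below is an added offline re-implementation of that pipeline in Python, written for this page and not taken from Jamf or Splunk; it is useful for reasoning about what a panel will show before indexing real data, for example why "| stats count by input.match.facts{}.name" yields one row per fact when an alert matches several facts, and why a search without "dedup id" double-counts an alert that was indexed twice. The sample events, their ids, hostnames, paths and severity values are constructed for the example; the field paths are the ones used in the searches, and the "{}" array notation is handled the way Splunk expands a JSON array into a multivalue field.

```python
"""Offline model of the Jamf Protect dashboard searches (added example, not vendor code)."""
from collections import Counter
from itertools import product

# Friendly labels copied from the "replace" clause of the first search.
EVENT_LABELS = {
    "GPDownloadEvent": "Download Event",
    "GPFSEvent": "File System Event",
    "GPGatekeeperEvent": "Gatekeeper Event",
    "GPPreventedExecutionEvent": "Custom Prevention",
    "GPProcessEvent": "Process Event",
    "GPThreatMatchExecEvent": "Threat Prevention",
    "auth-mount": "Device Controls",
    "GPClickEvent": "Synthetic Click Event",
    "GPUSBEvent": "USB Event",
}

# Constructed sample events (not real telemetry). The repeated id "a1" simulates an
# alert that was indexed twice, which "| dedup id" collapses and a plain stats does not.
SAMPLE_EVENTS = [
    {"id": "a1", "severity_id": 2, "input": {"host": {"hostname": "mac-01"},
        "eventType": "GPGatekeeperEvent",
        "match": {"facts": [{"name": "GatekeeperBlockedExecution"}],
                  "event": {"path": "/Users/demo/Downloads/Installer.app"}}}},
    {"id": "a1", "severity_id": 2, "input": {"host": {"hostname": "mac-01"},
        "eventType": "GPGatekeeperEvent",
        "match": {"facts": [{"name": "GatekeeperBlockedExecution"}],
                  "event": {"path": "/Users/demo/Downloads/Installer.app"}}}},
    {"id": "a2", "severity_id": 3, "input": {"host": {"hostname": "mac-02"},
        "eventType": "GPThreatMatchExecEvent",
        "match": {"facts": [{"name": "ThreatMatch"}, {"name": "KnownMalware"}],
                  "event": {"path": "/tmp/payload"}}}},
    {"id": "a3", "severity_id": 0, "input": {"host": {"hostname": "mac-02"},
        "eventType": "GPProcessEvent",
        "match": {"facts": [{"name": "ProcessStarted"}],
                  "event": {"path": "/usr/bin/true"}}}},
]


def get_field(event, path):
    """Resolve a Splunk-style dotted path. A segment ending in '{}' expands a JSON
    array into its elements (Splunk's multivalue field). Always returns a list."""
    values = [event]
    for seg in path.split("."):
        is_array = seg.endswith("{}")
        key = seg[:-2] if is_array else seg
        nxt = []
        for v in values:
            child = v.get(key) if isinstance(v, dict) else None
            if child is None:
                continue
            nxt.extend(child if is_array and isinstance(child, list) else [child])
        values = nxt
    return values


def dedup(events, key="id"):
    """Keep the first event per key value, like '| dedup id'."""
    seen, out = set(), []
    for e in events:
        k = get_field(e, key)
        k = k[0] if k else None
        if k in seen:
            continue
        seen.add(k)
        out.append(e)
    return out


def stats_count_by(events, fields):
    """'| stats count by f1, f2': one row per value combination. A multivalue field
    contributes one row per value, which is how Splunk treats facts{}.name."""
    counts = Counter()
    for e in events:
        cols = [get_field(e, f) for f in fields]
        if any(not c for c in cols):
            continue  # Splunk drops events that lack a 'by' field
        for combo in product(*cols):
            counts[combo] += 1
    return counts


def top(counts, n=10):
    """'| sort Count desc | head n' (stable sort keeps insertion order on ties)."""
    return sorted(counts.items(), key=lambda kv: -kv[1])[:n]


def events_by_type(events, min_severity=1):
    """First search: severity_id>0, dedup id, count by event type, friendly labels."""
    filtered = [e for e in events if e.get("severity_id", 0) >= min_severity]
    counts = stats_count_by(dedup(filtered), ["input.eventType"])
    return {EVENT_LABELS.get(k[0], k[0]): v for k, v in counts.items()}


def detections(events):
    """Second search: count by event type and each matched fact name, top 10."""
    return top(stats_count_by(events, ["input.eventType", "input.match.facts{}.name"]))


def gatekeeper_blocks(events):
    """Last search: Gatekeeper events by block type and path; no dedup, as in the SPL."""
    gk = [e for e in events if get_field(e, "input.eventType") == ["GPGatekeeperEvent"]]
    return top(stats_count_by(gk, ["input.match.facts{}.name", "input.match.event.path"]))


if __name__ == "__main__":
    print(events_by_type(SAMPLE_EVENTS))
    print(detections(SAMPLE_EVENTS))
    print(gatekeeper_blocks(SAMPLE_EVENTS))
```

With the sample data, the deduplicated event-type panel reports one Gatekeeper Event and one Threat Prevention, the detections panel shows two rows for the single threat-match alert (one per fact), and the Gatekeeper panel, which has no dedup step, counts the duplicated alert twice. If a panel on a real dashboard looks inflated, checking whether its search dedups on id is the first thing to verify.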