Why is it important for Threat Hunting?
Jamf is the most prominent way to manage macOS devices in an enterprise organization. As such, logs pulled from the Jamf API provide important information about the organization's macOS devices, which is all the more important because these macOS endpoints are usually not part of a managed Active Directory network (as opposed to Windows enterprise fleets).
For example, the Jamf Computers API allows establishing a contextual list of all endpoints belonging to the organization, which enables detection of access to organizational resources or SaaS applications done from an unmanaged device.
Additional important contextual information pulled from the Jamf API includes user lists, policies, managed scripts, network segments and more.
Supported data types
- Mac Applications
- Network Segments
Sending data to Hunters
To integrate your Jamf instance with Hunters, follow these steps to create an appropriate user and an API key.
- Log in to Jamf and go to the Settings section
- Go to Accounts
It can be found in the All Settings or System Settings tabs, under Jamf Pro User Accounts & Groups
- Add new user
- Choose Create Account
Select Create Standard Account and then click Next
- Fill out the new user account form
Please make sure that:
a. Access level is Full Access
b. Privilege Set is Auditor
c. Access Status is Enabled
Copy the Username and Password for the next stage and click Save
- Generate Authentication Key - generate a basic authentication token by encoding
<username>:<password> in Base64, using the username and password from the last step.
One way to do it is to open a (macos or linux) terminal and run this command:
echo -n "username:password" | base64
- Get API domain
Copy the API host address from your browser address bar while in the Jamf console
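As an added example (not part of this page and not Hunters' or Jamf's own tooling), the last two steps in Python: reducing whatever was copied from the address bar to the bare API host, producing the same Base64 token as the echo command, and checking the token before it is handed over. The endpoint path in the sample request is an assumption for illustration; the credentials and tenant name are constructed.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request


def jamf_api_host(address_bar_url: str) -> str:
    """Strip scheme, path and query from a pasted console URL, leaving the host."""
    url = address_bar_url if "://" in address_bar_url else "https://" + address_bar_url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host found in %r" % address_bar_url)
    return host.lower()


def basic_auth_token(username: str, password: str) -> str:
    """Same result as `echo -n "username:password" | base64` (no trailing newline)."""
    if ":" in username:
        raise ValueError("HTTP Basic usernames cannot contain ':'")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def check_token(token: str) -> tuple:
    """Decode a token back to (username, password).

    Rejects the common mistake of running echo without -n, which bakes a
    trailing newline into the credentials and makes every API call fail 401.
    """
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    if raw.endswith("\n"):
        raise ValueError("token contains a trailing newline (echo without -n)")
    user, sep, pwd = raw.partition(":")
    if not sep:
        raise ValueError("token is not of the form username:password")
    return user, pwd


def prepare_request(api_host: str, token: str, path: str) -> Request:
    """Build (but do not send) a request carrying the Basic header; HTTPS only."""
    req = Request(f"https://{api_host}{path}", method="GET")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample values: not a real tenant, not real credentials.
    host = jamf_api_host("https://acme.jamfcloud.com/computers.html?id=42")
    tok = basic_auth_token("hunters-auditor", "S3cret!pass")
    print(host, tok, check_token(tok))
    # Assumed path for illustration only; not taken from this page.
    print(prepare_request(host, tok, "/JSSResource/computers").full_url)
```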