You can forward data collected by the Jamf Protect Cloud to an Amazon S3 bucket.
- Computers that are configured to send data (via an action configuration) to the Jamf Protect Cloud.
- An Amazon S3 bucket to store your Jamf Protect data
- An identity access management (IAM) role with the following:
- Permission to upload Jamf Protect data to an Amazon S3 bucket
- Jamf's AWS account as a trusted entity.
Creating an Amazon S3 Bucket.
- In the AWS console, select Create new S3 bucket. You may also choose to use an existing S3 bucket.
- Provide a name for AWS KMS alias or choose an existing AWS KMS Key.
- Leave the other settings as default and click Next.
- Choose Event type, add Data events as required, and click Next.
- Review the settings in Review and create and click Create trail.
- In the AWS console, search for "Amazon S3 Buckets".
- Click the newly created log bucket and select the folder AWS Logs. Then click Copy S3 URI and save it for use in the following steps.
Forwarding Jamf Protect logs to S3 bucket.
- In Jamf Protect, click Administrative > Data
- Use the Amazon S3 Forwarding switch to enable data forwarding.
- Select the Encrypt Forwarded Data checkbox to ensure all data forwarded from the Jamf Protect Cloud is encrypted.
- Enter the name of an Amazon S3 bucket to send data to.
- (Optional) Enter a prefix name to use for all forwarded Jamf Protect data objects.
- Enter the IAM Role that Jamf Protect will assume when it forwards data to your Amazon S3 bucket. This value should be in Amazon Resource Name (ARN) format.
Configuring a feed in Chronicle Instance
To configure a feed in Chronicle,
- From your Chronicle instance page, select Settings from the main menu at top left of your screen.
2. Click on Feeds where you can find the data feeds that you have configured as well as the default feeds that Google provided.
3. From the Feeds page, click ADD NEW at top of the screen. The ADD FEED window appears.
4. In Set Properties tab, select SOURCE TYPE as from the dropdown menu.
5. Select the Log Type as Jamf Protect from the dropdown menu.
6. Click Next.
7.In Input Parameters tab, paste the region, S3 URI, Access Key ID & Secret key that you copied from configuration tab of a storage bucket
8. Click Next.
9. In Finalize tab, click Submit. Jamf Protect logs have been ingested successfully.