Update Jamf Protect instructions (#2542)
* Update Jamf Protect instructions

* Apply suggestions from code review

* Fix typo
estherk15 authored Nov 26, 2024
1 parent ff5d0c0 commit b31b102
Showing 1 changed file with 100 additions and 100 deletions.
200 changes: 100 additions & 100 deletions jamf_protect/README.md
Expand Up @@ -7,146 +7,138 @@ Jamf Protect not only detects known malware, adware, but also prevents unknown t

## Setup

### Installation

Navigate to the [Integrations page][6] and search for the "Jamf Protect" tile.
### Prerequisites

- Datadog intake URL. Use the [Datadog API Logs documentation][7] and select your Datadog Site at the top of the page.
- Your [Datadog API and App keys][10].

### Determine your Datadog Intake URL

Using the [Datadog API Logs documentation][7], determine what your intake URL is by selecting your [Datadog Site][8] on the top right corner.
### Installation

Navigate to the [Integrations page][6] and search for the "Jamf Protect" tile.

### macOS Security Portal
1. Click **Actions**.
2. Click **Create Actions**.
3. **Name:** Datadog.
4. Click **Remote Alert Collection Endpoints**.

a. **URL:** `https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=alerts`
1. In Jamf Protect, click **Actions**.
2. Click **Create Actions**.
3. In the *Action Config Name* field, enter a name (such as `Datadog`).
4. (Optional) To collect alerts, click **Remote Alert Collection Endpoints** and add the following:

b. Set **Min Severity & Max Severity:**
a. **URL:** `https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=alerts`

c. Click **+ Add HTTP Header**.
```
i. Name: DD-API-KEY
ii. Value: <API_Key>
```
d. Click **+ Add HTTP Header**.
```
i. Name: DD-APPLICATION-KEY
ii. Value: <APPLICATION_KEY>
```
b. Set **Min Severity & Max Severity**.

5. Click **+ Unified Logs Collection Endpoints**.
c. Click **+ Add HTTP Header** twice and add the following HTML header fields:
```
Name: DD-API-KEY
Value: <API_Key>
```
```
Name: DD-APPLICATION-KEY
Value: <APPLICATION_KEY>
```
a. **URL:** `https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=unifiedlogs`
5. (Optional) To collect unified logs, click **+ Unified Logs Collection Endpoints** and add the following.
b. Click + **Add HTTP Header**.
```
i. Name: DD-API-KEY
ii. Value: <API_Key>
```
a. **URL:** `https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=unifiedlogs`
c. Click **+ Add HTTP Header**.
```
i. Name: DD-APPLICATION-KEY
ii. Value: <APPLICATION_KEY>
```
b. Click **+ Add HTTP Header** twice and add the following HTML header fields.
```
Name: DD-API-KEY
Value: <API_Key>
```
```
Name: DD-APPLICATION-KEY
Value: <APPLICATION_KEY>
```
6. Click **+ Telemetry Collection Endpoints**.
6. (Optional) To collect telemetry data, click **+ Telemetry Collection Endpoints**.
a. **URL:** `https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=telemetry`
b. Click **+ Add HTTP Header**.
```
i. Name: DD-API-KEY
ii. Value: <API_Key>
```
c. Click **+ Add HTTP Header**.
```
i. Name: DD-APPLICATION-KEY
ii. Value: <APPLICATION_KEY>
```
7. Click **Save**.
### Jamf Security Cloud
1. Click **Integrations** in the Threat Events Stream.
2. Click **Data Streams**.
3. Click **New Configuration**.
4. Select **Threat Events**.
a. Select **Generic HTTP**.
5. Click **Continue**.
a. **Configuration** **Name:** Datadog (Threat)
b. **Protocol:** **HTTPS**
c. **Server** **Hostname/IP:** `${DATADOG_INTAKE_URL}`
d. **Port:** **443**
e. **Endpoint:** `api/v2/logs?ddsource=jamfprotect&service=threatevents`
f. **Additional Headers:**
i. **Header Name:** DD-API-KEY
b. Click **+ Add HTTP Header** twice and add the following HTML header fields.
```
Name: DD-API-KEY
Value: <API_Key>
```
```
Name: DD-APPLICATION-KEY
Value: <APPLICATION_KEY>
```
7. Click **Save**.
### Update your plan to use configured Actions
1. Click **Plans**.
1. Find the plan assigned to devices.
1. Click **Edit** next to the name of the plan.
1. Select the Action from the *Action Configuration* dropdown menu. This is the Action config name that contains the Datadog configuration.
1. Click **Save**.
### (Optional) Jamf Security Cloud
1. Click **Integrations** in the Threat Events Stream.
2. Click **Data Streams**.
3. Click **New Configuration**.
4. Select **Threat Events**.
5. Select **Generic HTTP**.
6. Click **Continue**.
| **Configuration** | **Details** |
|--------------------------|-------------------------------------|
| **Name** | Datadog (Threat) |
| **Protocol** | HTTPS |
| **Server Hostname/IP** | `${DATADOG_INTAKE_URL}` |
| **Port** | 443 |
| **Endpoint** | `api/v2/logs?ddsource=jamfprotect&` |
6. Click **Create option "DD-API-KEY"**.
7. Click **Create option "DD-API-KEY"**.
```
i. **Header Value:** <API_Key>
ii. **Header Name**: DD-APPLICATION-KEY
Header Value: <API_Key>
Header Name: DD-APPLICATION-KEY
```
7. Click **Create option "DD-APPLICATION-KEY"**.
8. Click **Create option "DD-APPLICATION-KEY"**.
```
iii. **Header Value:** <APPLICATION_KEY>
Header Value: <APPLICATION_KEY>
```
1. Click **Test Configuration**.
9. Click **Test Configuration**.
10. If successful, click **Create Configuration**.
2. If successful, click **Create Configuration**.
### (Optional) Network Traffic Stream
### Network Traffic Stream
1. Click **Integrations**.
2. Click **Data Streams**.
3. Click **New Configuration**.
4. Select **Threat Events**.
1. Click **Integrations**.
2. Click **Data Streams**.
3. Click **New Configuration**.
4. Select **Threat Events**.
a. Select **Generic HTTP**.
5. Select **Generic HTTP**.
5. Click **Continue**.
a. **Configuration** **Name:** Datadog (Threat)
6. Click **Continue**.
a. **Configuration Name:** Datadog (Threat)
b. **Protocol:** **HTTPS**
b. **Protocol:** **HTTPS**
c. **Server** **Hostname/IP:** `${DATADOG_INTAKE_URL}`
c. **Server** **Hostname/IP:** `${DATADOG_INTAKE_URL}`
d. **Port:** **443**
d. **Port:** **443**
e. **Endpoint:** `api/v2/logs?ddsource=jamfprotect&service=networktraffic`
1. **Additional Headers:**
f. **Additional Headers:**
i. **Header Name:** DD-API-KEY
1. Click **Create option "DD-API-KEY"**.
1. Click **Create option "DD-API-KEY"**.
ii. **Header Value:** <API_Key>
ii. **Header Value:** <API_Key>
i. Header Name: DD-APPLICATION-KEY
iv. Click **Create option "DD-APPLICATION-KEY"**.
iv. Click **Create option "DD-APPLICATION-KEY"**.
i. Header Value: <APPLICATION_KEY>
6. Click **Test Configuration**.
7. If successful, click **Create Configuration**.
7. Click **Test Configuration**.
8. If successful, click **Create Configuration**.
### Validation
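Review bot: In the Jamf Security Cloud table, the Endpoint row reads `api/v2/logs?ddsource=jamfprotect&` and ends on a bare `&`; the list it replaces had `api/v2/logs?ddsource=jamfprotect&service=threatevents`, so the `service` tag is lost for threat events. Restore the full value in the table cell. Separately, the three "Click **+ Add HTTP Header** twice" steps tell the reader to add "HTML header fields"; these are HTTP headers, as the button name itself says. In the Network Traffic Stream steps, step 4 still says "Select **Threat Events**" and the configuration name is "Datadog (Threat)" although the endpoint uses `service=networktraffic`; please confirm whether that is intended or carried over from the section above.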
Expand Down Expand Up @@ -174,6 +166,12 @@ Jamf Protect does not include any events.
Need help? Contact [Datadog support][3].
## Further Reading
Additional helpful documentation, links, and articles:
[Jamf Documentation Integrating Datadog with Jamf Protect][9]
[1]: https://www.jamf.com/products/jamf-protect/
[2]: https://app.datadoghq.com/account/settings/agent/latest
[3]: https://docs.datadoghq.com/help/
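Review bot: The Further Reading entry `[Jamf Documentation Integrating Datadog with Jamf Protect][9]` follows "Additional helpful documentation, links, and articles:" as a bare line rather than a list item, and its label runs the source name and the page title together. Consider `- [Integrating Datadog with Jamf Protect][9] (Jamf documentation)` so it renders as a list and reads cleanly.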
Expand All @@ -182,3 +180,5 @@ Need help? Contact [Datadog support][3].
[6]: https://app.datadoghq.com/integrations
[7]: https://docs.datadoghq.com/api/latest/logs/#send-logs
[8]: https://docs.datadoghq.com/getting_started/site/
[9]: https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/SecurityIntegration_Datadog.html
[10]: https://docs.datadoghq.com/account_management/api-app-keys/
