{ "name": "jamf_protect", "title": "Jamf Protect", "version": "3.1.0", "release": "ga", "description": "Receives events from Jamf Protect with Elastic Agent.", "type": "integration", "download": "/epr/jamf_protect/jamf_protect-3.1.0.zip", "path": "/package/jamf_protect/3.1.0", "icons": [ { "src": "/img/jamf_logo.svg", "path": "/package/jamf_protect/3.1.0/img/jamf_logo.svg", "title": "Jamf Logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.16.5 || ^9.0.0" } }, "owner": { "type": "partner", "github": "elastic/security-service-integrations" }, "categories": [ "security" ], "signature_path": "/epr/jamf_protect/jamf_protect-3.1.0.zip.sig", "format_version": "3.0.3", "readme": "/package/jamf_protect/3.1.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/jamfprotect_kibana.png", "path": "/package/jamf_protect/3.1.0/img/jamfprotect_kibana.png", "title": "Jamf Protect Kibana", "size": "1800x1138", "type": "image/png" }, { "src": "/img/jamfprotect_telemetry_kibana1.png", "path": "/package/jamf_protect/3.1.0/img/jamfprotect_telemetry_kibana1.png", "title": "Jamf Protect Kibana - Telemetry", "size": "2035x1281", "type": "image/png" }, { "src": "/img/jamfprotect_telemetry_kibana2.png", "path": "/package/jamf_protect/3.1.0/img/jamfprotect_telemetry_kibana2.png", "title": "Jamf Protect Kibana - Telemetry", "size": "2035x1281", "type": "image/png" } ], "assets": [ "/package/jamf_protect/3.1.0/LICENSE.txt", "/package/jamf_protect/3.1.0/changelog.yml", "/package/jamf_protect/3.1.0/manifest.yml", "/package/jamf_protect/3.1.0/validation.yml", "/package/jamf_protect/3.1.0/docs/README.md", "/package/jamf_protect/3.1.0/img/jamf_logo.svg", "/package/jamf_protect/3.1.0/img/jamfprotect_kibana.png", "/package/jamf_protect/3.1.0/img/jamfprotect_telemetry_kibana1.png", "/package/jamf_protect/3.1.0/img/jamfprotect_telemetry_kibana2.png", "/package/jamf_protect/3.1.0/data_stream/alerts/manifest.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/sample_event.json", "/package/jamf_protect/3.1.0/data_stream/telemetry/manifest.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/sample_event.json", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/manifest.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/sample_event.json", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/manifest.yml", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/sample_event.json", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/manifest.yml", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/sample_event.json", "/package/jamf_protect/3.1.0/kibana/dashboard/jamf_protect-d23dda91-658e-4ab0-8e06-b42ce435e473.json", "/package/jamf_protect/3.1.0/kibana/dashboard/jamf_protect-e9b86210-c65c-11ee-882f-57f79af43d7f.json", "/package/jamf_protect/3.1.0/kibana/tag/jamf_protect-security-solution-default.json", "/package/jamf_protect/3.1.0/data_stream/alerts/fields/agent.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/fields/base-fields.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/fields/ecs.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/fields/fields.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/fields/agent.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/fields/base-fields.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/fields/ecs.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/fields/fields.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/fields/agent.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/fields/base-fields.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/fields/fields.yml", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/fields/agent.yml", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/fields/base-fields.yml", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/fields/ecs.yml", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/fields/agent.yml", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/fields/base-fields.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/agent/stream/aws-s3.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/alerts/agent/stream/http_endpoint.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/elasticsearch/ingest_pipeline/gpunifiedlogevent.yml", "/package/jamf_protect/3.1.0/data_stream/alerts/elasticsearch/ingest_pipeline/gpusbevent.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/agent/stream/aws-s3.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/telemetry/agent/stream/http_endpoint.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_authentication.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_bios_uefi.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_add.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_btm_launch_item_remove.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_cs_invalidated.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_file_collection.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_gatekeeper_user_override.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextload.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_kextunload.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_log_collection.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_login.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_login_logout.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_lock.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_login.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_logout.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_lw_session_unlock.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_mount.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_network_connect.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_set.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_add.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_attribute_value_remove.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_group.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_create_user.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_group.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_delete_user.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_disable_user.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_enable_user.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_add.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_remove.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_group_set.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_od_modify_password.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_login.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_openssh_logout.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_add.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_profile_remove.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_pty_close.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_pty_grant.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_remount.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_attach.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_screensharing_detach.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_settime.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_su.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_sudo.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_tcc_modify.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_unmount.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_detected.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_xp_malware_remediated.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_instigator_object.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_object_process.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/agent/stream/aws-s3.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/agent/stream/http_endpoint.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_session.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_identity_object.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_process_object.yml", "/package/jamf_protect/3.1.0/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/agent/stream/aws-s3.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/agent/stream/http_endpoint.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/agent/stream/aws-s3.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/agent/stream/http_endpoint.yml.hbs", "/package/jamf_protect/3.1.0/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "Jamf Protect", "title": "Jamf Protect events", "description": "Receive Jamf Protect events.", "inputs": [ { "type": "http_endpoint", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "0.0.0.0" }, { "name": "secret_header", "type": "text", "title": "Secret Header", "description": "The header to check for a specific value specified by `secret.value`.", "multi": false, "required": false, "show_user": false }, { "name": "secret_value", "type": "password", "title": "Secret Value", "description": "The secret stored in the header name specified by `secret.header`.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "TLS", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "enabled: false\ncertificate: \"/etc/pki/client/cert.pem\"\nkey: \"/etc/pki/client/cert.key\"\n" } ], "title": "Receive Jamf Protect Events via HTTP Endpoint", "description": "Receiving Jamf Protect events." }, { "type": "aws-s3", "vars": [ { "name": "collect_s3_logs", "type": "bool", "title": "Collect logs via S3 Bucket", "description": "To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "bucket_arn", "type": "text", "title": "[S3] Bucket ARN", "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set an Access Point ARN. In case both configurations are added, this one takes precedence.", "multi": false, "required": false, "show_user": true }, { "name": "access_point_arn", "type": "text", "title": "[S3] Access Point ARN", "description": "ARN of the AWS S3 Access Point that will be polled for list operation. Mandatory if the \"Collect logs via S3 Bucket\" switch is on. It is a required parameter for collecting logs via the AWS S3 Bucket unless you set a Bucket ARN.", "multi": false, "required": false, "show_user": true }, { "name": "global_bucket_name", "type": "text", "title": "[Global][S3] Jamf Protect Bucket Name", "description": "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN and Access Point ARN with a Bucket Name for collecting logs from Jamf Protect or another 3rd party S3-compatible service. This is a global setting which can be overriden by specific local bucket names for each data stream if required.\nUsing non-AWS S3 compatible buckets requires the use of Access Key ID and Secret Access Key for authentication. To specify the non-AWS S3 bucket name, use the non_aws_bucket_name config and the endpoint must be set to replace the default API endpoint.", "multi": false, "required": false, "show_user": true }, { "name": "access_key_id", "type": "password", "title": "Access Key ID", "description": "First part of access key.", "multi": false, "required": false, "show_user": true }, { "name": "secret_access_key", "type": "password", "title": "Secret Access Key", "description": "Second part of access key.", "multi": false, "required": false, "show_user": true }, { "name": "session_token", "type": "password", "title": "Session Token", "description": "Required when using temporary security credentials.", "multi": false, "required": false, "show_user": true }, { "name": "shared_credential_file", "type": "text", "title": "Shared Credential File", "description": "Directory of the shared credentials file.", "multi": false, "required": false, "show_user": false }, { "name": "credential_profile_name", "type": "text", "title": "Credential Profile Name", "description": "Profile name in shared credentials file.", "multi": false, "required": false, "show_user": false }, { "name": "role_arn", "type": "text", "title": "Role ARN", "description": "AWS IAM Role to assume.", "multi": false, "required": false, "show_user": false }, { "name": "endpoint", "type": "text", "title": "Endpoint", "description": "URL of the entry point for an AWS web service.", "multi": false, "required": false, "show_user": false, "default": "" }, { "name": "default_region", "type": "text", "title": "Default AWS Region", "description": "Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated.", "multi": false, "required": false, "show_user": false, "default": "" }, { "name": "fips_enabled", "type": "bool", "title": "Enable S3 FIPS", "description": "Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false } ], "title": "Collect Jamf Protect events via AWS S3, AWS SQS.", "description": "Collecting Jamf Protect events via AWS S3, AWS SQS." } ], "multiple": true } ], "data_streams": [ { "type": "logs", "dataset": "jamf_protect.alerts", "title": "Receives Alerts from Jamf Protect with Elastic Agent.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "http_endpoint", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The port number the listener binds to.", "multi": false, "required": true, "show_user": true, "default": 9551 }, { "name": "url", "type": "text", "title": "URL", "description": "This option specifies which URL path to accept requests on. Defaults to /.", "multi": false, "required": false, "show_user": false, "default": "/" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-alerts" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "http_endpoint.yml.hbs", "title": "Jamf Protect Alerts", "description": "Receives Alerts from Jamf Protect with Elastic Agent.", "enabled": true, "ingestion_method": "Webhook" }, { "input": "aws-s3", "vars": [ { "name": "queue_url_alerts", "type": "text", "title": "[SQS] Queue URL", "description": "URL of the AWS SQS queue that messages will be received from.\nThis is only required if you want to collect logs via AWS SQS.\nThis is a Alerts data stream specific queue URL. In order to avoid data loss, do not configure the same SQS queue for more than one data stream.", "multi": false, "required": false, "show_user": true }, { "name": "bucket_list_prefix", "type": "text", "title": "[S3] Bucket Prefix", "description": "Prefix to apply for the list request to the S3 bucket.", "multi": false, "required": false, "show_user": true, "default": "protect-/alerts/" }, { "name": "jamf_protect_bucket_name", "type": "text", "title": "[Alerts][S3] Bucket Name", "description": "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN with a Bucket Name for collecting logs or another 3rd party S3-compatible service. It will override the global Bucket Name if provided.", "multi": false, "required": false, "show_user": true }, { "name": "interval", "type": "text", "title": "[S3] Interval", "description": "Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "1m" }, { "name": "number_of_workers", "type": "integer", "title": "[S3/SQS] Number of Workers", "description": "Number of workers that will process the S3 objects listed.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "start_timestamp", "type": "text", "title": "[S3] Start Timestamp", "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "[S3] Ignore Older Timespan", "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.", "multi": false, "required": false, "show_user": false }, { "name": "visibility_timeout", "type": "text", "title": "[SQS] Visibility Timeout", "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "300s" }, { "name": "api_timeout", "type": "text", "title": "[SQS] API Timeout", "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "max_number_of_messages", "type": "integer", "title": "[SQS] Maximum Concurrent SQS Messages", "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "file_selectors", "type": "yaml", "title": "[SQS] File Selectors", "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.", "multi": false, "required": false, "show_user": false, "default": "- regex: 'protect-/alerts/.+'\n- regex: 'protect-/ulogs/.+'\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect.alerts" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "aws-s3.yml.hbs", "title": "Jamf Protect Alerts", "description": "Collect Alerts from Jamf Protect via S3 or SQS.", "enabled": true, "ingestion_method": "AWS S3" } ], "package": "jamf_protect", "path": "alerts" }, { "type": "logs", "dataset": "jamf_protect.telemetry", "title": "Receives Telemetry from Jamf Protect with Elastic Agent.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "http_endpoint", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The port number the listener binds to.", "multi": false, "required": true, "show_user": true, "default": 9550 }, { "name": "url", "type": "text", "title": "URL", "description": "This option specifies which URL path to accept requests on. Defaults to /.", "multi": false, "required": false, "show_user": false, "default": "/" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-telemetry" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "http_endpoint.yml.hbs", "title": "Jamf Protect Telemetry", "description": "Receives Telemetry from Jamf Protect with Elastic Agent.", "enabled": true, "ingestion_method": "Webhook" }, { "input": "aws-s3", "vars": [ { "name": "queue_url_telemetry", "type": "text", "title": "[SQS] Queue URL", "description": "URL of the AWS SQS queue that messages will be received from.\nThis is only required if you want to collect logs via AWS SQS.\nThis is a Telemetry data stream specific queue URL. In order to avoid data loss, do not configure the same SQS queue for more than one data stream.", "multi": false, "required": false, "show_user": true }, { "name": "bucket_list_prefix", "type": "text", "title": "[S3] Bucket Prefix", "description": "Prefix to apply for the list request to the S3 bucket.", "multi": false, "required": false, "show_user": true, "default": "protect-/telemetriesV2/" }, { "name": "jamf_protect_bucket_name", "type": "text", "title": "[Telemetry][S3] Bucket Name", "description": "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN with a Bucket Name for collecting logs or another 3rd party S3-compatible service. It will override the global Bucket Name if provided.", "multi": false, "required": false, "show_user": true }, { "name": "interval", "type": "text", "title": "[S3] Interval", "description": "Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "1m" }, { "name": "number_of_workers", "type": "integer", "title": "[S3] Number of Workers", "description": "Number of workers that will process the S3 objects listed.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "start_timestamp", "type": "text", "title": "[S3] Start Timestamp", "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "[S3] Ignore Older Timespan", "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.", "multi": false, "required": false, "show_user": false }, { "name": "visibility_timeout", "type": "text", "title": "[SQS] Visibility Timeout", "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "300s" }, { "name": "api_timeout", "type": "text", "title": "[SQS] API Timeout", "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "max_number_of_messages", "type": "integer", "title": "[SQS] Maximum Concurrent SQS Messages", "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "file_selectors", "type": "yaml", "title": "[SQS] File Selectors", "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.", "multi": false, "required": false, "show_user": false, "default": "- regex: 'protect-/telemetries/.+'\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-telemetry", "jamf_protect.telemetry" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "aws-s3.yml.hbs", "title": "Jamf Protect Telemetry", "description": "Collect Telemetry from Jamf Protect via S3 or SQS.", "enabled": true, "ingestion_method": "AWS S3" } ], "package": "jamf_protect", "path": "telemetry" }, { "type": "logs", "dataset": "jamf_protect.telemetry_legacy", "title": "Jamf Protect Telemetry (Legacy).", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "http_endpoint", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The port number the listener binds to.", "multi": false, "required": true, "show_user": true, "default": 9550 }, { "name": "url", "type": "text", "title": "URL", "description": "This option specifies which URL path to accept requests on. Defaults to /.", "multi": false, "required": false, "show_user": false, "default": "/" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-telemetry-legacy" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "http_endpoint.yml.hbs", "title": "Jamf Protect Telemetry (Legacy)", "description": "Receives Telemetry (Legacy) from Jamf Protect with Elastic Agent.", "enabled": true, "ingestion_method": "Webhook" }, { "input": "aws-s3", "vars": [ { "name": "queue_url_telemetry_legacy", "type": "text", "title": "[SQS] Queue URL", "description": "URL of the AWS SQS queue that messages will be received from.\nThis is only required if you want to collect logs via AWS SQS.\nThis is a Telemetry data stream specific queue URL. In order to avoid data loss, do not configure the same SQS queue for more than one data stream.", "multi": false, "required": false, "show_user": true }, { "name": "bucket_list_prefix", "type": "text", "title": "[S3] Bucket Prefix", "description": "Prefix to apply for the list request to the S3 bucket.", "multi": false, "required": false, "show_user": true, "default": "protect-/telemetries/" }, { "name": "jamf_protect_bucket_name", "type": "text", "title": "[Telemetry][S3] Bucket Name", "description": "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN with a Bucket Name for collecting logs or another 3rd party S3-compatible service. It will override the global Bucket Name if provided.", "multi": false, "required": false, "show_user": true }, { "name": "interval", "type": "text", "title": "[S3] Interval", "description": "Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "1m" }, { "name": "number_of_workers", "type": "integer", "title": "[S3] Number of Workers", "description": "Number of workers that will process the S3 objects listed.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "start_timestamp", "type": "text", "title": "[S3] Start Timestamp", "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "[S3] Ignore Older Timespan", "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.", "multi": false, "required": false, "show_user": false }, { "name": "visibility_timeout", "type": "text", "title": "[SQS] Visibility Timeout", "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "300s" }, { "name": "api_timeout", "type": "text", "title": "[SQS] API Timeout", "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "max_number_of_messages", "type": "integer", "title": "[SQS] Maximum Concurrent SQS Messages", "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "file_selectors", "type": "yaml", "title": "[SQS] File Selectors", "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.", "multi": false, "required": false, "show_user": false, "default": "- regex: 'protect-/telemetries/.+'\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-telemetry-legacy", "jamf_protect.telemetry-legacy" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "aws-s3.yml.hbs", "title": "Jamf Protect Telemetry (Legacy)", "description": "Collect Telemetry (Legacy) from Jamf Protect via S3 or SQS.", "enabled": true, "ingestion_method": "AWS S3" } ], "package": "jamf_protect", "path": "telemetry_legacy" }, { "type": "logs", "dataset": "jamf_protect.web_threat_events", "title": "Receives Web Threat Events from Jamf Protect with Elastic Agent.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "http_endpoint", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The port number the listener binds to.", "multi": false, "required": true, "show_user": true, "default": 9552 }, { "name": "url", "type": "text", "title": "URL", "description": "This option specifies which URL path to accept requests on. Defaults to /.", "multi": false, "required": false, "show_user": false, "default": "/" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-web-threat-events" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "content_type", "type": "text", "title": "Content types", "description": "By default the input expects the incoming POST to include a Content-Type of application/json to try to enforce the incoming data to be valid JSON. In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null.", "multi": false, "required": true, "show_user": true, "default": [ "application/json;charset=UTF-8" ] } ], "template_path": "http_endpoint.yml.hbs", "title": "Jamf Protect Web Threat Events", "description": "Receives Web Threat Events from Jamf Protect with Elastic Agent.", "enabled": true, "ingestion_method": "Webhook" }, { "input": "aws-s3", "vars": [ { "name": "queue_url_webthreats", "type": "text", "title": "[SQS] Queue URL", "description": "URL of the AWS SQS queue that messages will be received from.\nThis is only required if you want to collect logs via AWS SQS.\nThis is a Threat Events data stream specific queue URL. In order to avoid data loss, do not configure the same SQS queue for more than one data stream.", "multi": false, "required": false, "show_user": true }, { "name": "bucket_list_prefix", "type": "text", "title": "[S3] Bucket Prefix", "description": "Prefix to apply for the list request to the S3 bucket.", "multi": false, "required": false, "show_user": true }, { "name": "jamf_protect_bucket_name", "type": "text", "title": "[Web Threats][S3] Bucket Name", "description": "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN with a Bucket Name for collecting logs or another 3rd party S3-compatible service. It will override the global Bucket Name if provided.", "multi": false, "required": false, "show_user": true }, { "name": "interval", "type": "text", "title": "[S3] Interval", "description": "Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "1m" }, { "name": "number_of_workers", "type": "integer", "title": "[S3] Number of Workers", "description": "Number of workers that will process the S3 objects listed.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "start_timestamp", "type": "text", "title": "[S3] Start Timestamp", "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "[S3] Ignore Older Timespan", "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.", "multi": false, "required": false, "show_user": false }, { "name": "visibility_timeout", "type": "text", "title": "[SQS] Visibility Timeout", "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "300s" }, { "name": "api_timeout", "type": "text", "title": "[SQS] API Timeout", "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "max_number_of_messages", "type": "integer", "title": "[SQS] Maximum Concurrent SQS Messages", "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "file_selectors", "type": "yaml", "title": "[SQS] File Selectors", "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.", "multi": false, "required": false, "show_user": false } ], "template_path": "aws-s3.yml.hbs", "title": "Jamf Protect Web Threats", "description": "Collect Web Threat Events from Jamf Protect via S3 or SQS.", "enabled": true, "ingestion_method": "AWS S3" } ], "package": "jamf_protect", "path": "web_threat_events" }, { "type": "logs", "dataset": "jamf_protect.web_traffic_events", "title": "Receives Web Traffic Events from Jamf Protect with Elastic Agent.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "http_endpoint", "vars": [ { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The port number the listener binds to.", "multi": false, "required": true, "show_user": true, "default": 9553 }, { "name": "url", "type": "text", "title": "URL", "description": "This option specifies which URL path to accept requests on. Defaults to /.", "multi": false, "required": false, "show_user": false, "default": "/" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "jamf_protect-web-traffic-events" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve custom fields for all ECS mappings.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "content_type", "type": "text", "title": "Content types", "description": "By default the input expects the incoming POST to include a Content-Type of application/json to try to enforce the incoming data to be valid JSON. In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null.", "multi": false, "required": true, "show_user": true, "default": [ "application/json;charset=UTF-8" ] } ], "template_path": "http_endpoint.yml.hbs", "title": "Jamf Protect Web Traffic Events", "description": "Receives Web Traffic Events from Jamf Protect with Elastic Agent.", "enabled": true, "ingestion_method": "Webhook" }, { "input": "aws-s3", "vars": [ { "name": "queue_url_webtraffic", "type": "text", "title": "[SQS] Queue URL", "description": "URL of the AWS SQS queue that messages will be received from.\nThis is only required if you want to collect logs via AWS SQS.\nThis is a Web Traffic data stream specific queue URL. In order to avoid data loss, do not configure the same SQS queue for more than one data stream.", "multi": false, "required": false, "show_user": true }, { "name": "bucket_list_prefix", "type": "text", "title": "[S3] Bucket Prefix", "description": "Prefix to apply for the list request to the S3 bucket.", "multi": false, "required": false, "show_user": true }, { "name": "jamf_protect_bucket_name", "type": "text", "title": "[Web Traffic][S3] Bucket Name", "description": "Jamf Protect is an S3-compatible, globally distributed object storage. This parameter can replace Bucket ARN with a Bucket Name for collecting logs or another 3rd party S3-compatible service. It will override the global Bucket Name if provided.", "multi": false, "required": false, "show_user": true }, { "name": "interval", "type": "text", "title": "[S3] Interval", "description": "Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "1m" }, { "name": "number_of_workers", "type": "integer", "title": "[S3] Number of Workers", "description": "Number of workers that will process the S3 objects listed.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "start_timestamp", "type": "text", "title": "[S3] Start Timestamp", "description": "If set, only read S3 objects with last modified timestamp newer than the given timestamp. Accepts a timestamp in `YYYY-MM-DDTHH:MM:SSZ` format. For example, \"2020-10-10T10:30:00Z\" (UTC) or \"2020-10-10T10:30:00Z+02:30\" (with zone offset).", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "[S3] Ignore Older Timespan", "description": "If set, ignore S3 objects whose Last-Modified time is before the ignore older timespan. Timespan is checked from the current time to S3 object's Last-Modified time. Accepts a duration like `48h`, `2h30m`.", "multi": false, "required": false, "show_user": false }, { "name": "visibility_timeout", "type": "text", "title": "[SQS] Visibility Timeout", "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "300s" }, { "name": "api_timeout", "type": "text", "title": "[SQS] API Timeout", "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Valid time units are h, m, s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "max_number_of_messages", "type": "integer", "title": "[SQS] Maximum Concurrent SQS Messages", "description": "Deprecated in agent version 8.16.0, this parameter is ignored if present, use number_of_workers instead. The maximum number of SQS messages that can be inflight at any time.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "file_selectors", "type": "yaml", "title": "[SQS] File Selectors", "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.", "multi": false, "required": false, "show_user": false } ], "template_path": "aws-s3.yml.hbs", "title": "Jamf Protect Web Traffic", "description": "Collect Web Traffic Events from Jamf Protect via S3 or SQS.", "enabled": true, "ingestion_method": "AWS S3" } ], "package": "jamf_protect", "path": "web_traffic_events" } ] }