Solutions/Jamf Protect/Parsers/JamfProtectAlerts.yaml (20 lines of code) (raw):
id: b1044d58-6384-454e-b51d-5750fda0698c
Function:
Title: Parser for Jamf Protect Alerts
Version: '3.2.4'
LastUpdated: '2025-03-25'
Category: Microsoft Sentinel Parser
FunctionName: JamfProtectAlerts
FunctionAlias: JamfProtectAlerts
FunctionQuery: |
jamfprotectalerts_CL
| extend
ActingProcessCreationTime = unixtime_seconds_todatetime(tolong(input.related.processes[array_length(input.related.processes) - 1].startTimestamp)),
ParentProcessCreationTime = iff(
array_length(input.related.processes) > 1,
unixtime_seconds_todatetime(tolong(input.related.processes[0].startTimestamp)),
datetime(null)
),
TargetProcessCreationTime = unixtime_seconds_todatetime(todouble(input.related.processes[0].startTimestamp)),
TargetUserId = coalesce(input.related.users[1].uid, input.related.users[0].uid),
TargetUsername = coalesce(input.related.users[1].name, input.related.users[0].name)