id: 374cd4de-269c-465e-93ac-b9ade4af4f28 Function: Title: Parser for Jamf Protect Security Cloud Network Traffic Events Version: '3.2.4' LastUpdated: '2025-03-25' Category: Microsoft Sentinel Parser FunctionName: JamfProtectNetworkTraffic FunctionAlias: JamfProtectNetworkTraffic FunctionQuery: | jamfprotect_CL | where event_metadata_product_s == "Network Traffic Stream" // ASIM - Common Fields | extend EventVendor = 'Jamf' | extend EventProduct = 'Jamf Protect - Network Traffic Stream' | project-rename | extend // Jamf Protect - Common Fields EventType = "query", EventSubType = "request", EventStartTime = unixtime_milliseconds_todatetime(tolong(event_receiptTime_d)), EventResult = case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Prevented", ''), // Jamf Protect - Source User SrcUsermail=column_ifexists('event_user_email_s', ''), SrcUsername = column_ifexists('event_user_name_s', ''), // Jamf Protect - Source Device Hostnames DvcHostname = case(isnotempty(input_host_hostname_s), input_host_hostname_s, isnotempty(host_info_host_name_s), host_info_host_name_s, event_device_userDeviceName_s), DvcIpAddr = column_ifexists("event_source_ip_s", ""), DvcId = column_ifexists("event_device_externalId_g", ""), DvcOs = case(event_device_osType_s == "MAC_OS", "macOS", event_device_osType_s == "IOS", "iOS", event_device_osType_s == "ANDROID", "Android", "Other"), SrcDeviceType = case(event_device_osType_s == "MAC_OS", "Computer", event_device_osType_s == "IOS", "Mobile Device", event_device_osType_s == "ANDROID", "Mobile Device", "Other"), // Jamf Protect - DNS Specific DnsQuery = column_ifexists('event_hostName_s', ''), DvcAction = case(event_blocked_b == "false", "Allowed", event_blocked_b == "true", "Blocked", ''), DnsQueryName = column_ifexists('event_domain_s', ''), DstIpAddr = column_ifexists('event_destination_ips_s', ''), ThreatCategory = column_ifexists('event_eventType_description_s', ''), DnsQueryTypeName = column_ifexists('event_dns_recordType_s', ''), DnsResponseName = column_ifexists('event_dns_responseStatus_s', ''), ThreatOriginalRiskLevel = column_ifexists('event_threat_result_s', '') | project-keep TimeGenerated, EventVendor, EventProduct, EventType, EventSubType, EventStartTime, EventResult, DvcHostname, DvcIpAddr, DvcId, DvcOs, SrcDeviceType, SrcUsermail, SrcUsername, DnsQuery, DnsQueryName, DstIpAddr, DnsQueryTypeName, DvcAction, DnsResponseName, ThreatOriginalRiskLevel