Data Streams

Learn about data streams within Jamf security products

Threat Event Stream

The Threat Event Stream is a feature of Jamf Protect and Jamf Threat Defense, which detects and remediates endpoint threats including malicious network communications, device vulnerabilities, malware and risky apps. For more information on Jamf Threat Defense, see our product documentation.

The Threat Events Stream can send threat detection data in real-time as either Common Event Format (CEF)-encoded syslog or JSON-encoded HTTP events to your chosen destination such as your Security Information and Event Management (SIEM) solution. You can also choose to send CEF events to an Amazon Web Services (AWS) S3 bucket if this is your organization's preferred approach. The stream is protected with Transport Layer Security (TLS).

To help your data ingestion tool interpret the data, we've built a dictionary that provides event names, data types and example values. In addition to the dictionary, you will find a comprehensive list of event types to assist with data mapping.

Network Traffic Stream

The Network Traffic Stream collects web usage data from Jamf Protect, Jamf Threat Defense and Jamf Data Policy, allowing you to further use this data for monitoring of risky behaviour, Shadow IT and for threat hunting purposes.

The Network Traffic Stream enables organizations to stream, record, and review all network activity that is processed by the service's infrastructure via third-party log aggregators and analytics tools. Events are sent in real time in a CEF-encoded syslog or JSON-encoded HTTP over TLS to ensure that the data is securely transported.

Many log aggregators or data ingestion tools will require configuration to properly interpret the data and generate alerts or actionable tasks. We've built a dictionary that will help you understand the types of events that are generated by this data stream, including data types and example values.

{
    "event": {
      "metadata": {
        "schemaVersion": "1.0",
        "vendor": "Wandera",
        "product": "Threat Events Stream"
      },
      "timestamp": "2020-01-30T17:47:41.767Z",
      "alertId": "013b15c9-8f62-4bf1-948a-d82367af2a10",
      "account": {
        "customerId": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25",
        "parentId": "7c302632-7ac4-4234-8ada-11d76feb3730",
        "name": "Wandera Customer"
      },
      "device": {
        "deviceId": "09f81436-de17-441e-a631-0461252c629b",
        "os": "IOS 11.2.5",
        "deviceName": "Apple iPhone 11 (11.2.5)",
        "userDeviceName": "Apple iPhone 11",
        "externalId": "5087dc0e-876c-4b0e-95ea-5b543476e0c4"
      },
      "eventType": {
        "id": 213,
        "description": "Sideloaded App",
        "name": "SIDE_LOADED_APP_IN_INVENTORY"
      },
      "app": {
        "id": "com.apple.iBooks",
        "name": "Books",
        "version": "1.1",
        "sha1": "16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2",
        "sha256": "16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042"
      },
      "destination": {
        "name": "host",
        "ip": "ip",
        "port": 80
      },
      "source": {
        "ip": "1.2.3.4",
        "port": 3025
      },
      "location": "gb",
      "accessPoint": "AccessPoint",
      "accessPointBssid": "c6:9f:db:b1:73:5a",
      "severity": 6,
      "user": {
        "email": "[email protected]",
        "name": "John Doe"
      },
      "eventUrl": "https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767",
      "action": "Detected"
    }
  }
CEF:0|Wandera|Network Traffic Stream|2.0|2|HTTPS Request|1|ParentId=d1b1b759-dae0-4bcc-af25-15acf0c6360d Category=Cloud & File Storage HttpProtocolVersion=HTTP/1.1 DeviceId=c3c2a357-a9b7-453e-b22c-273f1286334b Request=http://gateway.icloud.com:443 ThreatTypes= NetworkInterface=WIFI ThreatResult= dpt=443 DnsRecordType= CustomerId=a3d4b448-f8a8-42e3-81fc-ceb32b337c91 Method=CONNECT TotalSize=10006 Timestamp=2020-08-25T10:49:15.842Z Tld=com Ttl= UpstreamSize=2518 DestinationIP=17.248.144.42 SourceIP=88.78.54.78 spt=80 UserAgent=CloudKit/867 (17G80) Domain=icloud HostName=gateway.icloud.com DnsResponseStatus= DownstreamSize=127 [email protected] suser=John Doe rt=1615459748804 blocked=false OsType=IOS
{
    "event": {
        "account": {
          "customerId": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25",
          "parentId": "7c302632-7ac4-4234-8ada-11d76feb3730",
        },
        "device": {
          "deviceId": "09f81436-de17-441e-a631-0461252c629b",
          "osType": "IOS 11.2.5",
          "externalId": "54f1c122-33c0-4c22-a7fe-df7d966ceac4",
        },
        "source": {
          "ip": "1.2.3.4",
        },
        "destination": {
          "ips": [
            "74.125.193.99",
            "74.125.193.105",
            "74.125.193.103",
            "74.125.193.147",
            "74.125.193.106",
            "74.125.193.104"
          ],
        },
        "domain": "google",
        "tld": "com",
        "dns": {
            "responseStatus": "NOERROR",
            "ttl": 1024,
            "recordType": "A"
        },
        "timestamp": "2020-01-30T17:47:41.767Z",
        "networkInterface": null,
        "hostName": "www.google.com",
        "threat": {
            "result": "CLEAN",
            "types": []
        },
        "signatureId": {
            "id": "213",
            "name": "DNS Lookup"
        },
        "blocked": false,
        "receiptTime": 1663844902414,
        "user": {
            "email": "[email protected]",
            "name": "John Doe"
        },
        "metadata": {
            "schemaVersion": "1.0",
            "vendor": "Wandera",
            "product": "Network Traffic Stream"
        },
    }
  }
CEF:0|Wandera|Network Traffic Stream|2.0|2|HTTPS Request|1|ParentId=d1b1b759-dae0-4bcc-af25-15acf0c6360d Category=Cloud & File Storage HttpProtocolVersion=HTTP/1.1 DeviceId=c3c2a357-a9b7-453e-b22c-273f1286334b Request=http://gateway.icloud.com:443 ThreatTypes= NetworkInterface=WIFI ThreatResult= dpt=443 DnsRecordType= CustomerId=a3d4b448-f8a8-42e3-81fc-ceb32b337c91 Method=CONNECT TotalSize=10006 Timestamp=2020-08-25T10:49:15.842Z Tld=com Ttl= UpstreamSize=2518 DestinationIP=17.248.144.42 SourceIP=88.78.54.78 spt=80 UserAgent=CloudKit/867 (17G80) Domain=icloud HostName=gateway.icloud.com DnsResponseStatus= DownstreamSize=127 [email protected] suser=John Doe rt=1615459748804 blocked=false OsType=IOS

CEF:0|Wandera|Network Traffic Stream|2.0|3|DNS Lookup|1|ParentId=d1b1b759-dae0-4bcc-af25-15acf0c6360d Category= HttpProtocolVersion= DeviceId=c3c2a357-9fe7-41c4-ab36-f1c8b3f9a45e Request= ThreatTypes= NetworkInterface= ThreatResult=CLEAN dpt= DnsRecordType=A CustomerId=a3d4b448-6b8b-4a9e-8832-9ccf74991f8c Method= TotalSize= Timestamp=2020-08-25T11:12:17.670Z Tld=com Ttl=8323 UpstreamSize= DestinationIP=17.248.129.136,17.248.129.170,17.248.129.202,17.248.129.74,17.248.129.177,17.248.129.73,17.248.129.179,17.248.129.206 SourceIP=88.78.54.78 spt= UserAgent= Domain=icloud HostName=gateway.icloud.com DnsResponseStatus=NOERROR DownstreamSize= [email protected] suser=John Doe rt=1615459748804 blocked=false OsType=IOS

CEF:0|Wandera|Network Traffic Stream|2.0|1|HTTP Request|1|ParentId=d1b1b759-dae0-4bcc-af25-15acf0c6360d Category=Business & Industry HttpProtocolVersion=HTTP/1.1 DeviceId=c3c2a357-6198-4e03-b968-5e48c5d4d742 Request=http://serv1.apple.com/bag ThreatTypes= NetworkInterface=WIFI ThreatResult= dpt=80 DnsRecordType= CustomerId=a3d4b448-6b8b-4a9e-8832-9ccf74991f8c Method=GET TotalSize=5360 Timestamp=2020-08-25T12:13:43.703Z Tld=com Ttl= UpstreamSize=0 DestinationIP=128.241.218.115 SourceIP=88.78.54.78 spt=80 UserAgent=server-bag [iPhone OS,13.5.1,17F80,iPhone12,1] Domain=apple HostName=serv1.apple.com DnsResponseStatus= DownstreamSize=127 [email protected] suser=John Doe rt=1615459748804 blocked=false OsType=IOS