How to make data-driven decisions to prioritise and operationalise your Jamf deployment.
https://www.youtube.com/watch?v=BZcrl69nxoE
@ooftee
There is plenty of existing documentation for this, see below.
https://www.youtube.com/watch?v=4tsV-wZE6aw
https://learn.jamf.com/bundle/technical-paper-splunk-current/page/Jamf_Pro_Webhooks_for_Splunk.html
We had to use the URL format https://http-inputs-XXXX.splunkcloud.com/services/collector/raw; the suggested one, https://http-inputs-XXXX.splunkcloud.com/services/collector/event, never worked.
Format the Header Authentication like this {"Authorization":"Splunk 2f75XXXX-XXXX-XXXX-XXXX-XXXXXXXX9e68"}
Use this script to export all the policies' names and IDs.
NOTE: Index and source name may vary in your environment.
Timechart of all different versions over time
index="jamf" computerOS.version=*
| timechart span=1d dc(computer_meta.id) as version by computerOS.version
Refine by merging all Ventura and Monterey versions
index="jamf" computerOS.version=12.* | timechart span=1d dc(computer_meta.id) as Monterey
| appendcols
[search index="jamf" computerOS.version=13.* | timechart span=1d dc(computer_meta.id) as Ventura | fields Ventura]
Smart groups allow you to report in Splunk on attributes that might not be collected by the add-in or webhooks, like EDR status. If you can create a Jamf smart group, Splunk can report on it.
index="jamf" groupMembership.groupId=820
| timechart span=24h dc(computer_meta.id) as Total
API monitoring is a great feature of webhooks; it can't be done from anywhere else.
index="jamf" source="http:jamf_webhook" "webhook.webhookEvent"=RestAPIOperation
| stats count by event.authorizedUsername, event.restAPIOperationType, event.objectTypeName
As we have imported the policies' names we can now use wildcards to find things like the total of successful patches.
index="jamf" source="http:jamf_webhook" policyName="Patch -*" event.successful="true" | stats count
index="jamf" source="http:jamf_webhook" "webhook.webhookEvent"=DeviceAddedToDEP
index="jamf" source="http:jamf_webhook" "webhook.webhookEvent"=RestAPIOperation
| search "event.restAPIOperationType"=PUT OR "event.restAPIOperationType"=POST
index="jamf" source="http:jamf_webhook"
| eventstats count(eval('event.successful'=="true")) as "POL_Success" by policyName
| eventstats count(eval('event.successful'=="false")) as "POL_Failure" by policyName
| eval POL_Percent=round(POL_Failure/(POL_Success+POL_Failure)*100,2)
| eventstats avg("POL_Percent") by policyName
| search POL_Percent > 4
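The same three reports the SPL above produces (per-policy failure percentage with a threshold, total successful "Patch -" runs, and RestAPIOperation counts by user, operation and object type) as an added Python example over a constructed event stream. This is not code from the thread or from Jamf; the policy export shape (id and name under "policies"), the PolicyFinished field name policyId, and all sample values are assumptions, while event.successful, authorizedUsername, restAPIOperationType and objectTypeName are the field names used in the queries above. It also handles the case the SPL's arithmetic does not: a policy with failures but no successes.

```python
"""Policy failure-rate and API-audit reporting over Jamf webhook events.

Added example with constructed data; nothing here is captured from a real
Jamf Pro tenant.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of a policy export (id and name only). The "policies"
# list shape is an assumption about the export script mentioned in the thread.
POLICY_EXPORT_JSON = json.dumps({"policies": [
    {"id": 101, "name": "Patch - Google Chrome"},
    {"id": 102, "name": "Patch - Zoom"},
    {"id": 103, "name": "Install - Printer Drivers"},
]})


def _policy_event(policy_id, successful):
    """Build one PolicyFinished webhook payload (constructed, minimal fields;
    the policyId key is an assumption)."""
    return {"webhook": {"webhookEvent": "PolicyFinished"},
            "event": {"policyId": policy_id, "successful": successful}}


def _api_event(user, op, obj):
    """Build one RestAPIOperation webhook payload (constructed, minimal fields)."""
    return {"webhook": {"webhookEvent": "RestAPIOperation"},
            "event": {"authorizedUsername": user, "restAPIOperationType": op,
                      "objectTypeName": obj}}


# Constructed event stream: 19 Chrome successes and 1 failure, 10 Zoom
# successes, 3 printer-driver failures with no successes, one event for a
# policy id missing from the export, and a few REST API operations.
WEBHOOK_EVENTS = (
    [_policy_event(101, True)] * 19 + [_policy_event(101, False)]
    + [_policy_event(102, True)] * 10
    + [_policy_event(103, False)] * 3
    + [_policy_event(999, True)]
    + [_api_event("automation", "PUT", "Computer"),
       _api_event("automation", "PUT", "Computer"),
       _api_event("jdoe", "POST", "Policy")]
)


def policy_lookup(export_json):
    """Map policy id -> policy name from the exported policy list."""
    return {p["id"]: p["name"] for p in json.loads(export_json)["policies"]}


def policy_failure_rates(events, lookup):
    """Per policy name: (successes, failures, failure percentage of all runs).

    Failures over the total (not over successes) stays within 0..100 and is
    defined for a policy that has never succeeded.
    """
    tallies = defaultdict(lambda: [0, 0])
    for ev in events:
        if ev["webhook"]["webhookEvent"] != "PolicyFinished":
            continue
        pid = ev["event"]["policyId"]
        name = lookup.get(pid, f"policy-{pid}")  # keep unknown ids visible
        tallies[name][0 if ev["event"]["successful"] else 1] += 1
    rates = {}
    for name, (ok, bad) in tallies.items():
        total = ok + bad
        rates[name] = (ok, bad, round(bad / total * 100, 2) if total else 0.0)
    return rates


def flag_policies(rates, threshold=4.0):
    """Sorted names of policies whose failure percentage exceeds threshold."""
    return sorted(n for n, (_, _, pct) in rates.items() if pct > threshold)


def patch_successes(rates, prefix="Patch -"):
    """Total successful runs of policies whose name starts with prefix."""
    return sum(ok for n, (ok, _, _) in rates.items() if n.startswith(prefix))


def api_operation_counts(events):
    """Count RestAPIOperation events by (user, operation type, object type)."""
    return Counter(
        (ev["event"]["authorizedUsername"], ev["event"]["restAPIOperationType"],
         ev["event"]["objectTypeName"])
        for ev in events if ev["webhook"]["webhookEvent"] == "RestAPIOperation")


if __name__ == "__main__":
    lookup = policy_lookup(POLICY_EXPORT_JSON)
    rates = policy_failure_rates(WEBHOOK_EVENTS, lookup)
    for name, (ok, bad, pct) in sorted(rates.items()):
        print(f"{name:28s} success={ok:3d} failure={bad:3d} failure%={pct}")
    print("over threshold:", flag_policies(rates))
    print("patch successes:", patch_successes(rates))
    for key, n in api_operation_counts(WEBHOOK_EVENTS).most_common():
        print(key, n)
```

The lookup step stands in for joining the exported policy list onto events so that wildcards such as "Patch -" can be applied by name; ids absent from the export are surfaced as "policy-<id>" rather than dropped, which is what you want when a policy was created after the last export.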