Skip to content

Commit

Permalink
x-pack/filebeat/input/entityanalytics/provider/jamf: add jamf provider (
Browse files Browse the repository at this point in the history
elastic#39996)

* add jamf api support package
* add jamf provider
  • Loading branch information
efd6 authored Jun 28, 2024
1 parent 38c90e9 commit 8bbcfcc
Show file tree
Hide file tree
Showing 16 changed files with 2,434 additions and 3 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Fix concurrency/error handling bugs in the AWS S3 input that could drop data and prevent ingestion of large buckets. {pull}39131[39131]
- Fix EntraID query handling. {issue}39419[39419] {pull}39420[39420]
- Fix request trace filename handling in http_endpoint input. {pull}39410[39410]
- Fix filestream not correctly tracking the offset of a file when using the `include_message` parsser. {pull}39873[39873] {issue}39653[39653]
- Fix filestream not correctly tracking the offset of a file when using the `include_message` parser. {pull}39873[39873] {issue}39653[39653]
- Upgrade github.com/hashicorp/go-retryablehttp to mitigate CVE-2024-6104 {pull}40036[40036]

*Heartbeat*
Expand Down Expand Up @@ -288,6 +288,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Add ability to remove request trace logs from CEL input. {pull}39969[39969]
- Add ability to remove request trace logs from HTTPJSON input. {pull}40003[40003]
- Update CEL mito extensions to v1.13.0 {pull}40035[40035]
- Add Jamf entity analytics provider. {pull}39996[39996]

*Auditbeat*

Expand Down
178 changes: 176 additions & 2 deletions x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ The following identity providers are supported:

- <<provider-activedirectory>>
- <<provider-azure-ad>>
- <<provider-jamf>>
- <<provider-okta>>

==== Configuration options
Expand Down Expand Up @@ -521,6 +522,179 @@ For Example, `http-request-trace-*.ndjson`.

Enabling this option compromises security and should only be used for debugging.

[id="provider-jamf"]
==== Jamf Computer Management (`jamf`)

The `jamf` provider allows the input to retrieve computer records from the
Jamf API.

[float]
==== How It Works

[float]
===== Overview

The Jamf provider periodically contacts the Jamf API, retrieving updates for
computers, updates its internal cache of managed computer metadata, and ships
updated metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: *full
synchronizations* and *incremental updates*. Full synchronizations will send
the entire list of computers in state, along with write markers to
indicate the start and end of the synchronization event. Incremental updates
will only send data for changed computers records during that event. Changes
on a user or device can come in many forms, whether it be a change to the
user's metadata, or a user was added or deleted.

[float]
===== API Interactions

The provider periodically retrieves changes to user/device metadata from the
Jamf computers-preview API. This is done through calls to:

- https://developer.jamf.com/jamf-pro/reference/get_preview-computers[/api/preview/computers]

Updates are tracked by the provider by retaining a record of the time of the last
noted update in the returned user list. During provider updates the Jamf provider
makes use of the Jamf API's query filtering to only request records updated at or
since the provider's recorded last update.

[float]
===== Sending Computer Metadata to Elasticsearch

During a full synchronization, all users/devices stored in state will be sent
to the output, while incremental updates will only send users and devices
that have been updated. Full synchronizations will be bounded on either side
by write marker documents, which will look something like this:

["source","json",subs="attributes"]
----
{
"@timestamp": "2022-11-04T09:57:19.786056-05:00",
"event": {
"action": "started",
"start": "2022-11-04T09:57:19.786056-05:00"
},
"labels": {
"identity_source": "jamf-1"
}
}
----

Documents will show the current state of the computer record.

Example document:

["source","json",subs="attributes"]
----
{
"device": {
"id": "5982CE36-4526-580B-B4B9-ECC6782535BC"
},
"event": {
"action": "device-discovered"
},
"jamf": {
"location": {
"username": "john.doe",
"position": "Unknown Developer"
},
"site": null,
"name": "acme-C07DM3AZQ6NV",
"udid": "5982CE36-4526-580B-B4B9-ECC6782535BC",
"serialNumber": "C07DM3AZQ6NV",
"operatingSystemVersion": "14.0",
"operatingSystemBuild": "23A344",
"operatingSystemSupplementalBuildVersion": null,
"operatingSystemRapidSecurityResponse": null,
"macAddress": "64:0B:D7:AA:E4:B2",
"assetTag": null,
"modelIdentifier": "Macmini9,1",
"mdmAccessRights": 0,
"lastContactDate": "2024-04-18T14:26:51.514Z",
"lastReportDate": "2024-06-19T15:54:37.692Z",
"lastEnrolledDate": "2023-02-22T10:46:17.199Z",
"ipAddress": null,
"managementId": "1a59c510-b3a9-41cb-8afa-3d4187ac60d0",
"isManaged": true
},
"labels": {
"identity_source": "jamf-1"
}
}
----

[float]
==== Configuration

Example configuration:

["source","yaml",subs="attributes"]
----
{beatname_lc}.inputs:
- type: entity-analytics
enabled: true
id: jamf-1
provider: jamf
dataset: "all"
sync_interval: "12h"
update_interval: "30m"
jamf_tenant: "JAMF_TENANT"
jamf_username: "JAMF_USERNAME"
jamf_password: "JAMF_PASSWORD"
----

The `jamf` provider supports the following configuration:

[float]
===== `jamf_tenant`

The Jamf tenant host. Field is required.

[float]
===== `jamf_username`

The Jamf username, used for authentication. Field is required.

[float]
===== `jamf_password`

The Jamf user password, used for authentication. Field is required.

[float]
===== `page_size`

The number of computer records to collect with each API request. Defaults to https://developer.jamf.com/jamf-pro/reference/get_preview-computers[API default].

[float]
===== `sync_interval`

The interval in which full synchronizations should occur. The interval must be
longer than the update interval (`update_interval`) Expressed as a duration
string (e.g., 1m, 3h, 24h). Defaults to `24h` (24 hours).

[float]
===== `update_interval`

The interval in which incremental updates should occur. The interval must be
shorter than the full synchronization interval (`sync_interval`). Expressed as a
duration string (e.g., 1m, 3h, 24h). Defaults to `15m` (15 minutes).

+==== `tracer.enabled`

It is possible to log HTTP requests and responses to the Jamf API to a local file-system for debugging configurations.
This option is enabled by setting `tracer.enabled` to true and setting the `tracer.filename` value.
Additional options are available to tune log rotation behavior. To delete existing logs, set `tracer.enabled`
to false without unsetting the filename option.

Enabling this option compromises security and should only be used for debugging.

[float]
==== `tracer.filename`

To differentiate the trace files generated from different input instances, a placeholder `*` can be added to the
filename and will be replaced with the input instance id. For Example, `http-request-trace-*.ndjson`.

[id="provider-okta"]
==== Okta User Identities (`okta`)

Expand Down Expand Up @@ -550,8 +724,8 @@ The Okta provider periodically contacts the Okta API, retrieving updates for
users and devices, updates its internal cache of user metadata, and ships
updated user/device metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: **full
synchronizations** and *incremental updates*. Full synchronizations will send
Fetching and shipping updates occurs in one of two processes: *full
synchronizations* and *incremental updates*. Full synchronizations will send
the entire list of users and devices in state, along with write markers to
indicate the start and end of the synchronization event. Incremental updates
will only send data for changed users and devices during that event. Changes
Expand Down
1 change: 1 addition & 0 deletions x-pack/filebeat/input/entityanalytics/input.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import (
// For provider registration.
_ "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory"
_ "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/azuread"
_ "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/jamf"
_ "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta"
)

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
*.ndjson
Loading

0 comments on commit 8bbcfcc

Please sign in to comment.