This article leads you through the process of integrating Jamf EDR with Red Canary. Follow the procedure from beginning to end.
Prerequisites
Before you connect Jamf to Red Canary, make sure the following configuration requirements are met:
- Red Canary Managed Detection & Response (MDR) requires Jamf Pro and Jamf Protect.
- Jamf Pro and Jamf Protect must be deployed, configured, and enabled within your security environment.
- The minimum supported macOS version is Catalina (version 10.15).
- Red Canary requires API access on Jamf Protect products and a service account on Jamf Pro to manage the integration.
- Jamf Protect: API access is required to manage the Red Canary analytic which exports, grooms, and controls telemetry data flows from Jamf Protect.
- Jamf Pro: A service account enables endpoint correlation and response actions.
Step 1: Jamf–Create a Jamf Protect API client ID
Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.
- From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
- Click Create API Client.
- Include Red Canary in the API client name to make tracking and troubleshooting easier.
- Confirm that the API Client role is set to Full Admin.
- Copy and save the API client password.
Note: This is the only time the password will be available in clear text.
- Copy and save the Client ID.
- With your API client ID copied, log in to Red Canary.
Step 2: Jamf–Create a Jamf Pro Service Account
Red Canary requires a service account with the following access within Jamf Pro.
- Within the Jamf Pro console, click Settings in the top-right corner of the page.
- In the System Settings section, click Jamf Pro User Accounts and Groups.
- Click New.
- Select Create Standard Account and click Next.
- Select Full Access from the Access Level pop-up menu.
- Select Custom from the Privilege Set pop-up menu.
- Select the following permissions set.
- Computers: Read
- Static Computer Groups: Read and Update
- Click Save.
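A way to confirm that the service account created above really carries only the access listed (Full Access, Custom privilege set, Computers: Read, Static Computer Groups: Read and Update) and nothing more is to audit the account record the Jamf Pro Classic API returns. The following Python is an added example, not code from Red Canary or Jamf. It assumes the account record is XML in the shape the Classic API accounts endpoint returns (privilege strings such as "Read Computers" under privileges/jss_objects); the account name, id and the extra "Delete Computers" privilege in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# The access the article requires for the Red Canary service account, written
# as the "<Action> <Object>" privilege strings that the Jamf Pro Classic API
# reports under privileges/jss_objects (assumed shape; verify in your tenant).
REQUIRED_PRIVILEGES = {
    "Read Computers",
    "Read Static Computer Groups",
    "Update Static Computer Groups",
}
REQUIRED_ACCESS_LEVEL = "Full Access"
REQUIRED_PRIVILEGE_SET = "Custom"

# Constructed sample record for one account. The name and id are made up, and
# the privilege list deliberately includes one entry the integration does not
# need so the audit has something to flag.
SAMPLE_ACCOUNT_XML = """<account>
  <id>42</id>
  <name>redcanary-svc</name>
  <access_level>Full Access</access_level>
  <privilege_set>Custom</privilege_set>
  <privileges>
    <jss_objects>
      <privilege>Read Computers</privilege>
      <privilege>Read Static Computer Groups</privilege>
      <privilege>Update Static Computer Groups</privilege>
      <privilege>Delete Computers</privilege>
    </jss_objects>
  </privileges>
</account>
"""


def granted_privileges(account_xml):
    """Return the set of privilege strings granted to the account."""
    root = ET.fromstring(account_xml)
    return {p.text.strip() for p in root.iter("privilege") if p.text}


def audit_account(account_xml):
    """Check an account record against the article's requirements.

    Returns a dict with the privileges still missing, the privileges granted
    beyond the minimum (candidates for removal), and any setting mismatches.
    """
    root = ET.fromstring(account_xml)
    granted = granted_privileges(account_xml)
    findings = {
        "missing": sorted(REQUIRED_PRIVILEGES - granted),
        "excess": sorted(granted - REQUIRED_PRIVILEGES),
        "setting_mismatches": [],
    }
    access_level = root.findtext("access_level", "")
    if access_level != REQUIRED_ACCESS_LEVEL:
        findings["setting_mismatches"].append(
            f"access_level is {access_level!r}, expected {REQUIRED_ACCESS_LEVEL!r}")
    privilege_set = root.findtext("privilege_set", "")
    if privilege_set != REQUIRED_PRIVILEGE_SET:
        findings["setting_mismatches"].append(
            f"privilege_set is {privilege_set!r}, expected {REQUIRED_PRIVILEGE_SET!r}")
    return findings


if __name__ == "__main__":
    for key, value in audit_account(SAMPLE_ACCOUNT_XML).items():
        print(f"{key}: {value}")
```

Anything reported under "excess" is access the integration does not use and can be removed from the service account; anything under "missing" will surface later as failed endpoint correlation or response actions.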
Note: The next step (Step 3) is only for Red Canary Consulting Partners. If you are not a Consulting Partner please proceed to Step 4.
Step 3: Red Canary–Provision Red Canary with Jamf
Reach out to a Red Canary representative to use the Red Canary provisioning portal to create an Amazon Web Services (AWS) role and set up the Jamf Protect action configuration so that Jamf can send telemetry to Red Canary.
- Log into the Red Canary provisioning portal.
- Click Create new request.
- Under the Request type dropdown, select Provision new environment.
- Fill in the following fields:
Field: What you'll fill in
or select… Four hours from now.
Engagement type: Select the appropriate engagement type.
Number of endpoints: The number of endpoints we expect to monitor in the environment. This number can be an estimate.
Customer contact email: The email address of the user contact who will be responsible for following the setup instructions. Any configuration instructions will be sent to this address.
Organization name: The legal business name of the organization.
Desired subdomain name: The subdomain identifier that needs to be provisioned. Subdomain names are two or more lowercase alphanumeric characters.
Desired telemetry collection platform: Jamf Pro/Protect
Customer website: The end user website, which Jamf will provision as the organization name.
Pro UI URL: The URL to access the Jamf Pro console (example: https://customer.jamfcloud.com).
Pro Username: The username Red Canary will use to access the Jamf Pro console and API.
Requirements:
- The account requires the following access:
- Computers: Read
- Static Computer Groups: Read, Update
Pro Password: The password Red Canary will use to access the Jamf Pro API.
Protect UI URL: The URL to access the Jamf Protect console (example: https://customer.protect.jamfcloud.com).
Protect Username: The username/Client ID Red Canary will use to access the Jamf Protect console and API.
Requirements:
- You must create a Jamf Protect API Client ID.
- Your account requires administrative access.
Protect Password: The API Client Password Red Canary will use to access the Jamf Protect console and API.
Note: When copying and pasting this key from the Jamf Protect console, whitespace or newline characters may be inserted. Verify the key before closing the window, because it will not be shown again.
- Click Save. Once the request is submitted, the Red Canary engineering team will create an Amazon Web Services (AWS) role so Jamf can write telemetry to a Red Canary Amazon Simple Storage Service (S3) bucket.
When the role is created, you will receive an email with the AWS role and the prefix field (subdomain name).
Step 4: Jamf–Configure Jamf endpoint analytic
Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.
- From your Jamf Protect dashboard, click Analytics.
- Click the All Analytics tab.
Note: An analytic is a configuration that tells an endpoint which events to log.
- Click Create custom analytic.
- Create a new Process Event Analytic by filling in the required fields.
Field: What you'll fill in
Analytic Name: Red Canary: Process
Log Level: 0 (Default)
Categories: Red Canary
- Create a new category if Red Canary does not already exist.
Severity: Informational (Default)
Sensory Type: Process Event
Filter Text View: (( $event.type IN { 0, 1, 2 } ))
- Click Save.
Step 5: Jamf–Create the Red Canary analytic set
Create the group of analytics to determine what telemetry gets sent to Red Canary.
- From your Jamf Protect dashboard, click Analytics.
- Click the Analytic Sets tab.
- Click +Create Analytic Set.
- Enter a name for your Analytic Set.
- From the Analytics in this set section, click the Custom tab.
- Select the Red Canary: Process analytic created in Step 4.
- Click Save.
Step 6: Jamf–Create the Red Canary Managed plan
Create the plan that will be deployed on your endpoints to start sending telemetry to Red Canary.
- From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.
- Click Create Plan.
- Enter a name for your Plan.
- From the Analytic Sets dropdown, select the analytic set from Step 5.3.
Step 7: Jamf–Configure your Jamf Protect data forwarding
Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.
- From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
- Enable Amazon S3 Forwarding.
- Enable Encrypt Forwarded Data.
- Fill in the following fields:
Field: What you'll fill in
Amazon S3 Bucket Name: rc-jamf-protect-native-us-east-2
Prefix: cust_name=<red canary namespace>
Description: The Prefix has to match the user's external service namespace, which will be sent to you via email.
IAM Role: arn:aws:iam::498172931776:role/<red canary namespace>-jamf-protect-role
Description: The IAM details will be provided to you in an email and will have the same form as above, with the angle brackets removed and your namespace filled in.
- Click Save.
- Jamf will immediately attempt to verify access to the S3 bucket. If the configuration saves successfully, forwarding is working; otherwise Jamf will display an error message.
- If an error message appears, first verify that the Prefix field is configured as cust_name=subdomain_name.
- If the error persists, contact engineering to verify that the IAM role was properly provisioned.
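Most failures at this step come from a prefix that does not match the subdomain, a placeholder left in the pasted IAM role ARN, or (for the Protect API client password in Step 3) stray whitespace picked up from the console. The following Python is an added example, not code from Red Canary or Jamf, that checks the Step 7 field values against the forms the article gives before you click Save, and normalizes a pasted secret. It assumes the bucket name and the ARN pattern shown in the article; the subdomain "acme" used in the demonstration is constructed.

```python
import re

# Form constraint from the provisioning request: two or more lowercase alphanumerics.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9]{2,}$")

# Bucket name exactly as the article lists it.
EXPECTED_BUCKET = "rc-jamf-protect-native-us-east-2"

# Shape of the IAM role ARN from the article, with the account id and namespace captured.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([a-z0-9]{2,})-jamf-protect-role$")


def normalize_secret(pasted):
    """Drop whitespace and line breaks that a console copy/paste may insert
    into an API client password or key."""
    return "".join(pasted.split())


def check_forwarding_fields(subdomain, bucket, prefix, role_arn):
    """Return a list of problems with the Amazon S3 forwarding fields.

    An empty list means every field has the form the article requires:
    prefix is cust_name=<subdomain>, the bucket is the expected one, and the
    IAM role ARN names the same subdomain with no placeholder left in it.
    """
    problems = []
    if not SUBDOMAIN_RE.match(subdomain):
        problems.append("subdomain must be two or more lowercase alphanumeric characters")
    if bucket != EXPECTED_BUCKET:
        problems.append(f"bucket name should be {EXPECTED_BUCKET}")
    if "<" in prefix or ">" in prefix:
        problems.append("prefix still contains placeholder angle brackets")
    elif prefix != f"cust_name={subdomain}":
        problems.append(f"prefix must be exactly cust_name={subdomain}")
    if "<" in role_arn or ">" in role_arn:
        problems.append("IAM role ARN still contains placeholder angle brackets")
    else:
        match = ROLE_ARN_RE.match(role_arn)
        if match is None:
            problems.append(
                "IAM role ARN does not match arn:aws:iam::<account>:role/<namespace>-jamf-protect-role")
        elif match.group(2) != subdomain:
            problems.append("namespace in IAM role ARN does not match the subdomain")
    return problems


if __name__ == "__main__":
    # Constructed demonstration values: "acme" is a made-up subdomain.
    demo_subdomain = "acme"
    print(check_forwarding_fields(
        demo_subdomain,
        EXPECTED_BUCKET,
        "cust_name=<red canary namespace>",  # placeholder never replaced
        f"arn:aws:iam::498172931776:role/{demo_subdomain}-jamf-protect-role",
    ))
    print(repr(normalize_secret("abc\n def \r\n")))
```

Run the check with the values you are about to enter; each message maps directly to one field in the Data page, so a non-empty list tells you which field to correct before involving engineering.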
Step 8: Jamf–Synchronize or upload the plan from Jamf Protect to Jamf Pro
After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, we’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.
Step 9: Jamf–Assign computers to the Jamf plan in Jamf Pro
Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.
Step 10: Jamf–Assign Policies to Jamf Isolation Groups
To enhance the endpoint isolation functionality follow Isolate Jamf endpoints with SOAR scripts.