Skip to main content
Red Canary help

Integrate Jamf EDR with Red Canary

  • Updated .

This article leads you through the process of integrating Jamf EDR with Red Canary. Follow the procedure from beginning to end.

Estimated procedure time: 15 Minutes

Prerequisites

Before you connect Jamf to Red Canary, make sure the following configuration requirements are met:

  • Red Canary Managed Detection & Response (MDR) requires Jamf Pro and Jamf Protect.
  • Jamf Pro and Jamf Protect must be deployed, configured, and enabled within your security environment.
  • The minimum supported macOS version is Catalina (version 10.15).
  • Red Canary requires API access on Jamf Protect products and a service account on Jamf Pro to manage the integration.
    • Jamf Protect: API access is required to manage the Red Canary analytic which exports, grooms, and controls telemetry data flows from Jamf Protect.
    • Jamf Pro:  A service account enables endpoint correlation and response actions.

Step 1: Jamf–Create a Jamf Protect API client ID 

Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.

  1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
    2.png
  2. Click Create API Client.
    1. Include Red Canary in the API client name to make tracking and troubleshooting easier.
  3. Copy and save the API client password.
    Note: This is the only time the password will be available in clear text.
  4. Copy and save the Client ID.
  5. With your API client ID copied, log in to Red Canary.

Step 2: Jamf–Create a Jamf Pro Service Account

Red Canary requires a service account with the following access within Jamf Pro.

  1. Create a Jamf Pro user account.
  2. Under Jamf Pro Server Objects, enable the following:
    1. Computers: Read
    2. Static Computer Groups: Read and Update
      2.1.png2.2.png

Step 3: Red Canary–Provision Red Canary with Jamf

Reach out to a Red Canary representative to use the Red Canary provisioning portal to create an Amazon Web Service (AWS) role and configure the Jamf Protect Action configuration so Jamf can send telemetry to Red Canary. Learn more about provisioning Red Canary with Jamf EDR. 

Step 4: Jamf–Configure Jamf endpoint analytic

Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.

  1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Analytics. An analytic is a configuration that tells an endpoint which events to log.
    3.png
  2. Click Create Analytic.
    4.png
  3. Create a new Process Event Analytic by filling in the required fields.
    Field  What you'll fill out
    Analytic Name

    Red Canary: Process
    Log Level

    0 (Default)
    Categories

    Red Canary

    • Create a new category if Red Canary does not already exist.
    Severity

    Informational (Default)
    Sensory Type

    Process Event
    Filter Text View

    (( $event.type  IN { 0, 1, 2 } ))

    5.png
  4. Click Save.

Step 5: Jamf–Assign analytics to the Red Canary Managed plan 

Assign analytics within Jamf Protect to your Red Canary Managed plan. This process configures the Jamf endpoint software to send telemetry to Red Canary. These analytics will follow the custom action configuration created by Red Canary to properly groom your telemetry before exporting.

  1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.

  2. Click Red Canary Plan. This plan will be created automatically during the provisioning process to streamline telemetry flow into Red Canary.
  3. Add Red Canary Analytic to the plan.
    1. This is the same analytic created in Configure Jamf endpoint analytics.
    2. The remaining analytics can be configured at your discretion. It may be beneficial to enable the Alert actions analytics.
    3. The Red Canary Plan is the only Jamf Plan for which Red Canary Analytics are to be used. This plan has been pre-configured with specific parameters to enable Red Canary telemetry flow. Using Red Canary Analytics with other plans isn’t supported.
  4. Click Save Plan Analytics.

Step 6: Jamf–Configure your Jamf Protect data forwarding

Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.

  1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
    6.png
  2. Enable Amazon S3 Forwarding.
  3. Enable Encrypt Forwarded Data.
  4. Fill in the following fields:
    Field  What you'll fill out
    Amazon S3 Bucket Name

    rc-jamf-protect-native-us-east-2
    Prefix

    cust_name=<red canary namespace>

    Description: The Prefix has match the user’s external service namespace. This will be sent via email.
    IAM Role

    arn:aws:iam::498172931776:role/<red canary namespace>-jamf-protect-role

    Description: IAM Details will be provided to you in an email and will be of similar form as above with carrots removed and the user's namespace filled in.

    7.png
  5. Click Save.
  6. JAMF will immediately attempt to verify the S3 bucket access. If it saves successfully that means it’s working, otherwise it’ll provide an error message
    1. If an error message is encountered first verify the Prefix field is properly configured with cust_name=subdomain_name.
    2. If the error persists, contact engineering to verify the IAM role was properly provisioned.

Step 7: Jamf–Synchronize or upload the plan from Jamf Protect to Jamf Pro

After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, we’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.

Step 8: Jamf–Assign computers to the Jamf plan in Jamf Pro

Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.

Comments

0 comments

Please sign in to leave a comment.