Integrate Jamf EDR with Red Canary
    • 16 Jul 2024
    • 4 Minutes to read
    • PDF

    Integrate Jamf EDR with Red Canary

    • PDF

    Article summary

    Integrating Jamf EDR with Red Canary provides a comprehensive security solution for Apple environments. Please note that the integration of Jamf EDR requires the support of the Red Canary Technical Implementation Manager Team. To integrate Jamf EDR with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    Before you connect Jamf to Red Canary, make sure the following configuration requirements are met:

    • Red Canary Managed Detection & Response (MDR) requires Jamf Pro and Jamf Protect.

    • Jamf Pro and Jamf Protect must be deployed, configured, and enabled within your security environment.

    • The minimum supported macOS version is Catalina (version 10.15).

    • Your Red Canary contact must create an Amazon Web Service (AWS) role so Jamf can write telemetry to a Red Canary Amazon Simple Storage Service (S3) bucket. This will be provided by your implementation manager on your integration call.

    • Red Canary requires API access on Jamf Protect products and a service account on Jamf Pro to manage the integration.

      • Jamf Protect: API access is required to manage the Red Canary analytic which exports, grooms, and controls telemetry data flows from Jamf Protect.

      • Jamf Pro: A service account enables endpoint correlation and response actions.

    Note: The Jamf Protect Red Canary plan should be scoped to all endpoints in Jamf Pro that the customer requires monitoring. 

    To avoid plans interacting with one other, the Jamf Protect Default plan should be de-scoped from these endpoints.

    Step 1: Jamf–Create a Jamf Protect API client ID

    Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.

    1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
      2.png

    2. Click Create API Client.

      • Include Red Canary in the API client name to make tracking and troubleshooting easier.

      • Confirm that the API Client role is set to Full Admin. 

    3. Copy and save the API client password.

      Note: This is the only time the password will be available in clear text.

    4. Copy and save the Client ID.

    5. With your API client ID copied, log in to Red Canary.

    Step 2: Jamf–Create a Jamf Pro Service Account

    Red Canary requires a service account with the following access within Jamf Pro.

    1. Within the Jamf Pro console click Settings in the top-right corner of the page.

    2. In the systems settings section click Jamf Pro User Accounts and Groups.

    3. Click New.

    4. Select Create Standard Account and click Next.

    5. From the Access Level pop-up menu, select  Full Access.

    6. From the Privilege Set pop-up menu, select Custom.

    7. Select the following permissions set.

      • Computers: Read

      • Static Computer Groups: Read and Update

        clip2.jpg

        clip1.jpg

    8. Click Save.

    Step 3: Jamf–Configure Jamf endpoint analytic

    Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.

    1. From your Jamf Protect dashboard, click Analytics

    2. Click the All Analytics tab.

      Note: An analytic is a configuration that tells an endpoint which events to log.

      New_1.png

    3. Click Create custom analytic.

      New_2.png

    4. Create a new Process Event Analytic by filling in the required fields.

      Field 

      What you'll fill in

      Analytic Name

      Red Canary: Process

      Log Level

      0 (Default)

      Categories

      Red Canary

      • Create a new category if Red Canary does not already exist.

      Severity

      Informational (Default)

      Sensory Type

      Process Event

      Filter Text View

      (( $event.type  IN { 0, 1, 2 } ))

      New_3.png New_4.png

    5. Click Save.

    Step 4: Jamf–Create the Red Canary analytic set

    Create the group of analytics to determine what telemetry gets sent to Red Canary.

    1. From your Jamf Protect dashboard, click Analytics.

    2. Click the Analytic Sets tab.

    3. Click +Create Analytic Set.

      New_5.png

    4. Enter a name for your Analytic Set.

    5. From the Analytics in this set section, click the Custom tab.

    6. Select the Red Canary: Process analytic set from Step 4.4.

      New_6.png

    7. Click Save.

    Step 5: Jamf–Create the Red Canary Managed plan

    Create the plan that will be deployed on your endpoints to start sending telemetry to Red Canary.

    1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.

    2. Click Create Plan.
      New_7.png

    3. Enter a name for your Plan.

    4. From the Analytic Sets dropdown, select the analytic set from Step 5.4.

      New_8.png

    Step 6: Jamf–Configure your Jamf Protect data forwarding

    Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.

    1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
      6.png

    2. Enable Amazon S3 Forwarding.

    3. Enable Encrypt Forwarded Data.

    4. Fill in the following fields:

      Field 

      What you'll fill in

      Amazon S3 Bucket Name

      rc-jamf-protect-native-us-east-2

      Prefix

      cust_name=

      Description: The Prefix has match the user’s external service namespace. This will be sent via email.

      IAM Role

      arn:aws:iam::498172931776:role/ -jamf-protect-role

      Description: IAM Details will be provided to you in an email and will be of similar form as above with carrots removed and the user's namespace filled in.

      7.png

    5. Click Save.

    6. JAMF will immediately attempt to verify the S3 bucket access. If it saves successfully that means it’s working, otherwise it’ll provide an error message

      1. If an error message is encountered first verify the Prefix field is properly configured with cust_name=subdomain_name.

      2. If the error persists, contact engineering to verify the IAM role was properly provisioned.

    Step 7: Jamf–Synchronize or upload the plan from Jamf Protect to Jamf Pro

    After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, you’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.

    Step 8: Jamf–Assign computers to the Jamf plan in Jamf Pro

    Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.

    Step 9: Jamf–Assign Policies to Jamf Isolation Groups

    To enhance the endpoint isolation functionality follow Isolating and Deisolating Endpoints using Jamf.


    Was this article helpful?