- 16 Jul 2024
- 4 Minutes to read
- PDF
Integrate Jamf EDR with Red Canary
- Updated on 16 Jul 2024
- 4 Minutes to read
- PDF
Integrating Jamf EDR with Red Canary provides a comprehensive security solution for Apple environments. Please note that the integration of Jamf EDR requires the support of the Red Canary Technical Implementation Manager Team. To integrate Jamf EDR with Red Canary, follow the procedure below from beginning to end.
Prerequisites
Before you connect Jamf to Red Canary, make sure the following configuration requirements are met:
Red Canary Managed Detection & Response (MDR) requires Jamf Pro and Jamf Protect.
Jamf Pro and Jamf Protect must be deployed, configured, and enabled within your security environment.
The minimum supported macOS version is Catalina (version 10.15).
Your Red Canary contact must create an Amazon Web Service (AWS) role so Jamf can write telemetry to a Red Canary Amazon Simple Storage Service (S3) bucket. This will be provided by your implementation manager on your integration call.
Red Canary requires API access on Jamf Protect products and a service account on Jamf Pro to manage the integration.
Jamf Protect: API access is required to manage the Red Canary analytic which exports, grooms, and controls telemetry data flows from Jamf Protect.
Jamf Pro: A service account enables endpoint correlation and response actions.
Note: The Jamf Protect Red Canary plan should be scoped to all endpoints in Jamf Pro that the customer requires monitoring.
To avoid plans interacting with one other, the Jamf Protect Default plan should be de-scoped from these endpoints.
Step 1: Jamf–Create a Jamf Protect API client ID
Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.
From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
Click Create API Client.
Include Red Canary in the API client name to make tracking and troubleshooting easier.
Confirm that the API Client role is set to Full Admin.
Copy and save the API client password.
Note: This is the only time the password will be available in clear text.
Copy and save the Client ID.
With your API client ID copied, log in to Red Canary.
Step 2: Jamf–Create a Jamf Pro Service Account
Red Canary requires a service account with the following access within Jamf Pro.
Within the Jamf Pro console click Settings in the top-right corner of the page.
In the systems settings section click Jamf Pro User Accounts and Groups.
Click New.
Select Create Standard Account and click Next.
From the Access Level pop-up menu, select Full Access.
From the Privilege Set pop-up menu, select Custom.
Select the following permissions set.
Computers: Read
Static Computer Groups: Read and Update
Click Save.
Step 3: Jamf–Configure Jamf endpoint analytic
Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.
From your Jamf Protect dashboard, click Analytics.
Click the All Analytics tab.
Note: An analytic is a configuration that tells an endpoint which events to log.
Click Create custom analytic.
Create a new Process Event Analytic by filling in the required fields.
Field
What you'll fill in
Analytic Name
Red Canary: Process
Log Level
0 (Default)
Categories
Red Canary
Create a new category if Red Canary does not already exist.
Severity
Informational (Default)
Sensory Type
Process Event
Filter Text View
(( $event.type IN { 0, 1, 2 } ))
Click Save.
Step 4: Jamf–Create the Red Canary analytic set
Create the group of analytics to determine what telemetry gets sent to Red Canary.
From your Jamf Protect dashboard, click Analytics.
Click the Analytic Sets tab.
Click +Create Analytic Set.
Enter a name for your Analytic Set.
From the Analytics in this set section, click the Custom tab.
Select the Red Canary: Process analytic set from Step 4.4.
Click Save.
Step 5: Jamf–Create the Red Canary Managed plan
Create the plan that will be deployed on your endpoints to start sending telemetry to Red Canary.
From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.
Click Create Plan.
Enter a name for your Plan.
From the Analytic Sets dropdown, select the analytic set from Step 5.4.
Step 6: Jamf–Configure your Jamf Protect data forwarding
Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.
From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
Enable Amazon S3 Forwarding.
Enable Encrypt Forwarded Data.
Fill in the following fields:
Field
What you'll fill in
Amazon S3 Bucket Name
rc-jamf-protect-native-us-east-2
Prefix
cust_name=
Description: The Prefix has match the user’s external service namespace. This will be sent via email.
IAM Role
arn:aws:iam::498172931776:role/ -jamf-protect-role
Description: IAM Details will be provided to you in an email and will be of similar form as above with carrots removed and the user's namespace filled in.
Click Save.
JAMF will immediately attempt to verify the S3 bucket access. If it saves successfully that means it’s working, otherwise it’ll provide an error message
If an error message is encountered first verify the Prefix field is properly configured with cust_name=subdomain_name.
If the error persists, contact engineering to verify the IAM role was properly provisioned.
Step 7: Jamf–Synchronize or upload the plan from Jamf Protect to Jamf Pro
After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, you’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.
Step 8: Jamf–Assign computers to the Jamf plan in Jamf Pro
Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.
Step 9: Jamf–Assign Policies to Jamf Isolation Groups
To enhance the endpoint isolation functionality follow Isolating and Deisolating Endpoints using Jamf.