Integrate Jamf EDR with Red Canary

Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.

1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
   

2. Click Create API Client.

   • Include Red Canary in the API client name to make tracking and troubleshooting easier.

   • Confirm that the API Client role is set to Full Admin. 

3. Copy and save the API client password.

   Note: This is the only time the password will be available in clear text.

4. Copy and save the Client ID.

5. With your API client ID copied, log in to Red Canary.

Red Canary requires a service account with the following access within Jamf Pro.

1. Within the Jamf Pro console click Settings in the top-right corner of the page.

2. In the systems settings section click Jamf Pro User Accounts and Groups.

3. Click New.

4. Select Create Standard Account and click Next.

5. From the Access Level pop-up menu, select  Full Access.

6. From the Privilege Set pop-up menu, select Custom.

7. Select the following permissions set.

   • Computers: Read

   • Static Computer Groups: Read and Update

     

     

8. Click Save.

Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.

1. From your Jamf Protect dashboard, click Analytics. 

2. Click the All Analytics tab.

   Note: An analytic is a configuration that tells an endpoint which events to log.

   

3. Click Create custom analytic.

   

4. Create a new Process Event Analytic by filling in the required fields.

   Field	What you'll fill in
   Analytic Name	Red Canary: Process
   Log Level	0 (Default)
   Categories	Red Canary Create a new category if Red Canary does not already exist.
   Severity	Informational (Default)
   Sensory Type	Process Event
   Filter Text View	(( $event.type  IN { 0, 1, 2 } ))

   

5. Click Save.

Create the group of analytics to determine what telemetry gets sent to Red Canary.

1. From your Jamf Protect dashboard, click Analytics.

2. Click the Analytic Sets tab.

3. Click +Create Analytic Set.

   

4. Enter a name for your Analytic Set.

5. From the Analytics in this set section, click the Custom tab.

6. Select the Red Canary: Process analytic set from Step 4.4.

   

7. Click Save.

Create the plan that will be deployed on your endpoints to start sending telemetry to Red Canary.

1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.

2. Click Create Plan.
   

3. Enter a name for your Plan.

4. From the Analytic Sets dropdown, select the analytic set from Step 5.4.

   

Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.

1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
   

2. Enable Amazon S3 Forwarding.

3. Enable Encrypt Forwarded Data.

4. Fill in the following fields:

   Field	What you'll fill in
   Amazon S3 Bucket Name	rc-jamf-protect-native-us-east-2
   Prefix	cust_name= Description: The Prefix has match the user’s external service namespace. This will be sent via email.
   IAM Role	arn:aws:iam::498172931776:role/ -jamf-protect-role Description: IAM Details will be provided to you in an email and will be of similar form as above with carrots removed and the user's namespace filled in.

   

5. Click Save.

6. JAMF will immediately attempt to verify the S3 bucket access. If it saves successfully that means it’s working, otherwise it’ll provide an error message

   1. If an error message is encountered first verify the Prefix field is properly configured with cust_name=subdomain_name.

   2. If the error persists, contact engineering to verify the IAM role was properly provisioned.

After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, you’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.

Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.

To enhance the endpoint isolation functionality follow Isolating and Deisolating Endpoints using Jamf.