Creating an Action Configuration

You can create multiple action configurations in Jamf Protect and then add them to a plan.

  1. In Jamf Protect, click Actions.
  2. Click Create Action at the top of the screen.
  3. Give your action configuration a name and description.
  4. Configure Cloud Collection Options.
    1. Select Send Alert Data to Jamf Protect to send alerts to the Jamf Protect Cloud.

      You can also choose a severity range to limit which alerts are sent to the cloud. By default, the minimum severity is set to Low.

    2. Select Forward Unified Log Data to a Third Party Storage Solution to determine whether unified log data is collected by Jamf Protect.

      Unified log data is not displayed in the Jamf Protect web app. To view this data, you must enable data forwarding to an Amazon S3 bucket or Azure Sentinel. For more information, see Data Forwarding to a Third Party Storage Solution.

  5. Configure the Alert Collection Endpoints settings to send data to one or more remote collection endpoints.

    You can send data directly to an existing security analytics or orchestration layer, such as a security information and event management (SIEM) system. Depending on your collection endpoint environment, you can use the same endpoint for all alert data collection or separate endpoints for different alert severity levels. In addition to configuring one or more endpoints, you can also configure multiple HTTPS headers that an endpoint may require for authentication.

    Best Practice:

    You can send alerts with different severity levels to different endpoints. For example, you can send informational alerts (formerly logs) to one endpoint and all other alerts (low, medium, high) to a different endpoint.

  6. Configure the verbosity of data collection by the Jamf Protect agent. You can control the verbosity of all data collection per event type. By default, Jamf Protect collects all available metadata, but you can exclude certain data attributes to suit your environment.

    If you intend to use Jamf Protect to stream a large volume of events to another system for analysis, some data attributes may be expensive to collect. For example, if you have created and deployed an Analytic that remotely logs all file creation events, collecting signing information for all files will cause a high operation cost for your data collection endpoint.

  7. Click Save.

You can now add your action configuration to a plan for deployment. If you edit an action configuration, changes will be automatically applied to computers assigned the action as part of their plan the next time they check in with Jamf Protect.
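The following is an added example, not Jamf Protect's own code or schema: it models how the cloud collection and alert collection endpoint settings from steps 4 and 5 fan a single alert out to its destinations, so you can sanity-check a severity split before deploying it in a plan. The class and field names (`ActionConfig`, `Endpoint`, `min_severity`, `max_severity`), the alert field names, the example URLs and the header values are all assumptions and placeholders; only the severity levels (informational, low, medium, high) and the default cloud minimum of Low come from the page.

```python
"""Model of an action configuration's fan-out: which destinations receive
one alert, and with which HTTPS headers. Example code, not Jamf Protect's."""
from dataclasses import dataclass, field

# Severity levels as the page lists them, lowest to highest.
SEVERITY_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def severity_in_range(severity, minimum, maximum):
    """True if severity lies within [minimum, maximum]; unknown levels are rejected."""
    try:
        level = SEVERITY_ORDER[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}")
    return SEVERITY_ORDER[minimum] <= level <= SEVERITY_ORDER[maximum]


@dataclass
class Endpoint:
    """One remote collection endpoint (assumed model). Headers are sent with
    every POST and are where an endpoint's authentication token would go."""
    url: str
    min_severity: str = "informational"
    max_severity: str = "high"
    headers: dict = field(default_factory=dict)


@dataclass
class ActionConfig:
    """Assumed model of an action configuration. The cloud minimum defaults
    to Low, as the page states."""
    name: str
    send_to_cloud: bool = True
    cloud_min_severity: str = "low"
    cloud_max_severity: str = "high"
    endpoints: list = field(default_factory=list)


def dispatch(config, alert):
    """Return a list of (destination, headers) pairs that receive this alert."""
    sev = alert["severity"]
    targets = []
    if config.send_to_cloud and severity_in_range(
        sev, config.cloud_min_severity, config.cloud_max_severity
    ):
        targets.append(("jamf-protect-cloud", {}))
    for ep in config.endpoints:
        if severity_in_range(sev, ep.min_severity, ep.max_severity):
            # Copy so a caller cannot mutate the configured headers.
            targets.append((ep.url, dict(ep.headers)))
    return targets


# Constructed configuration following the page's best practice: informational
# alerts to one endpoint, low/medium/high alerts to a different one.
# URLs and header values are placeholders.
BEST_PRACTICE = ActionConfig(
    name="example-action",
    endpoints=[
        Endpoint("https://logs.example.invalid/ingest", "informational",
                 "informational", {"Authorization": "Bearer PLACEHOLDER"}),
        Endpoint("https://siem.example.invalid/alerts", "low", "high",
                 {"X-Api-Key": "PLACEHOLDER"}),
    ],
)

# Constructed sample alerts; the field names are assumed, not a Jamf schema.
SAMPLE_ALERTS = [
    {"event": "FileCreated", "severity": "informational"},
    {"event": "SuspiciousProcess", "severity": "high"},
]


def destinations_for(alert, config=BEST_PRACTICE):
    """Just the destination names, for quick inspection."""
    return [dest for dest, _ in dispatch(config, alert)]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["severity"], "->", destinations_for(a))
```

With the default cloud minimum of Low, an informational alert reaches only the informational endpoint, while a high alert goes both to the cloud and to the SIEM endpoint; an unrecognised severity string raises rather than being silently dropped, which is the failure mode you want to notice before a plan is deployed.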