Splunk SOAR (f.k.a. Phantom)

How to enrich the endpoint tickets for MacOS Jamf Host Lookup?

brandylee1993
Explorer

How can I enrich the endpoint tickets, where the ticket is for a MacOS host, lookup the host in Jamf and return the following fields: Site, Username, and Full Name. Expected results for 'Site' include "NA - Retail" and "NA - Corp" among others.

Labels (1)
1 Solution

phanTom
SplunkTrust
SplunkTrust

@brandylee1993 hopefully you got your answer? Otherwise:

I can't see any JAMF app in Phantom but if it has an API (non OAUTH) then you can use the HTTP app to GET data from the API. 

If there is an OAUTH requirement then you will likely need to create an app to get the token and then query the API for the data you require. Then a Playbook could add this data to an existing ticket. 
I highly recommend running through the tutorial to see if i might be simple to build a JAMF app (https://docs.splunk.com/Documentation/Phantom/4.9/DevelopApps/Tutorial)

If this helped anyone, please add a Karma below!

View solution in original post

PazDak
Engager

Splunk released a Phantom App for Jamf a few weeks ago. I haven't really checked out much about it yet.

https://my.phantom.us/4.10/apps/?search=JAMF

0 Karma

phanTom
SplunkTrust
SplunkTrust

@brandylee1993 hopefully you got your answer? Otherwise:

I can't see any JAMF app in Phantom but if it has an API (non OAUTH) then you can use the HTTP app to GET data from the API. 

If there is an OAUTH requirement then you will likely need to create an app to get the token and then query the API for the data you require. Then a Playbook could add this data to an existing ticket. 
I highly recommend running through the tutorial to see if i might be simple to build a JAMF app (https://docs.splunk.com/Documentation/Phantom/4.9/DevelopApps/Tutorial)

If this helped anyone, please add a Karma below!

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...