diff --git a/packages/jamf_pro/changelog.yml b/packages/jamf_pro/changelog.yml index 673c1fa7b2e..5bb7b5b8d39 100644 --- a/packages/jamf_pro/changelog.yml +++ b/packages/jamf_pro/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Add support for ECS entity fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/18503 - version: "1.1.0" changes: - description: Add `host.id` and `host.name` fields to the inventory data stream. diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json index e8ece18b0be..fd627f116ba 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "92.5786" + } }, "jamf_pro": { "events": { @@ -61,9 +69,6 @@ } } }, - "os": { - "version": "92.5786" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json index 0e97f69a15f..63554a42b95 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -28,7 +33,10 @@ "ip": [ "89.160.20.156" ], - "name": "YMXA8" + "name": "YMXA8", + "os": { + "version": "87.2388" + } }, "jamf_pro": { "events": { @@ -67,9 +75,6 @@ } } }, - "os": { - "version": "87.2388" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json index 05d93a4a234..73b15cb6e10 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "57.4997" + } }, "jamf_pro": { "events": { @@ -61,9 +69,6 @@ } } }, - "os": { - "version": "57.4997" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json index faffe32e370..bdd10571f03 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -28,7 +33,10 @@ "ip": [ "89.160.20.156" ], - "name": "2ECRW" + "name": "2ECRW", + "os": { + "version": "17.1406" + } }, "jamf_pro": { "events": { @@ -73,9 +81,6 @@ } } }, - "os": { - "version": "17.1406" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json index e24d4b8e2ca..1e420e32daa 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -28,7 +33,10 @@ "ip": [ "89.160.20.156" ], - "name": "GBTN2" + "name": "GBTN2", + "os": { + "version": "37.5296" + } }, "jamf_pro": { "events": { @@ -67,9 +75,6 @@ } } }, - "os": { - "version": "37.5296" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json index 0672cdff027..12cfd832643 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "27.2234" + } }, "jamf_pro": { "events": { @@ -61,9 +69,6 @@ } } }, - "os": { - "version": "27.2234" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json index e013be533f8..494b40bcd03 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json @@ -8,6 +8,13 @@ "action": "DeviceAddedToDEP", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json index c46b8d290a2..b8a3aba7d05 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json @@ -8,6 +8,13 @@ "action": "JSSShutdown", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json index 7a5fbdd8cdb..307dd93208b 100644 
--- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json @@ -8,6 +8,13 @@ "action": "JSSStartup", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json index 8d1f8395c6e..0d6f65d2b17 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "04.8092" + } }, "jamf_pro": { "events": { @@ -59,9 +67,6 @@ } } }, - "os": { - "version": "04.8092" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json index 10984b6e802..55b2aeb8645 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "99.4028" + } }, "jamf_pro": { "events": { @@ -59,9 +67,6 @@ } } }, - "os": { - "version": "99.4028" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json index 8df395c2d69..62b04117ce8 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "85.9454" + } }, "jamf_pro": { "events": { @@ -59,9 +67,6 @@ } } }, - "os": { - "version": "85.9454" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json index fd532fc97d7..9be8a3c922f 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "67.8497" + } }, "jamf_pro": { "events": { @@ -59,9 +67,6 @@ } } }, - "os": { - "version": "67.8497" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json index c6a425149be..ffe21c5521b 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "11.3415" + } }, "jamf_pro": { "events": { @@ -59,9 +67,6 @@ } } }, - "os": { - "version": "11.3415" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json index 8b07b0a392e..e4c29088ec2 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -26,7 +31,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "34.8068" + } }, "jamf_pro": { "events": { @@ -59,9 +67,6 @@ } } }, - "os": { - "version": "34.8068" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json index a2e076bdb15..7f7690502fa 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json @@ -8,6 +8,13 @@ "action": "PatchSoftwareTitleUpdated", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json index 02b7cf0b157..bed623ad05b 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json @@ -8,6 +8,13 @@ "action": "PushSent", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { 
diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json index 9b19b063566..a9f9dbd01b5 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json @@ -8,6 +8,13 @@ "action": "RestAPIOperation", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json index 97959b0c726..c6b198c2a7d 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json @@ -8,6 +8,13 @@ "action": "SCEPChallenge", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json index e12f346726b..6aaaa3b4c10 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json 
@@ -8,6 +8,13 @@ "action": "SmartGroupComputerMembershipChange", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json index ff026170e59..a3553fc08fa 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json @@ -8,6 +8,13 @@ "action": "SmartGroupMobileDeviceMembershipChange", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json index 8cd500f0bc9..d6e83619d3a 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json @@ -8,6 +8,13 @@ "action": "SmartGroupUserMembershipChange", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml index ba5f90bae83..dd51553df6a 100644 
--- a/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -74,6 +74,11 @@ processors: formats: - UNIX_MS +- set: + field: host.entity.lifecycle.last_activity + copy_from: jamf_pro.events.webhook.event_timestamp + ignore_empty_value: true + ############## # IP src # ############## @@ -124,12 +129,12 @@ processors: - set: if: ctx.jamf_pro.events.event.os_version != null - field: os.version + field: host.os.version copy_from: jamf_pro.events.event.os_version - set: if: ctx.jamf_pro.events.event.computer?.os_version != null - field: os.version + field: host.os.version copy_from: jamf_pro.events.event.computer.os_version diff --git a/packages/jamf_pro/data_stream/events/fields/ecs.yml b/packages/jamf_pro/data_stream/events/fields/ecs.yml new file mode 100644 index 00000000000..f87859a659e --- /dev/null +++ b/packages/jamf_pro/data_stream/events/fields/ecs.yml @@ -0,0 +1,11 @@ +- name: host + type: group + fields: + - name: entity + type: group + fields: + - name: lifecycle + type: group + fields: + - name: last_activity + type: date diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json new file mode 100644 index 00000000000..5d662f255ae --- /dev/null +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json 
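Review bot: The new `set` for `host.entity.lifecycle.last_activity` runs unconditionally, so server- and API-level events that carry no device at all (the expected fixtures for JSSShutdown, JSSStartup, RestAPIOperation, SCEPChallenge and PushSent in this diff now contain a bare `host.entity` object with no `host.id` or `host.name`) emit a host entity record that is keyed to nothing. I would gate it on a host identifier, `if: ctx.host?.id != null || ctx.host?.name != null`, and, if the processors that populate `host.id`/`host.name` run later in the pipeline (the hunk does not show them), move this `set` after them. A one-line comment above the processor, `# Host entity lifecycle: only meaningful when the webhook refers to a managed device`, would record the intent for the next maintainer.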
@@ -0,0 +1,113 @@ +{ + "events": [ + { + "message": { + "id": "20", + "udid": "C3D4E5F6-A7B8-9012-CDEF-012345678902", + "general": { + "name": "test-device-admins", + "lastIpAddress": "89.160.20.156", + "platform": "Mac", + "remoteManagement": { + "managed": true + }, + "supervised": true, + "mdmCapable": { + "capable": true, + "capableUsers": [] + }, + "managementId": "c3d4e5f6-a7b8-9012-cdef-012345678902", + "reportDate": "2024-06-19T15:54:37.692Z", + "enrolledViaAutomatedDeviceEnrollment": false, + "declarativeDeviceManagementEnabled": false, + "userApprovedMdm": false, + "itunesStoreAccountActive": false, + "extensionAttributes": [] + }, + "diskEncryption": null, + "localUserAccounts": [ + { + "uid": "501", + "username": "alice", + "email": "alice@example.com", + "fullName": "Alice Example", + "admin": true, + "homeDirectory": "/Users/alice", + "homeDirectorySizeMb": 50000, + "fileVault2Enabled": true, + "userAccountType": "localUser", + "passwordMinLength": 8, + "passwordMaxAge": 90, + "passwordMinComplexCharacters": 1, + "passwordHistoryDepth": 5, + "passwordRequireAlphanumeric": true, + "azureActiveDirectoryId": null, + "userAzureActiveDirectoryId": null, + "computerAzureActiveDirectoryId": null, + "userGuid": null + }, + { + "uid": "502", + "username": "bob", + "fullName": "Bob Example", + "admin": false, + "homeDirectory": "/Users/bob", + "homeDirectorySizeMb": 30000, + "fileVault2Enabled": false, + "userAccountType": "localUser", + "passwordMinLength": 8, + "passwordMaxAge": 90, + "passwordMinComplexCharacters": 1, + "passwordHistoryDepth": 5, + "passwordRequireAlphanumeric": true, + "azureActiveDirectoryId": null, + "userAzureActiveDirectoryId": null, + "computerAzureActiveDirectoryId": null, + "userGuid": null + }, + { + "uid": "503", + "username": "carol", + "email": "carol@example.com", + "fullName": "Carol Example", + "admin": true, + "homeDirectory": "/Users/carol", + "homeDirectorySizeMb": 40000, + "fileVault2Enabled": true, + "userAccountType": 
"localUser", + "passwordMinLength": 12, + "passwordMaxAge": 60, + "passwordMinComplexCharacters": 2, + "passwordHistoryDepth": 10, + "passwordRequireAlphanumeric": true, + "azureActiveDirectoryId": null, + "userAzureActiveDirectoryId": null, + "computerAzureActiveDirectoryId": null, + "userGuid": null + } + ], + "purchasing": null, + "printers": null, + "storage": null, + "applications": null, + "userAndLocation": null, + "configurationProfiles": null, + "services": null, + "plugins": null, + "hardware": null, + "certificates": null, + "attachments": null, + "packageReceipts": null, + "fonts": null, + "security": null, + "operatingSystem": null, + "licensedSoftware": null, + "softwareUpdates": null, + "groupMemberships": null, + "extensionAttributes": null, + "contentCaching": null, + "ibeacons": null + } + } + ] +} diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json new file mode 100644 index 00000000000..168a386371f --- /dev/null +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json 
@@ -0,0 +1,154 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "asset" + }, + "host": { + "address": [ + "89.160.20.156" + ], + "entity": { + "attributes": { + "managed": true + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "id": "C3D4E5F6-A7B8-9012-CDEF-012345678902", + "ip": [ + "89.160.20.156" + ], + "name": "test-device-admins", + "os": { + "platform": "Mac" + } + }, + "jamf_pro": { + "inventory": { + "general": { + "declarative_device_management_enabled": false, + "enrolled_via_automated_device_enrollment": false, + "itunes_store_account_active": false, + "last_ip_address": "89.160.20.156", + "last_ip_address_geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "management_id": "c3d4e5f6-a7b8-9012-cdef-012345678902", + "mdm_capable": { + "capable": true + }, + "name": "test-device-admins", + "platform": "Mac", + "remote_management": { + "managed": true + }, + "report_date": "2024-06-19T15:54:37.692Z", + "supervised": true, + "user_approved_mdm": false + }, + "id": "20", + "local_user_accounts": [ + { + "admin": true, + "email": "alice@example.com", + "file_vault2enabled": true, + "full_name": "Alice Example", + "home_directory": "/Users/alice", + "home_directory_size_mb": 50000, + "password_history_depth": 5, + "password_max_age": 90, + "password_min_complex_characters": 1, + "password_min_length": 8, + "password_require_alphanumeric": true, + "uid": "501", + "user_account_type": "localUser", + "username": "alice" + }, + { + "admin": false, + "file_vault2enabled": false, + "full_name": "Bob Example", + 
"home_directory": "/Users/bob", + "home_directory_size_mb": 30000, + "password_history_depth": 5, + "password_max_age": 90, + "password_min_complex_characters": 1, + "password_min_length": 8, + "password_require_alphanumeric": true, + "uid": "502", + "user_account_type": "localUser", + "username": "bob" + }, + { + "admin": true, + "email": "carol@example.com", + "file_vault2enabled": true, + "full_name": "Carol Example", + "home_directory": "/Users/carol", + "home_directory_size_mb": 40000, + "password_history_depth": 10, + "password_max_age": 60, + "password_min_complex_characters": 2, + "password_min_length": 12, + "password_require_alphanumeric": true, + "uid": "503", + "user_account_type": "localUser", + "username": "carol" + } + ], + "udid": "C3D4E5F6-A7B8-9012-CDEF-012345678902" + } + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "user": { + "entity": { + "attributes": { + "administered_by": [ + { + "email": "alice@example.com", + "user": { + "id": "501", + "name": "alice" + } + }, + { + "email": "carol@example.com", + "user": { + "id": "503", + "name": "carol" + } + } + ] + } + } + } + } + ] +} diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json index e2a02ba8eb2..93d9305feb1 100644 --- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json @@ -32,6 +32,20 @@ "id": "3", "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC" } + }, + "user": { + "group": { + "id": [ + "1", + "4", + "5" + ], + "name": [ + "All Managed Clients", + "Computers with updates", + "All Managed Computers" + ] + } } }, { 
@@ -66,6 +80,20 @@ "id": "4", "udid": "DBAEF5A6-82D5-5327-A480-A904F42F3F98" } + }, + "user": { + "group": { + "id": [ + "1", + "5", + "7" + ], + "name": [ + "All Managed Clients", + "All Managed Computers", + "App Installed: Microsoft Outlook" + ] + } } } ] diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json index aca13119512..0aeff00c7fa 100644 --- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json @@ -70,6 +70,18 @@ ], "udid": "D6DD5611-B15A-5AA1-B498-52A4CB17D18D" } + }, + "user": { + "group": { + "id": [ + "1", + "4" + ], + "name": [ + "All Managed Clients", + "Computers with updates" + ] + } } }, { @@ -133,11 +145,17 @@ "kind": "asset" }, "host": { - "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", - "name": "acme-C07DM3AZQ6NV", "address": [ "89.160.20.156" ], + "entity": { + "attributes": { + "managed": true + }, + "lifecycle": { + "last_activity": "2024-04-18T14:26:51.514Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -150,9 +168,14 @@ "region_iso_code": "SE-E", "region_name": "Östergötland County" }, + "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", "ip": [ "89.160.20.156" - ] + ], + "name": "acme-C07DM3AZQ6NV", + "os": { + "platform": "Mac" + } }, "jamf_pro": { "inventory": { @@ -207,9 +230,6 @@ "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC" } }, - "os": { - "platform": "Mac" - }, "related": { "ip": [ "89.160.20.156" 
@@ -224,11 +244,17 @@ "kind": "asset" }, "host": { - "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", - "name": "acme-C07DM3AZQ6NV", "address": [ "89.160.20.156" ], + "entity": { + "attributes": { + "managed": true + }, + "lifecycle": { + "last_activity": "2024-04-18T14:26:51.514Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -241,9 +267,14 @@ "region_iso_code": "SE-E", "region_name": "Östergötland County" }, + "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", "ip": [ "89.160.20.156" - ] + ], + "name": "acme-C07DM3AZQ6NV", + "os": { + "platform": "Mac" + } }, "jamf_pro": { "inventory": { @@ -306,9 +337,6 @@ "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC" } }, - "os": { - "platform": "Mac" - }, "related": { "ip": [ "89.160.20.156" @@ -329,7 +357,12 @@ "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A", "mac": [ "88-4D-7C-74-6F-22" - ] + ], + "os": { + "full": "sonoma", + "name": "macOS", + "version": "14.7.2" + } }, "jamf_pro": { "inventory": { @@ -420,10 +453,17 @@ "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } }, - "os": { - "full": "sonoma", - "name": "macOS", - "version": "14.7.2" + "user": { + "group": { + "id": [ + "1", + "5" + ], + "name": [ + "All Managed Clients", + "Zero Touch Devices" + ] + } } }, { @@ -434,7 +474,12 @@ "kind": "asset" }, "host": { - "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A" + "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A", + "os": { + "full": "sonoma", + "name": "macOS", + "version": "14.7.0" + } }, "jamf_pro": { "inventory": { @@ -461,11 +506,6 @@ }, "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } - }, - "os": { - "full": "sonoma", - "name": "macOS", - "version": "14.7.0" } }, { @@ -476,7 +516,12 @@ "kind": "asset" }, "host": { - "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A" + "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A", + "os": { + "full": "sonoma", + "name": "macOS", + "version": "14.0.0" + } }, "jamf_pro": { "inventory": { 
@@ -503,11 +548,6 @@ }, "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } - }, - "os": { - "full": "sonoma", - "name": "macOS", - "version": "14.0.0" } } ] diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml index 894a48dfb55..32735b5d032 100644 --- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml @@ -128,7 +128,15 @@ processors: ignore_empty_value: true ignore_failure: true - set: - field: os.name + field: host.entity.attributes.managed + copy_from: jamf_pro.inventory.general.remote_management.managed + ignore_empty_value: true +- set: + field: host.entity.lifecycle.last_activity + copy_from: jamf_pro.inventory.general.last_contact_time + ignore_empty_value: true +- set: + field: host.os.name copy_from: jamf_pro.inventory.operating_system.name ignore_empty_value: true - script: @@ -199,17 +207,20 @@ processors: ctx.jamf_pro.inventory.operating_system.version = normalize(ctx.jamf_pro.inventory.operating_system.version); String name = full_name(ctx.jamf_pro.inventory.operating_system.version); if (name != '') { - if (ctx.os == null) { - ctx.os = [:]; + if (ctx.host == null) { + ctx.host = [:]; } - ctx.os.full = name; + if (ctx.host.os == null) { + ctx.host.os = [:]; + } + ctx.host.os.full = name; } - set: - field: os.version + field: host.os.version copy_from: jamf_pro.inventory.operating_system.version ignore_empty_value: true - set: - field: os.platform + field: host.os.platform copy_from: jamf_pro.inventory.general.platform ignore_empty_value: true - set: 
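Review bot: The two new entity `set` processors in the inventory pipeline carry no comment saying which Jamf field backs each entity attribute, and `managed` in particular is ambiguous because the same record also exposes `mdm_capable.capable` and `supervised` (both visible in the new test fixture). I would add `# Entity attributes: 'managed' mirrors Jamf remote management, not MDM capability or supervision` above the first `set` and `# last_contact_time is the device's last check-in; absent for records that have never checked in, hence ignore_empty_value` above the second. The neighbouring `set` in the hunk's leading context also has `ignore_failure: true`; if that was deliberate for the `os.name` copy, the new ones should either match it or a comment should say why they are stricter.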
@@ -224,6 +235,49 @@ processors: field: user.full_name copy_from: jamf_pro.inventory.user_and_location.realname ignore_empty_value: true +- foreach: + field: jamf_pro.inventory.group_memberships + if: ctx.jamf_pro.inventory?.group_memberships != null + processor: + append: + field: user.group.name + value: '{{{_ingest._value.group_name}}}' + allow_duplicates: false + ignore_missing: true + ignore_failure: true +- foreach: + field: jamf_pro.inventory.group_memberships + if: ctx.jamf_pro.inventory?.group_memberships != null + processor: + append: + field: user.group.id + value: '{{{_ingest._value.group_id}}}' + allow_duplicates: false + ignore_missing: true + ignore_failure: true +- script: + tag: script_collect_admin_accounts + lang: painless + if: ctx.jamf_pro.inventory?.local_user_accounts != null + source: |- + List admins = new ArrayList(); + for (def acct : ctx.jamf_pro.inventory.local_user_accounts) { + if (acct.admin == true) { + Map entry = new HashMap(); + Map userObj = new HashMap(); + if (acct.uid != null && acct.uid != "") userObj.put("id", acct.uid); + if (acct.username != null && acct.username != "") userObj.put("name", acct.username); + if (!userObj.isEmpty()) entry.put("user", userObj); + if (acct.email != null && acct.email != "") entry.put("email", acct.email); + if (!entry.isEmpty()) admins.add(entry); + } + } + if (!admins.isEmpty()) { + if (ctx.user == null) ctx.user = [:]; + if (ctx.user.entity == null) ctx.user.entity = [:]; + if (ctx.user.entity.attributes == null) ctx.user.entity.attributes = [:]; + ctx.user.entity.attributes.administered_by = admins; + } - append: field: related.user value: '{{{user.email}}}' diff --git a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml new file mode 100644 index 00000000000..0d20ef32ff9 --- /dev/null +++ b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml 
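Review bot: The new `script_collect_admin_accounts` processor carries no `ignore_failure` or `on_failure`, so a document whose `local_user_accounts` is not a list of maps aborts the whole pipeline, whereas the two `foreach`/`append` processors added just above it are marked `ignore_failure: true`; adding `ignore_failure: true` (or an `on_failure` that records `error.message`) would keep the two new stanzas consistent. Within the script, `acct.admin == true` matches only a real boolean, so an account whose `admin` arrives as the string `"true"` would be silently left out of `administered_by` — worth confirming against a Jamf payload. The two `append`s de-duplicate `user.group.id` and `user.group.name` independently (`allow_duplicates: false`), so the two arrays can stop lining up positionally when a name repeats under different ids; if consumers rely on the pairing, drop the dedup or emit one object per membership. The `if` conditions use `ctx.jamf_pro.inventory?.…`, which still dereferences `ctx.jamf_pro` unguarded; `ctx.jamf_pro?.inventory?.group_memberships != null` would be the fully null-safe form.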
@@ -0,0 +1,34 @@ +- name: host + type: group + fields: + - name: entity + type: group + fields: + - name: attributes + type: group + fields: + - name: managed + type: boolean + - name: lifecycle + type: group + fields: + - name: last_activity + type: date +- name: user + type: group + fields: + - name: entity + type: group + fields: + - name: attributes + type: group + fields: + - name: administered_by + type: group + fields: + - name: user.id + type: keyword + - name: user.name + type: keyword + - name: email + type: keyword diff --git a/packages/jamf_pro/data_stream/inventory/fields/fields.yml b/packages/jamf_pro/data_stream/inventory/fields/fields.yml index 1e147c51fcd..b3952d9dd78 100644 --- a/packages/jamf_pro/data_stream/inventory/fields/fields.yml +++ b/packages/jamf_pro/data_stream/inventory/fields/fields.yml @@ -47,6 +47,8 @@ type: keyword - name: admin type: boolean + - name: email + type: keyword - name: purchasing type: group fields: diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md index bbf9f4d552c..80f37c27167 100644 --- a/packages/jamf_pro/docs/README.md +++ b/packages/jamf_pro/docs/README.md 
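Review bot: `user.entity.attributes.administered_by` is declared as a plain `group`, but the pipeline in this PR fills it with a list of one object per admin account; without `type: nested` Elasticsearch flattens those objects into independent `user.id`, `user.name` and `email` arrays, so the index can no longer tell which email belongs to which admin uid (only `_source` keeps the pairing). If that correlation matters for entity analytics, declare `- name: administered_by` with `type: nested`; otherwise a short comment noting the flattening would save the next reader a surprise. None of the new fields has a `description`, which is why the README rows for `host.entity.attributes.managed`, `host.entity.lifecycle.last_activity` and the `administered_by.*` fields render with an empty description column; e.g. `description: Whether the device is under Jamf remote management (copied from jamf_pro.inventory.general.remote_management.managed).` and `description: Time of the device's last contact with Jamf Pro (copied from jamf_pro.inventory.general.last_contact_time).`. If the ECS version the package targets already defines these entity fields, `external: ecs` entries would pull the canonical descriptions and types in instead of restating them here.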
@@ -204,6 +204,8 @@ The following non-ECS fields are used in inventory documents:
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| host.entity.attributes.managed | | boolean |
+| host.entity.lifecycle.last_activity | | date |
 | input.type | Input type | keyword |
 | jamf_pro.inventory.applications.bundle_id | | keyword |
 | jamf_pro.inventory.applications.external_version_id | | keyword |
@@ -303,6 +305,7 @@ The following non-ECS fields are used in inventory documents:
 | jamf_pro.inventory.local_user_accounts.admin | | boolean |
 | jamf_pro.inventory.local_user_accounts.azure_active_directory_id | | keyword |
 | jamf_pro.inventory.local_user_accounts.computer_azure_active_directory_id | | keyword |
+| jamf_pro.inventory.local_user_accounts.email | | keyword |
 | jamf_pro.inventory.local_user_accounts.file_vault2enabled | | boolean |
 | jamf_pro.inventory.local_user_accounts.full_name | | keyword |
 | jamf_pro.inventory.local_user_accounts.fullname | | keyword |
@@ -374,6 +377,9 @@ The following non-ECS fields are used in inventory documents:
 | jamf_pro.inventory.user_and_location.realname | | keyword |
 | jamf_pro.inventory.user_and_location.room | | keyword |
 | jamf_pro.inventory.user_and_location.username | | keyword |
+| user.entity.attributes.administered_by.email | | keyword |
+| user.entity.attributes.administered_by.user.id | | keyword |
+| user.entity.attributes.administered_by.user.name | | keyword |
 
 ### Events
 
@@ -505,6 +511,7 @@ The following non-ECS fields are used in real-time event documents:
 | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| host.entity.lifecycle.last_activity | | date |
 | input.type | | keyword |
 | jamf_pro.events.event.alternate_mac_address | | keyword |
 | jamf_pro.events.event.asset_tag | | keyword |
diff --git a/packages/jamf_pro/manifest.yml b/packages/jamf_pro/manifest.yml
index 7b053ec5ab8..c3bffbdcd0c 100644
--- a/packages/jamf_pro/manifest.yml
+++ b/packages/jamf_pro/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.5
 name: jamf_pro
 title: "Jamf Pro"
-version: "1.1.0"
+version: "1.2.0"
 source:
 license: "Elastic-2.0"
 description: "Collect logs and inventory data from Jamf Pro with Elastic Agent"