From 66be14371e740daae669152efbe395a4abef8137 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Fri, 17 Apr 2026 11:17:41 +0200 Subject: [PATCH 01/10] Add managed field support --- .../test-inventory.json-expected.json | 22 ++++++++++++++----- .../elasticsearch/ingest_pipeline/default.yml | 4 ++++ .../data_stream/inventory/fields/ecs.yml | 11 ++++++++++ 3 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 packages/jamf_pro/data_stream/inventory/fields/ecs.yml diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json index aca13119512..c5cf6144ca8 100644 --- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json @@ -133,11 +133,14 @@ "kind": "asset" }, "host": { - "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", - "name": "acme-C07DM3AZQ6NV", "address": [ "89.160.20.156" ], + "entity": { + "attributes": { + "managed": true + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -150,9 +153,11 @@ "region_iso_code": "SE-E", "region_name": "Östergötland County" }, + "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", "ip": [ "89.160.20.156" - ] + ], + "name": "acme-C07DM3AZQ6NV" }, "jamf_pro": { "inventory": { @@ -224,11 +229,14 @@ "kind": "asset" }, "host": { - "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", - "name": "acme-C07DM3AZQ6NV", "address": [ "89.160.20.156" ], + "entity": { + "attributes": { + "managed": true + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -241,9 +249,11 @@ "region_iso_code": "SE-E", "region_name": "Östergötland County" }, + "id": "5982CE36-4526-580B-B4B9-ECC6782535BC", "ip": [ "89.160.20.156" - ] + ], + "name": "acme-C07DM3AZQ6NV" }, "jamf_pro": { "inventory": { 
diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml
index 894a48dfb55..b28d5c7ffbb 100644
--- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml
@@ -127,6 +127,10 @@ processors:
 copy_from: jamf_pro.inventory.general.last_ip_address_geo
 ignore_empty_value: true
 ignore_failure: true
+- set:
+ field: host.entity.attributes.managed
+ copy_from: jamf_pro.inventory.general.remote_management.managed
+ ignore_empty_value: true
 - set:
 field: os.name
 copy_from: jamf_pro.inventory.operating_system.name
diff --git a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml
new file mode 100644
index 00000000000..c12e60e508a
--- /dev/null
+++ b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml
@@ -0,0 +1,11 @@
+- name: host
+ type: group
+ fields:
+ - name: entity
+ type: group
+ fields:
+ - name: attributes
+ type: group
+ fields:
+ - name: managed
+ type: boolean
From ae592a1f34d7318e7c851ff9676c0311bd00c303 Mon Sep 17 00:00:00 2001
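Review bot: The new `set` processor for `host.entity.attributes.managed` in the inventory `default.yml` hunk is only exercised with `managed: true` in the updated expected output, so the `false` case, which is the value an unmanaged-device query would rely on, has no visible coverage. A fixture with `remote_management.managed: false` that asserts `host.entity.attributes.managed: false` survives `ignore_empty_value: true` would pin that behaviour. The new `fields/ecs.yml` entry also has no `description`; something like `description: Whether Jamf Pro reports the device as managed.` would document it (wording to be confirmed against the Jamf field). The processors list starts and continues outside the hunk.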
From: chemamartinez Date: Fri, 17 Apr 2026 11:19:51 +0200 Subject: [PATCH 02/10] Add host.os.version field support --- .../test-computer-added.json-expected.json | 8 +-- .../test-computer-check-in.json-expected.json | 8 +-- ...ter-inventory-completed.json-expected.json | 8 +-- ...-patch-policy-completed.json-expected.json | 8 +-- ...omputer-policy-finished.json-expected.json | 8 +-- ...push-capability-changed.json-expected.json | 8 +-- ...-mobile-device-check-in.json-expected.json | 8 +-- ...evice-command-completed.json-expected.json | 8 +-- ...-mobile-device-enrolled.json-expected.json | 8 +-- ...ice-inventory-completed.json-expected.json | 8 +-- ...mobile-device-push-sent.json-expected.json | 8 +-- ...obile-device-unenrolled.json-expected.json | 8 +-- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../test-inventory.json-expected.json | 52 +++++++++---------- .../elasticsearch/ingest_pipeline/default.yml | 15 +++--- 15 files changed, 85 insertions(+), 82 deletions(-) diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json index e8ece18b0be..8fe20b71291 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "92.5786" + } }, "jamf_pro": { "events": { @@ -61,9 +64,6 @@ } } }, - "os": { - "version": "92.5786" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json index 0e97f69a15f..71fcbd65f88 100644 
--- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json @@ -28,7 +28,10 @@ "ip": [ "89.160.20.156" ], - "name": "YMXA8" + "name": "YMXA8", + "os": { + "version": "87.2388" + } }, "jamf_pro": { "events": { @@ -67,9 +70,6 @@ } } }, - "os": { - "version": "87.2388" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json index 05d93a4a234..744966ae3a8 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "57.4997" + } }, "jamf_pro": { "events": { @@ -61,9 +64,6 @@ } } }, - "os": { - "version": "57.4997" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json index faffe32e370..da2881271c8 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json @@ -28,7 +28,10 @@ "ip": [ "89.160.20.156" ], - "name": "2ECRW" + "name": "2ECRW", + "os": { + "version": "17.1406" + } }, "jamf_pro": { "events": { @@ -73,9 +76,6 @@ } } }, - "os": { - "version": "17.1406" - }, "related": { "user": [ "John Doe", 
diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json index e24d4b8e2ca..d8b920f297d 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json @@ -28,7 +28,10 @@ "ip": [ "89.160.20.156" ], - "name": "GBTN2" + "name": "GBTN2", + "os": { + "version": "37.5296" + } }, "jamf_pro": { "events": { @@ -67,9 +70,6 @@ } } }, - "os": { - "version": "37.5296" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json index 0672cdff027..115e9d68047 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "27.2234" + } }, "jamf_pro": { "events": { @@ -61,9 +64,6 @@ } } }, - "os": { - "version": "27.2234" - }, "related": { "user": [ "John Doe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json index 8d1f8395c6e..0f0dcbcd95b 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json 
@@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "04.8092" + } }, "jamf_pro": { "events": { @@ -59,9 +62,6 @@ } } }, - "os": { - "version": "04.8092" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json index 10984b6e802..97c3aeda4f2 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "99.4028" + } }, "jamf_pro": { "events": { @@ -59,9 +62,6 @@ } } }, - "os": { - "version": "99.4028" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json index 8df395c2d69..91f938d6bd8 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "85.9454" + } }, "jamf_pro": { "events": { @@ -59,9 +62,6 @@ } } }, - "os": { - "version": "85.9454" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json index fd532fc97d7..93859c48fdc 100644 
--- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "67.8497" + } }, "jamf_pro": { "events": { @@ -59,9 +62,6 @@ } } }, - "os": { - "version": "67.8497" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json index c6a425149be..87e551aa7d5 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "11.3415" + } }, "jamf_pro": { "events": { @@ -59,9 +62,6 @@ } } }, - "os": { - "version": "11.3415" - }, "related": { "user": [ "John Doe" diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json index 8b07b0a392e..99c045c3ad3 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json @@ -26,7 +26,10 @@ }, "ip": [ "89.160.20.156" - ] + ], + "os": { + "version": "34.8068" + } }, "jamf_pro": { "events": { @@ -59,9 +62,6 @@ } } }, - "os": { - "version": "34.8068" - }, "related": { "user": [ "John Doe" 
diff --git a/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index ba5f90bae83..38bb403a693 100644
--- a/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -124,12 +124,12 @@ processors: - set: if: ctx.jamf_pro.events.event.os_version != null - field: os.version + field: host.os.version copy_from: jamf_pro.events.event.os_version - set: if: ctx.jamf_pro.events.event.computer?.os_version != null - field: os.version + field: host.os.version copy_from: jamf_pro.events.event.computer.os_version
diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json
index c5cf6144ca8..37403415706 100644
--- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json
+++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json
@@ -157,7 +157,10 @@ "ip": [ "89.160.20.156" ], - "name": "acme-C07DM3AZQ6NV" + "name": "acme-C07DM3AZQ6NV", + "os": { + "platform": "Mac" + } }, "jamf_pro": { "inventory": {
@@ -212,9 +215,6 @@ "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC" } }, - "os": { - "platform": "Mac" - }, "related": { "ip": [ "89.160.20.156"
@@ -253,7 +253,10 @@ "ip": [ "89.160.20.156" ], - "name": "acme-C07DM3AZQ6NV" + "name": "acme-C07DM3AZQ6NV", + "os": { + "platform": "Mac" + } }, "jamf_pro": { "inventory": {
@@ -316,9 +319,6 @@ "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC" } }, - "os": { - "platform": "Mac" - }, "related": { "ip": [ "89.160.20.156"
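Review bot: In the events `default.yml` hunk both `set` processors now write `host.os.version`, and nothing visible in this patch keeps the old `os.version` populated, so saved searches, dashboards or detection rules that still filter on `os.version` would stop matching newly ingested events without any error. If that is intended, it deserves a breaking-change entry in the package changelog, which is not visible in this patch. The order dependence is also worth a comment above the second processor, e.g. `# runs last, so computer.os_version wins when both sources are present`. The processors list starts and continues outside the hunk.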
@@ -339,7 +339,12 @@ "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A", "mac": [ "88-4D-7C-74-6F-22" - ] + ], + "os": { + "full": "sonoma", + "name": "macOS", + "version": "14.7.2" + } }, "jamf_pro": { "inventory": {
@@ -429,11 +434,6 @@ }, "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } - }, - "os": { - "full": "sonoma", - "name": "macOS", - "version": "14.7.2" } }, {
@@ -444,7 +444,12 @@ "kind": "asset" }, "host": { - "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A" + "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A", + "os": { + "full": "sonoma", + "name": "macOS", + "version": "14.7.0" + } }, "jamf_pro": { "inventory": {
@@ -471,11 +476,6 @@ }, "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } - }, - "os": { - "full": "sonoma", - "name": "macOS", - "version": "14.7.0" } }, {
@@ -486,7 +486,12 @@ "kind": "asset" }, "host": { - "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A" + "id": "21ED95A7-FF9D-52BD-A55B-36D54585083A", + "os": { + "full": "sonoma", + "name": "macOS", + "version": "14.0.0" + } }, "jamf_pro": { "inventory": {
@@ -513,11 +518,6 @@ }, "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } - }, - "os": { - "full": "sonoma", - "name": "macOS", - "version": "14.0.0" } } ]
diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml
index b28d5c7ffbb..837f5224c87 100644
--- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml
@@ -132,7 +132,7 @@ processors:
 copy_from: jamf_pro.inventory.general.remote_management.managed
 ignore_empty_value: true
 - set:
- field: os.name
+ field: host.os.name
 copy_from: jamf_pro.inventory.operating_system.name
 ignore_empty_value: true
 - script:
@@ -203,17 +203,20 @@ processors:
 ctx.jamf_pro.inventory.operating_system.version = normalize(ctx.jamf_pro.inventory.operating_system.version);
 String name = full_name(ctx.jamf_pro.inventory.operating_system.version);
 if (name != '') {
- if (ctx.os == null) {
- ctx.os = [:];
+ if (ctx.host == null) {
+ ctx.host = [:];
 }
- ctx.os.full = name;
+ if (ctx.host.os == null) {
+ ctx.host.os = [:];
+ }
+ ctx.host.os.full = name;
 }
 - set:
- field: os.version
+ field: host.os.version
 copy_from: jamf_pro.inventory.operating_system.version
 ignore_empty_value: true
 - set:
- field: os.platform
+ field: host.os.platform
 copy_from: jamf_pro.inventory.general.platform
 ignore_empty_value: true
 - set:
From a3d3480163d10d1bb1e8c7e1a60a868c63d88c9b Mon Sep 17 00:00:00 2001
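Review bot: The `host.os.platform` and `host.os.full` targets in the inventory `default.yml` hunk receive the vendor's own labels unchanged (`Mac` and `sonoma` in the updated expected output), which may not be what queries written against ECS `host.os.*` values expect now that the fields sit under `host`. Consider normalising at least the platform, or state the choice in a comment such as `# host.os.platform keeps Jamf's platform label as reported, not a normalised ECS value`. The added Painless guards for `ctx.host` and `ctx.host.os` cover the missing-parent case before `ctx.host.os.full` is assigned. The enclosing `script` processor starts outside the hunk.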
From: chemamartinez Date: Fri, 17 Apr 2026 11:21:46 +0200 Subject: [PATCH 03/10] Add host.entity.lifecycle.last_activity field support --- .../pipeline/test-computer-added.json-expected.json | 5 +++++ .../test-computer-check-in.json-expected.json | 5 +++++ ...st-computer-inventory-completed.json-expected.json | 5 +++++ ...computer-patch-policy-completed.json-expected.json | 5 +++++ .../test-computer-policy-finished.json-expected.json | 5 +++++ ...omputer-push-capability-changed.json-expected.json | 5 +++++ .../test-device-added-to-dep.json-expected.json | 7 +++++++ .../pipeline/test-jss-shutdown.json-expected.json | 7 +++++++ .../test/pipeline/test-jss-startup.json-expected.json | 7 +++++++ .../test-mobile-device-check-in.json-expected.json | 5 +++++ ...mobile-device-command-completed.json-expected.json | 5 +++++ .../test-mobile-device-enrolled.json-expected.json | 5 +++++ ...bile-device-inventory-completed.json-expected.json | 5 +++++ .../test-mobile-device-push-sent.json-expected.json | 5 +++++ .../test-mobile-device-unenrolled.json-expected.json | 5 +++++ ...st-patch-software-title-updated.json-expected.json | 7 +++++++ .../test/pipeline/test-push-sent.json-expected.json | 7 +++++++ .../test-rest-api-operation.json-expected.json | 7 +++++++ .../pipeline/test-scep-challenge.json-expected.json | 7 +++++++ ...roup-computer-membership-change.json-expected.json | 7 +++++++ ...mobile-device-membership-change.json-expected.json | 7 +++++++ ...rt-group-user-membership-change.json-expected.json | 7 +++++++ .../events/elasticsearch/ingest_pipeline/default.yml | 5 +++++ packages/jamf_pro/data_stream/events/fields/ecs.yml | 11 +++++++++++ .../test/pipeline/test-inventory.json-expected.json | 6 ++++++ .../elasticsearch/ingest_pipeline/default.yml | 4 ++++ .../jamf_pro/data_stream/inventory/fields/ecs.yml | 5 +++++ 27 files changed, 161 insertions(+) create mode 100644 packages/jamf_pro/data_stream/events/fields/ecs.yml 
diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json index 8fe20b71291..fd627f116ba 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-added.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json index 71fcbd65f88..63554a42b95 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-check-in.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json index 744966ae3a8..73b15cb6e10 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-inventory-completed.json-expected.json 
@@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json index da2881271c8..bdd10571f03 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-patch-policy-completed.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json index d8b920f297d..1e420e32daa 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json index 115e9d68047..12cfd832643 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json 
+++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-push-capability-changed.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json index e013be533f8..494b40bcd03 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-device-added-to-dep.json-expected.json @@ -8,6 +8,13 @@ "action": "DeviceAddedToDEP", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json index c46b8d290a2..b8a3aba7d05 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-shutdown.json-expected.json @@ -8,6 +8,13 @@ "action": "JSSShutdown", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json index 7a5fbdd8cdb..307dd93208b 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json 
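Review bot: The expected output for `DeviceAddedToDEP` and `JSSShutdown` here now gains a `host` object whose only content is `entity.lifecycle.last_activity`, so the pipeline appears to stamp the field on every event, including ones that identify no device. The same shape appears in the `JSSStartup`, `PatchSoftwareTitleUpdated`, `PushSent`, `RestAPIOperation`, `SCEPChallenge` and the three `SmartGroup*MembershipChange` fixtures. A host document that has a last-activity time but no identifying field can skew last-seen or stale-asset views built on this field. The pipeline change itself is outside this part of the patch, so this is inferred from the fixtures; if confirmed, a guard on the new processor such as `if: ctx.host != null`, placed after the other `host.*` processors, would limit it to events that describe a device.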
+++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-jss-startup.json-expected.json @@ -8,6 +8,13 @@ "action": "JSSStartup", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json index 0f0dcbcd95b..0d6f65d2b17 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-check-in.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json index 97c3aeda4f2..55b2aeb8645 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-command-completed.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json index 91f938d6bd8..62b04117ce8 100644 
--- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-enrolled.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json index 93859c48fdc..9be8a3c922f 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-inventory-completed.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json index 87e551aa7d5..ffe21c5521b 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-push-sent.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", 
diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json index 99c045c3ad3..e4c29088ec2 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-mobile-device-unenrolled.json-expected.json @@ -12,6 +12,11 @@ "address": [ "89.160.20.156" ], + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + }, "geo": { "city_name": "Linköping", "continent_name": "Europe", diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json index a2e076bdb15..7f7690502fa 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-patch-software-title-updated.json-expected.json @@ -8,6 +8,13 @@ "action": "PatchSoftwareTitleUpdated", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json index 02b7cf0b157..bed623ad05b 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-push-sent.json-expected.json 
@@ -8,6 +8,13 @@ "action": "PushSent", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json index 9b19b063566..a9f9dbd01b5 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json @@ -8,6 +8,13 @@ "action": "RestAPIOperation", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json index 97959b0c726..c6b198c2a7d 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json @@ -8,6 +8,13 @@ "action": "SCEPChallenge", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json index e12f346726b..6aaaa3b4c10 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json 
+++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-computer-membership-change.json-expected.json @@ -8,6 +8,13 @@ "action": "SmartGroupComputerMembershipChange", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json index ff026170e59..a3553fc08fa 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-mobile-device-membership-change.json-expected.json @@ -8,6 +8,13 @@ "action": "SmartGroupMobileDeviceMembershipChange", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { diff --git a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json index 8cd500f0bc9..d6e83619d3a 100644 --- a/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json +++ b/packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-smart-group-user-membership-change.json-expected.json @@ -8,6 +8,13 @@ "action": "SmartGroupUserMembershipChange", "kind": "event" }, + "host": { + "entity": { + "lifecycle": { + "last_activity": "2024-09-04T09:57:52.001Z" + } + } + }, "jamf_pro": { "events": { "event": { 
diff --git a/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml index 38bb403a693..dd51553df6a 100644 --- a/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -74,6 +74,11 @@ processors: formats: - UNIX_MS +- set: + field: host.entity.lifecycle.last_activity + copy_from: jamf_pro.events.webhook.event_timestamp + ignore_empty_value: true + ############## # IP src # ############## diff --git a/packages/jamf_pro/data_stream/events/fields/ecs.yml b/packages/jamf_pro/data_stream/events/fields/ecs.yml new file mode 100644 index 00000000000..f87859a659e --- /dev/null +++ b/packages/jamf_pro/data_stream/events/fields/ecs.yml @@ -0,0 +1,11 @@ +- name: host + type: group + fields: + - name: entity + type: group + fields: + - name: lifecycle + type: group + fields: + - name: last_activity + type: date diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json index 37403415706..fecf852cf44 100644 --- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json @@ -139,6 +139,9 @@ "entity": { "attributes": { "managed": true + }, + "lifecycle": { + "last_activity": "2024-04-18T14:26:51.514Z" } }, "geo": { @@ -235,6 +238,9 @@ "entity": { "attributes": { "managed": true + }, + "lifecycle": { + "last_activity": "2024-04-18T14:26:51.514Z" } }, "geo": { diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml index 837f5224c87..1b9af981e0f 100644 
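Review bot: The added `set` for `host.entity.lifecycle.last_activity` has no condition, so events that carry no device get a `host` object containing nothing but this timestamp; the updated expectations for `PushSent`, `RestAPIOperation`, `SCEPChallenge` and the smart-group membership events show that result. A host entry without `host.id` or `host.name` cannot be tied to an asset, and an API call or group change is not evidence that a device was active, so anything that reads this field to find stale or unmanaged devices would be skewed. Consider guarding the processor, for example `if: ctx.host?.id != null || ctx.host?.name != null`, and placing it after host identity is populated. The rest of the processor list is outside the hunk, so where (or whether) `host.id` is set for events needs confirming.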
--- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml @@ -131,6 +131,10 @@ processors: field: host.entity.attributes.managed copy_from: jamf_pro.inventory.general.remote_management.managed ignore_empty_value: true +- set: + field: host.entity.lifecycle.last_activity + copy_from: jamf_pro.inventory.general.last_contact_time + ignore_empty_value: true - set: field: host.os.name copy_from: jamf_pro.inventory.operating_system.name diff --git a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml index c12e60e508a..b8266b4799a 100644 --- a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml +++ b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml @@ -9,3 +9,8 @@ fields: - name: managed type: boolean + - name: lifecycle + type: group + fields: + - name: last_activity + type: date From dbff70cc3e42873ea3041cc538bb40807d8f7188 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Fri, 17 Apr 2026 11:33:13 +0200 Subject: [PATCH 04/10] Add user.group field support --- ...tory-groups-memberships.json-expected.json | 28 +++++++++++++++++++ .../test-inventory.json-expected.json | 24 ++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 20 +++++++++++++ 3 files changed, 72 insertions(+) diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json index e2a02ba8eb2..93d9305feb1 100644 --- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory-groups-memberships.json-expected.json 
@@ -32,6 +32,20 @@ "id": "3", "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC" } + }, + "user": { + "group": { + "id": [ + "1", + "4", + "5" + ], + "name": [ + "All Managed Clients", + "Computers with updates", + "All Managed Computers" + ] + } } }, { @@ -66,6 +80,20 @@ "id": "4", "udid": "DBAEF5A6-82D5-5327-A480-A904F42F3F98" } + }, + "user": { + "group": { + "id": [ + "1", + "5", + "7" + ], + "name": [ + "All Managed Clients", + "All Managed Computers", + "App Installed: Microsoft Outlook" + ] + } } } ] diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json index fecf852cf44..0aeff00c7fa 100644 --- a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-inventory.json-expected.json @@ -70,6 +70,18 @@ ], "udid": "D6DD5611-B15A-5AA1-B498-52A4CB17D18D" } + }, + "user": { + "group": { + "id": [ + "1", + "4" + ], + "name": [ + "All Managed Clients", + "Computers with updates" + ] + } } }, { @@ -440,6 +452,18 @@ }, "udid": "21ED95A7-FF9D-52BD-A55B-36D54585083A" } + }, + "user": { + "group": { + "id": [ + "1", + "5" + ], + "name": [ + "All Managed Clients", + "Zero Touch Devices" + ] + } } }, { diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml index 1b9af981e0f..8c4668b52fd 100644 --- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml 
@@ -235,6 +235,26 @@ processors: field: user.full_name copy_from: jamf_pro.inventory.user_and_location.realname ignore_empty_value: true +- foreach: + field: jamf_pro.inventory.group_memberships + if: ctx.jamf_pro.inventory?.group_memberships != null + processor: + append: + field: user.group.name + value: '{{{_ingest._value.group_name}}}' + allow_duplicates: false + ignore_missing: true + ignore_failure: true +- foreach: + field: jamf_pro.inventory.group_memberships + if: ctx.jamf_pro.inventory?.group_memberships != null + processor: + append: + field: user.group.id + value: '{{{_ingest._value.group_id}}}' + allow_duplicates: false + ignore_missing: true + ignore_failure: true - append: field: related.user value: '{{{user.email}}}' From 558e9d71aefd9ea374df02322dd8f038f71944e9 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Fri, 17 Apr 2026 15:07:18 +0200 Subject: [PATCH 05/10] Add user.entity.relationships.administered_by field support --- .../pipeline/test-entity-administered_by.json | 113 +++++++++++++ ...-entity-administered_by.json-expected.json | 150 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 21 +++ .../data_stream/inventory/fields/ecs.yml | 18 +++ .../data_stream/inventory/fields/fields.yml | 2 + packages/jamf_pro/docs/README.md | 5 + 6 files changed, 309 insertions(+) create mode 100644 packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json create mode 100644 packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json-expected.json diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json new file mode 100644 index 00000000000..5d662f255ae --- /dev/null +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json 
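Review bot: Both `foreach` processors copy `jamf_pro.inventory.group_memberships` into `user.group.name` and `user.group.id`, but the sample values in this patch's expectations ("All Managed Computers", "Computers with updates", "App Installed: Microsoft Outlook") are groups of computers rather than groups the user belongs to. A detection or access review keyed on `user.group.*` would then read device scoping as user privilege. If the mapping is intentional, say so above the first loop, e.g. `# Jamf computer groups of the device, not directory groups of the user`. Names and ids are also appended by two independent loops with `allow_duplicates: false`, so index i of one array is not guaranteed to pair with index i of the other when a name repeats or a value is missing. The processor list continues outside the hunk.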
@@ -0,0 +1,113 @@ +{ + "events": [ + { + "message": { + "id": "20", + "udid": "C3D4E5F6-A7B8-9012-CDEF-012345678902", + "general": { + "name": "test-device-admins", + "lastIpAddress": "89.160.20.156", + "platform": "Mac", + "remoteManagement": { + "managed": true + }, + "supervised": true, + "mdmCapable": { + "capable": true, + "capableUsers": [] + }, + "managementId": "c3d4e5f6-a7b8-9012-cdef-012345678902", + "reportDate": "2024-06-19T15:54:37.692Z", + "enrolledViaAutomatedDeviceEnrollment": false, + "declarativeDeviceManagementEnabled": false, + "userApprovedMdm": false, + "itunesStoreAccountActive": false, + "extensionAttributes": [] + }, + "diskEncryption": null, + "localUserAccounts": [ + { + "uid": "501", + "username": "alice", + "email": "alice@example.com", + "fullName": "Alice Example", + "admin": true, + "homeDirectory": "/Users/alice", + "homeDirectorySizeMb": 50000, + "fileVault2Enabled": true, + "userAccountType": "localUser", + "passwordMinLength": 8, + "passwordMaxAge": 90, + "passwordMinComplexCharacters": 1, + "passwordHistoryDepth": 5, + "passwordRequireAlphanumeric": true, + "azureActiveDirectoryId": null, + "userAzureActiveDirectoryId": null, + "computerAzureActiveDirectoryId": null, + "userGuid": null + }, + { + "uid": "502", + "username": "bob", + "fullName": "Bob Example", + "admin": false, + "homeDirectory": "/Users/bob", + "homeDirectorySizeMb": 30000, + "fileVault2Enabled": false, + "userAccountType": "localUser", + "passwordMinLength": 8, + "passwordMaxAge": 90, + "passwordMinComplexCharacters": 1, + "passwordHistoryDepth": 5, + "passwordRequireAlphanumeric": true, + "azureActiveDirectoryId": null, + "userAzureActiveDirectoryId": null, + "computerAzureActiveDirectoryId": null, + "userGuid": null + }, + { + "uid": "503", + "username": "carol", + "email": "carol@example.com", + "fullName": "Carol Example", + "admin": true, + "homeDirectory": "/Users/carol", + "homeDirectorySizeMb": 40000, + "fileVault2Enabled": true, + "userAccountType": 
"localUser", + "passwordMinLength": 12, + "passwordMaxAge": 60, + "passwordMinComplexCharacters": 2, + "passwordHistoryDepth": 10, + "passwordRequireAlphanumeric": true, + "azureActiveDirectoryId": null, + "userAzureActiveDirectoryId": null, + "computerAzureActiveDirectoryId": null, + "userGuid": null + } + ], + "purchasing": null, + "printers": null, + "storage": null, + "applications": null, + "userAndLocation": null, + "configurationProfiles": null, + "services": null, + "plugins": null, + "hardware": null, + "certificates": null, + "attachments": null, + "packageReceipts": null, + "fonts": null, + "security": null, + "operatingSystem": null, + "licensedSoftware": null, + "softwareUpdates": null, + "groupMemberships": null, + "extensionAttributes": null, + "contentCaching": null, + "ibeacons": null + } + } + ] +} diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json-expected.json new file mode 100644 index 00000000000..99f0d59a8a3 --- /dev/null +++ b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json-expected.json 
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "asset" + }, + "host": { + "address": [ + "89.160.20.156" + ], + "entity": { + "attributes": { + "managed": true + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "id": "C3D4E5F6-A7B8-9012-CDEF-012345678902", + "ip": [ + "89.160.20.156" + ], + "name": "test-device-admins", + "os": { + "platform": "Mac" + } + }, + "jamf_pro": { + "inventory": { + "general": { + "declarative_device_management_enabled": false, + "enrolled_via_automated_device_enrollment": false, + "itunes_store_account_active": false, + "last_ip_address": "89.160.20.156", + "last_ip_address_geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "management_id": "c3d4e5f6-a7b8-9012-cdef-012345678902", + "mdm_capable": { + "capable": true + }, + "name": "test-device-admins", + "platform": "Mac", + "remote_management": { + "managed": true + }, + "report_date": "2024-06-19T15:54:37.692Z", + "supervised": true, + "user_approved_mdm": false + }, + "id": "20", + "local_user_accounts": [ + { + "admin": true, + "email": "alice@example.com", + "file_vault2enabled": true, + "full_name": "Alice Example", + "home_directory": "/Users/alice", + "home_directory_size_mb": 50000, + "password_history_depth": 5, + "password_max_age": 90, + "password_min_complex_characters": 1, + "password_min_length": 8, + "password_require_alphanumeric": true, + "uid": "501", + "user_account_type": "localUser", + "username": "alice" + }, + { + "admin": false, + "file_vault2enabled": false, + "full_name": "Bob Example", + 
"home_directory": "/Users/bob", + "home_directory_size_mb": 30000, + "password_history_depth": 5, + "password_max_age": 90, + "password_min_complex_characters": 1, + "password_min_length": 8, + "password_require_alphanumeric": true, + "uid": "502", + "user_account_type": "localUser", + "username": "bob" + }, + { + "admin": true, + "email": "carol@example.com", + "file_vault2enabled": true, + "full_name": "Carol Example", + "home_directory": "/Users/carol", + "home_directory_size_mb": 40000, + "password_history_depth": 10, + "password_max_age": 60, + "password_min_complex_characters": 2, + "password_min_length": 12, + "password_require_alphanumeric": true, + "uid": "503", + "user_account_type": "localUser", + "username": "carol" + } + ], + "udid": "C3D4E5F6-A7B8-9012-CDEF-012345678902" + } + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "user": { + "entity": { + "attributes": { + "administered_by": [ + { + "email": "alice@example.com", + "user_id": "501", + "username": "alice" + }, + { + "email": "carol@example.com", + "user_id": "503", + "username": "carol" + } + ] + } + } + } + } + ] +} diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml index 8c4668b52fd..430899c7383 100644 --- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml 
@@ -255,6 +255,27 @@ processors: allow_duplicates: false ignore_missing: true ignore_failure: true +- script: + tag: script_collect_admin_accounts + lang: painless + if: ctx.jamf_pro.inventory?.local_user_accounts != null + source: |- + List admins = new ArrayList(); + for (def acct : ctx.jamf_pro.inventory.local_user_accounts) { + if (acct.admin == true) { + Map entry = new HashMap(); + if (acct.uid != null && acct.uid != "") entry.put("user_id", acct.uid); + if (acct.username != null && acct.username != "") entry.put("username", acct.username); + if (acct.email != null && acct.email != "") entry.put("email", acct.email); + if (!entry.isEmpty()) admins.add(entry); + } + } + if (!admins.isEmpty()) { + if (ctx.user == null) ctx.user = [:]; + if (ctx.user.entity == null) ctx.user.entity = [:]; + if (ctx.user.entity.attributes == null) ctx.user.entity.attributes = [:]; + ctx.user.entity.attributes.administered_by = admins; + } - append: field: related.user value: '{{{user.email}}}' diff --git a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml index b8266b4799a..d190ab19854 100644 --- a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml +++ b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml @@ -14,3 +14,21 @@ fields: - name: last_activity type: date +- name: user + type: group + fields: + - name: entity + type: group + fields: + - name: attributes + type: group + fields: + - name: administered_by + type: group + fields: + - name: user_id + type: keyword + - name: username + type: keyword + - name: email + type: keyword diff --git a/packages/jamf_pro/data_stream/inventory/fields/fields.yml b/packages/jamf_pro/data_stream/inventory/fields/fields.yml index 1e147c51fcd..b3952d9dd78 100644 --- a/packages/jamf_pro/data_stream/inventory/fields/fields.yml +++ b/packages/jamf_pro/data_stream/inventory/fields/fields.yml 
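Review bot: The script stores the list under `ctx.user.entity.attributes.administered_by`, while the commit subject names `user.entity.relationships.administered_by`; the path should be settled before release because downstream rules and stored documents will depend on it. The entries are the device's local accounts with `admin == true`, so a reader may expect them on the host side rather than under `user.*`, which is worth confirming against the entity schema this targets. Unlike the `foreach` processors just above it, the script has no failure handling: a null element in `local_user_accounts` makes `acct.admin` throw, and whether a pipeline-level `on_failure` catches that is outside the hunk. A guard such as `if (acct == null || acct.admin != true) continue;` keeps one malformed account from failing the whole inventory document.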
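Review bot: In `fields/ecs.yml`, `administered_by` is declared as `type: group` although the pipeline stores an array of objects in it, so the entries are flattened at index time and the pairing between one admin's `user_id`, `username` and `email` is lost in queries; a search combining alice's username with carol's email would match the test document. If consumers need per-admin correlation, `type: nested` keeps the entries apart. Otherwise add a `description` stating that the subfields are independent multi-value lists. None of the new fields has a `description`, which is why their README rows are blank.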
@@ -47,6 +47,8 @@ type: keyword - name: admin type: boolean + - name: email + type: keyword - name: purchasing type: group fields: diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md index bbf9f4d552c..ca2aedca534 100644 --- a/packages/jamf_pro/docs/README.md +++ b/packages/jamf_pro/docs/README.md @@ -204,6 +204,8 @@ The following non-ECS fields are used in inventory documents: | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| host.entity.attributes.managed | | boolean | +| host.entity.lifecycle.last_activity | | date | | input.type | Input type | keyword | | jamf_pro.inventory.applications.bundle_id | | keyword | | jamf_pro.inventory.applications.external_version_id | | keyword | @@ -374,6 +376,8 @@ The following non-ECS fields are used in inventory documents: | jamf_pro.inventory.user_and_location.realname | | keyword | | jamf_pro.inventory.user_and_location.room | | keyword | | jamf_pro.inventory.user_and_location.username | | keyword | +| user.entity.attributes.administered_by.user_id | | keyword | +| user.entity.attributes.administered_by.username | | keyword | ### Events 
@@ -505,6 +509,7 @@ The following non-ECS fields are used in real-time event documents: | data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| host.entity.lifecycle.last_activity | | date | | input.type | | keyword | | jamf_pro.events.event.alternate_mac_address | | keyword | | jamf_pro.events.event.asset_tag | | keyword | From c4ca659bc1de0ea5eb7a9914e5a05e657e39d7dd Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Fri, 17 Apr 2026 15:25:42 +0200 Subject: [PATCH 06/10] Bump version and add changelog --- packages/jamf_pro/changelog.yml | 5 +++++ packages/jamf_pro/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/jamf_pro/changelog.yml b/packages/jamf_pro/changelog.yml index 673c1fa7b2e..2ed56f41567 100644 --- a/packages/jamf_pro/changelog.yml +++ b/packages/jamf_pro/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Add support for ECS entity fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "1.1.0" changes: - description: Add `host.id` and `host.name` fields to the inventory data stream. 
diff --git a/packages/jamf_pro/manifest.yml b/packages/jamf_pro/manifest.yml index 7b053ec5ab8..c3bffbdcd0c 100644 --- a/packages/jamf_pro/manifest.yml +++ b/packages/jamf_pro/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.5 name: jamf_pro title: "Jamf Pro" -version: "1.1.0" +version: "1.2.0" source: license: "Elastic-2.0" description: "Collect logs and inventory data from Jamf Pro with Elastic Agent" From cb6b0fc05dd74368971bd3a188ab7ce35e79b78b Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Fri, 17 Apr 2026 15:31:41 +0200 Subject: [PATCH 07/10] Update changelog --- packages/jamf_pro/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/jamf_pro/changelog.yml b/packages/jamf_pro/changelog.yml index 2ed56f41567..5bb7b5b8d39 100644 --- a/packages/jamf_pro/changelog.yml +++ b/packages/jamf_pro/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Add support for ECS entity fields. type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/18503 - version: "1.1.0" changes: - description: Add `host.id` and `host.name` fields to the inventory data stream. From 6938ae5fa2d057ab2036bd95294be9256ac20145 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Fri, 17 Apr 2026 16:10:39 +0200 Subject: [PATCH 08/10] Update docs with latest fields --- packages/jamf_pro/docs/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md index ca2aedca534..1bfdda6d92a 100644 --- a/packages/jamf_pro/docs/README.md +++ b/packages/jamf_pro/docs/README.md 
@@ -305,6 +305,7 @@ The following non-ECS fields are used in inventory documents: | jamf_pro.inventory.local_user_accounts.admin | | boolean | | jamf_pro.inventory.local_user_accounts.azure_active_directory_id | | keyword | | jamf_pro.inventory.local_user_accounts.computer_azure_active_directory_id | | keyword | +| jamf_pro.inventory.local_user_accounts.email | | keyword | | jamf_pro.inventory.local_user_accounts.file_vault2enabled | | boolean | | jamf_pro.inventory.local_user_accounts.full_name | | keyword | | jamf_pro.inventory.local_user_accounts.fullname | | keyword | @@ -376,6 +377,7 @@ The following non-ECS fields are used in inventory documents: | jamf_pro.inventory.user_and_location.realname | | keyword | | jamf_pro.inventory.user_and_location.room | | keyword | | jamf_pro.inventory.user_and_location.username | | keyword | +| user.entity.attributes.administered_by.email | | keyword | | user.entity.attributes.administered_by.user_id | | keyword | | user.entity.attributes.administered_by.username | | keyword | From cd3d839dca7b31eb1560eb05fa5c267e6695de12 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Tue, 21 Apr 2026 08:51:01 +0200 Subject: [PATCH 09/10] Rename invalid test filenames --- ...tity-administered_by.json => test-entity-administered-by.json} | 0 ...pected.json => test-entity-administered-by.json-expected.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/{test-entity-administered_by.json => test-entity-administered-by.json} (100%) rename packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/{test-entity-administered_by.json-expected.json => test-entity-administered-by.json-expected.json} (100%) 
diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json
similarity index 100%
rename from packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json
rename to packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json
diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json
similarity index 100%
rename from packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered_by.json-expected.json
rename to packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json
From 2507ac3b936002feb2f4ab1956e868c0787b88c9 Mon Sep 17 00:00:00 2001
From: chemamartinez
Date: Thu, 23 Apr 2026 18:28:25 +0200
Subject: [PATCH 10/10] Rename subfields of relationships fields
---
.../test-entity-administered-by.json-expected.json | 12 ++++++++----
.../elasticsearch/ingest_pipeline/default.yml | 6 ++++--
.../jamf_pro/data_stream/inventory/fields/ecs.yml | 4 ++--
packages/jamf_pro/docs/README.md | 4 ++--
4 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json b/packages/jamf_pro/data_stream/inventory/_dev/test/pipeline/test-entity-administered-by.json-expected.json
index 99f0d59a8a3..168a386371f 100644
@@ -133,13 +133,17 @@ "administered_by": [ { "email": "alice@example.com", - "user_id": "501", - "username": "alice" + "user": { + "id": "501", + "name": "alice" + } }, { "email": "carol@example.com", - "user_id": "503", - "username": "carol" + "user": { + "id": "503", + "name": "carol" + } } ] } diff --git a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml index 430899c7383..32735b5d032 100644 --- a/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/jamf_pro/data_stream/inventory/elasticsearch/ingest_pipeline/default.yml @@ -264,8 +264,10 @@ processors: for (def acct : ctx.jamf_pro.inventory.local_user_accounts) { if (acct.admin == true) { Map entry = new HashMap(); - if (acct.uid != null && acct.uid != "") entry.put("user_id", acct.uid); - if (acct.username != null && acct.username != "") entry.put("username", acct.username); + Map userObj = new HashMap(); + if (acct.uid != null && acct.uid != "") userObj.put("id", acct.uid); + if (acct.username != null && acct.username != "") userObj.put("name", acct.username); + if (!userObj.isEmpty()) entry.put("user", userObj); if (acct.email != null && acct.email != "") entry.put("email", acct.email); if (!entry.isEmpty()) admins.add(entry); } diff --git a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml index d190ab19854..0d20ef32ff9 100644 --- a/packages/jamf_pro/data_stream/inventory/fields/ecs.yml +++ b/packages/jamf_pro/data_stream/inventory/fields/ecs.yml @@ -26,9 +26,9 @@ - name: administered_by type: group fields: - - name: user_id + - name: user.id type: keyword - - name: username + - name: user.name type: keyword - name: email type: keyword diff --git a/packages/jamf_pro/docs/README.md b/packages/jamf_pro/docs/README.md index 1bfdda6d92a..80f37c27167 100644 
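Review bot: In the pipeline hunk, `uid` and `username` move under a `user` object but `email` stays at the top of each entry, so one admin is described by `user.id`, `user.name` and a sibling `email`. Putting it with the others, `if (acct.email != null && acct.email != "") userObj.put("email", acct.email);`, gives `administered_by.user.email`, which matches the shape of the other two keys and lets the `!userObj.isEmpty()` check cover all three. The `ecs.yml`, README and expected-JSON hunks of this patch would need the matching change. The script starts and ends outside the hunk.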
--- a/packages/jamf_pro/docs/README.md +++ b/packages/jamf_pro/docs/README.md @@ -378,8 +378,8 @@ The following non-ECS fields are used in inventory documents: | jamf_pro.inventory.user_and_location.room | | keyword | | jamf_pro.inventory.user_and_location.username | | keyword | | user.entity.attributes.administered_by.email | | keyword | -| user.entity.attributes.administered_by.user_id | | keyword | -| user.entity.attributes.administered_by.username | | keyword | +| user.entity.attributes.administered_by.user.id | | keyword | +| user.entity.attributes.administered_by.user.name | | keyword | ### Events