Complementing Splunk SIEM with Jamf Pro inventory

zentral
Zentral Pro Services
6 min read · Aug 13, 2020

Splunk Enterprise is the self-hosted version of Splunk, a security information and event management (SIEM) platform that lets organizations collect, index, search, report on and visualize data from many sources. For a few months now there has been a new option to connect Splunk with Jamf Pro, a device management (MDM) and inventory solution for Apple devices.

Once the desired data is in Splunk, it is simple to search across log, event and other data. This time we look at how inventory data is pulled from Jamf Pro into Splunk Enterprise with a dedicated Splunk add-on.

For this tutorial we set up a test instance of Splunk Enterprise on Ubuntu 20.04 LTS. Splunk Enterprise bundles its own Python interpreter and installs on Windows and Linux; for test purposes it will even run on macOS.

The current version of Splunk Enterprise is 8.0.5, and its bundled Python environment is 2.7, which is end of life (EOL). Splunk Enterprise already warns about the coming switch to a Python 3.x environment, so plan for some extra maintenance shortly: add-ons and custom scripts written for Python 2 will need to be checked against Python 3.

The friendly folks at Jamf have written an excellent technical paper on how to integrate Splunk with Jamf Pro to pull data from an “Advanced Computer/Mobile Search”: https://docs.jamf.com/technical-papers/jamf-pro/splunk/10.9.0/Introduction.html

This posting is intended to accompany that guide.

A note! This article assumes you are somewhat familiar with Jamf Pro components such as advanced searches, the display (inventory) settings of a saved search, and adding a user account for Jamf Pro API access.

Create a Splunk Account

Installing Splunk Enterprise on Ubuntu is remarkably simple, but to get hold of the .deb installer you need to register a Splunk account. Also note that our Splunk Enterprise deployment runs on a limited 60-day trial license and will expire; to procure a Splunk license, reach out to a Splunk sales contact via their website.

  1. Go to Splunk website here
  2. To create your Splunk Account, provide all details.
  3. Press the “Create Your Account Button”
  4. Wait a moment, see your Email inbox, then validate your email address.
  5. Log in with your credentials.
  6. Navigate to the “Get started” section here.
  7. Click the “Get Started With Splunk Enterprise” button.

The full documentation for Splunk Enterprise is here.
The Jamf Pro technical paper, as mentioned earlier, is here.

A note! The steps to get started with Splunk Cloud instead are explained at the beginning of another post on Splunk here.

Installing Splunk Enterprise in Ubuntu

Splunk provides base instructions for installing Splunk Enterprise on all supported platforms. As it is the simplest setup, we use Ubuntu 20.04 LTS in our example.

  1. Download the Linux installation package (the .deb file)
  2. Copy the .deb file to the Ubuntu server via ssh (scp)
  3. Install Splunk Enterprise from the .deb file with dpkg:

sudo dpkg -i /tmp/splunk-8.0.5-a1a6394cc5ae-linux-2.6-amd64.deb

  4. Enable Splunk at boot:

sudo /opt/splunk/bin/splunk enable boot-start

     For anything beyond a throw-away test, run Splunk as a dedicated unprivileged user rather than as root; the boot-start command accepts a -user option for this.
  5. Agree to the license when prompted
  6. Create the admin user (user name and password), required to log in to the Splunk Enterprise web interface
  7. Start the service:

sudo service splunk start

Sign in to Splunk Enterprise

All following steps can be performed in the Splunk web interface.

  1. In your web browser go to your Splunk Enterprise instance; the web interface listens on port 8000 (e.g. splunk.example.com:8000). Note that Splunk Web serves plain HTTP by default; for anything beyond a throw-away test, enable HTTPS for the web interface before exposing it.
  2. Log in with the admin user and password created in the terminal a moment ago

Install the Jamf Add-on

The Jamf Pro add-on pulls inventory data from Jamf Pro at a pre-defined interval.

Here is a quick walk-through of how to install the Jamf Pro Add-on for Splunk from the Splunk web interface.

  1. Navigate to “Find more Apps” menu
  2. Search for “jamf”
  3. Click the “install” button
  4. Login with your registered Splunk Account
  5. Install the Add-on
  6. Restart Splunk Enterprise to complete the installation
  7. Log in to Splunk again, see the Jamf Add on now available
Add Splunk apps as add-on: search for “jamf”, log in with your Splunk account, install the “Jamf Pro Add-on for Splunk”
Wait until the add-on installation has finished; a restart is required

Advanced Search in Jamf Pro

You can quickly define which data Splunk pulls from Jamf Pro: for this, a new “Advanced Search” needs to be created and saved in Jamf Pro. Splunk will retrieve all inventory fields displayed by this saved search at the defined interval, so only enable the fields you actually need in Splunk.

  1. Log in to Jamf Pro
  2. Create an “Advanced Search”
  3. In “Display” section for this saved search, enable inventory fields to be pulled by Splunk
  4. Save the search with a unique name (needed later in Splunk Add-on conf.)
Add inventory fields you want to get pulled by Splunk

Setup Jamf Pro Splunk Add-on

Prerequisite: for the next step to work you must have created a dedicated user account in Jamf Pro for Splunk with read-only (auditor) privileges, which lets Splunk connect to the Jamf Pro API (read more about the Jamf Pro API here). Give this account no more than read access to the objects the search returns: its credentials will be stored in Splunk.

  1. Navigate to the Jamf Pro Add-On in the Splunk Enterprise web interface
  2. Click the “Create New Input” button
  3. Set a meaningful Name and define the interval how often Splunk will retrieve inventory data
  4. In the form, provide all details requested: the Jamf Pro FQDN (JSS URL), user name/password of the API account, the API call name (Computers or Mobile Devices) and the search name (matching the advanced search saved in Jamf Pro)
  5. Save the settings
  6. Validate your settings

After a short moment you can search in Splunk Enterprise for the inventory data retrieved from Jamf Pro; the field names match the display fields of the saved search. From here you can explore the full search and query features of Splunk.

Create Splunk input, validate settings
Search for aggregated data, use known field names from Jamf Inventory

Summary

This article is written as a complement to the Jamf technical paper for Splunk (see the links above) and helps speed up testing some exciting features for those new to Splunk. If your organization already uses Splunk as its SIEM solution, the quick setup for macOS/iOS/iPadOS/tvOS inventory aggregation in Splunk is a welcome detail to have.

A short note about the interval-based inventory pull of the Jamf Pro add-on: it always fetches the full inventory. Getting “differential” data, i.e. only the inventory changes needed for proper historical change tracking, requires significant extra work. Building a nice dashboard representation of the inventory in Splunk will also keep you busy for a while; it is certainly doable and worth it. Working with Jamf webhooks is another improvement to look into here.
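The pull-and-flatten cycle the add-on runs at each interval, together with the “differential” change tracking the paragraph above says takes extra work, as an added example (this is not code from the original post, from the Jamf Pro Add-on or from Zentral). It targets the Jamf Pro Classic API endpoint for saved advanced computer searches with the same JSS URL, user name, password and search name inputs the add-on asks for. The JSON samples are constructed to the Classic API’s shape (display-field names with underscores) and are not taken from a real instance; the IGNORED_FIELDS set and the HEC sourcetype name are choices of this example, and the script runs on Python 3 rather than Splunk’s bundled Python 2.7.

```python
"""Pull a saved Jamf Pro advanced computer search and track inventory changes.

Added example, not the Jamf Pro Add-on's own code. Per interval the add-on
GETs the saved search via the Classic API and indexes every row; this script
does the same flattening and additionally diffs two pulls so that only the
changed inventory needs to be indexed.
"""
import base64
import json
import urllib.parse
import urllib.request

# Fields that change on every inventory update and are noise for change tracking.
# Assumption: the saved search displays these Jamf fields (names as the Classic
# API returns them, spaces replaced by underscores).
IGNORED_FIELDS = {"Last_Check_in", "Last_Inventory_Update"}


def fetch_advanced_search(jss_url, username, password, search_name):
    """GET /JSSResource/advancedcomputersearches/name/<search_name> as JSON.

    Classic API with HTTP Basic auth, matching the add-on's inputs. Use the
    dedicated read-only (auditor) account; not called in the offline sample.
    """
    url = "%s/JSSResource/advancedcomputersearches/name/%s" % (
        jss_url.rstrip("/"), urllib.parse.quote(search_name))
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(search_json):
    """Turn the search response into {computer_id: {field: value}}.

    Jamf returns one row per computer keyed by the search's display fields;
    the row's "id" is the Jamf computer id, the only key stable across pulls.
    """
    rows = search_json["advanced_computer_search"]["computers"]
    return {int(row["id"]): {k: v for k, v in row.items() if k != "id"} for row in rows}


def diff_inventory(previous, current):
    """Return added / removed / changed computers between two flattened pulls."""
    added = {i: current[i] for i in current.keys() - previous.keys()}
    removed = {i: previous[i] for i in previous.keys() - current.keys()}
    changed = {}
    for i in current.keys() & previous.keys():
        delta = {}
        for field in set(current[i]) | set(previous[i]):
            old, new = previous[i].get(field), current[i].get(field)
            if field not in IGNORED_FIELDS and old != new:
                delta[field] = {"old": old, "new": new}
        if delta:
            changed[i] = delta
    return {"added": added, "removed": removed, "changed": changed}


def to_hec_events(delta, search_name, sourcetype="jamf:inventory:change"):
    """Serialise a diff as newline-delimited JSON for Splunk's HTTP Event Collector."""
    lines = []
    for kind in ("added", "removed", "changed"):
        for computer_id, payload in sorted(delta[kind].items()):
            lines.append(json.dumps({"sourcetype": sourcetype, "source": search_name,
                                     "event": {"change": kind, "computer_id": computer_id,
                                               "data": payload}}, sort_keys=True))
    return "\n".join(lines)


# Constructed samples in the Classic API's shape: two consecutive pulls of the
# same saved search (mac-01 got an OS update, mac-02 left, mac-03 joined).
PULL_1 = {"advanced_computer_search": {"id": 7, "name": "Splunk Inventory", "computers": [
    {"id": 101, "name": "mac-01", "Computer_Name": "mac-01", "Operating_System_Version": "10.15.6",
     "FileVault_2_Status": "Encrypted", "Last_Check_in": "2020-08-12 09:00:00"},
    {"id": 102, "name": "mac-02", "Computer_Name": "mac-02", "Operating_System_Version": "10.15.5",
     "FileVault_2_Status": "Encrypted", "Last_Check_in": "2020-08-12 09:05:00"}]}}
PULL_2 = {"advanced_computer_search": {"id": 7, "name": "Splunk Inventory", "computers": [
    {"id": 101, "name": "mac-01", "Computer_Name": "mac-01", "Operating_System_Version": "10.15.7",
     "FileVault_2_Status": "Encrypted", "Last_Check_in": "2020-08-13 09:00:00"},
    {"id": 103, "name": "mac-03", "Computer_Name": "mac-03", "Operating_System_Version": "10.15.6",
     "FileVault_2_Status": "Not Encrypted", "Last_Check_in": "2020-08-13 09:10:00"}]}}


def run_sample():
    """Diff the two constructed pulls; the only changed field is mac-01's OS version."""
    return diff_inventory(flatten(PULL_1), flatten(PULL_2))


if __name__ == "__main__":
    print(to_hec_events(run_sample(), "Splunk Inventory"))
```

Keep the previous pull’s flattened dict (or a hash per row) between intervals and index only the diff’s output: the full pull from Jamf Pro still happens, but the volume indexed in Splunk shrinks to what actually changed, which is what both change dashboards and alerts on fields like FileVault status want.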

Where “differential” inventory change tracking for macOS and iOS/iPadOS/tvOS is highly desired, agent-based macOS endpoint event aggregation with Google Santa, osquery or other agents can be planned to integrate with a Splunk SIEM setup. Have a look at how to leverage Splunk as a data store with Zentral, an open-source solution for infrastructure monitoring and endpoint event stream processing.

Also, don’t hesitate to contact us with further questions on any of the above, and to discuss what an individual deployment could look like.



We’re the developers behind Zentral. We operate a consultancy business, provide expertise and services all around Mac management. Contact: https://zentral.com