Jamf Protect Logs
Ingest analytic and security events from Jamf Protect using object storage (AWS S3, S3 with a custom SQS queue, or MinIO-compatible buckets). For webhook delivery from Jamf Protect Cloud, see Jamf Protect via Webhook.

Ingest Methods
RunReveal offers the following ways to ingest Jamf Protect logs:
- AWS S3 Bucket
- AWS S3 Bucket with Custom SQS
- Jamf Protect via Webhook — stream events via webhook instead of object storage
MinIO and other S3-compatible storage use the same SNS notification pattern as AWS S3.
If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications:

arn:aws:sns:<REGION>:253602268883:runreveal_jamfprotect

Replace <REGION> with the AWS region where your S3 bucket is located (e.g., us-east-1, us-west-2, eu-west-1).
SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.
Follow the AWS S3 Bucket and AWS S3 Bucket with Custom SQS guides for bucket policy, IAM, and notification setup. Point S3 event notifications at the SNS topic ARN above (or configure your custom queue and enter its URL in RunReveal).

Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: jamf_protect_logs (46 columns)

| Column | Type |
|---|---|
| id | String |
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime64(3) |
| eventTime | DateTime64(3) |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actorID | String |
| username | String |
| hostname | String |
| hostOS | String |
| protectVersion | String |
| provisioningUDID | String |
| eventPath | String |
| processID | UInt32 |
| eventTimestamp | Float64 |
| severity | UInt8 |
| matchUUID | String |
| matchTags | Array(String) |
| factDescription | String |
| fact_name | String |
| caid | String |
| certID | String |
| rawLog | String |

Troubleshooting
- No objects ingested — Confirm bucket notifications reach the SNS topic or SQS queue configured in RunReveal, and that RunReveal can read objects with the IAM role or credentials you provided.
- Wrong region — The <REGION> segment in the SNS ARN must match the region where the bucket and topic are configured.
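
The two troubleshooting checks above can be run against the bucket's notification configuration before opening a support ticket. This is an added example, not RunReveal code: the function name, the sample configuration and the object-created event check are assumptions, and it covers only the SNS path, not a custom SQS queue.

```python
import re

RUNREVEAL_ACCOUNT = "253602268883"    # from this page; BYOC/On-Prem/BYODB pass their own
TOPIC_NAME = "runreveal_jamfprotect"  # from this page
ARN_RE = re.compile(r"^arn:aws:sns:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_-]+)$")


def check_notifications(config, bucket_region, account_id=RUNREVEAL_ACCOUNT):
    """Return a list of problems in an S3 bucket notification configuration.

    config is the JSON printed by
    `aws s3api get-bucket-notification-configuration --bucket <bucket>`.
    """
    problems, candidates = [], 0
    for t in config.get("TopicConfigurations", []):
        arn = t.get("TopicArn", "")
        m = ARN_RE.match(arn)
        if not m:
            # Catches a literal "<REGION>" left in the ARN, among other typos.
            problems.append(f"malformed topic ARN: {arn}")
            continue
        region, account, name = m.groups()
        if not name.startswith("runreveal"):
            continue  # notification for an unrelated consumer
        candidates += 1
        if name != TOPIC_NAME:
            problems.append(f"topic name {name} should be {TOPIC_NAME}")
        if region != bucket_region:
            problems.append(f"topic region {region} != bucket region {bucket_region}")
        if account != account_id:
            problems.append(f"topic account {account} != expected {account_id}")
        # Assumption: ingestion is triggered by object-created events.
        if not any(e.startswith("s3:ObjectCreated:") for e in t.get("Events", [])):
            problems.append("no s3:ObjectCreated event is sent to the topic")
    if candidates == 0 and not problems:
        problems.append("no notification targets a runreveal topic")
    return problems


# Constructed sample: bucket in eu-west-1, ARN copied with us-east-1 and a hyphen.
SAMPLE = {"TopicConfigurations": [{
    "Id": "jamf-to-runreveal",
    "TopicArn": "arn:aws:sns:us-east-1:253602268883:runreveal-jamfprotect",
    "Events": ["s3:ObjectCreated:*"],
}]}

if __name__ == "__main__":
    for p in check_notifications(SAMPLE, "eu-west-1"):
        print("FAIL:", p)
```

An empty list means the SNS side of the notification matches what this page requires; IAM read access to the objects still has to be checked separately.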