Jamf Protect via Webhook
Collect analytic and security events from Jamf Protect Cloud — including screenshot detection, prevented execution, and Gatekeeper blocks — by forwarding them to RunReveal via webhook. For S3-based ingestion, see Jamf Protect Logs.

Prerequisites
- Jamf Protect Cloud admin access — configure action configurations and data endpoints.
- RunReveal account with permission to add sources and view logs.
- Jamf Protect analytics producing events you want to forward.
Step 1: Generate a Webhook Endpoint in RunReveal
- Open Sources in RunReveal and click Add Source.
- Select Jamf Protect via Webhook (or JAMF Protect with webhook ingest).
- Save the source with a clear name to generate the webhook URL.
- Copy the webhook endpoint URL.

Step 2: Create a Data Endpoint Action in Jamf Protect Cloud
- Log in to Jamf Protect Cloud.
- Go to Settings → Action Configurations.
- Click New and choose Data Endpoint.
- Name it (e.g. “RunReveal Webhook”).
- Set Endpoint URL to your RunReveal webhook URL, Method POST, Content-Type application/json, and Data Format JSON.

See Creating an Action Configuration in Jamf’s documentation.

Step 3: Attach Analytics
Attach your Data Endpoint action to the analytics or groups you want. Common event types include GPScreenshotEvent, GPGatekeeperEvent, GPPreventedExecutionEvent, and GPThreatMatchExecEvent.
Example security event payload

    {
      "caid": "CAID_HASH",
      "certid": "CERT_ID_HASH",
      "input": {
        "eventType": "GPScreenshotEvent",
        "host": {
          "hostname": "HOST_NAME",
          "ips": ["192.0.2.1"],
          "os": "Version 15.4.1 (Build 24E263)",
          "protectVersion": "7.0.0.9",
          "provisioningUDID": "UDID_VALUE",
          "serial": "SERIAL_NUMBER"
        },
        "match": {
          "event": {
            "path": "/Users/user/Documents/Screenshots/example.png",
            "timestamp": 1747062957.09414,
            "uuid": "EVENT_UUID"
          },
          "tags": ["MITREattack", "T1113", "ScreenCapture", "Collection"],
          "uuid": "MATCH_UUID"
        }
      }
    }

Step 4: Validate Delivery
Open your source in RunReveal, confirm events are arriving, and query them in Explorer or Native AI Chat.
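
To check an event body locally while validating delivery, the following added example (not RunReveal's or Jamf's own code) parses the payload format shown in Step 3 and extracts the fields useful for triage, including any MITRE ATT&CK technique IDs in `tags`. The function name `summarize`, the output keys, and the reading of `timestamp` as Unix epoch seconds are assumptions; the sample is constructed from the example payload above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the example payload from this page, trimmed.
SAMPLE = """{"caid": "CAID_HASH", "certid": "CERT_ID_HASH", "input": {
  "eventType": "GPScreenshotEvent",
  "host": {"hostname": "HOST_NAME", "ips": ["192.0.2.1"], "serial": "SERIAL_NUMBER"},
  "match": {
    "event": {"path": "/Users/user/Documents/Screenshots/example.png",
              "timestamp": 1747062957.09414, "uuid": "EVENT_UUID"},
    "tags": ["MITREattack", "T1113", "ScreenCapture", "Collection"],
    "uuid": "MATCH_UUID"}}}"""

# ATT&CK technique or sub-technique ID, e.g. T1113 or T1059.004
TECHNIQUE_ID = re.compile(r"T\d{4}(?:\.\d{3})?")


def summarize(raw: str) -> dict:
    """Validate one webhook body and return the fields useful for triage.

    Raises ValueError if the body is not JSON or lacks the fields that the
    example payload carries (an assumption: other event types may differ).
    """
    try:
        doc = json.loads(raw)
        inp = doc["input"]
        host, match = inp["host"], inp["match"]
        event = match["event"]
        # Assumption: timestamp is Unix epoch seconds with a fractional part.
        when = datetime.fromtimestamp(float(event["timestamp"]), tz=timezone.utc)
        return {
            "event_type": inp["eventType"],
            "hostname": host["hostname"],
            "serial": host["serial"],
            "event_uuid": event["uuid"],
            "event_time": when.isoformat(timespec="seconds"),
            "techniques": [t for t in match.get("tags", [])
                           if isinstance(t, str) and TECHNIQUE_ID.fullmatch(t)],
        }
    except (KeyError, TypeError, ValueError, OverflowError, OSError) as exc:
        raise ValueError(f"not a usable Jamf Protect event: {exc!r}") from exc


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing the returned `event_uuid` and `event_time` with what appears in RunReveal is a quick way to confirm that a specific event arrived intact.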
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: jamf_protect_webhook_logs (73 columns)

| Column | Type |
|---|---|
| id | String |
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime64(3) |
| eventTime | DateTime64(3) |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actorID | String |
| username | String |
| hostname | String |
| rawLog | String |
| hostOS | String |
| protectVersion | String |
| provisioningUDID | String |
| serial | String |
| actionType | Int32 |
| eventType | Int32 |
| globalSeqNum | Int64 |
| machTime | Int64 |
| seqNum | Int64 |
| version | Int32 |
| timestamp | Int64 |
| timestampReceivedISO | String |
| processPath | String |
| processPid | Int32 |
| processUsername | String |
| processSigningId | String |
| processCdHash | String |
| processExecutablePath | String |
| processExecutableSha1 | String |
| processExecutableSha256 | String |
| execArgs | Array(String) |
| execDyldPath | String |
| execTargetPath | String |
| execTargetPid | Int32 |
| execTargetUsername | String |
| execTargetSigningId | String |
| parentProcessPath | String |
| parentProcessPid | Int32 |
| parentProcessSigningId | String |
| responsibleProcessPath | String |
| responsibleProcessPid | Int32 |
| responsibleProcessSigningId | String |
| threadId | Int64 |
| threadUUID | String |
| clientId | String |
| hd | String |
| certId | String |
| metadataProduct | String |
| metadataSchemaVersion | String |
| metadataVendor | String |

Troubleshooting
- No events — Verify the Data Endpoint action is enabled, analytics are firing, and the URL matches your RunReveal webhook.
- 401/403 from RunReveal — Check bearer token or URL if your org requires them.