SourcesSource TypesJAMF Protect

Jamf Protect Security Event and Telemetry with a Webhook

This guide explains how to set up Jamf Protect Cloud to forward telemetry and security events to RunReveal using a webhook url generated by the JAMF Protect source in the RunReveal UI.

jamf protect webhook-setup

Prerequisites

  • Jamf Protect Cloud admin access
    You need rights to configure telemetry forwarding and webhooks.
  • RunReveal account with permissions to add sources and view logs (admin/editor)
    Ability to add sources and view logs.
  • Telemetry/Security logging set up in JAMF Protect Cloud
    Decide which Jamf Protect data (telemetry, alerts, etc.) you want to send.

Step 1: Generate a Webhook Endpoint in RunReveal

  1. Navigate to Sources in RunReveal
  2. Click Add Source
  3. Select Jamf Protect and choose Webhook as the ingest type and save the source with a name to generate the unique webhook url.
  4. Copy the webhook endpoint URL provided

jamfprotect-webhook-setup

Step 2: Create Data Endpoint Action in Jamf Protect Cloud

  1. Log in to Jamf Protect Cloud Console
  2. Navigate to Settings → Action Configurations
  3. Click New to create a new action configuration
  4. Select Data Endpoint as the action type
  5. Provide a descriptive name (e.g., “RunReveal Webhook”)
  6. Configure the data endpoint settings:
    • Endpoint URL: Paste the RunReveal webhook URL you copied earlier
    • Method: POST
    • Headers: Set Content-Type to application/json
    • Authentication: None (authentication handled via webhook URL)
    • Data Format: JSON

For more details, see the Creating an Action Configuration - JAMF macOS Security Portal guide.

Step 3: Select Telemetry & Event Types to Forward

  • In Jamf Protect, you can typically choose:
    • Telemetry (system, process, network, file events)
    • Alerts (detections, policy violations)
    • Device status/events
    • User activity
  • You can always update your selection later as monitoring needs evolve.

Step 4: Validate Delivery

  1. Return to RunReveal, open your Jamf Protect Source page.
  2. Confirm that logs are arriving.
  3. Search within explorer or use Native AI Chat to inspect recent Jamf Protect events.

Troubleshooting

  • Missing Logs

    • Check that Jamf Protect webhook is enabled and pointed to RunReveal
    • Validate that events are generated in JAMF Protect Cloud and that you’ve selected your event types for the forwarder.

Helpful Links

JAMFKeeper Security