Jamf Protect Security Event Forwarding with a Webhook

This guide explains how to configure Jamf Protect Cloud to forward analytic and security events (e.g., screenshot detection, prevented execution, Gatekeeper blocks) to RunReveal using a webhook URL generated in the RunReveal UI.


Prerequisites

  • Jamf Protect Cloud admin access
    You need rights to configure action configurations and data endpoints.
  • RunReveal account with an admin or editor role
    You need to be able to add sources and view logs.
  • Configured Jamf Protect analytics
    Ensure Jamf Protect is already generating events (e.g., screenshot captures, execution blocks, policy violations).

Step 1: Generate a Webhook Endpoint in RunReveal

  1. Navigate to Sources in RunReveal
  2. Click Add Source
  3. Select Jamf Protect and choose Webhook as the ingest type
  4. Save the source with a descriptive name to generate the unique webhook URL
  5. Copy the webhook endpoint URL provided


Step 2: Create Data Endpoint Action in Jamf Protect Cloud

  1. Log in to Jamf Protect Cloud Console
  2. Navigate to Settings → Action Configurations
  3. Click New to create a new action configuration
  4. Select Data Endpoint as the action type
  5. Provide a descriptive name (e.g., “RunReveal Webhook”)
  6. Configure the data endpoint settings:
    • Endpoint URL: Paste the RunReveal webhook URL you copied earlier
    • Method: POST
    • Headers: Set Content-Type to application/json
    • Authentication: None (the unique webhook URL itself acts as the credential, so treat it as a secret)
    • Data Format: JSON

For more details, see Creating an Action Configuration in the Jamf macOS Security Portal documentation.

Step 3: Select Analytic & Event Types to Forward

  • In Jamf Protect, you can attach your Data Endpoint Action to specific analytics or groups of analytics.
  • Common event types include:
    • GPScreenshotEvent (screen capture / MITRE T1113)
    • GPGatekeeperEvent (Gatekeeper enforcement)
    • GPPreventedExecutionEvent (execution blocked)
    • GPThreatMatchExecEvent (analytic match on process execution)
  • You can update your configuration later as monitoring needs evolve.

Security Event payload format (example GPScreenshotEvent):

{
  "caid": "CAID_HASH",
  "certid": "CERT_ID_HASH",
  "input": {
    "eventType": "GPScreenshotEvent",
    "host": {
      "hostname": "HOST_NAME",
      "ips": ["192.0.2.1"],
      "os": "Version 15.4.1 (Build 24E263)",
      "protectVersion": "7.0.0.9",
      "provisioningUDID": "UDID_VALUE",
      "serial": "SERIAL_NUMBER"
    },
    "match": {
      "event": {
        "path": "/Users/user/Documents/Screenshots/Screenshot 2025-05-12 at 11.15.48 AM (2).png",
        "timestamp": 1747062957.09414,
        "uuid": "EVENT_UUID"
      },
      "tags": ["MITREattack", "T1113", "ScreenCapture", "Collection"],
      "uuid": "MATCH_UUID"
    },
    "related": {
      "users": [{
        "name": "user",
        "uid": 501,
        "uuid": "USER_UUID_1"
      }]
    }
  }
}
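As an added example (not code from Jamf or RunReveal), the following Python checks a payload in the Security Event format above for the fields a receiver needs and flattens it into a record that is easy to search and alert on; the sample event is constructed from the placeholder values shown, and the field names used are only those in the payload above.

```python
from datetime import datetime, timezone

# Constructed sample payload in the Security Event format shown above
# (placeholder values, not captured from a real host).
SAMPLE_EVENT = {
    "caid": "CAID_HASH", "certid": "CERT_ID_HASH",
    "input": {
        "eventType": "GPScreenshotEvent",
        "host": {"hostname": "HOST_NAME", "ips": ["192.0.2.1"], "serial": "SERIAL_NUMBER",
                 "os": "Version 15.4.1 (Build 24E263)", "protectVersion": "7.0.0.9",
                 "provisioningUDID": "UDID_VALUE"},
        "match": {"event": {"path": "/Users/user/Documents/Screenshots/Screenshot 2025-05-12 at 11.15.48 AM (2).png",
                            "timestamp": 1747062957.09414, "uuid": "EVENT_UUID"},
                  "tags": ["MITREattack", "T1113", "ScreenCapture", "Collection"],
                  "uuid": "MATCH_UUID"},
        "related": {"users": [{"name": "user", "uid": 501, "uuid": "USER_UUID_1"}]},
    },
}

# Fields a receiver should require before accepting an event for indexing.
REQUIRED = (("input", "eventType"), ("input", "host", "hostname"),
            ("input", "match", "event", "timestamp"))

def validate(payload):
    """Return dotted paths of missing required fields; an empty list means the payload is usable."""
    missing = []
    for path in REQUIRED:
        node = payload
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            missing.append(".".join(path))
    return missing

def normalize(payload):
    """Flatten a Jamf Protect security event into a record that is easy to search and alert on."""
    inp = payload["input"]
    host, match = inp["host"], inp["match"]
    users = inp.get("related", {}).get("users", [])
    ts = datetime.fromtimestamp(match["event"]["timestamp"], tz=timezone.utc)  # epoch float -> UTC
    return {
        "event_type": inp["eventType"],
        "hostname": host["hostname"],
        # Technique IDs look like T1113; the remaining tags are descriptive labels.
        "mitre_techniques": [t for t in match.get("tags", []) if t[:1] == "T" and t[1:].isdigit()],
        "user": users[0]["name"] if users else None,
        "path": match["event"].get("path"),
        "timestamp": ts.isoformat(),
        "match_uuid": match.get("uuid"),
    }
```

Running `validate` before `normalize` lets a receiver reject or quarantine malformed posts instead of raising on a missing key, and the normalized record is what a detection rule (for example, any event carrying T1113) would query.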

Step 4: Validate Delivery

  1. Return to RunReveal and open your Jamf Protect Source page
  2. Confirm that events are arriving
  3. Search in Explorer or use Native AI Chat to inspect recent Jamf Protect analytic events

Troubleshooting

  • No events appearing in RunReveal
    • Check that your Jamf Protect Data Endpoint action is enabled and pointing to the correct RunReveal URL
    • Validate that Jamf Protect analytics are enabled and triggering events
    • Use a cURL test with sample JSON to confirm that your webhook URL accepts data