Integrating Jamf Protect with Microsoft Sentinel

Jamf Protect now integrates with Microsoft Sentinel—learn about the benefits and features of this integration in this blog.

August 24 2023 by

Thijs Xhaflaire

Aaron Webb

Katie John

Matt Taylor

People shaking hands

Jamf Protect, our leading endpoint security solution for Mac and mobile devices, has recently announced its integration with Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution. This integration enables organizations to seamlessly monitor and protect their Mac fleet through the Microsoft Sentinel platform, providing a unified view of security events across all endpoints and facilitating a more effective response to threats.

The Jamf Protect data forwarding integration with Microsoft Sentinel makes it easy for organizations to implement and configure the integration. With this integration, we'll discuss the newest features found in the latest version, 3.0.0, such as the new:

  • Playbooks
  • Hunting queries
  • Parser

Not to forget updated Workbooks and Analytic rules that help organizations to leverage the strengths of both solutions to gain better visibility into security events while streamlining and automating incident response.

What are the benefits of Jamf Protect SIEM integration with Microsoft Sentinel?

One of the key benefits is the ability to centrally manage and monitor Mac endpoints alongside other devices, such as Windows and Linux machines. Microsoft Sentinel provides a unified view of security events across all endpoints, allowing security teams to identify threats and respond to them quickly and effectively. By integrating with Jamf Protect, organizations can also gain additional insight into their Mac endpoints and protect against threats specific to those devices.

The integration also enables organizations to automate incident response workflows, reducing the time it takes to detect and respond to threats. For example, if Jamf Protect detects malware on a Mac device, it can automatically trigger an alert or incident in Microsoft Sentinel, which can then initiate a response, such as suspending a user in Microsoft Azure AD in case malicious activity has been detected. This integration streamlines the incident response process and reduces the risk of human error.

Another benefit of the Jamf Protect SIEM integration with Microsoft Sentinel is the ability to leverage Microsoft’s threat intelligence capabilities. Microsoft Sentinel ingests threat intelligence from various sources, such as the Microsoft Intelligent Security Graph, and can use this information to identify and respond to threats more effectively.

Which new features are included in v3.0.0 of the integration?

The Jamf Protect SIEM integration with Microsoft Sentinel is a powerful solution for organizations looking to secure their Mac endpoints and gain better visibility into security events across all devices. By integrating Jamf Protect with Microsoft Sentinel, organizations can automate incident response workflows, leverage threat intelligence and gain a unified view of security events, all while streamlining the management and monitoring of their Mac fleet.

That said, here's a rundown of the new and updated features available since its inception earlier this year.


Say goodbye to manual intervention during threats!

Explained by Microsoft as being “collections of procedures that can be run from Microsoft Sentinel in response to an entire incident, to an individual alert, or to a specific entity.The Playbooks feature provides an automated response that runs after an incident has been created or another condition has been met. With it, security teams effortlessly define customized sequences of actions, empowering them to automate swift and effective responses to mitigate security incidents quickly using the power of the Jamf API.

Some examples of Playbooks included are:

  • Remote lock a computer with Jamf Pro
    • Based upon the host entities in the Microsoft Sentinel incident, it locks the device using a remote command
    • Workflow generates a randomized, 6-digit passcode which will be stored within the incident itself
  • Update alert statuses in Jamf Protect
    • Mirrors the Microsoft Sentinel incident state and once set to active, will change the status to in progress
  • Automatically resolve alerts in Jamf Protect
    • Mirrors the Microsoft Sentinel incident state and once set to closed, updates it to resolved

Hunting queries

Proactively discover potential threats across your endpoints by combining Jamf Protect’s Alert, Telemetry and Network event data and Microsoft Sentinel’s Hunting Queries. Doing so allows security researchers to hunt for threats retrospectively in time, ensuring that threats nor malware did not occur before they became known.

For example, you will find two samples that hunt for DazzleSpy and JokerSpy respectively, with coverage already provided by Jamf Protect, but allow security researchers to run this query at a previous point in time, checking for a prior existence of the threat.


Experience enhanced data parsing capabilities with the newly added parser that matches fields to the Advanced Security Information Model (ASIM). Data extracted and interpreted from an expanded array of sources enables comprehensive threat detection and analysis. Make better, more informed decisions using accurate and real-time information gleaned from a holistic view of your environment's security landscape.

Map events from the following streams:

  • Jamf Protect Alerts
    • Including Threat Prevention
    • Including Analytics
    • Including Device Controls
  • Jamf Protect Telemetry
  • Jamf Protect Web Protection
    • Network Traffic Stream
    • Threat Event Stream


Visualize complex data effortlessly with updated Workbooks. The intuitive interface transforms raw information into actionable insights through dynamic charts, graphs and metrics. Empower your security and IT teams to quickly assess, interpret and respond to threats, bolstering your defense strategy with a user-friendly, data-driven approach.

Workbooks already existed in previous versions of the solution, but have received a significant update that adds more value, such as:

  • Utilizes the newly added parser for querying
  • Added system performance metrics to granularly review performance across all endpoints
  • Log Parsers are now able to review not only the jamf.log but others as well

Analytic rules

Stay ahead of emerging risks and stay in control of your cybersecurity posture with Analytic rules. The earlier version of Jamf Protect for Microsoft Sentinel contained Analytic rules for automated incident creation, allowing responders to act up on that.

Updates to the Analytic rules have refined them to be more precise while also making use of the newly added parser feature.

Where can admins get this integration?

If you’re interested in implementing the Jamf Protect SIEM integration with Microsoft Sentinel, it’s as easy as visiting the Azure Marketplace listing and following the installation and configuration steps. With this integration, you can protect your Mac endpoints alongside other devices and gain better insight into security events across your entire organization.

Additionally, you can find Jamf Protect for Microsoft Sentinel in the Government Marketplace and Microsoft Sentinel Content Hub.

Security teams' finger on the pulse of your security posture

Embrace the future of cybersecurity – where automation, proactive discovery, deep data insight and visual clarity converge to create an unparalleled defense against digital adversaries.

Jamf Protect seamlessly integrates with Microsoft Sentinel using native data forwarding to Log analytics, maximizing the power of both solutions. Strengthen your security posture by combining the robust capabilities of Microsoft Sentinel with the advanced Apple endpoint security features of Jamf Protect.

Already using Jamf Protect for Microsoft Sentinel? Upgrade to version 3.0.0 from within the Microsoft Sentinel Content Hub today to unlock more value and increased functionality!

Demonstration of features

For a walkthrough of the features and use of this integration, please see the video below:

Attending the Jamf Nation User Conference this year?

Check out our threat hunting and incident response session with Jamf Protect + Microsoft Sentinel!

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.