Hey all,
There's an issue with the following predicate in its usage with Jamf Protect (though this applies to other predicates in this repo as well):
https://github.com/jamf/jamfprotect/blob/32096d0c425882ad558721162d41aabf357214ce/unified_log_filters/jamf_connect/cloud_idp_authentication_bypass_and_local_user_authentication.yaml#L4C4-L4C4
The output from the mentioned predicate is something like:
2024-01-03 13:29:13.068455-0500 0x3018d Debug 0x60010 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser
This will not make it to the SIEM, since only messages with the default level are flagged and forwarded and not messages with info and debug.
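To check which lines matched by a predicate fall into the gap described in the post, the sketch below parses unified log lines in the layout quoted above and lists the ones logged at `Info` or `Debug`. It is an added example, not part of the original post or of the jamfprotect repository; the names `parse` and `forwarding_gaps` are hypothetical, the rule that `Info` and `Debug` are not forwarded is taken from the post, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Column layout as in the line quoted in the post:
# timestamp thread type activity pid ttl process: (sender) [subsystem:category] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-fA-F]+)\s+"
    r"(?P<level>Default|Info|Debug|Error|Fault)\s+"
    r"(?P<activity>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<process>[^:]+):\s+(?:\((?P<sender>[^)]*)\)\s+)?"
    r"(?:\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]*)\]\s+)?(?P<message>.*)$"
)

# Assumption taken from the post: these levels are not flagged or forwarded.
NOT_FORWARDED = {"Info", "Debug"}

SAMPLE = [
    "Timestamp                       Thread     Type        Activity             PID    TTL",
    # Line quoted in the post.
    "2024-01-03 13:29:13.068455-0500 0x3018d Debug 0x60010 44503 0 SecurityAgentHelper-arm64: "
    "(JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser",
    # Constructed lines for illustration.
    "2024-01-03 13:29:14.101200-0500 0x3018d Default 0x0 44503 0 SecurityAgentHelper-arm64: "
    "(JamfConnectLogin) [com.jamf.connect.login:LoginUI] constructed default-level message",
    "2024-01-03 13:29:15.000001-0500 0x30190 Info 0x0 44503 0 SecurityAgentHelper-arm64: "
    "(JamfConnectLogin) [com.jamf.connect.login:LoginUI] constructed info-level message",
]

def parse(line):
    """Return the fields of one log line as a dict, or None for headers and noise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def forwarding_gaps(lines, dropped=NOT_FORWARDED):
    """Return (records at a non-forwarded level, count of parsed lines per level)."""
    gaps, levels = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # header row or a line in another layout
        levels[rec["level"]] += 1
        if rec["level"] in dropped:
            gaps.append(rec)
    return gaps, levels

if __name__ == "__main__":
    gaps, levels = forwarding_gaps(SAMPLE)
    print("parsed lines per level:", dict(levels))
    for rec in gaps:
        print(f'{rec["level"]:<6} {rec["subsystem"]}:{rec["category"]} {rec["message"]}')
```
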