jamfprotect
Jamf Connect UL predicate doesn't work due to log level
Hey all,
There's an issue with the following predicate in its usage with Jamf Protect (though this applies to other predicates in this repo as well):
https://github.com/jamf/jamfprotect/blob/32096d0c425882ad558721162d41aabf357214ce/unified_log_filters/jamf_connect/cloud_idp_authentication_bypass_and_local_user_authentication.yaml#L4C4-L4C4
The output from the mentioned predicate is something like:
2024-01-03 13:29:13.068455-0500 0x3018d Debug 0x60010 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser
This will not make it to the SIEM, since only messages with the default level are flagged and forwarded and not messages with info and debug.
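A way to check a capture for this condition, as an added example that is not part of the original issue or of the jamfprotect repo: it parses default-format `log show` lines like the one quoted above and lists entries that match a filter but sit at a level the report says is not forwarded. The subsystem and message substring stand in for the real predicate (an assumption, since the predicate text is not shown here), and the second sample line is constructed.

```python
import re

# Default `log show` column layout, as in the line quoted in the issue:
# timestamp, thread, type, activity, pid, ttl, then
# "process: (library) [subsystem:category] message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-fA-F]+)\s+(?P<type>\w+)\s+"
    r"(?P<activity>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<process>[^:]+):\s+(?:\((?P<library>[^)]*)\)\s+)?"
    r"(?:\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]*)\]\s+)?"
    r"(?P<message>.*)$"
)

# Levels the issue reports as not reaching the SIEM.
NOT_FORWARDED = {"Info", "Debug"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None for headers/noise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def dropped_matches(lines, subsystem, needle):
    """Entries that match the stand-in filter but are logged at a dropped level."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        matches = entry["subsystem"] == subsystem and needle in entry["message"]
        if matches and entry["type"] in NOT_FORWARDED:
            hits.append(entry)
    return hits


SAMPLE = [
    "Timestamp                       Thread     Type        Activity             PID    TTL",
    # Line quoted in the issue.
    "2024-01-03 13:29:13.068455-0500 0x3018d Debug 0x60010 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser",
    # Constructed line: same message at Default level, for contrast.
    "2024-01-03 13:30:02.000001-0500 0x3018e Default 0x60011 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser",
]

if __name__ == "__main__":
    for e in dropped_matches(SAMPLE, "com.jamf.connect.login", "Local auth success"):
        print(f"{e['ts']} {e['type']:<7} pid={e['pid']} {e['message']}")
```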