SOAR Playbooks

Matt Taylor edited this page Oct 18, 2021 · 5 revisions

The SOAR playbooks contained within this repository are workflows designed to be executed on an endpoint by Jamf Pro in response to an analytic detection by Jamf Protect. This is achieved through the remediation integration between the two products, detailed here.

Leveraging this integration requires the endpoint to be enrolled in both Jamf Protect as well as a Jamf Pro environment.

The general flow of operations through this integration is as follows:

  1. A security event occurs on an endpoint
  2. The event is detected by Jamf Protect's analytic feature
  3. As a result of the positive detection, the Jamf Protect agent executes an action that places the endpoint into a Smart Computer Group in Jamf Pro, which makes the endpoint eligible for scoping (inclusion or exclusion) of management objects such as Policies or Configuration Profiles
  4. The Jamf Pro management framework then proactively checks for and executes the pending management actions that this group membership scopes to the endpoint

The SOAR playbooks available to implement via this integration will continue to grow and provide such capabilities as:

  • automatic acquisition and removal of files quarantined by Jamf Protect
  • automatic acquisition of specific artefacts off endpoints in response to a positive detection
  • mitigation and remediation activities, such as network isolation of an endpoint

The playbooks themselves are largely scripted workflows, although some are expected to involve other types of management such as Configuration Profiles.

Each SOAR playbook will soon have documentation for its implementation and usage.

SOAR Playbook Documentation

See below for documentation specific to each SOAR playbook contained within this repository. Reference information for variables and functions that are generic and operate across multiple playbooks can be found in the SOAR Playbooks: Common Variables and Functions wiki page.

Quarantined File Acquisition and Removal

This playbook provides the ability to acquire and optionally remove files quarantined by Jamf Protect in the event of a positive signature match of known malware by the Threat Prevention feature.

Required Jamf Protect Analytic:

For this playbook to execute, a Custom Analytic must be created and deployed to endpoints to monitor for new files created in the /Library/Application Support/JamfProtect/Quarantine directory. The required predicate and settings for creating this Custom Analytic can be found here in this repository.

Variables specific to this playbook:

  • files - this variable will set whether to collect and/or remove just the most recently quarantined file or all files in the quarantine directory. Expected configuration is:
    • "all" = collect and/or remove all files
    • "latest" = collect and/or remove only the latest file added to the directory
  • deleteFile - this variable will set whether to delete the quarantined file(s) or leave them in the protected directory
    • "yes" = the quarantined file(s) will be deleted
    • "no" = the quarantined file(s) will not be deleted and will be left in place in the protected directory
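As an added worked example (not the repository's own playbook script), the following bash sketch implements the files / deleteFile semantics described above against the quarantine directory. The Jamf Pro parameter positions ($4 = files, $5 = deleteFile), the acquisition destination and the SHA-256 manifest are assumptions made for the example.

```bash
#!/bin/bash
# Assumed implementation of the quarantine acquisition playbook logic, written
# for this page; it is not the repository's script. Jamf Pro passes its built-in
# parameters as $1-$3 and custom parameters from $4 on; here we assume
# $4 = files ("all"|"latest") and $5 = deleteFile ("yes"|"no").

QUARANTINE_DIR="/Library/Application Support/JamfProtect/Quarantine"
ACQUISITION_DIR="${ACQUISITION_DIR:-/private/var/tmp/soar_quarantine}"  # assumed destination

# select_files <quarantine_dir> <all|latest>: print the file(s) to act on, one per line.
# "latest" is the most recently modified regular file in the directory.
select_files() {
    local dir="$1" mode="$2" f newest=""
    case "$mode" in all|latest) ;; *) echo "files must be \"all\" or \"latest\": $mode" >&2; return 2 ;; esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$mode" = "all" ]; then
            printf '%s\n' "$f"
        elif [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
    return 0
}

# acquire_quarantined_files <quarantine_dir> <dest_dir> <all|latest> <yes|no>
# Copies the selected file(s) into <dest_dir> with a SHA-256 manifest, deletes the
# originals only when deleteFile is "yes", and prints the number of files acquired.
acquire_quarantined_files() {
    local qdir="$1" dest="$2" mode="$3" delete="$4" list f count=0
    case "$delete" in yes|no) ;; *) echo "deleteFile must be \"yes\" or \"no\": $delete" >&2; return 2 ;; esac
    list=$(select_files "$qdir" "$mode") || return 2
    mkdir -p "$dest" && chmod 700 "$dest" || return 1   # keep acquired evidence root-only
    set -f; IFS='
'
    for f in $list; do                                   # split on newlines only: paths contain spaces
        cp -p "$f" "$dest/" || return 1
        # manifest lets the acquired copy be matched to the quarantined original later
        ( sha256sum "$f" 2>/dev/null || shasum -a 256 "$f" ) >> "$dest/acquired.sha256"
        [ "$delete" = "yes" ] && rm -f "$f"
        count=$((count + 1))
    done
    set +f; unset IFS
    echo "$count"
}

# When invoked by Jamf Pro with script parameters, run the playbook for real.
if [ $# -ge 4 ]; then
    acquire_quarantined_files "$QUARANTINE_DIR" "$ACQUISITION_DIR" "$4" "${5:-no}"
fi
```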