[JAMF] Add JAMF integration's datasets and module type to enable analyzer (#180628)

x-pack/plugins/security_solution/common/experimental_features.ts

@@ -208,6 +208,11 @@ export const allowedExperimentalValues = Object.freeze({
    */
   crowdstrikeDataInAnalyzerEnabled: false,
 
+  /**
+   * Enables experimental JAMF integration data to be available in Analyzer
+   */
+  jamfDataInAnalyzerEnabled: false,
+
   /**
    * Enables experimental "Updates" tab in the prebuilt rule upgrade flyout.
    * This tab shows the JSON diff between the installed prebuilt rule

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.tsx

@@ -17,10 +17,12 @@ export const useIsInvestigateInResolverActionEnabled = (ecsData?: Ecs) => {
   const crowdstrikeDataInAnalyzerEnabled = useIsExperimentalFeatureEnabled(
     'crowdstrikeDataInAnalyzerEnabled'
   );
+  const jamfDataInAnalyzerEnabled = useIsExperimentalFeatureEnabled('jamfDataInAnalyzerEnabled');
   return useMemo(() => {
     const fileBeatModules = [
       ...(sentinelOneDataInAnalyzerEnabled ? ['sentinel_one_cloud_funnel', 'sentinel_one'] : []),
       ...(crowdstrikeDataInAnalyzerEnabled ? ['crowdstrike'] : []),
+      ...(jamfDataInAnalyzerEnabled ? ['jamf_protect'] : []),
     ] as const;
 
     const agentType = get(['agent', 'type', 0], ecsData);
@@ -40,5 +42,10 @@ export const useIsInvestigateInResolverActionEnabled = (ecsData?: Ecs) => {
       processEntityIds != null && processEntityIds.length === 1 && firstProcessEntityId !== '';
 
     return isAcceptedAgentType && hasProcessEntityId;
-  }, [crowdstrikeDataInAnalyzerEnabled, ecsData, sentinelOneDataInAnalyzerEnabled]);
+  }, [
+    crowdstrikeDataInAnalyzerEnabled,
+    ecsData,
+    sentinelOneDataInAnalyzerEnabled,
+    jamfDataInAnalyzerEnabled,
+  ]);
 };

x-pack/plugins/security_solution/server/endpoint/routes/resolver/entity/utils/supported_schemas.ts

@@ -36,12 +36,18 @@ export const getSupportedSchemas = (
 ): SupportedSchema[] => {
   const sentinelOneDataInAnalyzerEnabled = experimentalFeatures?.sentinelOneDataInAnalyzerEnabled;
   const crowdstrikeDataInAnalyzerEnabled = experimentalFeatures?.crowdstrikeDataInAnalyzerEnabled;
+  const jamfDataInAnalyzerEnabled = experimentalFeatures?.jamfDataInAnalyzerEnabled;
 
   const supportedFileBeatDataSets = [
     ...(sentinelOneDataInAnalyzerEnabled
       ? ['sentinel_one_cloud_funnel.event', 'sentinel_one.alert']
       : []),
-    ...(crowdstrikeDataInAnalyzerEnabled ? ['crowdstrike.falcon', 'crowdstrike.fdr'] : []),
+    ...(crowdstrikeDataInAnalyzerEnabled
+      ? ['crowdstrike.falcon', 'crowdstrike.fdr', 'crowdstrike.alert']
+      : []),
+    ...(jamfDataInAnalyzerEnabled
+      ? ['jamf_protect.alerts', 'jamf_protect.web-threat-events', 'jamf_protect.web-traffic-events']
+      : []),
   ];
 
   return [

x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts

@@ -65,10 +65,10 @@ export class DescendantsQuery extends BaseResolverQuery {
               },
             },
             {
-              term: { 'event.category': 'process' },
+              terms: { 'event.category': ['process'] },
             },
             {
-              term: { 'event.kind': 'event' },
+              terms: { 'event.kind': ['event', 'alert'] },
             },
           ],
         },

x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/lifecycle.ts

@@ -58,10 +58,10 @@ export class LifecycleQuery extends BaseResolverQuery {
               },
             },
             {
-              term: { 'event.category': 'process' },
+              terms: { 'event.category': ['process'] },
             },
             {
-              term: { 'event.kind': 'event' },
+              terms: { 'event.kind': ['event', 'alert'] },
             },
           ],
         },