Open vc5047 opened 10 months ago
Hey all,
There's an issue with the following predicate in its usage with Jamf Protect (though this applies to other predicates in this repo as well):
https://github.com/jamf/jamfprotect/blob/32096d0c425882ad558721162d41aabf357214ce/unified_log_filters/jamf_connect/cloud_idp_authentication_bypass_and_local_user_authentication.yaml#L4C4-L4C4
The output from the mentioned predicate is something like:
2024-01-03 13:29:13.068455-0500 0x3018d Debug 0x60010 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser
This will not make it to the SIEM, since only messages with the default level are flagged and forwarded and not messages with info and debug.
@vc5047 We'll look into this and report back. Thanks for bringing this to our attention.
@vc5047 We've created a product issue for this. Once there's an update or workaround, we will post an update here.
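One way to check saved `log show` output for filter matches that would be lost as the report describes, written as an added example that is not part of the original thread or the jamfprotect repository. It assumes the default text layout of the sample line quoted in the issue and takes the Info/Debug behaviour from the report; every line in `SAMPLE` other than the quoted Debug line is constructed.

```python
import re
from collections import Counter

# Layout of one event in the default `log show` text style, matching the
# sample line quoted in the issue: timestamp, thread, type, activity, PID,
# TTL, then "process: (sender) [subsystem:category] message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-fA-F]+)\s+(?P<level>\w+)\s+"
    r"(?P<activity>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<process>[^:]+): "
    r"(?:\((?P<sender>[^)]+)\) )?"
    r"(?:\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\] )?"
    r"(?P<message>.*)$"
)

# Assumption taken from the report: matches at these levels are not forwarded.
NOT_FORWARDED = {"info", "debug"}

def parse_line(line):
    """Return the event fields as a dict, or None for headers and other text."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def level_counts(lines):
    """Count parsed events per log level."""
    return Counter(e["level"] for e in map(parse_line, lines) if e)

def dropped_matches(lines):
    """Events a filter would match but that sit at Info or Debug level."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e and e["level"].lower() in NOT_FORWARDED]

SAMPLE = [
    "Timestamp                       Thread     Type        Activity             PID    TTL",
    # Line quoted in the issue:
    "2024-01-03 13:29:13.068455-0500 0x3018d Debug 0x60010 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser",
    # Constructed lines:
    "2024-01-03 13:29:14.101200-0500 0x3018d Default 0x60010 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] constructed message at default level",
    "2024-01-03 13:29:15.220431-0500 0x3018e Info 0x0 44503 0 SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] constructed message at info level",
]

if __name__ == "__main__":
    print(dict(level_counts(SAMPLE)))
    for e in dropped_matches(SAMPLE):
        print(f'{e["level"]:<7} {e["subsystem"]}:{e["category"]}  {e["message"]}')
```
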