Alerts for macOS Security

Jamf Protect Documentation


In the macOS Security portal, alerts are generated by a variety of features, including analytics, threat prevention database matches, removable storage control events, and tamper prevention events. You can also generate alerts by creating custom analytics. See Creating Custom Analytics for more information.

Alerts notify you of events that indicate specific behaviors—potentially suspicious or risky—happening on enrolled computers. An alert can be generated from a single event or from multiple events. To review the criteria that generated an alert, click the link in the Description column of the alert table to open the Alert Details page.

You can customize which event data attributes are included in the alert data within an action configuration. See Action Configurations for macOS Security for more information.

The Alerts page displays alert data that is sent from the Jamf Protect Cloud. If you configure your endpoints to not use the Jamf Protect Cloud, alert data for those endpoints will not appear on the Alerts page. You can choose to not send endpoint data to the Jamf Protect Cloud, and instead send it to a third-party SIEM (Security Information and Event Management) tool or a data analysis tool such as Microsoft Sentinel or Splunk. You can also choose to send endpoint data to both the Jamf Protect Cloud and a third-party SIEM.

You can sort and filter all alerts using the following criteria:

  • Created

  • Event Type

  • Severity

  • Actions

  • Status

  • Computer

  • Computer UUID

  • Tags

  • Analytics

  • Plan

Additionally, you can customize the displayed alerts further by using the filter option adjacent to the column titles.

Note:

By default, the Alerts page does not display Informational alerts or alerts in Resolved status.
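When alert data is forwarded to a SIEM rather than viewed in the portal (as described above), the same sort, filter and default-view rules have to be applied by your own tooling. The following Python helper is an added example, not Jamf Protect code: it consumes alert records laid out with the columns the Alerts page exposes (Created, Event Type, Severity, Status, Computer, Computer UUID, Tags, Analytics, Plan), applies the default view that hides Informational and Resolved alerts, and filters and sorts on any of those columns. The record layout, field names, severity levels and sample alerts are constructed for this example and are not Jamf's documented alert schema.

```python
"""Triage helper for macOS Security alert records forwarded to a SIEM.

The record layout is constructed from the column names shown on the Alerts
page; the snake_case field names, severity values and sample data below are
assumptions for this example, not Jamf Protect's documented alert schema.
"""
from datetime import datetime, timezone
from typing import Any

# Assumed severity ordering, highest first when sorted descending.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Columns the Alerts page lets you sort and filter on (assumed field names).
COLUMNS = ("created", "event_type", "severity", "status", "computer",
           "computer_uuid", "tags", "analytics", "plan")

# Constructed sample records; not real Jamf Protect output.
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {"created": "2024-05-01T09:15:00Z", "event_type": "Analytic", "severity": "High",
     "status": "New", "computer": "mac-finance-01", "computer_uuid": "UUID-0001",
     "tags": ["persistence"], "analytics": ["LaunchAgentCreated"], "plan": "Default"},
    {"created": "2024-05-01T10:00:00Z", "event_type": "Analytic", "severity": "Informational",
     "status": "New", "computer": "mac-eng-07", "computer_uuid": "UUID-0002",
     "tags": [], "analytics": ["ProcessExec"], "plan": "Default"},
    {"created": "2024-04-30T18:20:00Z", "event_type": "Removable Storage Control",
     "severity": "Medium", "status": "Resolved", "computer": "mac-finance-01",
     "computer_uuid": "UUID-0001", "tags": ["removable-storage"], "analytics": [],
     "plan": "Default"},
    {"created": "2024-05-02T07:45:00Z", "event_type": "Tamper Prevention", "severity": "Low",
     "status": "In Progress", "computer": "mac-exec-02", "computer_uuid": "UUID-0003",
     "tags": ["tamper"], "analytics": [], "plan": "Executives"},
    {"created": "2024-05-02T08:00:00Z", "event_type": "Threat Prevention", "severity": "High",
     "status": "New", "computer": "mac-eng-07", "computer_uuid": "UUID-0002",
     "tags": ["threat-prevention"], "analytics": [], "plan": "Default"},
]


def parse_created(value: str) -> datetime:
    """Parse an ISO-8601 Created timestamp; a trailing Z denotes UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def default_view(alerts: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Reproduce the page's default view: hide Informational severity and Resolved status."""
    return [a for a in alerts
            if a["severity"] != "Informational" and a["status"] != "Resolved"]


def filter_alerts(alerts: list[dict[str, Any]], **criteria: Any) -> list[dict[str, Any]]:
    """Keep alerts matching every criterion.

    Scalar columns must equal the wanted value; list columns (tags, analytics)
    match when the wanted value is one of the entries.
    """
    unknown = set(criteria) - set(COLUMNS)
    if unknown:
        raise KeyError(f"unsupported filter column(s): {sorted(unknown)}")

    def matches(alert: dict[str, Any]) -> bool:
        for column, wanted in criteria.items():
            field = alert[column]
            if isinstance(field, list):
                if wanted not in field:
                    return False
            elif field != wanted:
                return False
        return True

    return [a for a in alerts if matches(a)]


def sort_alerts(alerts: list[dict[str, Any]], key: str = "created",
                descending: bool = True) -> list[dict[str, Any]]:
    """Sort by one column. Severity sorts by rank; ties break on newest Created."""
    if key not in COLUMNS:
        raise KeyError(f"unsupported sort column: {key}")
    if key == "severity":
        def keyfunc(a): return (SEVERITY_RANK.get(a["severity"], -1), parse_created(a["created"]))
    elif key == "created":
        def keyfunc(a): return parse_created(a["created"])
    else:
        def keyfunc(a): return (str(a[key]), parse_created(a["created"]))
    return sorted(alerts, key=keyfunc, reverse=descending)


def summarize(alerts: list[dict[str, Any]]) -> dict[str, dict[str, int]]:
    """Count alerts by severity and by status, the kind of totals a summary widget shows."""
    by_severity: dict[str, int] = {}
    by_status: dict[str, int] = {}
    for a in alerts:
        by_severity[a["severity"]] = by_severity.get(a["severity"], 0) + 1
        by_status[a["status"]] = by_status.get(a["status"], 0) + 1
    return {"by_severity": by_severity, "by_status": by_status}


if __name__ == "__main__":
    visible = sort_alerts(default_view(SAMPLE_ALERTS), key="severity")
    for a in visible:
        print(a["created"], a["severity"], a["status"], a["computer"], a["event_type"])
    print(summarize(visible))
```

Running the module prints the three alerts the default view would show, highest severity first, followed by the per-severity and per-status counts. Because the default view silently drops Informational and Resolved alerts, a SIEM pipeline that mirrors it should still retain the full feed for investigation; call `filter_alerts` on the unfiltered list (for example `filter_alerts(SAMPLE_ALERTS, computer_uuid="UUID-0001")`) when you need every alert for a given computer.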

Click an alert to view the alert summary and its collected data.

[Screenshot: macOS Security alerts page with three alert summary widgets at the top and alerts displayed in a table format]