Jamf-Managed Analytics

Jamf Protect Documentation


Jamf Protect includes Jamf-managed analytics, created and maintained by Jamf, that you can use to monitor for threats in your environment.

Jamf-managed analytics are derived from the MITRE ATT&CK knowledge base and include the following capabilities:

  • Identify known malware, and use malware heuristics to detect evolving variants.

  • Highlight indicators of compromise (IOCs) to help identify exploits, malware, privacy violations, and potentially unwanted programs (PUPs).

  • Audit a user’s elevated administrator privilege activity, USB devices, and screenshots.

Jamf-managed analytics are sorted into the following default categories:

  • Apple Security: Detections that provide visibility into built-in macOS tools such as XProtect, Gatekeeper, and the Malware Removal Tool (MRT).
  • Common Attacker Techniques: Detections that monitor for common command combinations and high-level techniques.
  • Credential Harvesting: Detections that monitor for attacker techniques used to gain access to passwords and other credential-based data on the system.
  • Evasion: Detections targeting various stealth techniques attackers use to evade common anti-virus scanning and analysis tools or to blend in with normal macOS files and activities.
  • Exploitation: Detections targeting the exploitation techniques of specific previously discovered vulnerabilities.
  • Known Malicious File: Detections that monitor for activity involving specific file paths previously used by malware.
  • Living off the Land: Detections focused on attacker commands that use the built-in functionality of the operating system in order to accomplish malicious objectives.
  • Persistence: Detections designed to notify when a new program is registered to run at startup.
  • Privilege Escalation: Detections that monitor for techniques used to gain root access from a standard user account.
  • System Tampering: Informational detections that monitor for the tampering of various built-in functionality as well as the tampering of some third-party software.
  • System Visibility: Detections that collect informational insight into various changes made to the operating system as well as common noteworthy activity.

To view all Jamf-managed analytics, go to Analytics > All Analytics in the Jamf Protect web app.