Creating Custom Analytics

Jamf Protect Documentation

Custom analytics are helpful when you have unique security needs that are not covered by the standard Jamf-managed analytics. You can create and deploy custom analytics to monitor for specific activities and events. Jamf Protect's custom analytics use predicate-based filters to identify and alert you to suspicious activities.

Consider the following items to avoid excessive alerts when using custom analytics:

  • Evaluate whether the required data is already collected by the telemetry feature. For more information about the types of information collected by telemetry, see the Jamf Protect Telemetry Data Model Documentation.

  • Ensure that your custom analytics use specific and targeted rules.

  • Test the predicates thoroughly in a beta environment before deploying them to a production environment.

  • Be considerate of resource limitations so that you do not overburden the system.

[Figure: flowchart of informational boxes showing when to use custom analytics]

For examples of custom analytics that you can deploy and use as a starting point, see Jamf Protect's open source GitHub repository: jamf / jamfprotect (GitHub).

Requirements
  • An understanding of filtering and sorting logic, such as the NSPredicate and NSExpression classes, to evaluate events and processes on macOS. For more information, see NSPredicate from the Apple Developer website.

  • An understanding of the event and process you want to monitor on computers.

  1. In Jamf Protect, click Analytics.
  2. Click All Analytics.
  3. Click Create Custom Analytic at the top of the screen.
  4. Do the following in the Analytic Description section:
    1. Complete the Name and Description fields.
    2. Enter the analytic's level in the Level field.

      0 is the default level.

    3. Select categories to associate with the analytic in the Categories pop-up menu.
  5. In the Analytic Severity section, choose a severity level from the Severity pop-up menu.
  6. In the Analytic Filter section, create the filter for the analytic.
    1. Choose a sensor type from the Sensor Type pop-up menu.
    2. Write the analytic predicate.

      You can use either the Filter Query Builder View to help you build the filter or the Filter Text View to enter the predicate in NSPredicate syntax. The Analytic Documentation help page lists the supported attributes for each sensor type.

      Example: If you want to detect when a user writes a file to a removable device, the predicate would monitor file events and contain the following three conditions, where "== 1" expresses that a Boolean attribute is true.
      $event.isNew == 1 AND
      $event.path BEGINSWITH[cd] "/Volumes/" AND
      $event.file.onRemovableMedia == 1

      The following is an example of how the predicate above is configured in Jamf Protect:

  7. In the Analytic Action section, do the following:
    1. Select Add to Jamf Pro Smart Group and enter a value in the Identifier field to use the analytic as criteria for Jamf Pro.
    2. Add any relevant tags.

      Tags are used to create analytic chains in tandem with analytic levels.

    Note:

    Additional data settings, such as alert data storage and collection endpoints, are determined by an action configuration specific to your deployment. For more information, see Action Configurations for macOS Security.

  8. (Optional) Click Add Context Item to configure additional context items.
  9. (Optional) Click Add Snapshot File to add a file to monitor for changes.
  10. Click Save.

You can now add your custom analytic to an analytic set.
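The guidance above recommends testing predicates before deploying them. The following is an added example, not part of the Jamf Protect documentation or the jamf/jamfprotect repository: it feeds the removable-media predicate from step 6 through Foundation's own NSPredicate on macOS, bound to a few constructed file events, so you can see which events the rule would alert on. It assumes the event attribute names used by the page's predicate (isNew, path, file.onRemovableMedia); the sample events are constructed for illustration and carry only those attributes, whereas real Jamf Protect file events carry many more. The fourth sample goes slightly beyond the page's case to show a caveat of the [cd] modifier: BEGINSWITH[cd] is case- and diacritic-insensitive, so a mixed-case mount path still matches.

```swift
import Foundation

// Added example (not Jamf Protect code): evaluate the documentation's
// removable-media predicate against constructed file events using
// Foundation's NSPredicate, so the rule can be checked before deployment.

// The predicate exactly as written in the documentation.
// $event is a substitution variable that is bound per event below.
let removableWriteFormat = """
$event.isNew == 1 AND \
$event.path BEGINSWITH[cd] "/Volumes/" AND \
$event.file.onRemovableMedia == 1
"""
let removableWriteTemplate = NSPredicate(format: removableWriteFormat)

// Constructed sample events. Attribute names are assumed from the page's
// predicate; real Jamf Protect file events contain additional fields.
let sampleEvents: [(label: String, event: [String: Any])] = [
    ("new file on USB stick",
     ["isNew": true, "path": "/Volumes/USB/quarterly-report.xlsx",
      "file": ["onRemovableMedia": true]]),
    ("new file on internal second volume (not removable)",
     ["isNew": true, "path": "/Volumes/Data/notes.txt",
      "file": ["onRemovableMedia": false]]),
    ("modification of an existing file on USB stick (isNew is false)",
     ["isNew": false, "path": "/Volumes/USB/quarterly-report.xlsx",
      "file": ["onRemovableMedia": true]]),
    ("new file on USB stick, mixed-case mount path ([cd] still matches)",
     ["isNew": true, "path": "/VOLUMES/usb/photo.jpg",
      "file": ["onRemovableMedia": true]]),
]

/// Bind $event to one sample event and evaluate the predicate.
/// Bool values bridge to NSNumber, so "== 1" compares equal to true.
func matches(_ template: NSPredicate, event: [String: Any]) -> Bool {
    let bound = template.withSubstitutionVariables(["event": event])
    return bound.evaluate(with: nil)
}

// Report which constructed events the rule would alert on.
// Expected: ALERT, ignore, ignore, ALERT.
for sample in sampleEvents {
    let hit = matches(removableWriteTemplate, event: sample.event)
    print("\(hit ? "ALERT " : "ignore")  \(sample.label)")
}
```

Run it with `swift removable_predicate.swift` on a Mac. Because Foundation parses the same NSPredicate syntax that the Filter Text View accepts, a predicate that fails to parse here will also fail in Jamf Protect, and a predicate that fires on the wrong constructed events is a sign the rule is not yet specific enough to deploy.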