Telemetry Optimization

Jamf Protect Documentation


Jamf Protect uses multiple methods to optimize how endpoint telemetry is monitored and reported. One method is built into the Jamf Protect application: a set of required exceptions that exclude required macOS platform binaries and high-volume processes that Jamf Threat Labs has classified as safe and expected. These required exceptions are managed and updated by Jamf and cannot be changed by the administrator.

Jamf Protect also lets administrators define environment-specific exceptions with custom exception sets. Custom exception sets allow administrators to ignore events that are known to be safe in their environment. Using exception sets to ignore known-safe data has the following benefits:

  • Reduced load on the host computer's system resources, resulting in a smaller performance footprint.

  • Reduction of unnecessary data in the telemetry stream that may complicate or delay analysis.

  • Reduced costs related to the ingestion and storage of data in your SIEM or other collection tool.

For information about creating an exception set in Jamf Protect, see Creating an Exception Set.

To identify potential exception rules for your environment, use this general process:

  1. Collect a sample of telemetry data from a group of your computers performing standard work processes for a period of time. You can collect this data locally in a log file or send it directly to a SIEM tool.

  2. Review the collected telemetry data and identify activity that you know and trust, that is unrelated to your compliance and security standards, or that generates too high a volume of data to transfer and store.

  3. Create and deploy custom exceptions based on the data you have collected. Designate what data to ignore using the appropriate ignore rules. Scope each rule as narrowly as the data allows (for example, to a specific process and event type rather than to all activity of a type) so that an exception does not also hide activity from an unrelated or malicious process.

  4. After deploying, verify that the exception sets are functioning as intended and that the expected activity is being ignored, for example by comparing the volume of the excepted activity in telemetry collected before and after deployment.

    Note: Review the custom exception sets that you have implemented regularly to ensure that the rules remain relevant, and update them as necessary.
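The following script is an added example of the review and verification steps above (steps 2 and 4); it is not part of the Jamf Protect documentation or product. It reads telemetry in JSON-lines form, ranks event sources by volume, marks the high-volume sources whose signing identifier the administrator has already designated as trusted as exception candidates, flags the rest for manual review, and then checks a before/after sample to confirm that a deployed exception actually suppresses the expected events. The field names (`event_type`, `process.path`, `process.signing_id`), the sample events and the trusted signing identifiers are all constructed assumptions for illustration and do not reflect Jamf Protect's real telemetry schema.

```python
import json
from collections import Counter


# Constructed sample telemetry in JSON-lines form. The layout below is an
# assumed, simplified schema used only for this example; it is not the actual
# Jamf Protect telemetry format.
def _make(path, signing_id, event_type, count):
    return [json.dumps({"event_type": event_type,
                        "process": {"path": path, "signing_id": signing_id}})
            for _ in range(count)]


SAMPLE_LINES = (
    _make("/Applications/Backup Agent.app/Contents/MacOS/backupd",
          "com.example.backupd", "file_write", 600)
    + _make("/usr/bin/curl", "com.apple.curl", "network_connect", 40)
    + _make("/Library/Tools/unknown-helper", "com.unknown.helper", "file_write", 300)
    + _make("/bin/zsh", "com.apple.zsh", "process_exec", 60)
)

# Hypothetical: signing identifiers the administrator has already reviewed and
# trusts. Anything not in this set is never auto-marked as ignorable.
TRUSTED_SIGNING_IDS = {"com.example.backupd"}


def parse_events(lines):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole review
    return events


def volume_by_source(events):
    """Count events per (process path, signing identifier, event type)."""
    counts = Counter()
    for ev in events:
        proc = ev.get("process", {})
        counts[(proc.get("path"), proc.get("signing_id"), ev.get("event_type"))] += 1
    return counts


def candidate_exceptions(events, trusted_signing_ids, min_share=0.05):
    """Rank sources by volume; mark trusted ones 'ignore', others 'review'.

    Only sources contributing at least min_share of all events are returned,
    so low-volume noise is not turned into exception rules.
    """
    counts = volume_by_source(events)
    total = sum(counts.values())
    out = []
    for (path, signing_id, event_type), n in counts.most_common():
        share = n / total
        if share < min_share:
            continue
        out.append({
            "path": path, "signing_id": signing_id, "event_type": event_type,
            "count": n, "share": round(share, 3),
            "action": "ignore" if signing_id in trusted_signing_ids else "review",
        })
    return out


def verify_exception(before, after, path, signing_id, event_type):
    """Step 4 check: the excepted source must vanish from post-deployment data."""
    key = (path, signing_id, event_type)
    b = volume_by_source(before)[key]
    a = volume_by_source(after)[key]
    return {"before": b, "after": a, "suppressed": b > 0 and a == 0}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    for cand in candidate_exceptions(events, TRUSTED_SIGNING_IDS):
        print(cand)
    # Simulated post-deployment sample in which the backupd writes are ignored.
    after = [e for e in events if e["process"]["signing_id"] != "com.example.backupd"]
    print(verify_exception(events, after,
                           "/Applications/Backup Agent.app/Contents/MacOS/backupd",
                           "com.example.backupd", "file_write"))
```

The untrusted helper that writes 300 files is deliberately reported as "review" rather than "ignore": high volume alone is not a reason to except a process, because an unknown binary generating a lot of events is exactly what telemetry exists to surface. Keying candidates on the signing identifier together with the path and event type, rather than on the path alone, keeps a rule from matching an unrelated binary that happens to sit at the same location.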