If you use Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic.
If configured, Jamf Protect populates an extension attribute when a threat is detected. A smart group in Jamf Pro reads that extension attribute, and the membership of the smart group changes accordingly.
Jamf Pro administrators can then monitor computers in the smart group and remediate the threat. In addition, you can run a script using a policy in Jamf Pro to display an alert to users.
Setting up analytic remediation with Jamf Pro involves the following steps:
Configuring analytic action settings in Jamf Protect
Creating a Jamf Protect extension attribute in Jamf Pro
Creating a smart computer group using the extension attribute in Jamf Pro
Creating an end user alert dialog script and policy
Resetting the analytic detection on computers