Telemetry Exception Rules

Jamf Protect Documentation


When creating a custom exception set, add a new rule and choose the "Ignore for Telemetry" exception type. The Ignore for pop-up menu will populate with the related telemetry ignore rules.

Note:

These custom exception types do not apply to the deprecated version of telemetry.

Ignore for Telemetry - Exec Process
Applies to process execution (exec) events and matches the target process being executed.
Ignore for Telemetry - Source Process
Matches the process that caused the underlying activity being monitored and reported as a telemetry event.
Ignore for Telemetry - Source Parent Process
Matches the parent process that directly created the source process.
Ignore for Telemetry - Source Responsible Process
Matches the process that is responsible for the source process existing and for the chain of activity leading to its creation.
Ignore for Telemetry - Network
Applies to network events and matches the source process making the network connection.

After selecting the desired custom ignore type for telemetry, configure the following ignore rules:

| Telemetry Ignore Rule | Ignore Rule Sub-field | Telemetry Message Field | Description |
| --- | --- | --- | --- |
| App Signing Info | Team ID | Exec process exceptions: event.exec.target.team_id; Source process exceptions: process.team_id | |
| App Signing Info | Signing ID | Exec process exceptions: event.exec.target.signing_id; Source process exceptions: process.signing_id | |
| Team ID | | Exec process exceptions: event.exec.target.team_id; Source process exceptions: process.team_id | |
| Process Path | | Exec process exceptions: event.exec.target.executable.path; Source process exceptions: process.executable.path | |
| Platform Binary | | Exec process exceptions: event.exec.target.signing_id; Source process exceptions: process.signing_id | The event.exec.target.is_platform_binary or process.is_platform_binary fields must be true in the telemetry message. |
| User | | Exec process exceptions: event.exec.target.audit_token.euid; Source process exceptions: process.audit_token.euid | The ID of the effective user will be checked for a match against the username provided in the ignore rule. |
| Group | | Exec process exceptions: event.exec.target.audit_token.egid; Source process exceptions: process.audit_token.egid | The ID of the effective user group will be checked for a match against the user group name provided in the ignore rule. |
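
Before deploying an exception, it helps to check which events it would remove from telemetry. The following is an added example, not Jamf code: it applies the field mapping from the table above to sample events for the exec and source process scopes. The nested-JSON event layout, the rule dictionaries, the name-to-ID map, the requirement that all sub-fields of one rule match, and the sample events are assumptions made for illustration.

```python
# Added example (not Jamf code): list which telemetry events a proposed
# exception rule would ignore. Field paths are from the table above; the
# nested-JSON event layout and the rule dictionaries are assumptions.
PREFIX = {"exec": "event.exec.target", "source": "process"}
FIELD = {"team_id": "team_id", "signing_id": "signing_id",
         "path": "executable.path", "platform_binary": "signing_id",
         "user": "audit_token.euid", "group": "audit_token.egid"}

def lookup(event, dotted):
    """Follow a dotted field path through nested dicts; None if absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def rule_matches(event, scope, rule, ids=None):
    """True when every sub-field in `rule` matches the event for `scope`."""
    base = PREFIX[scope]
    for sub, wanted in rule.items():
        if sub in ("user", "group"):      # rule holds a name, message holds an ID
            wanted = (ids or {}).get(wanted)
            if wanted is None:            # unresolvable name never matches
                return False
        if sub == "platform_binary" and lookup(event, base + ".is_platform_binary") is not True:
            return False
        if lookup(event, base + "." + FIELD[sub]) != wanted:
            return False
    return True

def ignored(events, scope, rule, ids=None):
    """Indexes of the events the rule would drop from telemetry."""
    return [i for i, e in enumerate(events) if rule_matches(e, scope, rule, ids)]

def proc(team, sid, path, platform, euid, egid):
    """Build one constructed process record."""
    return {"team_id": team, "signing_id": sid, "is_platform_binary": platform,
            "executable": {"path": path}, "audit_token": {"euid": euid, "egid": egid}}

def exec_event(source, target):
    """Build one constructed exec event: `source` executes `target`."""
    return {"process": source, "event": {"exec": {"target": target}}}

# Constructed sample data, not captured telemetry.
agent = proc("EXAMPLETEAM", "com.example.agent", "/Applications/Example.app/Contents/MacOS/agent", False, 0, 0)
helper = proc("EXAMPLETEAM", "com.example.helper", "/Applications/Example.app/Contents/MacOS/helper", False, 501, 20)
curl = proc("", "com.apple.curl", "/usr/bin/curl", True, 501, 20)
zsh = proc("", "com.apple.zsh", "/bin/zsh", True, 501, 20)
SAMPLE = [exec_event(agent, curl), exec_event(helper, zsh), exec_event(zsh, agent)]
```

On the sample data, a source process Team ID rule ignores events 0 and 1, while an App Signing Info rule with both Team ID and Signing ID ignores only event 0, which shows how much telemetry each rule choice removes.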