Creating Analytics

Advanced administrators can create their own Analytics to deploy to macOS computers.

Note: Creating an Analytic requires an understanding of the following advanced topics and processes:

  • An understanding of filtering and sorting logic, such as the NSPredicate and NSExpression classes, to evaluate events and processes on macOS
    For more information, see the following documentation from Apple: https://developer.apple.com/documentation/foundation/nspredicate

  • An understanding of the event and process you want to monitor on computers

Creating an Analytic

  1. In Jamf Protect, navigate to Analytics.

  2. Click Create Analytic at the top of the screen.

  3. Do the following in the Analytic Description section:

    1. Complete the Name and Description fields.

    2. Enter the Analytic's level in the Level field. 0 is the default level.
      If you are chaining the Analytic with other Analytics, see Chaining Analytics.

    3. Select categories to associate with the Analytic in the Categories pop-up menu.

  4. In the Analytic Filter section, do the following:

    1. Select a sensor type from the Sensor Type pop-up menu.

    2. Write the Analytic's predicate. You can use the in-app Analytic documentation to help you create a predicate statement.

      Example: If you want to detect when a user writes a file to a removable device, the predicate would monitor file events and contain the following three conditions, where "== 1" is used to express that a boolean expression is true.

      $event.isNew == 1 AND
      $event.path BEGINSWITH[cd] "/Volumes/" AND
      $event.file.onRemovableMedia == 1

      The following screenshot shows how the predicate example above is configured in Jamf Protect:
      [Screenshot: PredicateExample.png]

  5. Select one or more of the following actions for the Analytic:

    • Alert—Sends an alert message to Jamf Protect or a configured endpoint, such as a SIEM system.

    • Log—Sends logs from computers to Jamf Protect or a configured endpoint, such as a SIEM system.

    • Cache—Determines if data collected from events that Jamf Protect monitors is stored on computers in the macOS Console app.

    • Add to Jamf Pro Smart Group—Adds a computer to a pre-configured Jamf Pro smart group.
      For instructions on how to configure this feature, see Remediating Detections with Jamf Pro.

    Note: Further Action settings, such as alert and log data storage and collection endpoints, are determined by an Action configuration specific to your deployment. For more information, see Configuring Actions.

  6. (Optional) Add any relevant tags, which can be passed to succeeding Analytics. For more information, see Chaining Analytics.

  7. (Optional) Click Add Context Item to configure additional context items.

  8. (Optional) Click Add Snapshot File to add a file to monitor for changes.

  9. Click Save.
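The removable-media predicate from step 4 can be tested locally before it is deployed. The following is an added example, not code from the Jamf Protect guide or product: it evaluates the same predicate string with macOS Foundation's NSPredicate against constructed sample events, so you can see which events it matches and which it misses. The $event.* key names mirror the guide's predicate but are assumptions about the event schema, and the sample events are constructed data.

```swift
import Foundation

// Added example, not code from the Jamf Protect guide: evaluate the guide's
// removable-media predicate locally with Foundation's NSPredicate so you can
// check which events it matches before deploying the Analytic.
// The $event.* keys below mirror the guide's predicate; the sample events are
// constructed data and the key names are assumptions about the event schema.

let predicateString =
    "$event.isNew == 1 AND " +
    "$event.path BEGINSWITH[cd] \"/Volumes/\" AND " +
    "$event.file.onRemovableMedia == 1"

let predicate = NSPredicate(format: predicateString)

// Jamf Protect binds the event as the $event variable; substitutionVariables
// does the same thing here for a dictionary standing in for a file event.
func matches(_ event: [String: Any]) -> Bool {
    return predicate.evaluate(with: nil, substitutionVariables: ["event": event])
}

func fileEvent(path: String, isNew: Bool, removable: Bool) -> [String: Any] {
    return [
        "isNew": isNew,
        "path": path,
        "file": ["onRemovableMedia": removable],
    ]
}

let cases: [(String, [String: Any], Bool)] = [
    // New file written to a removable volume: matched.
    ("new file on USB",
     fileEvent(path: "/Volumes/USB/report.pdf", isNew: true, removable: true), true),
    // BEGINSWITH[cd] is case- and diacritic-insensitive, so an odd-case path still matches.
    ("lower-case path",
     fileEvent(path: "/volumes/usb/notes.txt", isNew: true, removable: true), true),
    // Same path prefix on a mounted disk image: not removable media, not matched.
    ("disk image under /Volumes",
     fileEvent(path: "/Volumes/Installer/app.dmg", isNew: true, removable: false), false),
    // Overwrite of an existing file on the USB stick: isNew is false, so this
    // predicate does not fire; add a separate condition if that case matters to you.
    ("modified file on USB",
     fileEvent(path: "/Volumes/USB/report.pdf", isNew: false, removable: true), false),
]

for (label, event, expected) in cases {
    let result = matches(event)
    print("\(result == expected ? "ok  " : "FAIL") \(label): matched=\(result)")
}
```

Run it with `swift` on macOS; the last case shows that the predicate as written only covers newly created files, which is worth knowing before relying on it as a data-exfiltration detection.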

You can now add your Analytic to plans for deployment.

Adding Analytics to a Plan

You can add and edit which Analytics are included in a plan. Analytics are not automatically added to plans, and you must manually add them when the following occurs:

  • You create a new plan

  • You create a new Analytic you want to include in a plan

  • Jamf adds a new built-in Analytic you want to include in a plan

Complete the following steps to add Analytics to a plan:

  1. In Jamf Protect, click Plans.

  2. Select the plan you want to add Analytics to.

  3. Click the Analytics tab.

  4. Choose which Analytics you want to add to your plan. To select all currently available Analytics, select the checkbox at the top of the Analytics list.

    Note: When Jamf releases new built-in Analytics or you create new Analytics, you must manually update each existing plan to include the new Analytics.

    [Screenshot: AddAnalyticstoPlan.png]

  5. Click Save Plan Analytics.

The plan now includes the added Analytics. Changes to a plan are automatically sent to computers with the plan installed. You can also switch a computer's plan by selecting the computer in the Computers tab. For more information on switching plans, see the Viewing and Managing Computers section of this guide.

Related Information

For related information, see the following sections of this guide:

  • About Analytics
    Learn about the complete composition of Jamf Protect Analytics.

  • Actions
    Learn about action configurations and how to configure actions for your deployments.

  • Plans
    Learn about Jamf Protect plans.

For related information on predicate syntax, see the Predicate Programming Guide from Apple.

© copyright 2002-2020 Jamf. All rights reserved.