Alerts

Alerts are how all detections from Jamf Protect analytics and Threat Prevention database matches are reported.

The Alerts page in the Jamf Protect web app provides an easy way to view data collected from computers with the Jamf Protect agent.

You can sort and search all alerts using the following criteria:

  • Time Range

  • Created

  • Severity

  • Actions

  • Status

  • Computer

  • Event Type

  • Analytics

  • Tags

Note:

By default, Informational alerts and alerts with the Resolved status are not displayed.

Click on any item in the Alerts page to view its summary and collected data.

Alert Severity

The alert severity defines the level of seriousness of a Jamf Protect alert. The following severity levels are assigned to new alerts:

  • Informational (0)

    Note:

    Minimum severity level. Informational alerts are filtered from view by default and can be added to the Alerts page by toggling the Severity filter.

  • Low (1)

  • Medium (2)

  • High (3)

Severity is reported using the corresponding numerical values (0, 1, 2, 3) in alert data JSON. When querying alert data using the Jamf Protect API, make sure to use the numerical value. For an example, see the Export Alert Data API script example.
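The following script is an added example, not a Jamf script and not the Jamf Protect API schema. It reads exported alert records, normalizes severity to the numeric values (0 through 3) described above, and reproduces the Alerts page default view (Informational and Resolved hidden, newest first). The record keys (`uuid`, `severity`, `status`, `created`) and the sample records are assumptions constructed for the example.

```python
"""Filter and triage exported Jamf Protect alert records by numeric severity.

Added example; not Jamf code. The record shape (uuid/severity/status/created)
is an assumed export format, not the documented schema, and the sample
records below are constructed.
"""
import json
from datetime import datetime

# Numeric severity values as reported in alert data JSON.
SEVERITY_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
SEVERITY_VALUES = {name: value for value, name in SEVERITY_NAMES.items()}

# Constructed sample export (assumed shape).
SAMPLE_ALERTS_JSON = json.dumps([
    {"uuid": "a-1", "severity": 3, "status": "New", "created": "2024-05-01T10:00:00Z"},
    {"uuid": "a-2", "severity": 0, "status": "New", "created": "2024-05-01T11:00:00Z"},
    {"uuid": "a-3", "severity": 2, "status": "Resolved", "created": "2024-05-02T09:00:00Z"},
    {"uuid": "a-4", "severity": 1, "status": "In Progress", "created": "2024-05-02T12:30:00Z"},
])


def severity_to_int(severity):
    """Accept a numeric value or a severity name and always return the int,
    since API queries must use the numeric value."""
    if isinstance(severity, bool):
        raise TypeError("severity must be an int or a severity name")
    if isinstance(severity, int):
        if severity not in SEVERITY_NAMES:
            raise ValueError(f"unknown severity value: {severity}")
        return severity
    try:
        return SEVERITY_VALUES[severity]
    except KeyError:
        raise ValueError(f"unknown severity name: {severity!r}") from None


def load_alerts(raw_json):
    """Parse exported JSON, normalizing severity and the created timestamp."""
    alerts = json.loads(raw_json)
    for a in alerts:
        a["severity"] = severity_to_int(a["severity"])
        a["created_at"] = datetime.fromisoformat(a["created"].replace("Z", "+00:00"))
    return alerts


def default_view(alerts, min_severity="Low", hide_statuses=("Resolved",)):
    """Reproduce the Alerts page default: Informational and Resolved alerts
    hidden, newest first. Pass min_severity=0 to include Informational."""
    floor = severity_to_int(min_severity)
    kept = [a for a in alerts
            if a["severity"] >= floor and a["status"] not in hide_statuses]
    return sorted(kept, key=lambda a: a["created_at"], reverse=True)


def count_by_severity(alerts):
    """Severity histogram keyed by name, useful for a quick triage summary."""
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for a in alerts:
        counts[SEVERITY_NAMES[a["severity"]]] += 1
    return counts


if __name__ == "__main__":
    loaded = load_alerts(SAMPLE_ALERTS_JSON)
    for alert in default_view(loaded):
        print(alert["uuid"], SEVERITY_NAMES[alert["severity"]], alert["status"])
    print(count_by_severity(loaded))
```

Running the block lists only `a-4` and `a-1` in the default view; the Informational alert and the Resolved alert are hidden exactly as on the Alerts page, and `default_view(loaded, min_severity=0)` is the equivalent of toggling the Severity filter.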

Alert Actions

Alert actions describe the actions reported by Jamf Protect. The following actions are recorded:

  • Prevented

    (Threat Prevention only) Threat Prevention has blocked and quarantined a process that matches the threat database. For more information, see Threat Prevention.

  • SmartGroup

    (Analytics only) An analytic with the Add to Jamf Pro Smart Group action enabled is detected and adds the computer to a smart computer group that uses the analytic as membership criteria in Jamf Pro. For more information, see Setting Up Analytic Remediation With Jamf Pro.

Alert Status

Alerts are assigned any of the following statuses:

  • New

  • In Progress

  • Resolved

  • Auto-Resolved

    This status is only used for threats that are prevented via Threat Prevention. For more information, see Threat Prevention.

Editing Alert Status

  1. In Jamf Protect, click Alerts.
  2. Do one of the following:

    • Click on the individual alert to view its summary. From the individual summary page, choose a new status from the Status pop-up menu.

    • Select the checkbox beside each alert to update from the Alerts dashboard, then do the following:

      Note:

      You can change up to 100 alerts at a time.

      1. Click Change Status at the top of the screen.
      2. Assign a status from the pop-up menu.

Comparing Alerts

You can compare multiple alerts for further analysis.

  1. In Jamf Protect, click Alerts.
  2. Select the checkboxes beside the alerts to compare.
  3. Click Compare at the top of the screen.
  4. View the Alerts detail pages to compare event data.

Data Retention

If you send your alert data to the Jamf Protect Cloud, you can configure data retention settings for your organization.

Data retention settings allow you to configure the following:

  • The number of days alerts are viewable in the Jamf Protect web app

  • The number of days alerts are simultaneously archived and encrypted in a Jamf-managed Amazon S3 bucket.

Keep the following in mind when configuring data retention settings:

  • By default, alerts are simultaneously viewable in-app and securely archived in a Jamf-managed Amazon S3 bucket for 365 days, unless the alert databases exceed 2 million entries.

  • Jamf Protect data is stored separately from other Jamf data, such as Jamf Pro data.

  • Data retention settings can only be changed once every 24 hours.

  • Alerts have a total retention of 2 million entries for Low, Medium, and High severity alerts and 2 million for Informational severity alerts.

  • If either database exceeds 2 million entries, the oldest alert entries are continuously removed to keep both databases at 2 million entries or fewer.
    Note:

    Alert data is always stored for at least 24 hours, even if a single day of alert data exceeds 2 million entries.
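The rule above has two parts that interact: each of the two alert stores (Low/Medium/High and Informational) is trimmed oldest-first to its cap, but an entry is never removed before it is 24 hours old, even if that leaves the store above the cap. The simulation below is an added example, not Jamf code; it models that policy with the cap as a parameter so the constructed sample stays small (Jamf's cap is 2 million).

```python
"""Simulate the documented Jamf Protect alert retention rule.

Added example, not Jamf code. Two stores (Low/Medium/High and Informational),
each trimmed to a cap by dropping the oldest entries, but never entries
younger than 24 hours. The cap is a parameter; the sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=24)   # alert data is always kept at least this long


def bucket(alert):
    """Informational (0) is counted separately from Low/Medium/High (1..3)."""
    return "informational" if alert["severity"] == 0 else "actionable"


def trim(alerts, cap, now):
    """Return the alerts to keep: drop oldest first until the store is at
    or below cap, but keep anything younger than MIN_AGE regardless."""
    ordered = sorted(alerts, key=lambda a: a["created"])  # oldest first
    excess = len(ordered) - cap
    kept = []
    for a in ordered:
        if excess > 0 and now - a["created"] >= MIN_AGE:
            excess -= 1      # old enough to evict, and store is over cap
            continue
        kept.append(a)
    return kept


def apply_retention(alerts, cap, now):
    """Split alerts into the two stores and trim each independently."""
    stores = {"actionable": [], "informational": []}
    for a in alerts:
        stores[bucket(a)].append(a)
    return {name: trim(items, cap, now) for name, items in stores.items()}


def make_sample(now):
    """Constructed sample: one Informational and one actionable alert per
    hour over the last three days (72 entries in each store)."""
    out = []
    for h in range(72):
        created = now - timedelta(hours=h)
        out.append({"uuid": f"info-{h}", "severity": 0, "created": created})
        out.append({"uuid": f"act-{h}", "severity": 1 + h % 3, "created": created})
    return out


if __name__ == "__main__":
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)
    for cap in (10, 60):
        result = apply_retention(make_sample(now), cap, now)
        print(cap, {name: len(items) for name, items in result.items()})
```

With a cap of 10 the sample still keeps 24 entries per store, because every entry from the last 24 hours is protected; with a cap of 60 the twelve oldest entries are evicted and exactly 60 remain.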

Database Backups

Jamf maintains a backup of the following data for up to 30 days:

  • Alert data sent to the Jamf Protect Cloud

  • Server logs

Configuring Data Retention Settings

  1. In Jamf Protect, click Administrative > Data.
  2. Click the Retention tab.
  3. Configure the In-App Alert Access settings.
  4. Configure the Long Term Alert Storage settings.
  5. Click Save.

Your data retention settings will now be used for all data sent to the Jamf Protect Cloud.

Note:

Data retention settings can only be changed once every 24 hours.