Analytic Chains

You can configure Jamf Protect to run Analytics in sequential order, which allows one Analytic to use data collected by a previously run Analytic.

Jamf Protect uses both an Analytic's level and its tags to establish a chain. Lower-level Analytics run first and then pass the following information to succeeding, higher-level Analytics:

  • Tags

  • Event data

  • Results of Context Item statements

The following diagram shows examples of how to create Analytic chains:

Example:

When chaining analytics, you can use this example to understand the basic process. This example uses the same chaining method as Analytics E, F, and G in the diagram above.

Level 0

"LaunchAgent" (Analytic E) is an Analytic that monitors file system events for any new files created in the following location: /Library/LaunchAgent. This Analytic has the "Persistence" tag and context items that extract, from the PLIST file, the path to the binary that is executed during the next startup and define the following context key-value pair: path: /the/path/to/the/autostart/binary.

"KernelExtension" (Analytic F) is an Analytic that monitors file system events for any new files created in the following location: /System/Library/Extensions. This Analytic also has the "Persistence" tag and context items that extract, from the PLIST file, the path to the binary that is executed during the next startup and define the following context key-value pair: path: /the/path/to/the/autostart/binary.

Level 1

To chain an Analytic after the level 0 Analytics, you can create a level 1 Analytic (Analytic G) that monitors the following:

  • Events that are tagged with "Persistence" by an Analytic

  • Events whose context item "path" points to a binary that is not properly signed

As a result, this Analytic chain allows you to move the logic for checking the signature of the files monitored by two Analytics into a single, separate Analytic. As long as the Analytic that checks for proper signing is at a higher level, it can evaluate the events of lower-level Analytics that share its tags, together with their configured Context Items.

Important:

Using tags ensures that only relevant items are evaluated by an Analytic and prevents extraneous computation costs. In the example above, the Analytic at level 1 only computes signing information for items with the "Persistence" tag, which is added after the predicate of a level 0 Analytic returns a value of true.
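The following Python model of the E, F and G chain is an added example, not Jamf Protect code and not the product's real predicate syntax (Jamf Protect predicates are written in NSPredicate syntax; here they are plain Python callables). It assumes the ordering described above: Analytics are evaluated in ascending level order, a level 0 Analytic that matches adds its tags and context items to the event, and a higher-level Analytic is only evaluated for events that already carry one of its tags. The plists, the paths and the "properly signed" lookup are constructed stand-ins; on a real Mac the signing check would be a code-signature validation, which is replaced here by a constructed set so the example runs offline.

```python
import plistlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed sample plists standing in for files Jamf Protect would see created on disk.
AGENT_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/Shared/updater", "--daemon"],
    "RunAtLoad": True,
})
KEXT_PLIST = plistlib.dumps({
    "Label": "com.example.kext",
    "Program": "/usr/libexec/trusted-agent",
})

# Constructed stand-in for a code-signing check (hypothetical allow-list, not a real verifier).
TRUSTED_SIGNED: Set[str] = {"/usr/libexec/trusted-agent"}


def properly_signed(path: str) -> bool:
    """Stand-in for signature validation: only paths in the constructed set count as signed."""
    return path in TRUSTED_SIGNED


@dataclass
class Event:
    path: str                                  # file that was created
    data: bytes                                # file content (plist bytes)
    tags: Set[str] = field(default_factory=set)          # tags added by matching Analytics
    context: Dict[str, object] = field(default_factory=dict)  # context items added by Analytics


@dataclass
class Analytic:
    name: str
    level: int
    tags: Set[str]
    predicate: Callable[[Event], bool]
    context_items: Dict[str, Callable[[Event], object]]


def make_event(path: str, data: bytes) -> Event:
    return Event(path=path, data=data)


def autostart_binary(event: Event) -> Optional[str]:
    """Context item extractor: the binary that a LaunchAgent/kext plist starts at next boot.
    Returns None for a malformed plist instead of raising, so a bad file cannot stop the chain."""
    try:
        plist = plistlib.loads(event.data)
    except Exception:
        return None
    args = plist.get("ProgramArguments") or []
    return args[0] if args else plist.get("Program")


def unsigned_autostart(event: Event) -> bool:
    """Level 1 predicate: the context item "path" exists and is not properly signed."""
    path = event.context.get("path")
    return isinstance(path, str) and not properly_signed(path)


# Analytic E: level 0, tags new LaunchAgent files with "Persistence" and extracts "path".
launch_agent = Analytic(
    name="LaunchAgent", level=0, tags={"Persistence"},
    predicate=lambda e: e.path.startswith("/Library/LaunchAgent/"),
    context_items={"path": autostart_binary},
)
# Analytic F: level 0, same tag and context item for new kernel extension files.
kernel_extension = Analytic(
    name="KernelExtension", level=0, tags={"Persistence"},
    predicate=lambda e: e.path.startswith("/System/Library/Extensions/"),
    context_items={"path": autostart_binary},
)
# Analytic G: level 1, evaluated only for "Persistence"-tagged events, checks signing of "path".
unsigned_persistence = Analytic(
    name="UnsignedPersistence", level=1, tags={"Persistence"},
    predicate=unsigned_autostart,
    context_items={},
)
ANALYTICS: List[Analytic] = [unsigned_persistence, launch_agent, kernel_extension]


def run_chain(analytics: List[Analytic], event: Event) -> List[str]:
    """Evaluate Analytics in level order; return the names of those that matched the event."""
    matched: List[str] = []
    for analytic in sorted(analytics, key=lambda a: a.level):
        # Tag gating: a higher-level Analytic only runs on events a lower level already tagged.
        if analytic.level > 0 and not (analytic.tags & event.tags):
            continue
        if not analytic.predicate(event):
            continue
        event.tags |= analytic.tags
        for key, extractor in analytic.context_items.items():
            event.context[key] = extractor(event)
        matched.append(analytic.name)
    return matched


if __name__ == "__main__":
    ev = make_event("/Library/LaunchAgent/com.example.updater.plist", AGENT_PLIST)
    print(run_chain(ANALYTICS, ev), ev.tags, ev.context)
```

Running the chain on a LaunchAgent plist whose program is not in the signed set matches both "LaunchAgent" and "UnsignedPersistence"; the kext plist pointing at a signed binary matches only "KernelExtension"; a file outside both monitored locations matches nothing, and a malformed plist in the monitored location is tagged by the level 0 Analytic but, because no usable "path" was extracted, is not flagged by the level 1 Analytic.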

Creating an Analytic Chain

  1. In Jamf Protect, click Analytics.
  2. Select the analytic you want to be first in the chain and click Edit.
    1. Enter 0 in the Level field.
    2. Enter relevant tags in the Tags field.
  3. Click Save.
  4. For each succeeding analytic you want to run, configure the following:
    1. Enter 1 or greater in the Level field.
    2. Enter the same tags that you entered for the preceding analytic.
  5. Click Save.