Analytics

An analytic is a rule that detects a threat or unwanted behavior on macOS computers; analytics are central to security in Jamf Protect. Jamf Protect allows you to deploy built-in analytics created by Jamf, or to create your own analytics using the in-app reference page.

All analytics include the following settings:

  • Analytic Description

    Metadata that identifies and explains the function of the analytic

  • Analytic Filter

    Defines the processes that an analytic monitors by using configurable event types and predicate logic

  • Analytic Actions

    Defines what action Jamf Protect takes if a specific analytic's predicate logic returns a value of "True". Actions include the creation of a log entry or an alert. For more information, see Configuring an Action Configuration.

  • (Optional) Analytic Context Items

    Defines additional conditions that an analytic evaluates in addition to an analytic's core predicate logic

  • (Optional) Snapshot Files

    Defines a specific file to monitor for changes

Analytic Descriptions

An Analytic description includes the following information:

  • Analytic Name

    Identifier that is displayed and reported when the analytic is triggered

  • Level

    Determines the order in which an analytic runs. Analytics with the lowest numeric value run first. By default, analytics are assigned a value of 0, and there is no upper limit for an analytic's level.

    Note:

    If an analytic depends on another analytic's results to successfully run, make sure to set the second analytic to a higher level. For more information about sequencing analytics, see Analytic Chains.

  • Categories

    Additional identifiers that allow you to sort and search for analytics in Jamf Protect. Categories do not impact an analytic's function.

  • Description

    Plain-text description of an analytic's function for users.

Sensor Types

The sensor type is the type of event the analytic is configured to monitor on a Mac computer. The following event types can be monitored:

  • File Events (GPFSEvent)

    Monitors files that are written, edited, or deleted from computers or mounted volumes.

  • Process Events (GPProcessEvent)

    Monitors processes that are launched or terminated on computers.

  • Synthetic Click Events (GPSyntheticClickEvent)

    Monitors programmatic mouse clicks used to dismiss notifications, approve actions, or interact with user prompts.

  • Screenshot Events (GPScreenshotEvent)

    Monitors a user's screenshot activity on computers, the path of the resulting screenshot, and the file metadata associated with the screenshot.

  • USB Events (GPUSBEvent)

    Monitors USB devices inserted into computers.

  • Download Events (GPDownloadEvents)

    Monitors files downloaded from the internet.

  • Malware Removal Tool (MRT) Events

    Monitors actions and logs from MRT, Apple's built-in application responsible for removing targeted files from macOS.

  • Gatekeeper Events

    Monitors actions and logs from Gatekeeper, Apple's built-in feature for enforcing code signing and verifying downloaded apps before opening them.

  • Keylog Register Events

    Monitors for new "event tap" registrations via the Core Graphics framework on macOS. Core Graphics event taps are often used by certain types of keylogging and accessibility software. For more information, see Quartz Event Services from the Apple Developer website.

Predicates

Predicates are logical statements, resulting in true or false values, that are the base logic that defines an analytic's function.

Predicate expressions use Apple’s NSPredicate syntax to define the logic that is evaluated using the data models, such as event and data types, tags, and context items. Predicates can be composed of a series of logical conditions, which can be grouped into additional conditions.

For more information on predicate expressions, see NSPredicate from the Apple Developer website.

Note:

Writing predicate expressions and creating analytics is for advanced administrators. For more information, see Creating Analytics.

Analytic Actions

The analytic action determines how a detected analytic is reported to administrators. Each analytic must have at least one action. The following actions can be configured:

  • Alert

    Sends an alert message to Jamf Protect or a configured endpoint, such as a SIEM solution.

  • Log

    Sends logs from computers to Jamf Protect or a configured endpoint, such as a SIEM solution.

  • Cache

    Determines if data collected from events that Jamf Protect monitors is stored on computers in the macOS Console app.

  • Add to Jamf Pro Smart Group

    Adds a computer to a pre-configured Jamf Pro smart group.
Tags

Tags are additional event-based identifiers you can apply to an analytic. When an analytic has tags, higher-level analytics with the same tag can read the preceding analytic's event data and context item statements. Tags can be any value and are only applied when the analytic predicate returns a value of true.

Tags are primarily used to chain analytics in sequential order. For more information, see Analytic Chains.

Analytic Context Items

Context items provide an additional layer of conditions for an analytic to evaluate if the predicate returns true. Context items contain a key-value pair and an expression.

For more information on writing your own expression statement for a Jamf Protect context item, see NSExpression from the Apple Developer website.
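The following is an added example, not Jamf's code or engine, that models the three mechanisms described above (predicates, tags used to chain analytics by level, and context items evaluated only once the predicate is true) in Python so the sequencing rules can be exercised. The process event fields, the analytic names and the NSPredicate-style strings in the comments are illustrative assumptions, not verified Jamf Protect syntax.

```python
# Added example (not Jamf's code): a toy model of how analytics are sequenced
# and chained. The event field names and the NSPredicate-style strings in the
# comments are illustrative assumptions, not verified Jamf Protect syntax.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]


@dataclass
class Analytic:
    name: str
    level: int                                   # lower runs first, default 0
    predicate: Callable[[Event, set], bool]      # (event, tags seen so far) -> bool
    tags: List[str] = field(default_factory=list)
    context_items: Dict[str, Callable[[Event], Any]] = field(default_factory=dict)
    actions: List[str] = field(default_factory=lambda: ["Log"])


def run_analytics(analytics: List[Analytic], event: Event) -> List[dict]:
    """Evaluate every analytic against one event, lowest level first.
    Tags and context items are produced only when the predicate is true,
    so a chained analytic must sit at a higher level than the one it reads."""
    tags: set = set()
    detections = []
    for a in sorted(analytics, key=lambda x: x.level):
        if not a.predicate(event, tags):
            continue
        tags.update(a.tags)
        context = {key: expr(event) for key, expr in a.context_items.items()}
        detections.append({"analytic": a.name, "actions": list(a.actions),
                           "context": context, "tags": sorted(tags)})
    return detections


INTERPRETERS = {"/usr/bin/osascript", "/usr/bin/python3", "/bin/bash"}


# Level 0: tag any script interpreter launch. Illustrative predicate string:
#   $event.process.path IN {"/usr/bin/osascript", "/usr/bin/python3", "/bin/bash"}
def _interpreter_launch(ev: Event, _tags: set) -> bool:
    return ev["type"] == "process" and ev["process"]["path"] in INTERPRETERS


# Level 1: fire only when the lower-level tag is present AND an argument points
# into a user's Downloads folder (illustrative: $event.process.args CONTAINS ...).
def _interpreter_from_downloads(ev: Event, tags: set) -> bool:
    if "ScriptInterpreter" not in tags:
        return False
    return any(a.startswith("/Users/") and "/Downloads/" in a
               for a in ev["process"]["args"])


def build_chain(tagger_level: int = 0, chained_level: int = 1) -> List[Analytic]:
    """Two-analytic chain; the levels are parameters so mis-ordering can be shown."""
    return [
        Analytic("Script interpreter launched", tagger_level, _interpreter_launch,
                 tags=["ScriptInterpreter"], actions=["Log"]),
        Analytic("Script interpreter run on a downloaded file", chained_level,
                 _interpreter_from_downloads,
                 context_items={"parent": lambda ev: ev["process"]["parent"]["name"],
                                "cmdline": lambda ev: " ".join(ev["process"]["args"])},
                 actions=["Alert", "Add to Jamf Pro Smart Group"]),
    ]


# Constructed process event; its shape is an assumption made for this example.
SAMPLE_EVENT: Event = {
    "type": "process",
    "process": {
        "path": "/usr/bin/osascript",
        "args": ["/usr/bin/osascript", "/Users/jdoe/Downloads/installer.scpt"],
        "parent": {"name": "Terminal"},
    },
}

if __name__ == "__main__":
    for detection in run_analytics(build_chain(), SAMPLE_EVENT):
        print(detection)
```

Running the chain with the tagging analytic at level 0 and the chained analytic at level 1 yields two detections, the second carrying the context items. Swapping the levels makes the chained analytic run first, find no tag, and never fire, which is exactly the situation the Level note warns about.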

Snapshot Files

Some analytics monitor changes to a file made by an event. You can specify the path to the file you want to monitor, which allows Jamf Protect to store the file's content and compare file changes if an analytic returns a value of true.
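As an added example that is not Jamf's code, the following Python models the snapshot file behaviour just described: the file's content is stored as a baseline, and when a later file event makes the analytic return true, the live file is compared against the stored copy. The monitored file name and its content are constructed for the example.

```python
# Added example (not Jamf's own code): a minimal model of what a snapshot file
# setting does. The baseline content is stored up front; when a later file
# event makes the analytic return true, the live file is diffed against it.
import difflib
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def digest(text: str) -> str:
    """SHA-256 of the text, a compact "did it change at all" fingerprint."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def take_snapshot(path: Path, store: Dict[str, str]) -> str:
    """Record the file's current content, keyed by path; return its digest."""
    content = path.read_text(encoding="utf-8")
    store[str(path)] = content
    return digest(content)


def compare_snapshot(path: Path, store: Dict[str, str]) -> Dict[str, object]:
    """Diff the file on disk against its stored snapshot, line by line."""
    before = store[str(path)].splitlines()
    after = path.read_text(encoding="utf-8").splitlines()
    delta = list(difflib.ndiff(before, after))
    return {
        "changed": before != after,
        "added": [line[2:] for line in delta if line.startswith("+ ")],
        "removed": [line[2:] for line in delta if line.startswith("- ")],
    }


def demo() -> Dict[str, object]:
    """Constructed walk-through: take a baseline, then add one line and compare."""
    workdir = Path(tempfile.mkdtemp())
    target = workdir / "monitored.conf"          # constructed file name
    target.write_text("# constructed config\nallow admin\n", encoding="utf-8")
    store: Dict[str, str] = {}
    baseline = take_snapshot(target, store)
    unchanged = compare_snapshot(target, store)   # nothing touched yet
    target.write_text("# constructed config\nallow admin\nallow guest\n",
                      encoding="utf-8")
    changed = compare_snapshot(target, store)     # one line appended
    return {"baseline_digest": baseline, "unchanged": unchanged, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

The line-level diff is what makes the alert actionable: a digest alone says only that the file changed, while the added and removed lines show what was written.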