Built-in Analytics

Jamf Protect includes built-in analytics, created by Jamf, that can be used in Jamf Protect deployments. Built-in analytics can do the following:

  • Identify known malware and known malware heuristics to identify evolving variants.

  • Highlight indicators of compromise (IOCs) to help identify exploits, malware, privacy violations, and potentially unwanted programs (PUPs).

  • Audit your user’s use of elevated administrator privileges, USB devices, and screenshots.


Built-in analytics are derived from the MITRE ATT&CK knowledge base. For more information see the following resource from MITRE: https://attack.mitre.org

Built-in analytics are displayed in the Analytics tab Jamf Protect with any analytics you created. You can click on a built-in analytic to view its summary, click Update Actions to modify Actions, or click Copy to create a clone of the analytic.

The following analytic Summary page is an example:

Editing Built-in Analytic Actions

Built-in analytics have pre-configured actions, but you can edit the action of built-in analytics to suit your organization.

  1. In Jamf Protect, click Analytics.
  2. Select the Analytic you want to edit.
  3. In the Analytic Summary pane, click Update Actions.
  4. Select which actions you want to use for the built-in Analytic.
  5. Click Save.

Copying Built-in Analytics

You can copy a built-in analytic to make advanced changes. This is useful for users who do not want to create a new analytic but want to make changes to an existing analytic instead.

  1. In Jamf Protect, click Analytics.
  2. Click Analytics.
  3. Select to the analytic you want to copy.
  4. In the Analytic Summary pane, click Copy.
  5. Edit the analytic as needed.
 For more information on available analytic settings, see Creating Analytics.
  6. Click Save.

You can now add the copied analytic to plans for deployment.

Editing Analytic Severity

You can view and edit an analytic's severity to a different severity level instead of the severity assigned by Jamf Protect.

  1. In Jamf Protect, click Analytics.
  2. Select the analytic to update.
  3. From the analytic summary section, do the following:
    1. Click Edit Analytic
    2. Choose a new severity type from the Severity pop-up menu.
    3. Click Save .