Creating Analytics

Advanced administrators can create their own analytics to deploy to macOS computers.

Creating an analytic requires an understanding of the following advanced topics and processes:

  • An understanding of filtering and sorting logic, such as the NSPredicate and NSExpression classes, to evaluate events and processes on macOS For more information, see NSPredicate from the Apple Developer website.

  • An understanding of the event and process you want to monitor on computers

  1. In Jamf Protect, click Analytics.
  2. Click Create Analytic at the top of the screen.
  3. Do the following in the Analytic Description section:
    1. Complete the Name and Description fields.
    2. Enter the analytic's level in the Level field.

      0 is the default level.

    3. Select categories to associate with the Analytic in the Categories pop-up menu.
  4. In the Analytic Severity section, choose a severity level from the Severity pop-up menu.
  5. In the Analytic Filter section, do the following:
    1. Choose a sensor type from the Sensor Type pop-up menu.
    2. Write the analytic predicate.
      You can use the in-app Analytic documentation to help you create a predicate statement.
      Example: If you want to detect when a user writes a file to a removable device, the predicate would monitor file events and contain the following three conditions, where "== 1" is used to express that a boolean expression is true.
      $event.isNew == 1 AND
      $event.path BEGINSWITH[cd] "/Volumes/" AND
      $event.file.onRemovableMedia == 1

      The following is an example of how predicate example above is configured in Jamf Protect:

  6. In the Analytic Action section, do the following:
    1. Select Add to Jamf Pro Smart Group and enter a value in the identifier field to use the analytic as critieria for a Jamf Pro. For more information, see Setting Up Analytic Remediation With Jamf Pro.
    2. Add any relevant tags, which can be passed to succeeding analytics.

    Additional data settings, such as alert data storage and collection endpoints, are determined by an Action configuration specific to your deployment. For more information, see Creating an Action Configuration.

  7. (Optional) Click Add Context Item to configure additional context items.
  8. (Optional) Click Add Snapshot File to add a file to monitor for changes.
  9. Click Save.

You can now add your analytic to plans for deployment.