Custom Analytic Detections
Jamf Protect's Analytics feature provides the ability to generically detect unwanted or malicious behaviour on Mac endpoints through logical analysis of events occurring across the system.
Jamf Protect's sensor is able to monitor for events such as:
- File Events (GPFSEvent) — Monitors files that are written, edited, or deleted from computers or mounted volumes
- Process Events (GPProcessEvent) — Monitors processes that are launched or terminated on computers
- Synthetic Click Events (GPSyntheticClickEvent) — Monitors programmatic mouse clicks used to dismiss notifications, approve actions, or interact with user prompts
- Screenshot Events (GPScreenshotEvent) — Monitors a user's screenshot activity on computers, the path of the resulting screenshot, and the file metadata associated with the screenshot
- USB Events (GPUSBEvent) — Monitors USB devices inserted into computers
- Download Events (GPDownloadEvent) — Monitors files downloaded from the internet
- Malware Removal Tool (MRT) Events — Monitors actions and logs from MRT, Apple's built-in application responsible for removing targeted files from macOS
- Gatekeeper Events — Monitors actions and logs from Gatekeeper, Apple's built-in feature for enforcing code signing and verifying downloaded apps before opening them
- Keylog Register Events — Monitors for new "event tap" registrations via the Core Graphics framework on macOS. Core Graphics event taps are often used by certain types of keylogging and accessibility software. For more information, see Quartz Event Services on the Apple Developer website
Analytic detections function by applying predicates to the information captured about the event types listed above. Predicates are logical statements that evaluate to true or false; they are the base logic that defines what an analytic detects.
Predicate expressions use Apple's NSPredicate syntax to define the logic that is evaluated against the data models, such as event and data types, tags, and context items. A predicate can be composed of a series of logical conditions, and those conditions can be grouped into further conditions.
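To make the "logical conditions that can be grouped" idea concrete, the following is an added example (not Jamf's code and not the NSPredicate engine itself): a miniature evaluator for a small subset of NSPredicate syntax (`==`, `!=`, `BEGINSWITH`, `ENDSWITH`, `CONTAINS`, `AND`, `OR`, `NOT`, parentheses) run over a few constructed process-event records. The key paths `$event.process.path` and `$event.process.signingInfo.appid`, and the sample events, are assumptions made for illustration; consult the Jamf Protect data model documentation for the real field names. The example also shows how a missing attribute (a process with no signing info) behaves under a negated comparison, which is a common source of surprise when writing detection predicates.

```python
"""Toy evaluator for a subset of NSPredicate syntax over constructed event records.
Added example for illustration; not Jamf Protect's code and not Apple's engine."""
import re

# Comparison operators supported by this toy grammar (a subset of NSPredicate).
_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "BEGINSWITH": lambda a, b: isinstance(a, str) and a.startswith(b),
    "ENDSWITH": lambda a, b: isinstance(a, str) and a.endswith(b),
    "CONTAINS": lambda a, b: isinstance(a, str) and b in a,
}

# One token per match: quoted string, integer, $key.path, ==/!=, paren, or bare word.
_TOKEN_RE = re.compile(
    r'\s*(?:("(?:[^"\\]|\\.)*")|(\d+)|(\$[A-Za-z_][\w.]*)|(==|!=)|([()])|([A-Za-z]+))'
)


def tokenize(text):
    """Split a predicate string into (kind, value) tokens."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        s, n, k, eq, p, w = m.groups()
        if s is not None:
            tokens.append(("str", s[1:-1]))
        elif n is not None:
            tokens.append(("num", int(n)))
        elif k is not None:
            tokens.append(("key", k))
        elif eq is not None:
            tokens.append(("op", eq))
        elif p is not None:
            tokens.append(("paren", p))
        else:
            tokens.append(("word", w.upper()))  # AND / OR / NOT / BEGINSWITH ...
    return tokens


class _Parser:
    """Recursive-descent parser: OR binds loosest, then AND, then NOT, then comparisons."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of predicate")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens starting at {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("word", "OR"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == ("word", "AND"):
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == ("word", "NOT"):
            self.take()
            return ("not", self.not_expr())
        if self.peek() == ("paren", "("):
            self.take()
            node = self.or_expr()  # parentheses group conditions into a sub-condition
            if self.take() != ("paren", ")"):
                raise ValueError("expected closing parenthesis")
            return node
        return self.comparison()

    def comparison(self):
        kind, key = self.take()
        if kind != "key":
            raise ValueError(f"expected a $event key path, got {key!r}")
        kind, op = self.take()
        if kind not in ("op", "word") or op not in _OPS:
            raise ValueError(f"unsupported operator {op!r}")
        kind, val = self.take()
        if kind not in ("str", "num"):
            raise ValueError(f"expected a literal, got {val!r}")
        return ("cmp", key, op, val)


def parse(text):
    return _Parser(tokenize(text)).parse()


def resolve(keypath, event):
    """Walk '$event.a.b.c' through nested dicts; an absent attribute resolves to None."""
    parts = keypath.lstrip("$").split(".")
    if parts[0] != "event":
        raise ValueError(f"only $event key paths are supported, got {keypath!r}")
    node = event
    for part in parts[1:]:
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def evaluate(node, event):
    tag = node[0]
    if tag == "cmp":
        _, key, op, val = node
        actual = resolve(key, event)
        if actual is None:
            # Mirror NSPredicate's nil handling for the common cases: nil != x is
            # true, every other comparison against nil is false.
            return op == "!="
        return _OPS[op](actual, val)
    if tag == "not":
        return not evaluate(node[1], event)
    if tag == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return evaluate(node[1], event) or evaluate(node[2], event)


def match_events(predicate_text, events):
    """Return the indices of events for which the predicate evaluates to true."""
    ast = parse(predicate_text)
    return [i for i, ev in enumerate(events) if evaluate(ast, ev)]


# Constructed sample records; field names are assumptions, not Jamf's documented model.
SAMPLE_EVENTS = [
    {"process": {"path": "/tmp/updater", "signingInfo": {"appid": "com.example.updater"}}},
    {"process": {"path": "/usr/bin/python3", "signingInfo": {"appid": "com.apple.python3"}}},
    {"process": {"path": "/private/tmp/helper", "signingInfo": {"appid": "com.apple.helper"}}},
    {"process": {"path": "/tmp/dropper"}},  # no signingInfo at all (unsigned binary)
]

# Grouped conditions: execution from a temp path, excluding Apple-signed binaries.
EXAMPLE_PREDICATE = (
    '($event.process.path BEGINSWITH "/tmp/" OR $event.process.path BEGINSWITH "/private/tmp/") '
    'AND NOT $event.process.signingInfo.appid BEGINSWITH "com.apple."'
)

if __name__ == "__main__":
    print(match_events(EXAMPLE_PREDICATE, SAMPLE_EVENTS))  # [0, 3]
```

Note that the unsigned process (index 3) matches because its missing `appid` makes the `BEGINSWITH` comparison false, which `NOT` then turns into true; when writing a real Custom Analytic, decide deliberately whether events that lack an attribute should match, and test the predicate against both signed and unsigned samples before deploying it.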
In addition to the Analytics provided and managed by Jamf's Detections Team, customers are able to create and deploy Custom Analytics with the same feature functionality.
Contained within this repository are predicates that can be used to create Custom Analytics that offer extended visibility and detection of events across macOS. Each Custom Analytic object contains:
- A predicate expression
- The required Sensor Event Type
- The recommended Analytic Level setting
- The recommended Severity
More information on each of these settings can be found here.
Instructions for creating a Custom Analytic using the resources in this repository can be found here.
When creating a Custom Analytic from this repository it is helpful to use the Filter Text View option inside the Analytic Filter builder to simply paste in the predicate expression rather than build it using the Filter Query Builder View.