You can configure Jamf Protect to run analytics in sequential order, which allows one analytic to use data collected from a previously run analytic.

Jamf Protect uses both an analytic's level and tags to establish analytic chains. Lower-level analytics run first, and then pass the following information to succeeding, higher-level, analytics:

  • Tags

  • Event data

  • Results of Context Item statements

The following diagram shows examples of how to create analytic chains:

Analytic chain example
Example:

When chaining analytics, you can use this example to understand the basic process. This example uses the same chaining method as analytics A, B, and C in the diagram above.

Level 0

LaunchAgent (analytic A) is an analytic that monitors file system events for any new files created in the following location: /Library/LaunchAgent. This analytic has the "Persistence" tag and context items, which define the path to the binary that is executed during the next startup by extracting it from the PLIST file and defining the following context key-value pair path: /the/path/to/the/autostart/binary.

KernelExtension (analytic B) is an analytic that monitors file system events for any new files created in the following location: /System/Library/Extensions. This analytic also has the "Persistence" tag and context items, which define the path of the binary that is executed during the next start up by extracting it from the PLIST file and defining the following context key-value pair: /the/path/to/the/autostart/binary.

Level 1

To chain an analytic after the level 0 analytics, you can create a level 1 analytic (analytic C) that monitors the following:

  • Events that are tagged with Persistence by an analytic

  • The binary path contained in the context item path is not properly signed

This analytic chain allows you to combine the logic for checking the signature of monitored files for two analytics into a separate analytic. As long as the analytic that checks for proper signing is at a higher level, it can evaluate lower-level analytics with the same tags and their configured context items.

Important:

Using tags ensures that only relevant items are evaluated by an analytic and prevent extraneous computation costs. In the example above, the analytic at level 1 will only compute signing information from items with the Persistence tag, which is added after the predicate of the level 0 analytics return a value of true.