Analytic Settings
- Last Updated Oct 16, 2025
An analytic description contains the following metadata:
- Analytic Name—
Identifier that is displayed and reported when the analytic is triggered.
- Level—
Determines the order in which an analytic runs. Analytics with the lowest numeric value run first. By default, analytics are assigned a value of 0, and there is no upper limit for an analytic's level.
Note: If an analytic depends on another analytic's results to run successfully, make sure to set the dependent analytic to a higher level. For more information about sequencing analytics, see Analytic Chains.
- Categories—
Categories help you classify, sort, and view analytics within the web app. Jamf Protect includes default categories for Jamf-managed analytics, but you can also create new categories for custom analytics.
- Description—
Plain-text description of an analytic's function for users.
The analytic severity defines the level of seriousness of a reported analytic. The following severity levels can be assigned:
- Informational
  Note: Minimum severity level.
- Low
- Medium
- High
The sensor type is the type of event the analytic is configured to monitor on a Mac computer. The following event types can be monitored:
- File Events (GPFSEvent)—
Monitors files that are written, edited, or deleted from computers or mounted volumes.
- Process Events (GPProcessEvent)—
Monitors processes that are launched or terminated on computers.
- Synthetic Click Events (GPSyntheticClickEvent)—
Monitors programmatic mouse clicks used to dismiss notifications, approve actions, or interact with user prompts.
- Screenshot Events (GPScreenshotEvent)—
Monitors a user's screenshot activity on computers, the path of the resulting screenshot, and the file metadata associated with the screenshot.
- USB Events (GPUSBEvent)—
Monitors USB devices inserted into computers.
- Download Events (GPDownloadEvents)—
Monitors files downloaded from the internet.
- Malware Removal Tool (MRT) Events—
Monitors actions and logs from Malware Removal Tool (MRT), Apple's built-in application responsible for removing targeted files from macOS.
- Gatekeeper Events—
Monitors actions and logs from Gatekeeper, Apple's built-in feature for enforcing code signing and verifying downloaded apps before opening them.
- Keylog Register Events—
Monitors for new "event tap" registrations via the Core Graphics framework on macOS. Core Graphics event taps are often used by certain types of keylogging and accessibility software.
Predicates are logical statements, resulting in true or false values, that are the base logic of what an analytic monitors.
Predicate expressions use Apple’s NSPredicate syntax to define the logic that is evaluated, such as event and data types, tags, and context items. Predicates can be composed of a series of logical conditions, which can be grouped into additional conditions.
An analytic action determines how a detected analytic is reported to administrators. By default, all analytics create an alert that is sent to the Jamf Protect Cloud or a configured remote collection endpoint. You can also set up the Add to Jamf Pro Smart Group action, which allows you to use analytic detections as membership criteria for Jamf Pro smart groups. For more information, see Setting Up Analytic Remediation With Jamf Pro.
Tags are additional event-based identifiers you can apply to an analytic. When an analytic has tags, higher-level analytics with the same tag can read the preceding analytic's event data and context item statements. Tags can be any value and are only applied when the analytic predicate returns a value of true.
Tags are primarily used to chain analytics in sequential order. For more information, see Analytic Chains.
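The level and tag rules described above, as a small Python model added here for illustration (it is not Jamf Protect code): Python callables stand in for NSPredicate expressions, and the analytic names, the tag, and the event fields are constructed. The model assumes a tag becomes visible only to analytics at a strictly higher level, which is why the dependent analytic does not trigger when it shares a level with the analytic that sets its tag.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Analytic:
    name: str
    level: int                              # lower values run first; default is 0
    predicate: Callable[[dict, set], bool]  # stand-in for an NSPredicate expression
    tags: tuple = ()                        # applied only when the predicate is true

def evaluate(analytics, event):
    """Run analytics in ascending level order against one event.

    Returns the names of the analytics that triggered. Tags set at one
    level become visible only to analytics at a strictly higher level
    (assumption of this model, following the page's wording).
    """
    visible_tags = set()
    triggered = []
    for level in sorted({a.level for a in analytics}):
        new_tags = set()
        for a in (x for x in analytics if x.level == level):
            if a.predicate(event, visible_tags):
                triggered.append(a.name)
                new_tags.update(a.tags)
        visible_tags |= new_tags
    return triggered

# Constructed sample: a process event with hypothetical field names.
EVENT = {"type": "process", "path": "/tmp/.hidden/tool", "signed": False}

def unsigned_process(event, tags):
    return event["type"] == "process" and not event["signed"]

def unsigned_in_tmp(event, tags):
    # Depends on the first analytic's result, which it reads through the tag.
    return "unsigned" in tags and event["path"].startswith("/tmp/")

def build_chain(second_level):
    return [
        Analytic("UnsignedProcess", 0, unsigned_process, tags=("unsigned",)),
        Analytic("UnsignedProcessInTmp", second_level, unsigned_in_tmp),
    ]

if __name__ == "__main__":
    print(evaluate(build_chain(1), EVENT))  # dependent analytic at a higher level
    print(evaluate(build_chain(0), EVENT))  # misconfigured: same level as its dependency
```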
Context items provide an additional layer of conditions for an analytic to evaluate if the predicate returns true. Context items contain a key-value pair and an expression. Context item expressions use Apple's NSExpression syntax.
Some analytics monitor changes to a file made by an event. You can specify the path to the file you want to monitor, which allows Jamf Protect to store the file's content and compare file changes if an analytic returns a value of true.