Jamf Protect - if file is created

Question

Hi all,I hope someone can help me to find a solution.Within FireEye HX I could create an alert with "fileWriteEvent/fileName starts-with xxx"I try to rebuild this within Jamf Protect.I have created a custom analytic with the following analytic filter: (($event.isNew == 1 OR $event.type == 0) AND$event.prevFile == "protecttest")I have also added this to a smart group called "protect-ProtectTest". I have created a smart group with the criteria Jamf Protect smart groups like protect-ProtectTest and assigned this smart group to a policy where a script removes the group from the client: rm /Library/Application\ Support/JamfProtect/groups/protect-ProtectTestI don't know where my fault is that it doesn't work.I hope for your answers or hints what I did wrong.Thx, Mario.

ThijsX · Accepted Answer

Hey @mario_magnus

Well technically you could but i won't recommend it as that may cause system performance impact on machine that are having a high I/O disk activity.

I would limit it to only monitor paths that are writeable by a end-user or application.
With specifying [cd] in the predicate we are making it case and diacritic insensitive.

Hopefully this is helpful!

Cheers,
Thijs

ThijsX · Answer

Hi @mario11

Not sure if i'm understanding the use case but you could monitor file creation in provided paths by using these example predicates

$event.isNewFile == 1 AND 

$event.path MATCHES[cd] "(:?/System|/Users/[\\\\w_\\\\.\\\\-]{1,83})?/Library/Logs/DiagnosticReports/.*\\\\.ips"

Monitors new files in a specific path and a specific file extension

$event.type == 1 AND

$event.path ==[cd] "/private/var/db/PanicReporter/current.panic"

Monitors new files in a specific path and a specific file name and extension

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded