Help

Creating Custom Analytics for Firewall

Grisha
New Contributor

4 weeks ago

Hi,

We would like to create custom analyses for firewall monitoring. When users turn off the firewall (System Preferences → Network → Firewall), Jamf Protect should trigger an alert. We have already built a custom analysis for the firewall:

$event.type IN {0, 3, 4} AND$event.path == "/Library/Preferences/com.apple.alf.plist" AND$event.file.contentsAsDict.globalstate != "1"


After the update to macOS 15 Sequoia, the plist file no longer exists, which is why we are trying to create a new custom analysis:

$event.type IN {0, 3, 4} AND$event.path == "/Library/Preferences/com.apple.networkextension.plist" 
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"


I searched on GitHub https://github.com/jamf/jamfprotect  but couldn’t find any relevant information.

The plist file contains several dictionaries, but we are only interested in the firewall section. Unfortunately, the analysis does not work. We suspect that the issue lies in the syntax. Could you please help us build this custom analysis correctly or provide tips on how we can check it via the terminal?

Thank you in advance!

0 Kudos
Reply
5 REPLIES 5

ThijsX
Valued Contributor
Valued Contributor

4 weeks ago

Hey @Grisha 

Thanks for posting this question!

Indeed there's a space and a operator missing in the syntax.

$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"

You could try the following?

 
$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall[0].Enabled != "1"

If this does not work out, i can try to replicate it early next week?
 
 
0 Kudos
Reply

Grisha
New Contributor
In response to ThijsX

4 weeks ago

Thank you very much for your help. Unfortunately, it doesn’t work. I believe the problem is that the plist file contains a total of 4 or 5 keys named "Enabled," which makes it difficult to match properly. I look forward to your response.

 

0 Kudos
Reply

Shyamsundar
New Contributor III

4 weeks ago

On macOS Sequoia, a modification has been implemented in the Firewall management system. To ascertain the current Firewall status, kindly utilize the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | awk '{print $3}' |sed 's/\.$//'

 

0 Kudos
Reply

Grisha
New Contributor
In response to Shyamsundar

4 weeks ago

Thank you very much! Unfortunately, I cannot use the command in Custom Analytics. In Custom Analytics, I can only use predicates (https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_Analytics.html). We want to monitor the firewall through Jamf Protect.

0 Kudos
Reply

JL85
New Contributor III

Sunday

Here is the document i got from MAC admin. This is how to help you to capture and write the needed custom analytic.

https://trusted.jamf.com/docs/tailored-event-monitoring-on-macos

0 Kudos
Reply