Help

How do I setup predicate for "Download" event in Jamf Protect?

changsk
New Contributor

Posted on ‎09-30-2024 01:55 AM

Dear all,

I'm attempting to configure a "Download" event in Jamf Protect's Analytics, but I seem to be having trouble with the predicate. The one I've used is ( ProcessName == "mdworker" CONTAINS FilePath ENDSWITH ".download" ), but it doesn't seem to be triggering the "Download" event in the Alerts as expected. I'm pretty sure I've set it up incorrectly.😅

Could anyone suggest the right predicate to use for a "Download" event?

Thank you. 

0 Kudos
Reply
5 REPLIES 5

JL85
New Contributor III

Posted on ‎09-30-2024 07:08 PM

it is better to raise case support. 

0 Kudos
Reply

AntMac
Contributor II

Posted on ‎09-30-2024 10:32 PM

Hi 
Are you able to elaborate on the types of download you are trying to monitor? If you are looking to monitor Curl downloads, there are some analytics available in the JAMF Protect Github for you to import. jamfprotect/custom_analytic_detections at main · jamf/jamfprotect (github.com)

0 Kudos
Reply

changsk
New Contributor

Posted on ‎10-01-2024 12:59 AM

Hello good day, 
We're aiming to establish a way to monitor any download events that occur on users' Macbooks (we're overseeing more than 30 Macbooks). We've sought advice from Jamf support, but unfortunately, we didn't received a clear solution on how to set this up. I've tried several predicates without success. Hence, I'm inquiring here to see if I can gather any relevant information.

0 Kudos
Reply

AntMac
Contributor II
In response to changsk

Posted on ‎10-01-2024 01:51 AM

Based on what you've originally put in your predicate example. It sounds like you want to just monitor safari downloads.

Couple of ways you could do it, but they may be pretty resource heavy on your clients.
Personally, I would be carefully considering what do I want to monitor? All download activity, particular extensions, particular signatures etc. Is an analytic the best way to achieve what I want?   

What response did you get back from JAMF support?

0 Kudos
Reply

changsk
New Contributor

Posted on ‎10-01-2024 03:10 AM

We want to track all download activities on the user's Macbook, such as package installer or extension installations, with alerts sent through Jamf Protect if possible. Jamf support was uncertain about the specific predicate needed for a download event, as it could be complex. They directed me to check GitHub for any relevant information. Additionally, they also recommended that I explore Jamf Nation to see if there are similar posts or if I could get assistance from others who have experience setting up for this specific event.

0 Kudos
Reply