Jamf Protect - if file is created

mario_magnus
New Contributor II

Hi all,
I hope someone can help me to find a solution.
Within FireEye HX I could create an alert with "fileWriteEvent/fileName starts-with xxx".
I am trying to rebuild this within Jamf Protect.
I have created a custom analytic with the following analytic filter:

(($event.isNew == 1 OR $event.type == 0) AND
$event.prevFile == "protecttest")

I have also added this to a smart group called "protect-ProtectTest". I have created a smart group with the criteria Jamf Protect smart groups like protect-ProtectTest and assigned this smart group to a policy where a script removes the group from the client: rm /Library/Application\ Support/JamfProtect/groups/protect-ProtectTest

I don't know what my mistake is; it doesn't work.

I hope for your answers or hints about what I did wrong.

Thx, Mario.

3 REPLIES

ThijsX
Valued Contributor

Hi @mario

Not sure if I'm understanding the use case, but you could monitor file creation in provided paths by using these example predicates:

$event.isNewFile == 1 AND
$event.path MATCHES[cd] "(?:/System|/Users/[\\w_\\.\\-]{1,83})?/Library/Logs/DiagnosticReports/.*\\.ips"

Monitors new files in a specific path with a specific file extension


$event.type == 1 AND
$event.path ==[cd] "/private/var/db/PanicReporter/current.panic"

Monitors new files in a specific path with a specific file name and extension

mario_magnus
New Contributor II

Hi @ThijsX

Thanks for your reply.

The problem I have is that I don't know where the file would be created.

Could I use / as the target or path, to check the whole system?
Could you explain what the "cd" stands for? I either missed it in the manual or I couldn't find it.

ThijsX
Valued Contributor

Hey @mario_magnus

Well, technically you could, but I won't recommend it, as that may cause a system performance impact on machines that have high I/O disk activity.

I would limit it to only monitoring paths that are writeable by an end-user or application.
By specifying [cd] in the predicate we are making it case- and diacritic-insensitive.

Hopefully this is helpful!

Cheers,
Thijs
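As an added example (not code from Jamf, the thread, or either poster), the script below emulates in Python the two predicates ThijsX posted in the first reply and the [cd] modifier explained in the accepted reply, and runs them over a handful of constructed file events. It assumes NSPredicate's MATCHES semantics (a whole-string ICU regex match, emulated here with re.fullmatch), that [cd] means case folding plus stripping combining diacritics (emulated with unicodedata), and that the event fields isNewFile, type and path carry the values the thread's predicates compare against; the sample events and the reading of type == 1 as "created" are constructed for the demo, not taken from Jamf documentation. The last predicate models Mario's "monitor everything under /" idea so the volume difference Thijs warns about is visible.

```python
"""Emulate Jamf Protect analytic file-event predicates over constructed events."""
import re
import unicodedata

# Constructed sample events (not real Jamf Protect telemetry). Field names follow
# the predicates quoted in the thread; type == 1 is treated as "file created"
# because the thread's second predicate uses it that way (assumption).
SAMPLE_EVENTS = [
    {"isNewFile": 1, "type": 1, "path": "/Library/Logs/DiagnosticReports/Safari-2024-01-01.ips"},
    {"isNewFile": 1, "type": 1, "path": "/Users/jörg.müller/Library/Logs/DiagnosticReports/Mail.IPS"},
    {"isNewFile": 1, "type": 1, "path": "/System/Library/Logs/DiagnosticReports/kernel.ips"},
    {"isNewFile": 0, "type": 2, "path": "/Library/Logs/DiagnosticReports/Safari-2024-01-01.ips"},
    {"isNewFile": 1, "type": 1, "path": "/private/var/db/PanicReporter/Current.Panic"},
    {"isNewFile": 1, "type": 1, "path": "/private/tmp/protecttest"},
    {"isNewFile": 1, "type": 1, "path": "/Users/mario/Desktop/notes.txt"},
]

# Regex from the thread's first predicate (with the non-capturing group spelled "(?:").
DIAG_PATTERN = r"(?:/System|/Users/[\w_\.\-]{1,83})?/Library/Logs/DiagnosticReports/.*\.ips"
PANIC_PATH = "/private/var/db/PanicReporter/current.panic"


def strip_diacritics(text: str) -> str:
    """Drop combining marks: decompose (NFD) and keep only non-combining code points."""
    return "".join(c for c in unicodedata.normalize("NFD", text) if not unicodedata.combining(c))


def fold_cd(text: str) -> str:
    """Emulate NSPredicate's [cd] modifier: case-insensitive and diacritic-insensitive."""
    return strip_diacritics(text).casefold()


def equals_cd(left: str, right: str) -> bool:
    """'==[cd]' comparison: equal after folding case and diacritics on both sides."""
    return fold_cd(left) == fold_cd(right)


def matches_cd(pattern: str, subject: str) -> bool:
    """'MATCHES[cd]' comparison: whole-string regex match, ignoring case and diacritics.

    The pattern is only diacritic-stripped (not case-folded) so escapes such as \\W keep
    their meaning; case-insensitivity comes from re.IGNORECASE instead.
    """
    folded_pattern = strip_diacritics(pattern)
    return re.fullmatch(folded_pattern, fold_cd(subject), flags=re.IGNORECASE) is not None


# The three predicates, as Python functions over one event dict.
def diagnostic_report_created(ev: dict) -> bool:
    return ev["isNewFile"] == 1 and matches_cd(DIAG_PATTERN, ev["path"])


def panic_report_created(ev: dict) -> bool:
    return ev["type"] == 1 and equals_cd(ev["path"], PANIC_PATH)


def any_new_file_under_root(ev: dict) -> bool:
    # The "use / as the path" variant from the thread: fires for every new file anywhere.
    return ev["isNewFile"] == 1 and matches_cd(r"/.*", ev["path"])


PREDICATES = {
    "diagnostic_report_created": diagnostic_report_created,
    "panic_report_created": panic_report_created,
    "any_new_file_under_root": any_new_file_under_root,
}


def evaluate(events: list) -> dict:
    """Return, per predicate, the list of event paths it would alert on."""
    return {name: [ev["path"] for ev in events if pred(ev)] for name, pred in PREDICATES.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for path in hits:
            print("   ", path)
```

Running it shows the scoped predicates firing on three and one of the seven constructed events respectively, while the root-level variant fires on all six new-file events, including the user's Desktop file; on a real Mac with heavy disk activity that last predicate is the per-file evaluation cost Thijs is cautioning against.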