Monday
Hey everyone! Long time reader, first time poster.
I am trying to configure a custom analytic in Jamf Protect that will create an alert, similar to the default analytics, in the "Alerts" pane. This one is a little too robust, in terms of what it's creating alerts on. Basically, we are trying to create an analytic that can be used to audit against installed .app software on endpoints, as a way to maintain and ensure compliance with the software allow list. The predicate doesn't need to do anything other than alert when an application is installed. We want it to ONLY alert on the primary .app, and not a bunch of child folders or .apps associated with it. Any ideas on the best way to modify that predicate?
$event.type == 7 AND
$event.isNewDirectory == 1 AND
$event.path ENDSWITH[cd] ".app" AND NOT ($event.path CONTAINS ".Trash" OR $event.path BEGINSWITH "/Library/InstallerSandboxes/.PKInstallSandboxManager")
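The clause the predicate above is missing is a test for whether the new .app directory sits inside another .app bundle (helper apps under Contents/Frameworks or Contents/MacOS are the usual source of the extra alerts). The following Python model is an added example, not code from the post or from Jamf; it reproduces each clause of the poster's predicate as a function, adds the "not nested in another .app" check, and runs it over a constructed list of sample events. The event dictionaries, the sample paths, and the field names are assumptions shaped after `$event.type`, `$event.isNewDirectory` and `$event.path` as used in the question.

```python
"""Model of the poster's Jamf Protect predicate plus a 'not nested' check.

Added illustration; the event shape and sample paths are constructed, not real
telemetry, and the field names mirror the $event.* names from the question.
"""
from pathlib import PurePosixPath

FS_EVENT_TYPE = 7                      # $event.type == 7 in the original predicate
EXCLUDED_SUBSTRINGS = (".Trash",)      # $event.path CONTAINS ".Trash"
EXCLUDED_PREFIXES = (                  # $event.path BEGINSWITH ...
    "/Library/InstallerSandboxes/.PKInstallSandboxManager",
)

# Constructed sample events (not real data). The second one is the kind of
# nested helper bundle that makes the original predicate over-alert.
SAMPLE_EVENTS = [
    {"type": 7, "isNewDirectory": 1, "path": "/Applications/Example.app"},
    {"type": 7, "isNewDirectory": 1,
     "path": "/Applications/Example.app/Contents/Frameworks/Example Helper.app"},
    {"type": 7, "isNewDirectory": 1, "path": "/Applications/Example.app/Contents/Resources"},
    {"type": 7, "isNewDirectory": 1, "path": "/Users/alice/.Trash/Old.app"},
    {"type": 7, "isNewDirectory": 1,
     "path": "/Library/InstallerSandboxes/.PKInstallSandboxManager/Sandbox/Tool.app"},
    {"type": 7, "isNewDirectory": 0, "path": "/Applications/NotADir.app"},
    {"type": 3, "isNewDirectory": 1, "path": "/Applications/OtherEvent.app"},
    {"type": 7, "isNewDirectory": 1, "path": "/Users/alice/Applications/Tool.APP"},
]


def is_app_bundle(path: str) -> bool:
    """ENDSWITH[cd] ".app": case-insensitive suffix test on the full path."""
    return path.lower().endswith(".app")


def is_nested_app(path: str) -> bool:
    """True when any *parent* directory component is itself a .app bundle.

    This is the clause the original predicate lacks: a helper app created at
    Foo.app/Contents/Frameworks/Bar.app has 'Foo.app' among its parents.
    """
    parents = PurePosixPath(path).parts[:-1]
    return any(part.lower().endswith(".app") for part in parents)


def is_excluded_location(path: str) -> bool:
    """The poster's existing exclusions: Trash and the installer sandbox."""
    return any(s in path for s in EXCLUDED_SUBSTRINGS) or path.startswith(EXCLUDED_PREFIXES)


def should_alert(event: dict) -> bool:
    """All clauses of the predicate, ANDed together like the original."""
    path = event["path"]
    return (
        event["type"] == FS_EVENT_TYPE
        and event["isNewDirectory"] == 1
        and is_app_bundle(path)
        and not is_excluded_location(path)
        and not is_nested_app(path)      # the added clause
    )


def alerting_paths(events) -> list:
    """Return only the paths that would raise an alert, in input order."""
    return [e["path"] for e in events if should_alert(e)]


if __name__ == "__main__":
    for p in alerting_paths(SAMPLE_EVENTS):
        print("ALERT:", p)
```

Run against the sample list, only the two top-level bundles come out; the helper app, the Trash entry, the installer sandbox entry, the non-directory event and the wrong event type are all dropped. In NSPredicate terms the nesting test is "does the path contain `.app/` anywhere before its final component", which can be expressed with the MATCHES operator against a pattern like `.*\.app/.*`; that Jamf Protect's analytic editor accepts MATCHES is an assumption on my part (standard NSPredicate does), so check it against a known nested bundle before relying on it.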