Prohibited USB Insertion Detections, Predicate Issue.

Kivo
New Contributor II

I'm having difficulty adjusting the predicate logic to get the desired result.

I'm following the workflow in the Jamf Protect documentation for creating a customized analytic for USB insertion detections. Here is the example of the custom predicate Jamf provides.

$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "SanDisk" AND $event.device.productName != "Cruzer Glide" AND NOT $event.device.serialNumber MATCHES "ABC[0-9][0-9]"

This is all well and good, but I would like to have the one analytic cover multiple USB devices. Here is the predicate logic that I have.

$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "Disk" OR "Flash DISK" AND $event.device.productName != "Disk" OR "Flash Disk"

With the above predicate logic I get no alerts at all from any USB insertion. When I have the vendorName as just "Disk" and productName as just "Disk" it will work properly to exclude that USB insertion that matches those parameters. As I said above, I would like to be able to have this one analytic catch multiple vendorName and productName.

I was not able to find any useful information about formulating these predicates, so if anyone can point me in the right direction that would be awesome.

Cheers! 

2 REPLIES

sydowl
New Contributor II

Hi - you need to spell out the variable names every time, i.e. $event.device.vendorName != "Disk" OR $event.device.vendorName != "Flash DISK". Also, you may have to group the OR statements by putting them in ().

Kivo
New Contributor II

Thanks for the reply! I'll give this a go later today.
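
Added example (not part of the original thread and not Jamf's code): a Python model of how the grouping of the vendorName/productName exclusions discussed above decides which insertions alert, plus a helper that emits an allowlist predicate string using the field names from the post. The device records and the "Acme"/"Stick" names are constructed, and acceptance of the generated NOT ( ... OR ... ) grouping by Jamf Protect is assumed from standard NSPredicate syntax.

```python
# Approved (vendorName, productName) pairs, taken from the post above.
ALLOWED = [("Disk", "Disk"), ("Flash DISK", "Flash Disk")]

# Constructed sample insertions; every one is removable and writable.
DEVICES = [
    {"type": 0, "removable": 1, "writable": 1, "vendorName": v, "productName": p}
    for v, p in [("Disk", "Disk"), ("Flash DISK", "Flash Disk"),
                 ("Acme", "Stick"),   # unapproved device
                 ("Disk", "Stick")]   # approved vendor name, unapproved product
]

def base(dev):
    # $event.type == 0 AND removable == 1 AND writable == 1
    return dev["type"] == 0 and dev["removable"] == 1 and dev["writable"] == 1

def or_of_inequalities(dev):
    # vendorName != "Disk" OR vendorName != "Flash DISK"
    # A name cannot equal both values, so one side is always true.
    v = dev["vendorName"]
    return base(dev) and (v != "Disk" or v != "Flash DISK")

def and_of_inequalities(dev):
    # Every approved vendor and product name excluded independently with AND.
    v, p = dev["vendorName"], dev["productName"]
    return (base(dev) and v != "Disk" and v != "Flash DISK"
            and p != "Disk" and p != "Flash Disk")

def not_allowed_pair(dev):
    # NOT ((vendor == A AND product == B) OR (vendor == C AND product == D))
    return base(dev) and (dev["vendorName"], dev["productName"]) not in ALLOWED

def alerts(predicate):
    """Return, per sample device, whether the analytic would fire."""
    return [predicate(d) for d in DEVICES]

def build_predicate(pairs):
    """Emit the pair-allowlist form as a predicate string."""
    clauses = " OR ".join(
        f'($event.device.vendorName == "{v}" AND $event.device.productName == "{p}")'
        for v, p in pairs)
    return ("$event.type == 0 AND $event.device.removable == 1 AND "
            f"$event.device.writable == 1 AND NOT ({clauses})")

if __name__ == "__main__":
    for fn in (or_of_inequalities, and_of_inequalities, not_allowed_pair):
        print(f"{fn.__name__:22}", alerts(fn))
    print(build_predicate(ALLOWED))
```

The OR form fires on every insertion including the approved ones, the AND form stays silent for a device that shares only a vendor name with an approved one, and the pair form alerts on anything that is not an exact approved vendor/product combination.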