I'm having difficulty adjusting the predicate logic to get the desired result.
I'm following the workflow in the Jamf Protect documentation for creating a customized analytic for USB insertion detections. Here is the example of the custom predicate Jamf provides:
$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "SanDisk" AND $event.device.productName != "Cruzer Glide" AND NOT $event.device.serialNumber MATCHES "ABC[0-9][0-9]"
This is all well and good, but I would like to have the one analytic cover multiple USB devices. Here is the predicate logic that I have:
$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "Disk" OR "Flash DISK" AND $event.device.productName != "Disk" OR "Flash Disk"
With the above predicate logic I get no alerts at all from any USB insertion. When I have the vendorName as just "Disk" and productName as just "Disk" it will work properly to exclude that USB insertion that matches those parameters. As I said above, I would like to be able to have this one analytic catch multiple vendorName and productName.
I was not able to find any useful information about formulating these predicates, so if anyone can point me in the right direction that would be awesome.
Cheers!
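An added example, not part of the original post or of Jamf's documentation: a Python model of the exclusion logic for several vendor and product names, comparing an AND chain of `!=` tests (equivalent to `NOT (x IN {...})`) with an OR chain of the same tests. It assumes Jamf Protect evaluates analytic predicates as standard NSPredicate format strings, where `IN {"a", "b"}` is the set-membership syntax; the function names and sample devices are constructed for illustration.

```python
# Added illustration: models the boolean logic only, it does not call Jamf Protect.
BASE = ("$event.type == 0 AND $event.device.removable == 1 "
        "AND $event.device.writable == 1")

# Names taken from the post, treated here as the devices to exclude.
VENDORS = ["Disk", "Flash DISK"]
PRODUCTS = ["Disk", "Flash Disk"]

def literal(values):
    """Render an NSPredicate aggregate literal such as {"a", "b"}."""
    quoted = ['"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values]
    return "{" + ", ".join(quoted) + "}"

def build_predicate(vendors, products):
    """Assumed-syntax predicate excluding several vendor and product names."""
    return (f"{BASE} AND NOT ($event.device.vendorName IN {literal(vendors)}) "
            f"AND NOT ($event.device.productName IN {literal(products)})")

def alerts_and_chain(dev):
    """x != a AND x != b: same truth table as NOT (x IN {a, b})."""
    return (all(dev["vendorName"] != v for v in VENDORS)
            and all(dev["productName"] != p for p in PRODUCTS))

def alerts_or_chain(dev):
    """x != a OR x != b: true for every x once a and b differ, so nothing is excluded."""
    return (any(dev["vendorName"] != v for v in VENDORS)
            and any(dev["productName"] != p for p in PRODUCTS))

# Constructed sample insert events (removable, writable), not real telemetry.
SAMPLES = [
    {"vendorName": "Disk", "productName": "Disk"},
    {"vendorName": "Flash DISK", "productName": "Flash Disk"},
    {"vendorName": "Acme", "productName": "Pocket Drive"},
    # Excluded vendor with an unlisted product: still suppressed, because the
    # vendor and product tests are independent (as in Jamf's single-device example).
    {"vendorName": "Disk", "productName": "Pocket Drive"},
]

def evaluate(samples=SAMPLES):
    """Return (vendor, product, and_chain_alert, or_chain_alert) per device."""
    return [(d["vendorName"], d["productName"],
             alerts_and_chain(d), alerts_or_chain(d)) for d in samples]

if __name__ == "__main__":
    print(build_predicate(VENDORS, PRODUCTS))
    for row in evaluate():
        print(row)
```

The last sample shows a coverage gap to weigh before deploying: a device that reports an excluded vendor name with any product name raises no alert, so matching on serial number as well (as Jamf's example does) narrows the exclusion.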
