Posted on 01-19-2022 12:39 PM
I'm having difficulty adjusting the predicate logic to get the desired result.
I'm following the workflow in the Jamf Protect documentation for creating a customized analytic for USB insertion detections. Here is the example of the custom predicate Jamf provides.
$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "SanDisk" AND $event.device.productName != "Cruzer Glide" AND NOT $event.device.serialNumber MATCHES "ABC[0-9][0-9]"
This is all well and good, but I would like to have the one analytic cover multiple USB devices. Here is the predicate logic that I have.
$event.type == 0 AND $event.device.removable == 1 AND $event.device.writable == 1 AND $event.device.writable == 1 AND $event.device.vendorName != "Disk" OR "Flash DISK" AND $event.device.productName != "Disk" OR "Flash Disk"
With the above predicate logic I get no alerts at all from any USB insertion. When I have the vendorName as just "Disk" and productName as just "Disk" it will work properly to exclude that USB insertion that matches those parameters. As I said above, I would like to be able to have this one analytic catch multiple vendorName and productName.
I was not able to find any useful information about formulating these predicates so if anyone can point me in the right direction that would be awesome.
Cheers!
Posted on 01-23-2022 04:17 PM
Hi - you need to spell out the variable names every time, i.e. $event.device.vendorName != "Disk" OR $event.device.vendorName != "Flash DISK". Also, you may have to group the OR statements by putting them in ().
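As an added illustration (not code from this thread or from Jamf Protect), the following Python models the analytic's conditions over constructed device events so the effect of joining the per-attribute `!=` exclusions with OR versus AND can be checked before a predicate is deployed. Python stands in for the predicate language here; the field names mirror the question's predicate, and the events are made up.

```python
# Added example, not from the Jamf Nation thread or Jamf Protect: evaluate
# the USB-insertion analytic's conditions over constructed events to see
# which devices each form of the exclusion would still alert on.

# Constructed sample USB-insertion events with the fields the predicate uses.
EVENTS = [
    {"type": 0, "removable": 1, "writable": 1,
     "vendorName": "Disk", "productName": "Disk"},
    {"type": 0, "removable": 1, "writable": 1,
     "vendorName": "Flash DISK", "productName": "Flash Disk"},
    {"type": 0, "removable": 1, "writable": 1,
     "vendorName": "SanDisk", "productName": "Cruzer Glide"},
    {"type": 0, "removable": 1, "writable": 0,   # read-only: never alerts
     "vendorName": "Kingston", "productName": "DataTraveler"},
]

# Names the analytic should stay silent on (the two devices in the question).
EXCLUDED_VENDORS = ("Disk", "Flash DISK")
EXCLUDED_PRODUCTS = ("Disk", "Flash Disk")

def base_match(ev):
    """$event.type == 0 AND removable == 1 AND writable == 1."""
    return ev["type"] == 0 and ev["removable"] == 1 and ev["writable"] == 1

def alert_or_of_not_equals(ev):
    """Exclusions spelled out per attribute but joined with OR.
    x != "Disk" OR x != "Flash DISK" is true for every x (x cannot equal
    both names), so nothing is excluded and every writable device alerts."""
    vendor_ok = any(ev["vendorName"] != v for v in EXCLUDED_VENDORS)
    product_ok = any(ev["productName"] != p for p in EXCLUDED_PRODUCTS)
    return base_match(ev) and vendor_ok and product_ok

def alert_and_of_not_equals(ev):
    """Same comparisons joined with AND: the device must differ from every
    listed name, which is the exclusion the question is after."""
    vendor_ok = all(ev["vendorName"] != v for v in EXCLUDED_VENDORS)
    product_ok = all(ev["productName"] != p for p in EXCLUDED_PRODUCTS)
    return base_match(ev) and vendor_ok and product_ok

def alerting_vendors(predicate, events=EVENTS):
    """Vendor names of the events a predicate would raise an alert for."""
    return [ev["vendorName"] for ev in events if predicate(ev)]
```

Run `alerting_vendors` with each predicate: the OR form alerts on all three writable devices, the AND form only on the SanDisk one.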
Posted on 01-24-2022 09:05 AM
Thanks for the reply! I'll give this a go later today.