So we are just getting started with Protect and have it in notify-only mode. Some of our devs create a cross-platform toolchain which creates a disk image and mounts it to /Volumes/XXXX. When they run make from their script, all hell breaks loose with alerts about 'hidden script running on external volume', which is great but also a false positive. We want to keep the alert but whitelist the volume if it's named something like TESTING.
Any suggestions?
You can disable the Analytic that may cause false positives for the plan scoped to the developers' computers, then clone the Analytic and modify it to your needs to exclude the volumes you trust.
Have a look at https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html#ID-000037e3
Hopefully this helps a bit!
So I was able to modify the alert to whitelist the "build" volume they were mounting, which killed the alerts. BUT, and here is the more serious issue, it is still logging the events, and due to the high-speed repetitive nature of the build process accessing that volume over and over and over, it's pegging the processor on their machines.
In addition, I'll recommend having a look at joining the Protect beta. There are some features that may interest you regarding the case above.