Software Installation reporting

don-f
New Contributor

Hello,

I am looking to create a custom analytic that will alert when a software installation occurs.  I found this:  custom_analytic_detections/app_bundle_installed

It does work and creates alerts, however it alerts on everything installed and there are multiple alerts for each item.

Is there a way to filter out System or Root level installs?  That way Jamf patches/pushes don't trigger alerts?

Thanks,

Don

6 REPLIES

ThijsX
Valued Contributor

@don-f Technically you could use Exception Sets to ignore alerting if it's being installed by a managed service/app (process) you trust. 

Or you could modify the Analytic itself so it is not triggered (on process.signingInfo, for example).

don-f
New Contributor

We figured that might be the case. And I was hoping you'd reach out! It really does work well. We just got bombarded with alerts for system/Jamf updates. I am extremely new to this, so I'm not sure how to go about that.

ThijsX
Valued Contributor

Have you tried going into one of the Alerts you would like to suppress and looking at the exceptions section in the Alert itself?

See the example below. You could do it on App Signing Info; if you did it on TeamID you would safelist all the executables signed by a particular TeamID, which might be too broad.

[screenshot attached in the original post]

don-f
New Contributor

Oh - nice.  Hadn't looked at that.  I will though.  I should be able to create an exception list for all of the "standard" installs. Then it would only hit on, well, others.  lol.  Perfect.  Thanks!

ThijsX
Valued Contributor

@don-f Well, that or, even better, you could easily safelist the process responsible for installing the app bundle, Jamf for example!
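
The trade-off discussed in this thread (safelisting on the executable's signing identifier, on its Team ID, or on the process responsible for the install) as an added, constructed illustration. This is not Jamf Protect's own code, data model or predicate syntax: the event fields (`process`, `responsible`, `app_id`, `team_id`), the signing identities and the sample events are all assumptions made up for the example, and the duplicate event for one bundle mirrors the "multiple alerts for each item" symptom from the original post.

```python
"""Toy model of exceptions applied to an "app bundle installed" analytic.

Constructed illustration only. Field names, signing identities and events
are assumptions, not Jamf Protect's data model or predicate syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningInfo:
    app_id: str   # assumed: code-signing identifier of the executable
    team_id: str  # assumed: Team ID of the signing certificate


@dataclass(frozen=True)
class InstallEvent:
    bundle: str               # path of the app bundle that was written
    process: SigningInfo      # process that wrote the bundle
    responsible: SigningInfo  # assumed: top of the process chain that caused the write


@dataclass(frozen=True)
class Exception:  # noqa: A001  (mirrors the UI term; shadows the builtin on purpose)
    field: str  # dotted path into InstallEvent, e.g. "process.team_id"
    value: str


def resolve(event: InstallEvent, dotted: str) -> str:
    """Walk a dotted field path on the event."""
    obj = event
    for part in dotted.split("."):
        obj = getattr(obj, part)
    return obj


def excepted(event: InstallEvent, exceptions: list[Exception]) -> bool:
    return any(resolve(event, e.field) == e.value for e in exceptions)


def alerts(events: list[InstallEvent], exceptions: list[Exception]) -> list[str]:
    """Bundles that still alert after exceptions, de-duplicated in order."""
    out: list[str] = []
    for ev in events:
        if excepted(ev, exceptions):
            continue
        if ev.bundle not in out:
            out.append(ev.bundle)
    return out


# Constructed identities (placeholders, not real Team IDs or bundle IDs).
MDM_DAEMON = SigningInfo("com.example.mdm.daemon", "TEAMMDM1")
MDM_HELPER = SigningInfo("com.example.mdm.helpertool", "TEAMMDM1")  # same vendor, user-run
INSTALLER = SigningInfo("com.example.os.installer", "TEAMOS01")
TERMINAL = SigningInfo("com.example.os.terminal", "TEAMOS01")
FINDER = SigningInfo("com.example.os.finder", "TEAMOS01")

# Constructed sample events.  Pushed.app appears twice (two processes touch it).
SAMPLE_EVENTS = [
    InstallEvent("/Applications/Pushed.app", MDM_DAEMON, MDM_DAEMON),
    InstallEvent("/Applications/Pushed.app", INSTALLER, MDM_DAEMON),
    InstallEvent("/Applications/HelperDropped.app", MDM_HELPER, TERMINAL),
    InstallEvent("/Applications/UserDragged.app", FINDER, FINDER),
]

# The three safelisting strategies from the thread.
STRATEGIES = {
    "team_id": [Exception("process.team_id", "TEAMMDM1")],
    "app_id": [Exception("process.app_id", "com.example.mdm.daemon")],
    "responsible": [Exception("responsible.app_id", "com.example.mdm.daemon")],
}


def compare(events: list[InstallEvent] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Which bundles still alert under each strategy."""
    return {name: alerts(events, excs) for name, excs in STRATEGIES.items()}


if __name__ == "__main__":
    for name, remaining in compare().items():
        print(f"{name:12s} -> {remaining}")
```

With the constructed events, the Team ID exception also silences the user-run helper tool signed by the same vendor (too broad) yet still leaves Pushed.app alerting through its second, differently signed process; the app-ID exception is narrow but has the same duplicate problem; excepting on the responsible process drops both Pushed.app events and keeps the two installs that were not driven by the management daemon.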

don-f
New Contributor

That would be even better.  Save me time from going through every app and adding.  Thanks for the ideas.