Custom Analytics in Protect Overview

Mar 21, 2025

Lecture Notes: Custom Analytics in Protect

Introduction

  • Presenters: Richard & Aaron
  • Topic: Custom Analytics within Protect
  • Objective: Demystify creating custom analytics that monitor, and extend the protection of, Macs in your own environment.

Overview of Protect

  • Protect offers ways to:
    • Monitor and report on endpoint activity
    • Block malicious activity

Components of Protect

  1. Analytics

    • A set of rules (predicates) that detect suspicious activity on macOS.
    • Alerts are raised in Protect and can optionally be forwarded to a third-party SIEM.
    • Built-in Jamf-managed analytics (156 available at the time of the talk).
    • Custom analytics can be added alongside them.
  2. Telemetry

    • Reports system and user events (e.g., SSH logins, process executions).
    • Telemetry can be forwarded to a third-party SIEM.
  3. Advanced Threat Controls

    • Monitors and blocks unsafe activity.
    • Targets misuse of processes built into macOS (legitimate tools used for malicious ends).
  4. Unified Logs

    • Filters macOS unified log entries and forwards them to a third-party SIEM.

Creating Custom Analytics

  • Purpose: Tailor analytics to specific organizational needs.
  • Skills Required:
    • NSPredicate: Apple's predicate syntax, used to write the logical statement an analytic evaluates.
    • Regular expressions: useful for pattern matching (the MATCHES operator in NSPredicate).
    • Understanding of the events and processes being monitored, so the predicate targets the right attributes.

Process of Creation

  1. Name and Description

    • Assign a descriptive name and a description of what the analytic detects and why.
  2. Define Event Type

    • Event types include process events, file system changes, downloads, and Gatekeeper events; the type chosen determines which attributes the predicate can reference.
  3. Predicate Construction

    • Central to the analytic: the logical statement that defines the activity to detect.
    • Built from the attributes available for the chosen event type and their data types.

Data Types in Analytics

  • Simple types: numbers, dates, booleans.
  • String types: e.g., paths; support operations such as lowercase conversion and extracting components of a path.
  • Enums: predefined values indicating a particular activity or event subtype.
  • Complex types: User and Process objects with their own sub-attributes (e.g., a process's path, arguments, and owning user).

Key Components of a Predicate

  1. Operators: compare values (==, !=, >, <, >=, <=; NSPredicate also accepts = for equality).
  2. Boolean logic: AND, OR, NOT (or &&, ||, !) to combine conditions.
  3. String matching: CONTAINS, BEGINSWITH, ENDSWITH, LIKE (wildcards ? and *), MATCHES (regular expression); append [c] for case-insensitive and [d] for diacritic-insensitive comparison, e.g., CONTAINS[cd].
  4. Arrays and aggregates: ANY, ALL, NONE over collections, IN for membership, and aggregate functions such as @count.

Example Predicates

  • Monitoring modifications to the hosts file (/etc/hosts).
  • Detecting cURL executions.
  • Identifying launchctl invocations that indicate malicious intent (e.g., loading unexpected launch agents).
  • Spotting screenshots being taken and launch agents being created.
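The predicate building blocks and the example detections listed above, tried out locally. What follows is an added example, not code from the presentation or from Jamf: a Swift script that uses Foundation's NSPredicate parser and evaluator to run predicate strings against constructed sample events on a Mac, so a predicate can be checked for syntax and for the matches it produces before it is saved as an analytic. It assumes Protect predicates follow standard NSPredicate syntax, as the talk describes; the event attribute names it uses (type, path, process.path, process.args, process.user.uid) are placeholders invented for this example and must be replaced with the attribute names Protect exposes for the chosen event type.

```swift
import Foundation

// Constructed sample events standing in for Protect telemetry (not real
// captured data). Attribute names are placeholders for this example.
let sampleEvents: [[String: Any]] = [
    // 1: curl fetching a remote script
    ["type": "process",
     "process": ["path": "/usr/bin/curl",
                 "args": ["curl", "-fsSL", "http://example.invalid/s.sh"],
                 "user": ["name": "alice", "uid": 501]]],
    // 2: launchctl loading a per-user LaunchAgent plist
    ["type": "process",
     "process": ["path": "/bin/launchctl",
                 "args": ["launchctl", "load", "-w",
                          "/Users/alice/Library/LaunchAgents/com.example.updater.plist"],
                 "user": ["name": "alice", "uid": 501]]],
    // 3: /etc/hosts modified by an editor running as root
    ["type": "file",
     "path": "/etc/hosts",
     "process": ["path": "/usr/bin/vim",
                 "args": ["vim", "/etc/hosts"],
                 "user": ["name": "root", "uid": 0]]],
    // 4: screenshot taken with the built-in tool
    ["type": "process",
     "process": ["path": "/usr/sbin/screencapture",
                 "args": ["screencapture", "-x", "/tmp/s.png"],
                 "user": ["name": "alice", "uid": 501]]],
    // 5: benign control: TextEdit starting
    ["type": "process",
     "process": ["path": "/System/Applications/TextEdit.app/Contents/MacOS/TextEdit",
                 "args": ["TextEdit"],
                 "user": ["name": "alice", "uid": 501]]],
]

// Candidate analytics: a name plus a predicate in NSPredicate syntax. Each one
// exercises a different building block: regex (MATCHES), ANY over an array with
// a case- and diacritic-insensitive CONTAINS, a numeric comparison on a nested
// object, and a case-insensitive BEGINSWITH.
let analytics: [(name: String, predicate: String)] = [
    ("curl or wget execution",
     "type == 'process' AND process.path MATCHES '.*/(curl|wget)'"),
    ("launchctl loading a per-user LaunchAgent",
     "type == 'process' AND process.path ENDSWITH '/launchctl' " +
     "AND ANY process.args CONTAINS[cd] '/library/launchagents/'"),
    ("hosts file modified as root",
     "type == 'file' AND path == '/etc/hosts' AND process.user.uid == 0"),
    ("screenshot via screencapture",
     "type == 'process' AND process.path BEGINSWITH[c] '/USR/SBIN/SCREENCAPTURE'"),
]

// Returns the names of every analytic whose predicate matches the event.
// A Swift dictionary bridges to NSDictionary, so keypaths such as
// process.user.uid resolve through key-value coding on the nested dictionaries.
func matchingAnalytics(for event: [String: Any]) -> [String] {
    analytics.compactMap { analytic in
        // NSPredicate(format:) raises an Objective-C exception on a syntax error,
        // which Swift cannot catch, so a typo will abort the script with a
        // message naming the bad predicate: that is the syntax check.
        let predicate = NSPredicate(format: analytic.predicate)
        return predicate.evaluate(with: event) ? analytic.name : nil
    }
}

for (index, event) in sampleEvents.enumerated() {
    let hits = matchingAnalytics(for: event)
    let label = hits.isEmpty ? "no alert" : hits.joined(separator: "; ")
    print("event \(index + 1): \(label)")
}
```

Run it with swift predicate_check.swift on a Mac. The benign fifth event is there as a negative control: a predicate that fires on it is too broad. Keep the literal strings free of % characters, or pass them through the argumentArray form of the initializer, because NSPredicate(format:) treats the string as a format string.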

Advanced Concept: Analytic Chaining

  • Purpose: run a sequence of analytics in order, each assigned a level number.
  • Uses the $tag variable to pass data from one level to the next.
  • Simplifies complex detections by splitting them into smaller, manageable analytics.

Resources and Further Learning

  • GitHub repository of example analytics.
  • Apple's NSPredicate documentation.
  • Highspot page with additional resources on analytics and predicates.

Conclusion

  • Interactive sessions and labs are available.
  • Encouragement to explore and test custom analytics.
  • Open Q&A session.