Transcript for:
Custom Analytics in Protect Overview

All right, can everyone hear me okay? Thumbs up, awesome. Thanks for coming along. Today you're going to hear from Richard and Aaron. Together they work in essentially our education and enablement arm at Jamf, helping customers and our partners tackle some of the more complex topics in the solutions that we have today. They're going to chat a little bit about custom analytics, a really cool feature within Protect that helps you extend all the things that you're provided by Jamf, extending and enhancing them for what you're looking for in your environment. This isn't my talk, so I'm going to get off stage and welcome up Richard and Aaron. [Applause]

So good morning everyone. Hope you had a good evening last night at the party. So yes, hopefully we're going to try and demystify custom analytics. We assume that you're all using Protect and you're all using the built-in analytics; hopefully we can just go through the process of creating a custom one and try and demystify it. So my name is Richard, I'm a trainer at Jamf. And my name is Aaron McDonald, I am a technical enablement manager at Jamf; as Matt said, we both work for our partners. Exactly, so you've got two for the price of one.

So the agenda, or the idea, is to basically go through how to build a custom analytic and what's involved. We're going to do an initial overview of what the analytics are, and then we're going to do a deep dive into things like events, data types, and the heart of the analytic, which is the predicate basically, so that hopefully explains what's involved. And then right at the end we'll cover a concept called analytic chaining.

So let's start with the overview. Within Protect we have a number of ways to monitor, report, and also potentially block malicious activity, and we're going to concentrate on analytics. If you're new to Protect, an analytic is basically a set of rules you can enforce that will look for any defined malicious activity on the computer on macOS and, optionally, if you've got Jamf Pro, remediate that issue. But we have other services available. Telemetry allows you to report system and user events on your computer, so things like people logging into the system via maybe SSH, or someone running a process as root; that would get logged and you can forward that to a third-party SIEM. Advanced threat controls behave slightly like analytics. This is quite new. Advanced threat controls basically allow Protect to monitor for what Jamf Threat Labs considers unsafe activity, and it's typically bad actors using built-in processes, built-in tools within macOS, to do bad things, so maybe SSH sessions or things like that. So advanced threat controls can monitor this and kind of auto-block that activity. And then finally we've got unified logs. Unified logs is essentially the logging system in macOS, and Protect can filter those logs, and again you can pass those logs to a third-party SIEM. So we've got a number of ways to report and handle malicious activity, but we're going to focus on the analytics.

So in a nutshell, as I mentioned, analytics are basically a set of rules that detect suspicious activity on the computer. When activity is detected it raises an alert inside Jamf Protect and optionally a third-party SIEM, and then as an administrator you can investigate that and analyze what's happened and then optionally remediate it through Jamf Pro. Out of the box there are what are called Jamf-managed analytics, so these are the built-in ones; at last count there were 156. Each one of these will detect certain activity, but you can create custom ones, and there are many reasons you might want to create custom analytics. Every organization's environment is unique, different, so you might be looking for a certain activity, or maybe one of the Jamf ones you want to tweak slightly to your environment. And also Jamf has a GitHub repository where they host a lot of other analytics you can download basically. So there are many reasons why it might be useful to create these custom ones.

So when you go down the route of creating these, there are a few skills that will be useful. The main one is something called NSPredicate. This is the heart of the analytic; it's basically a logical statement that defines whether the activity you're monitoring has actually occurred. So that's probably the main skill, but things like regular expressions: if anyone has ever done the 400 training course you'll have come across this. Regular expressions are quite useful for things like pattern matching against directory structures and file names. And also having an understanding of the event or process you want to monitor. So hopefully we can clear some of this up as we go through.

So to create the analytic, it's pretty straightforward. Obviously you do this inside Jamf Protect; there's an interface, and as you go through you can define a number of items. For instance you can give it a name, a descriptive name. Each analytic has a level, which we'll come back to, but the levels basically allow you to chain a sequence of analytics together into one sequence. You can set the severity, etc. There's a description you can set. And then finally when we get to the bottom (one second, there you go), at the heart of it we've got the event that you're going to monitor. So every analytic can have an event that you monitor; it could be a file system event you want to monitor, or a download event. So that's the activity it's going to monitor, and then below that you have the predicate itself. This is the heart of it; this is what you basically use to define the activity you want to look at. And above that there's a bunch of other settings: you've got the smart group, which is basically remediation, etc. And then if I go to the bottom, you've got filters, which basically allow you to define additional criteria, so it adds another layer of conditions that can further qualify what the analytic is looking for. And there's also a snapshot option. Snapshot basically allows you to capture the contents of a file, because sometimes you might be interested in what's changed inside a file. So for instance there might be a preference file and you want to know what keys have been added or removed. So Protect can capture that content and then you can use the predicate to have a look at what's changed.

So let's start with the events. The events are basically the sensors that the analytic can monitor. There are quite a few events we can set up. The most common one is file system events, so a lot of the time you're looking for changes in files, preferences basically, so that's probably one of the most common ones. But we've got things like download events we can monitor, we can monitor Gatekeeper events, and each one of these will have a set of data that's collected, a set of attributes. So as an example, if you select the file system event, that would capture quite a lot of detail about what happened on the file system. For instance it could be the path of the file that got changed, how the file was changed (was it deleted, was it modified, was it a new file), there's a timestamp of when it happened, and even things like what user was involved and what process was involved. You know, maybe the file was modified by the Finder, or maybe it's modified by a malicious process. So all this data is available and we can then use that data in the predicate to qualify whether a particular event was detected. And there are other ones; we've got various other events we can monitor, and each one of these returns different types of data, some less and some more. So you've got things like screenshot events, you've got download events, and at the end the last one is Gatekeeper events; again these will capture what happened at that particular point in time.

So when you create the analytic you set the event type, and there's some really good documentation. Inside the Protect web interface, if you go to the administration section, there's some really good documentation that defines all the event types and then what data is captured. So it's all built in, at your fingertips, which is quite handy when you're creating the analytic. So you set the event type and then we start capturing data. Now each piece of data has a particular type, and that type defines how you compare against it. For instance, some attributes have a simple type, they store one value; some attributes that get collected will have multiple values; and some attributes will return other, more complex objects. So all this data we can capture, but understanding the type will then dictate how you access that data and compare it.

Starting with some of the simpler ones: some types are just numbers; we have date objects, typically for the timestamps; and there are quite a few attributes that are like logical statements, so they're basically booleans. For instance, do we have a new file, do we have a deleted file. Within the predicate we use ones and zeros for true and false. So they're the simpler ones. As an example, if we take something like the file system event, there are a number of attributes that get collected. For instance isNewFile is a boolean, so it would return 1 if a file was created or 0 if it wasn't. We capture the UID of the user that's involved, which would be a number, and even something like the timestamp, which would be a date object. So they're the simple ones, but then it gets more complex.

The second type are strings. A lot of the data that's captured is basically strings, for instance paths to files, and with strings we get a lot of sub-attributes that give us a bit more information about that string. As an example, with the file system event there's a path object that gives us the path of the file that got modified, deleted, etc., but there are sub-attributes on that string. For instance there's a length attribute for the length of the string; you can convert the string to lowercase, maybe for comparison reasons; and you can even extract, for instance, the file name from a path, or with path extension get the file extension, if that's of interest to you. So they're string types.

The next type are enums. Enums basically are objects that have a predefined set of values, and each value will define a particular response. As an example, we have a type object under the file system event that gives you some more information about what happened for that event. So these are the values: for instance 0 means a newly created object, 1 means the item was deleted. But be careful, some of these attributes are used elsewhere, so under the process event as an example there's a type attribute and that has a completely different meaning; as an example, that would tell you whether a process was created or a process exited. So slightly different values. So they're the enums.

Then we get more complex objects. As an example, there's an object for users, so we get information about the user that's involved, and that contains a whole set of attributes in relation to that user. For instance we can get access to the user's UID, which would be a number; we can get the UUID, which is typically a string; or the name, as an example. So again we can just drill down into these objects to get a bit more information about that particular user. So we have a user type.

And then finally we have a process type. Typically some sort of process is involved when the activity happens, so with the process again we get a bunch of sub-attributes. For instance we get the path of the process that was launched or exited, so in this example maybe launchctl, but then we can get details about any arguments that are passed to that process. So maybe someone is maliciously booting out or unloading a launch daemon; we get access to the arguments. And also we get access to the parent process, so what parent process actually launched launchctl; that returns another process object for that parent. And we also get information about whether the process was signed, so that returns another type called a signing type, and again that gives you lots of good information about how that process was signed. If it wasn't signed that would obviously be a red flag; if it was signed, who signed it. So we get the app ID, the team ID of the developer, and even what signing certificate was used: was it ad hoc, was it from the App Store, or was it unsigned, as an example. So again we can use all this data in our predicate to qualify what's going on.

I always like to give useful tools, so sometimes you might want to get the information about a particular bundle ID, app ID, team ID. There's a really useful command called codesign that will let you get the signing information for an app, and also there's an app called Apparency. This is done by the same people who did Suspicious Package, and that will return again all this information about who signed the app and things like the team ID. So if you need that information, a couple of useful resources. And again all these types are documented in the portal, so if you go to the administration section there's a documentation section and it lists all the types, with example values and a description of what they hold.

So having got that, the heart of the analytic is the predicate. A predicate is basically a logical statement that returns true or false, which you can use to qualify whether the event that happened is one that you're interested in. So you define a set of rules, and then the predicate will be applied to all the events, and if the event is monitored and it matches your criteria, an alert is raised inside Protect and then you can go on and analyze it and/or remediate against it. So when it comes to these predicates, all you're pretty much doing is just comparing values. You're going to take some of the attributes you're interested in and compare them to particular values you're interested in. These can be simple comparisons like equals, not equals; we've got things like case- and diacritic-insensitive lookups, so we can basically do a case-insensitive search on a file path; we've got logical operations like true or false; we've got date constraints; we've got things like relational conditions, which are basically partial matches; and we've even got things like aggregate operators where we can count items, so maybe you want to count how many times a particular value or key appears in a preference file. So these are all tools at our fingertips.

To create the predicate, which is the heart of it, there are two ways you can do this. One is there's a built-in form editor, so it's basically a UI that will just walk you through creating the predicate, and this is quite nice if you're new to this because it's contextually aware; it walks you through selecting the attributes you need, selecting the operators you need, and then you can put the values in basically. So there's a nice UI for this. Or if you're a bit more advanced and used to this, there's a text box where you can just maybe prepare the predicate outside of Protect and paste it in.

So when we create our predicate there are three variables we talk to. $event is probably the main one; $event holds all the attributes that were collected from that event, so this is typically the main one we access to get those values. But there's a $context, which basically has some more contextual information around that event, and then we've got $tags, which we look at later on; typically it's used for the analytic chaining piece. So we start with $event. $event basically holds all the raw data from the event that happened for the analytic, so we can access $event and then create the predicate around this to evaluate whether the condition we're looking for has been met. So to dive into attributes I'll pass to my colleague Aaron.

Thank you very much. So we're going to go ahead and take a look at some of the ways that we can, like he said, drill down further, and those are with those attributes. Now to access those you're going to use $event, then throw a period after that to get to those other attributes. So let's start taking a look at some of those. We're going to look at $event.isNewFile; that is going to be one of those booleans, 1 is true, 0 is false. For $event.uid we're going to think about our user; that will return 501 for a particular user. For timestamp, that is going to return that result with the Unix timestamp.

Next we're going to take a look at the string that we mentioned. So taking a look at a string here, $event.path, that's going to give me that full path for whatever is contained in there. For path.length, we're looking at that path that we have before; that's 48 characters. Here we're going to switch that down with lowercase: take out all of those capitals, replace them with lowercase letters. If we look at that path that we're seeing up there, if I use lastPathComponent it's going to return com.apple.loginwindow.plist, but if I just want that extension I can use pathExtension. Then lastly, if I want to get everything but that last path component, deleting the last path component will bring me back /Library/Preferences.

Moving over to user, I can enter user.uuid and bring back the UUID of that user, or we can go back to that uid and get that 501. If I need somebody's name, .name. Looking at the process type of event, if I go to the path for a particular process, say that... goodness, my context just slid out of my head, thank you... we're going to return back that particular path. If I'm looking for the arguments that could be used to run that particular process I can gather those there within that particular array. I can also search for the parent path; that'll be the parent object. And the signing info returns the signing info of that process. Continuing on with our processes, again returning that parent object, so parent path /bin/zsh, and then the signing info for that is going to return com.apple.zsh.

To do any comparison within these, say I want to look at one particular event path versus another, I'm going to use some operators. Now here are the operators that we can use: the equal, the not equal to, greater than, less than, less than or equal to, greater than or equal to. As well, I can use the booleans; again 1 is true, 0 is false. I can also return a number, so I'm comparing whether or not a uid is equal to or greater than 501. Looking at our strings, I can do a comparison; so I'm looking for an exact comparison here, it has to be the same case, it has to have everything match. I can also determine if it contains something, so in this case I am looking to see does this particular process contain "apple", or I can figure out if it begins with something, so in this case com.apple. But there are more things we can do with strings, such as I can determine whether or not a string begins with a component or has something like a particular component like Library; that'll be a wildcard, as we're showing with the asterisks on both sides. Matches: we're looking for anything that matches using a regex here, to find out anything within the system library, for any user whatsoever, then Library/LaunchAgents. We can also determine whether or not we want to be case sensitive or diacritic sensitive, so whether or not it has to match a particular case or not. We can skip that whole idea of the upper and lower case and use [c], or if there's a possibility that we would have a character that for example is e or an e with an accent on the top, using that [d] will strip that out, so anything that has e in it will match just fine.

But maybe you don't want to do just one thing; you want to collect a whole bunch of things. Here you can use arrays. So within here I can look for anything in that particular extension list that contains the png, the jpeg, or the pdf, as well as whether or not there is a particular type that is 0, 3, or 4. You can also collect the arguments within there, so for example if I'm running a command that would contain say sudo or launchctl, or anything that that particular process could execute, I can throw that into that array. I can also count how many of those particular arguments are going through, so in that first example our count is returning 5. I can also return the number that is greater than a particular value, so in that example I'm going to get a count that is going to return that it's more than three, excuse me, more than zero. And lastly I can go through all of those arguments and anything inside of there is going to return our unload or our bootout. And again if you've got any other questions about this, there is NSPredicate documentation to help you along the way. Finally we're going to move on to our boolean logic. We are looking at AND, OR, NOT, simple enough; we're looking for anything that has both of those things, or one or the other, or none of those things. So to go even further, Richard's going to take us through all of our examples to explain how we can put all of these things together.

Thanks. Okay, so let's look at some examples. These are taken from some real analytics, some from the built-in ones, some from Jamf's GitHub repository, just to give you an idea of how you can build out the logic for the activity you want to monitor. So the first one is one that's looking for modifications to the hosts file. This is made up of two sections, really, using the AND logic. This is using the file system events because we're going to monitor changes to this file. The first part is looking at whether the event was a modified file, so using $event.isModified == 1, so it's true. And then we have the AND logic, and with the AND logic we then have the second qualifier, and here we're using the path attribute, so we're looking at the path of the file that was modified; we've got the c in the square brackets to do a case-insensitive match, and then we specify the path we want to monitor. So in this case, if the hosts file is modified, that would return true and that would trigger our analytic for us to then go and investigate. So that's a pretty straightforward one.

The second one is looking for any curl activity, so anyone using curl to either download or upload content they shouldn't be. The first part is the type; with the type we can specify the type of activity. This is a process event, so we're looking for any new processes that have been created or executed. And then to qualify that we look at the process itself; we're looking at the signing information for the particular curl binary that Apple supplies with macOS. So we're using the signing information on the process, going down to the app ID and comparing it to the known bundle ID of that process. So again, combined, this would trigger if curl gets executed. Now one thing I would say is, if you are going to create custom analytics, do test them, don't just deploy them. If you get these wrong it can generate lots of false alerts. So definitely test these, test these to a test plan, a small set of computers, just to make sure you've got the logic correct. So that's the curl example.

And then just to create one slightly longer, this one is looking for any activity where someone is using launchctl to either unload or boot out a launch daemon from memory, so maybe someone is trying to unload your security tools as an example. This is using the process event again, and as we dive in we can see that it's first of all using type, so basically the type is looking for any new process that gets created, and then we're going to qualify that with the app ID of the launchctl command line tool. So again, on the event process we're going to dig into that just to make sure that whatever process got created matches launchctl, and then we're going to count the arguments, so how many arguments were passed to launchctl, because what we don't want is false triggers. If someone happens to run launchctl maybe just for the manual page, we don't want to be triggered for that; we're only interested if someone's using launchctl and asking it to do something. So we're going to qualify that by asking whether we've got basically one or more arguments, and then in the argument list we qualify that by checking whether the unload or the bootout argument matches the arguments we passed to launchctl. So combined, we can then track anyone basically kicking out a launch daemon.

Slightly longer one. This one is checking for screenshots, so maybe you're interested to know if someone's doing screenshots on the computer. This is using a file system event, so we're monitoring for file system changes. The first argument is using the type, and the type for this one is actually checking for renamed files. Now that might seem strange, maybe you're expecting it to check for new files, but with screenshots the last thing that happens to those files is they get renamed with a timestamp, so that's the activity it's looking for. And then it's going to qualify the file extension of that file to see whether it matches any of the known graphical formats we can use for screenshots, so PNGs, JPEGs. Now at this point, if we left it at this point, this would trigger for any graphical image, any picture that gets renamed. So to qualify that we're then going to look at the process that was involved, and we compare the app ID to the two known bundle IDs of the two processes that Apple uses for screenshots. So this will only trigger now if those processes were involved and we get an image that's renamed with those file extensions. So this can get quite complicated, but if you break it down logically hopefully it makes a bit of sense.

The next one is looking for any launch agents that have been created. So again we start off with $event.isNewFile, so we're going to basically check if any new files get created, and then we have something really horrible: this is a regex example. On the path we're using regex to match all the locations that launch agents can exist, because there are at least three locations where launch agents can be deployed to, and also the launch agent can have numerous naming conventions. So this is where the regex comes into play, where you can create a regex pattern for all those locations and all the potential file names that launch agents can have. So that would check for any new launch agents. However, what they do with this one is they've got an AND NOT, so here they're excluding a particular team ID, which is Jamf, and a particular launch agent, because if you're using Jamf Pro, Jamf Pro does regularly update the launch agents it deploys and we don't want Protect being triggered all the time for that update. So here they're just excluding Jamf Pro's launch agents from this analytic. So hopefully that gives you some idea how these get built out. If you go to the GitHub project I pointed you to earlier on, there are about 60 or 70 in there now, and if you look into them it's quite a nice learning exercise to go through them and see what they use to build out that particular logic for that analytic.

And finally we've got something called analytic chaining. Analytic chaining allows you to have a sequence of analytics that run in a particular order, and this is all done by the level number. So the level zeros all run first, and then you can have a set of level ones, level twos, etc. And the idea is you can create a sequence of analytics that will pass data from the lower one to the higher one, so it allows you to have a higher level of analytics that further qualifies the lower ones. Now to create these we use the $tags attribute, so we can use the tags of the analytics to create that sequence, and we use the level number to set the order they run in. So as an example, built in with some of the built-in analytics, we have two analytics that look for new launch daemons and agents. These are level zeros, so these will track all those agents and daemons that get created; they've got all the logic to look for the correct directories and the correct file names being used, so these will obviously get triggered if the activity happens. Now on top of that we have a level one, and the example I've picked is this "plist disguised as Apple". Some malicious players will create launch daemons and they will disguise that launch daemon or agent as an Apple one, so they might use an Apple naming convention like com.apple for the file name, so visually it looks like it's a legitimate Apple one. Now with this sequence, the advantage of doing this is we can have all the heavy-lifting logic we need for all the directories and file paths in the level zeros, and the level one just needs to further qualify how to look for the Apple-disguised ones. So it makes our level ones much simpler, because all the lifting has been done by the level zeros, and it also kind of future-proofs them: if Apple ever came out and, I don't know, added another launch agents directory as an example, all we have to do is update the level zeros and then the level ones will inherit that detail. So to create the sequence we set the "plist disguised as Apple" as a level one, and then to connect it to the launch agents and daemons we use this $tags variable, and in there we just compare it to the tags we're expecting or need to connect to. So those tags exist on the level zeros, and if they get triggered those tags get passed up to the level one, and then we can just qualify that, and if the tags match the ones we're expecting we know that they have run, and then the "plist disguised as Apple" can take over and further qualify.

So here's just an example. This one here is basically just an example of two sequences. The top one is the launch agent one I showed you, and then the bottom one is basically just further qualifying it. So this example is looking for two named launch agents that are used in a popular bit of malware. So the level zero will look for any launch agents, and then the level one will have the tags variable to verify the level zero ran, and then it can further qualify the name of the launch agent based on the two names it's expecting, and then it will trigger. So hopefully that was helpful. There was another talk, unfortunately earlier on, with one of our colleagues; he kind of builds on this talk by building out real-world workflows, so taking all this information and going through and building out real-world scenarios and workflows. So when it goes live online, definitely check that one out. And Aaron this week has been doing some labs, and then there's a Highspot page, so take a picture of the URL; that's got some extra information regarding this topic, on analytics and predicates, etc. So thank you very much. I think we've got 10 minutes, so if there are any questions we'll try to duck them. We do have time for some Q&A; if people do have any questions I can stumble around the room and help people ask them out loud. Anything at all? No? Great content, thank you. Okay, thank you. No questions? Last chance. It's actually the perfect content, you've answered them all. Cool. All right, thanks for coming everyone, really appreciate it. Have a great rest of your day, and thanks for coming to the conference if this is your l
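The speakers stress testing a custom analytic before deploying it, and the predicates they walk through (hosts file modification, curl execution, launchctl unload/bootout, new launch agents) are ordinary Foundation NSPredicate strings. The following is an added example, not from the talk and not Jamf's own code: a small Swift script that binds a hand-built dictionary to `$event` and evaluates each predicate against both a matching and a non-matching event, so a false positive or a predicate that never fires shows up on a single Mac before it reaches a test group. Attribute names (`isModified`, `isNewFile`, `path`, `type`, `process.args`, `process.signingInfo.appid`) follow the talk's descriptions; the bundle identifiers `com.apple.curl` and `com.apple.launchctl`, the three-directory launch agent regex, and the assumption that `args` excludes argv[0] are mine, and `$context` and `$tags` are not modelled.

```swift
import Foundation

// Added example (not from the talk or from Jamf). Runs Jamf Protect-style
// NSPredicate strings against constructed $event dictionaries so a custom
// analytic's logic can be checked locally before deployment.

/// Evaluate an analytic predicate against one event. `$event` is bound as an
/// NSPredicate substitution variable, the same name the Protect predicates use.
func analyticFires(_ predicateFormat: String, on event: [String: Any]) -> Bool {
    let predicate = NSPredicate(format: predicateFormat)
    return predicate
        .withSubstitutionVariables(["event": event])
        .evaluate(with: nil)
}

// Predicates reconstructed from the talk's descriptions.
let hostsFileModified =
    "$event.isModified == 1 AND $event.path ==[c] \"/etc/hosts\""

// Assumed bundle identifier for Apple's curl binary.
let curlExecuted =
    "$event.type == 0 AND $event.process.signingInfo.appid == \"com.apple.curl\""

// Process created, signed as launchctl, at least one argument, and one of
// the arguments is unload or bootout. Bundle identifier assumed.
let launchctlUnloadOrBootout =
    "$event.type == 0 " +
    "AND $event.process.signingInfo.appid == \"com.apple.launchctl\" " +
    "AND $event.process.args.@count > 0 " +
    "AND ANY $event.process.args IN {\"unload\", \"bootout\"}"

// Assumed regex for the three LaunchAgents locations the talk mentions
// (~/Library, /Library, /System/Library). [.] is a literal dot, which avoids
// backslash escaping inside the predicate format string.
let newLaunchAgent =
    "$event.isNewFile == 1 AND " +
    "$event.path MATCHES \"^(/Users/[^/]+|/System)?/Library/LaunchAgents/[^/]+[.]plist$\""

// Constructed sample events (values are made up).
let hostsEdit: [String: Any] = [
    "isModified": 1, "isNewFile": 0,
    "path": "/etc/HOSTS",   // odd case on purpose, to exercise ==[c]
    "uid": 501,
]
let launchctlBootout: [String: Any] = [
    "type": 0,
    "process": [
        "path": "/bin/launchctl",
        "args": ["bootout", "system/com.example.agent"],  // argv[0] assumed excluded
        "signingInfo": ["appid": "com.apple.launchctl"],
    ] as [String: Any],
]
let launchctlNoArgs: [String: Any] = [
    "type": 0,
    "process": [
        "path": "/bin/launchctl",
        "args": [String](),
        "signingInfo": ["appid": "com.apple.launchctl"],
    ] as [String: Any],
]
let userAgentDrop: [String: Any] = [
    "isNewFile": 1, "isModified": 0,
    "path": "/Users/alice/Library/LaunchAgents/com.apple.update.plist",
]
let systemPlistEdit: [String: Any] = [
    "isNewFile": 0, "isModified": 1,
    "path": "/Library/Preferences/com.apple.loginwindow.plist",
]

// Each check pairs a predicate with an event and the result we expect.
let checks: [(String, String, [String: Any], Bool)] = [
    ("hosts file, case-insensitive match",     hostsFileModified,        hostsEdit,        true),
    ("hosts predicate vs. unrelated plist",    hostsFileModified,        systemPlistEdit,  false),
    ("launchctl bootout",                      launchctlUnloadOrBootout, launchctlBootout, true),
    ("launchctl with no arguments",            launchctlUnloadOrBootout, launchctlNoArgs,  false),
    ("curl predicate vs. launchctl event",     curlExecuted,             launchctlBootout, false),
    ("new agent in ~/Library/LaunchAgents",    newLaunchAgent,           userAgentDrop,    true),
    ("modified plist outside LaunchAgents",    newLaunchAgent,           systemPlistEdit,  false),
]

for (name, format, event, expected) in checks {
    let fired = analyticFires(format, on: event)
    print("\(fired == expected ? "PASS" : "FAIL") \(name): fired=\(fired)")
}
```

Save it as `predicate_check.swift` and run `swift predicate_check.swift` on a Mac; every line should read PASS. The value of the negative cases is the point the speakers make about false alerts: the no-argument launchctl event proves the `@count > 0` guard does what the talk says, and the loginwindow plist proves the launch agent regex does not fire on ordinary preference changes. To try your own predicate, paste it in as a string and add events that should and should not match.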