Alert Severity - Security teams are commonly faced with a high incoming count of alerts from various security tools. The concept of alert severity helps these teams prioritize what, if any, investigation they perform against incoming alerts and which to tackle first.
With this release, alerts will be assigned one of four default severities:
- High - Known bad malware and behavior that indicates a high confidence of compromise (CVEs, reverse shells, keyloggers, red-team frameworks, etc)
- Medium - Known adware/grayware and suspicious behavior (SSH as root, Climpli, etc)
- Low - Potentially unwanted programs and behavior that could be suspicious but also exhibited by legitimate vendors (Crypto-miners, behavior to avoid LittleSnitch, etc)
- Informational - Interesting events that aid visibility into the environment for investigations and threat hunting (normal launch agent installation, EICAR detections, etc)
Note: Any events that had previously been collected in the “Log” section will now appear in the “Alert” section with a severity of “Informational.”
To make this information easy to digest and actionable, we’ve overhauled our UI for listing and digging into alerts.
In the alert section of Jamf Protect, you now see an ordered list of all alerts with severity marked as a column with a visual bubble graph. By default, the UI will apply a filter that does not show any alerts with an Informational status. Clicking into an alert still allows you to dig into the details within that alert.
All severities are assigned based on the analytic that triggered the alert. Since you can customize your alerts, you can also customize the severity of an alert.
Note: Any older existing deployed agents will continue to function and severity will be displayed in the Jamf Protect console correctly. However, any events sent to a SIEM, S3 bucket, etc may be missing their severity.
You’ll also note that we have another new property on each alert: Status.
Alert Status and Actions - When you have a flow of alerts coming in or if you are analyzing alerts as part of a team, one common issue is to identify which of these alerts has already been dealt with. Alert status is a new feature in Jamf Protect that provides visibility into the status of each alert.
By default, any new alert will have a status of “New.” You can change this status to “In Progress” or “Resolved” in both the alert detail view and in the alert list. In the alert list, you can also assign status in bulk to multiple alerts at the same time.
Any alerts logged as a result of a Threat Prevention policy will have a status of “Auto Resolved.” Note that “Resolved” and “Auto Resolved” alerts are filtered from the alerts list by default.
Note also the “Action” on each of these alerts. If an alert was raised because a Threat Prevention policy (such as blocking known malware) triggered, the “Action” will be “Prevented”. Those alerts that triggered a Jamf Pro remediation flow will have an “Action” of “SmartGroup.”
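As an added illustration (not Jamf's code or API), the triage rules described above as a small Python model: the four severities ranked for ordering, the default list filters (Informational and Resolved/Auto Resolved hidden), the Auto Resolved/Prevented convention for Threat Prevention alerts, bulk status changes, and a hypothetical analytic-to-severity map used to backfill SIEM events from older agents that arrive without the severity field. The alert IDs, analytic names and the map are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Severity order from the release: High is triaged first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Hypothetical analytic-to-severity map, used only when an event exported by
# an older agent reached the SIEM without its severity field.
ANALYTIC_SEVERITY = {"ReverseShell": "High", "SSHAsRoot": "Medium",
                     "CryptoMiner": "Low", "EICARDetected": "Informational"}

@dataclass
class Alert:
    id: str
    analytic: str
    severity: Optional[str] = None  # missing on events from older agents
    status: str = "New"             # New / In Progress / Resolved / Auto Resolved
    action: Optional[str] = None    # Prevented / SmartGroup / None
    prevented: bool = False         # raised by a Threat Prevention policy

def normalise(alert: Alert) -> Alert:
    # Fill in severity from the analytic if the export lacked it.
    if alert.severity is None:
        alert.severity = ANALYTIC_SEVERITY.get(alert.analytic, "Informational")
    # Threat Prevention alerts are Auto Resolved with an Action of "Prevented".
    if alert.prevented:
        alert.status, alert.action = "Auto Resolved", "Prevented"
    return alert

def default_view(alerts: list) -> list:
    # Default list view: hide Informational and resolved alerts, order High first.
    visible = [a for a in map(normalise, alerts)
               if a.severity != "Informational"
               and a.status not in ("Resolved", "Auto Resolved")]
    return sorted(visible, key=lambda a: SEVERITY_RANK[a.severity])

def bulk_set_status(alerts: list, ids: set, status: str) -> int:
    # Bulk status change from the list view; returns the number updated.
    if status not in ("New", "In Progress", "Resolved"):
        raise ValueError(f"unknown status {status!r}")
    changed = 0
    for a in alerts:
        if a.id in ids:
            a.status, changed = status, changed + 1
    return changed

# Constructed sample alerts, not real Jamf Protect data.
SAMPLE = [Alert("a1", "EICARDetected"), Alert("a2", "CryptoMiner", severity="Low"),
          Alert("a3", "ReverseShell"), Alert("a5", "SSHAsRoot", severity="Medium"),
          Alert("a4", "KnownMalware", severity="High", prevented=True)]
```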
Other UI changes - Many other areas of the Jamf Protect UI were updated to take advantage of these new alert properties.
The Detections dashboard and individual Computer view now show alerts grouped by severity and show a much more intuitive timeline of alert activity.
The Action settings now allow you to specify what data is actually collected by Jamf Protect’s cloud to limit your data flow.
And your data retention settings can be customized for Informational alerts specifically.
We’ve also released a set of API changes to power all of this new functionality. Details on these API changes can be found in our blog post.
Any Jamf Protect plans you have deployed with the “Enable AutoUpdate” checkbox selected will have the latest agent deployed to them automatically when it is released. For any other plans, please update the deployments in the Jamf Protect console and push them to devices using Jamf Pro when you are ready.
For additional details about this release, see the Jamf Protect Release Notes.