Security Operations Actions in Endpoint Detection


What are Security Operations actions?

Security Operations (SecOps) actions are the controls available in an endpoint security or EDR workflow that let administrators review detections and take follow-up steps such as updating status, investigating details, or performing response tasks within the security console. In Kandji Endpoint Detection & Response, these actions are surfaced on the Threats page and include updating the detection's Status to track progress through review and remediation.

Using SecOps Actions in EDR

The Status action on the Threats page of Endpoint Detection lets you track and update detection events as you work through them. As an admin, you can manually mark detections as Open or Closed, while Kandji automatically assigns other statuses based on timing, such as when the detection first occurred or how long it's been resolved. This creates a consistent workflow that helps you see what's new, what needs attention, and what's been handled, making it easier to triage threats and track progress across your fleet.

The Status column is available in both File Detection and Behavioral Detection tables.

Status Types

Detection events can have one of four statuses:

  • New – Occurred within the last 24 hours.

  • Open – Not yet marked as closed.

  • Closed – Resolved by manually marking as Closed.

  • Archived – Closed for more than 30 days.

Automatic management: The New and Archived statuses are set automatically by Kandji. You can manually change a detection between Open and Closed.

Filtering by Status

You can filter detection events by status on the Threats page:

  • Event filter – By default, shows New, Open, and Closed events. Archived events are hidden unless selected.

  • Device filter – Located in the side panel, allows filtering devices by Open or Closed detections.
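The status rules listed under Status Types and the default event filter above, worked through as an added Python example (this is not Kandji code and makes no use of its API); the Detection model, the field names, and the rule that a manually closed detection shows as Closed rather than New are assumptions of the example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NEW_WINDOW = timedelta(hours=24)    # New: occurred within the last 24 hours
ARCHIVE_AFTER = timedelta(days=30)  # Archived: closed for more than 30 days

@dataclass
class Detection:
    """Constructed model of one Threats-table row (not Kandji's schema)."""
    event_id: str
    occurred_at: datetime
    closed_at: Optional[datetime] = None  # set when an admin marks it Closed

def effective_status(d: Detection, now: datetime) -> str:
    """Derive the displayed status from the manual Open/Closed state plus timing.
    Assumption: a manually closed detection shows Closed/Archived even if it
    occurred less than 24 hours ago."""
    if d.closed_at is not None:
        return "Archived" if now - d.closed_at > ARCHIVE_AFTER else "Closed"
    return "New" if now - d.occurred_at <= NEW_WINDOW else "Open"

def set_status(d: Detection, status: str, now: datetime) -> Detection:
    """The only manual transitions: Open <-> Closed. New and Archived are
    never set by hand; they follow from timing."""
    if status == "Closed":
        d.closed_at = now
    elif status == "Open":
        d.closed_at = None
    else:
        raise ValueError(f"{status!r} is assigned automatically, not by an admin")
    return d

def filter_events(detections, now, include_archived=False):
    """Default event filter: New, Open and Closed; Archived only when selected."""
    visible = {"New", "Open", "Closed"} | ({"Archived"} if include_archived else set())
    return [d for d in detections if effective_status(d, now) in visible]

# Constructed sample rows, relative to a fixed "now" so runs are repeatable.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Detection("det-1", NOW - timedelta(hours=3)),                                     # New
    Detection("det-2", NOW - timedelta(days=2)),                                      # Open
    Detection("det-3", NOW - timedelta(days=5), closed_at=NOW - timedelta(days=1)),   # Closed
    Detection("det-4", NOW - timedelta(days=60), closed_at=NOW - timedelta(days=45)), # Archived
]

def status_summary(detections=SAMPLE, now=NOW):
    """Map each event id to its derived status, e.g. for a triage report."""
    return {d.event_id: effective_status(d, now) for d in detections}
```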

Changing Detection Status

Updating statuses regularly helps keep detection lists accurate and improves filtering for active threats.

To change the status of one or more detections:

  1. Select the detection(s) using the checkbox.

  2. Click Change Status in the action bar.

  3. Choose the new status from the dropdown menu.

  4. Click Change to apply.

You can update detections individually or in bulk.