Endpoint Detection & Response - Understanding Threat Events

Learn how to view, understand, and act on threat events in the Kandji Web App

Defining Threat Events

Endpoint Detection & Response (EDR) creates a threat event when it identifies malware or potentially unwanted programs (PUPs) on a device. This happens in either Detect Posture or Protect Posture, where the threat is also quarantined. Each threat event includes details such as the threat name, classification, process involved, detection date, and current status. You can find all Threat events on the Threats page for devices linked to Blueprints with Avert. Additionally, these events are viewable on individual device records.

• Learn how to view, understand, and act on Threat events in the Kandji Web App
  • Defining Threat Events
  • Threat-Centric table view
  • Event Information
  • Classifications
  • Statuses
  • Filtering Threat Events
  • Side Panel
  • Viewing a Device's Threat Events in the Side Panel
  • On the left-hand navigation bar, navigate to Threats.
  • Rechecking the Status of a Threat
  • Releasing a Threat Event
• Performing a VirusTotal Search
• Exporting Threat Events in CSV

Threat-Centric table view

Threat events are organized by hash, allowing you to easily evaluate the overall impact of a threat across your Mac fleet. Each group includes a side panel that offers detailed insights into each threat.

Event Information

Each threat event in the threat-centric table view provides essential information to assist InfoSec teams in investigating threats.

• Threat ID - Displays the SHA-256 hash value of the detected threat.

• Process - Shows the most recently detected process responsible for the threat.

• Classification - Indicates the classification category of the threat event.

• Detection Date - Records the date when EDR identified the threat.

• Devices - Lists the total number of Mac devices affected by the threat event.

• Threat Status - Provides a comprehensive view of all threat statuses—Not quarantined, Quarantined, Resolved, and Released—across all devices for the grouped threat event.

Classifications

Kandji classifies threats into four categories: malware, potentially unwanted programs (PUPs), benign, and unknown.

• Malware - This term refers to malicious software designed to harm devices, individuals, or organizations.

• Potentially Unwanted Program (PUP) - These are applications that might be unwanted on a device. PUPs often use high system resources, affecting performance, displaying unwanted ads, and collecting personal information. Unlike malware, PUPs are not intended to cause harm and are usually installed inadvertently with other software, often found in bundled packages.

• Benign - This classification is for files initially flagged as malicious but later determined to be non-malicious after further analysis. If you encounter benign threat events, it might be because the item was in your Avert Library Item block list at the time of detection or quarantine.

• Unknown - This category is for files that Kandji EDR cannot definitively classify as either malicious or benign based on the available data. If you encounter benign threat events, it might be because the item was in your Avert Library Item block list at the time of detection or quarantine.

Statuses

All threat events will have a status associated with them. The various statuses that a threat event may have are:

• Quarantined - A detected threat that was automatically quarantined in Protect posture.

• Not Quarantined - A detected threat that was not quarantined in Detect posture.

• Released - A threat that was initially quarantined but later released and restored to its original location.

• Resolved - A detected threat that is no longer at the last detected file path and was not quarantined by the agent.

Quarantining of Malware and PUP will be determined by the posture mode as configured in the Avert Library Item. Please see Endpoint Detection and Response: Configuring the Avert Library Item for more information on how to configure the posture modes in your environment.

Filtering Threat Events

You can filter threat events based on their status for easier visualization and remediation.

1. Select the Detection Date range for which you'd like to view threat events.

2. Choose the Threat status you want to see in the list; you can select one or multiple.

3. Pick the Classification type.

4. When you're finished, click the Clear all button to return to the default view, which shows all statuses for the last 30 days.

Side Panel

The threat-centric table view features a side panel for each grouped event, which can be opened by clicking on a threat event row to access detailed information about that specific threat. The side panel includes information such as:

• Latest file name associated with the threat
• A global view of all threat statuses—Not quarantined, Quarantined, Resolved, and Released—for the grouped threat event across all devices
• First and last detection dates across all devices.
• Insights on all unique file paths found related to the threat

Device cards

Device cards in the side panel represent devices where the malicious file was found. These cards will display information such as:

• Device Name

• Serial Number

• Blueprint and Library Item.

• Malware and PUP Posture Mode

• Actionable Events
  

• Threat Event Details:

  • Threat Status - The current status of the threat on the device.

  • Path - The file path where the threat was detected.

  • User - The user associated with the process when the threat was detected.

  • Detection Date - The date when EDR identified the threat.

  • Quarantine Date - The date when EDR quarantined the threat.

  • Resolved Date - The date when the threat was marked as resolved in the web app.

  • Release Date - The date when the threat was released from quarantine on the device.

  • Application Bundle Path - The path to the application bundle.

Viewing a Device's Threat Events in the Side Panel

1. On the left-hand navigation bar, navigate to Threats.

2. Click on any threat event to open the side panel.

3. In the Devices tab, view the device cards for all devices where the malicious hash was detected. Click any device card to expand it and view associated threat events.

Rechecking the Status of a Threat

When the Malware or PUP posture modes are set to Detect, you can manually check a threat's status in the side panel to see if it's still present at the file path. If the threat is no longer there, its status will update from 'Not quarantined' to 'Resolved.' If the threat is still present, its status will remain unchanged.

1. On the left-hand navigation bar, navigate to Threats.

2. Click on any threat event to open the side panel.

3. Click the desired device card to expand it and view the device's threat events.

4. Click Recheck status.

When threats are initially detected and removed from a device, their status will change from Not quarantined to Resolved once the Malware or PUP posture modes in the Avert Library Item are set to Protect mode. This update also occurs when a new Blueprint with these settings is applied to the device

Releasing a Threat Event

There might be situations where InfoSec teams need to release a threat event for specific files or applications that were mistakenly quarantined, such as a security tool or application used by the organization. Releasing a threat event involves adding the item to the Allow list for the associated Avert Library Item.

The threat event release action will only apply to the Blueprints assigned to the Avert Library Item.

1. On the left-hand navigation bar, navigate to Threats.

2. Click on any threat event to open the side panel.

3. Click the desired device card to expand it and view the device's threat events.

4. Click Release threat.
   

5. Enter an Item Name.

6. Optionally, enter an internal note stating why the threat event is being released.

7. Type RELEASE to release the threat.

8. Click Add and Release to add the threat to your Allow list and release the threat.

Performing a VirusTotal Search

VirusTotal is a powerful tool that provides in-depth analysis and insights into files and URLs. The web app includes a convenient feature for searching hashes within VirusTotal, allowing you to access additional contextual information directly from a threat event entry without leaving the app.

1. On the left-hand navigation bar, navigate to Threats.

2. Click the ellipsis located on the far right of the desired threat event.

3. Click Search VirusTotal to search the hash in VirusTotal.

Kandji EDR may classify certain hashes as malware or PUP, even if VirusTotal has no detections on them or considers them non-malicious; this is expected due to Kandji EDR's utilization of multiple threat sources.

Exporting Threat Events in CSV

In addition to using the Kandji API, InfoSec and IT teams can export the list of threat events directly from the admin console. The export icon in the threat-centric view applies the current filter settings and generates a CSV file with detailed information about each Threat event in separate columns. This feature is available in both the main Threats module view and the Threats tab under Device Record.

1. On the left-hand navigation bar, navigate to Threats.

2. Click the Export icon on the far right of the Threat events list view. A CSV export file will download automatically.

1. Optionally, select individual threat events to export.

2. Click Export CSV at the bottom of the page to export the selected items.