Endpoint Detection & Response - Understanding Threat Events

By Corey Willis

Learn how to view, understand, and act on Threat events in the Kandji web app

Defining Threat Events

Endpoint Detection & Response (EDR) generates a Threat event when it detects (Detect posture) or detects and quarantines (Protect posture) malware or a potentially unwanted program (PUP) on a device. A Threat event includes the threat name, threat classification, process, detection date, and status. All Threat events are reported on the Threats page for devices that belong to Blueprints containing the Avert Library Item, and each device's record page lists that device's Threat events for per-device review.

Classifications

Kandji categorizes threats into two classifications, malware and potentially unwanted program (PUP).

  • Malware is a blanket term used to describe malicious software designed with the intent to cause harm to computers, tablets, mobile devices, individuals, or organizations.
  • A potentially unwanted program (PUP) is software that may be unwanted on a device. PUPs often consume high system resources and degrade performance, display unwanted ads, or collect personal information. Unlike malware, PUPs are not intended to cause harm; they are usually installed inadvertently alongside other software, most commonly as part of a bundled installer.

Event Information

Every Threat event will include critical information that will help InfoSec teams investigate threats.

  • Threat Name: The threat's name as detected.
  • Process: The process responsible for the detected threat.
  • Device: The device on which EDR detected the threat.
  • Detection Date: The date on which EDR detected the threat.
  • Path: The file path of the detected threat.
  • Hash: SHA-256 hash of the detected file; use it to pivot to other devices and to threat-intelligence sources.
  • User: The owner of the identified process at the time of detection.

Threat events are visible in the web app for up to 90 days; all historical Threat event data since device enrollment is available via the API. However, Kandji may purge Threat event history as part of certain device actions.

Statuses

All Threat events will have a status associated with them. The various statuses that a Threat event may have are:

  • Quarantined - A detected threat that was automatically quarantined (Protect posture).
  • Not Quarantined - A detected threat not quarantined (Detect posture).
  • Released - A threat initially quarantined and later released and restored to its original location.
  • Resolved - A detected threat that was not quarantined by the agent and is no longer present at the last detected file path.

Whether malware and PUPs are quarantined is determined by the posture mode configured in the Avert Library Item. See Endpoint Detection and Response: Configuring the Avert Library Item for more information on configuring the posture modes in your environment.

Rechecking the Status of a Threat

When the Malware or PUP posture mode is set to Detect, you can manually recheck a threat's status to determine whether the file is still present at the recorded path. If it is no longer there, the status changes from Not quarantined to Resolved; if it is still there, the status is unchanged. Note that Resolved only means the file is gone from that path: the agent did not remove it, so establish who did (a user, another tool, or the malware relocating itself) before closing the case.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the ellipsis on the far right of the non-quarantined threat you want to recheck.
  3. Click "Recheck status."

Threats that were detected in Detect mode and later deleted locally on the device are updated from Not quarantined to Resolved when the Malware or PUP posture mode in the Avert Library Item is raised to Protect, or when the device is assigned a new Blueprint whose Avert Library Item has the Malware or PUP posture mode set to Protect.
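The recheck rule above (file gone from its path means Resolved, file still present means unchanged) can be reproduced locally when you want to verify a status before acting on it, for example from a terminal session on the device. The following Python script is an added example, not Kandji's code or API; the ThreatEvent type, the recheck function and the sample file it writes are constructed for illustration. It goes one step further than the console: when the file is still present, it also compares the current SHA-256 against the hash recorded in the event, so a different file dropped at the same path is not mistaken for the original detection.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, replace


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class ThreatEvent:
    """Subset of the Threat event fields listed above (constructed type, not Kandji's)."""
    threat_name: str
    path: str
    sha256: str
    status: str  # Quarantined, Not Quarantined, Released or Resolved


def recheck(event):
    """Apply the console's recheck rule locally and add a hash comparison.

    Returns (possibly updated event, reason). Only Not Quarantined events are
    eligible, matching the article: quarantined, released and resolved events
    are returned unchanged.
    """
    if event.status.lower() != "not quarantined":
        return event, "not applicable: recheck only applies to Not Quarantined events"
    if not os.path.exists(event.path):
        # Same transition the console makes: the file is gone from the recorded path.
        return replace(event, status="Resolved"), "file no longer present at path"
    actual = sha256_file(event.path)
    if actual == event.sha256.lower():
        return event, "file still present with the recorded hash"
    # The path is occupied by different content: the original detection is gone,
    # but something replaced it, so treat it as a new artifact rather than Resolved.
    return event, f"file present but hash changed (now {actual[:12]}...): investigate as a new artifact"


def run_scenarios():
    """Exercise recheck() against a constructed sample file: present, modified, deleted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "launcher")
        with open(path, "wb") as f:
            f.write(b"constructed sample payload, not malware\n")
        event = ThreatEvent("Constructed.Sample.A", path, sha256_file(path), "Not Quarantined")

        results["present"] = recheck(event)[0].status  # unchanged
        with open(path, "ab") as f:
            f.write(b"tampered\n")
        results["modified"] = recheck(event)[1].startswith("file present but hash changed")
        os.remove(path)
        results["deleted"] = recheck(event)[0].status  # Resolved
        results["quarantined"] = recheck(replace(event, status="Quarantined"))[0].status
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

To use it against a real event, build the ThreatEvent from the Path and Hash fields of the Threat event and run the script on the device itself; the hash comparison is the part the console's recheck does not give you.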

Releasing a Threat Event

There are scenarios in which an InfoSec team may want to release a Threat event for a file or application that was inadvertently quarantined, for example another security tool in use by the organization. Releasing a Threat event adds the item to the Allow list of the associated Avert Library Item, so the allowance persists for future detections and not just for the one event. Because the Allow list entry is prefilled with the quarantined file's hash, compare that hash against a known-good build of the tool before releasing it.

The Threat event release action applies only to the Blueprints scoped in the Avert Library Item.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the ellipsis on the far right of the Threat event to be released.
  3. Click "Release threat event."
  4. Optionally, enter an internal note stating why the Threat event is being released.
  5. Click Next.
  6. Give the item a name. All other information, such as item type and hash, is prefilled.
  7. Click Next.
  8. Confirm the release by selecting the "I understand, and would like to proceed." checkbox.
  9. Click "Add and release" to save changes.
The steps above can also be performed in the device record page of a device.

Exporting Threat Events in CSV

In addition to the Kandji API, InfoSec and IT teams can export the list of Threat events directly from the admin console. The Export icon in the Threat list view applies the on-screen filter settings and downloads a CSV file with every available Threat event field in its own column. This functionality is available in the main Threats module view and in the Threats tab of the device record.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the Export icon or text located on the far right of the Threat events list view.
  3. A CSV export file will download automatically.
The steps above can also be performed in the device record page of a device. When exporting from the device view, the results will only be for that device.
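Once the CSV is downloaded, a few lines of code turn it into a triage list. The following Python script is an added example, not Kandji's code; the column headers it expects are an assumption derived from the Event Information fields above (compare them against the header row of a real export before use), and the four rows are constructed sample data. It groups events by status, lists unquarantined malware that still needs action, shows which hashes appear on more than one device, and lists the hashes that have been released (and are therefore allowed), which are worth periodic review.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed export layout: one column per Threat event field named in the article.
# The rows are constructed sample data, not real detections.
SAMPLE_CSV = """Threat Name,Classification,Process,Device,Detection Date,Path,Hash,User,Status
Constructed.Malware.A,Malware,launcher,mac-001,2024-05-01T10:00:00Z,/Users/alice/Downloads/launcher,{a},alice,Not Quarantined
Constructed.PUP.B,PUP,installer,mac-002,2024-05-01T11:30:00Z,/Applications/Bundle.app/Contents/MacOS/installer,{b},bob,Quarantined
Constructed.Malware.A,Malware,launcher,mac-003,2024-05-02T09:15:00Z,/Users/carol/Downloads/launcher,{a},carol,Resolved
Constructed.PUP.C,PUP,helper,mac-001,2024-05-03T14:00:00Z,/Library/Application Support/Tool/helper,{c},alice,Released
""".format(a="a" * 64, b="b" * 64, c="c" * 64)  # placeholder SHA-256 values


def load_events(csv_text):
    """Parse an export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(events):
    by_status = Counter(e["Status"] for e in events)

    # Detect-mode malware that nobody has quarantined yet is the first thing to act on.
    needs_attention = sorted(
        (e["Device"], e["Path"])
        for e in events
        if e["Classification"] == "Malware" and e["Status"].lower() == "not quarantined"
    )

    # The same hash on several devices points to a shared source (a download, a
    # bundled installer, a lateral move), even when some of those events are Resolved.
    devices_by_hash = defaultdict(set)
    for e in events:
        devices_by_hash[e["Hash"]].add(e["Device"])
    spread = {h: sorted(d) for h, d in devices_by_hash.items() if len(d) > 1}

    # Released events correspond to Allow list entries; review them periodically.
    released = sorted({e["Hash"] for e in events if e["Status"] == "Released"})

    return {
        "by_status": dict(by_status),
        "needs_attention": needs_attention,
        "spread": spread,
        "released": released,
    }


if __name__ == "__main__":
    report = triage(load_events(SAMPLE_CSV))
    print("Events by status:", report["by_status"])
    print("Unquarantined malware:", report["needs_attention"])
    print("Hashes on multiple devices:", report["spread"])
    print("Released (allowed) hashes:", report["released"])
```

To run it against a real export, replace SAMPLE_CSV with the file contents (read with open(path, newline="") so embedded line breaks are handled by the csv module) and confirm the header names match first. Note that in the sample the Resolved event on mac-003 shares its hash with the open event on mac-001: a Resolved status on one device says nothing about the same file elsewhere.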

Next Steps

Please see the Configure the Avert Library Item support article to learn more about configuring the Avert Library Item for EDR.