Endpoint Detection & Response - Understanding Threat Events

By Corey Willis

Learn how to view, understand, and act on Threat events in the Kandji web app

Defining Threat Events

Endpoint Detection & Response (EDR) generates a Threat event when it detects (Detect posture) or detects and quarantines (Protect posture) malware or a potentially unwanted program (PUP) on a device. A Threat event includes the threat name, threat classification, process, detection date, and status. All Threat events are reported on the Threats page for devices that belong to Blueprints containing Avert. Threat events are also shown on the device record page, so they can be reviewed per device.

Classifications

Kandji categorizes threats into two classifications, malware and potentially unwanted program (PUP).

  • Malware is a blanket term used to describe malicious software designed with the intent to cause harm to computers, tablets, mobile devices, individuals, or organizations.
  • A potentially unwanted program (PUP) is software that may be unwanted on a device. PUPs typically consume high system resources and degrade performance, display unwanted ads, or collect personal information. Unlike malware, PUPs are not designed to cause harm; they are usually installed inadvertently alongside other software, most commonly as part of a bundled installer.

Event Information

Every Threat event includes the following information to help InfoSec teams investigate the detection:

  • Threat Name: The name of the threat as detected.
  • Process: The process responsible for the detected threat.
  • Device: The device on which EDR detected the threat.
  • Detection Date: The date on which EDR detected the threat.
  • Path: The file system path of the detected threat.
  • Hash: The SHA-256 hash of the detected file.
  • User: The owner of the process that was running when the threat was detected.

Statuses

Every Threat event has a status. The possible statuses are:

  • Quarantined - A detected threat that was automatically quarantined (Protect posture).
  • Not Quarantined - A detected threat that was not quarantined (Detect posture).
  • Released - A threat that was initially quarantined and later released and restored to its original location.

Whether malware and PUPs are quarantined is determined by the posture mode configured in the Avert Library Item. Please see Endpoint Detection and Response: Configuring the Avert Library Item for more information on how to configure the posture modes in your environment.

Releasing a Threat Event

There may be scenarios in which InfoSec teams want to release a Threat event for a specific file or application that was inadvertently quarantined, for example another security tool or application used by the organization. Releasing a Threat event adds the item to the Allow list of the associated Avert Library Item, so the item is allowed on every device in that Library Item's scope, not only the device that reported the event. Because the Allow list entry is created from the event's hash, confirm that the hash belongs to the software you intend to trust before releasing.

The Threat event release action applies only to the Blueprints scoped in the Avert Library Item.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the ellipsis located on the far right of the desired Threat event to be released.
  3. Click "Release threat event."
  4. Optionally, enter an internal note stating why the Threat event is being released.
  5. Click Next.
  6. Give the item a name. All other information, such as item type and hash, will be prefilled.
  7. Click Next.
  8. Confirm the release by selecting the "I understand, and would like to proceed." checkbox.
  9. Click the "Add and release." button to save changes.

The steps above can also be performed from the device record page of a device.

Next Steps

Please see the Configure the Avert Library Item support article to learn more about configuring the Avert Library Item for EDR.