Endpoint Detection & Response - Understanding Threat Events

By Emalee Firestein

Learn how to view, understand, and act on Threat events in the Kandji Web App

Defining Threat Events

Endpoint Detection & Response (EDR) generates a Threat event when it detects (Detect posture), or detects and quarantines (Protect posture), malware or a potentially unwanted program (PUP) on a device. A Threat event records the threat name, threat classification, process, detection date, and status. All Threat events are listed on the Threats page for devices that belong to Blueprints containing the Avert Library Item. Threat events are also shown on each device's record page for per-device review.

Classifications

Kandji categorizes threats into two classifications: malware and potentially unwanted program (PUP).

  • Malware is a blanket term used to describe malicious software designed with the intent to cause harm to computers, tablets, mobile devices, individuals, or organizations.
  • A potentially unwanted program (PUP) is software that may be unwanted on a device. PUPs typically consume high system resources, degrading performance, and may display unwanted ads or collect personal information. Unlike malware, PUPs are not designed to cause harm; they are usually installed inadvertently alongside other software, as is common with bundled installers.

Event Information

Every Threat event includes the information InfoSec teams need to investigate the detection:

  • Threat Name: Lists the threat’s name as detected.
  • Process: Lists the process responsible for the threat detected.
  • Device: The device on which EDR detected the threat.
  • Detection Date: The date that EDR detected the threat.
  • Path: The path location of the detected threat.
  • Hash: SHA-256 hash value of the detected threat.
  • User: The owner of the identified process that was running when the threat was detected.
  • Quarantine Date: The date EDR quarantined the threat.
  • Resolved Date: The date the threat was updated in the web app as resolved.
  • Release Date: The date the threat was released from quarantine on the device.

Threat events are visible in the web app for up to 90 days; all historical Threat event data since device enrollment is available via the API. Note, however, that Kandji may purge Threat event history in certain device action scenarios, so export or pull records you need to retain before taking such actions.

Statuses

All Threat events will have a status associated with them. The various statuses that a Threat event may have are:

  • Quarantined - A detected threat that was automatically quarantined (Protect posture).
  • Not Quarantined - A detected threat not quarantined (Detect posture).
  • Released - A threat initially quarantined and later released and restored to its original location.
  • Resolved - A detected threat that was no longer at the last detected file path and was not quarantined by the agent.

Whether malware and PUPs are quarantined is determined by the posture mode configured in the Avert Library Item. See Endpoint Detection and Response: Configuring the Avert Library Item for more information on configuring posture modes in your environment.

Filtering Threat Events

You can filter Threat events by detection date, status, and threat type for easier review and remediation.

  1. Select the Detection date range for which you'd like to view threat events.
  2. Select the Status you'd like to see in the list; you can select one or multiple.
  3. Select the threat type.
  4. To return to the default view (all statuses for the last 7 days), click the Clear all button.

Rechecking the Status of a Threat

When the Malware or PUP posture mode is set to Detect, you can manually recheck a threat's status to determine whether the threat is still present at the recorded file path. If the threat is no longer present at that path, its status changes from Not Quarantined to Resolved. If the threat remains at that path, its status is unchanged.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the ellipsis on the far right of the desired non-quarantined threat you want to recheck.
  3. Click "Recheck status."

Threats that were detected in Detect mode and later deleted locally on the device also move from Not Quarantined to Resolved when the Malware or PUP posture mode in the Avert Library Item is raised to Protect, or when the device is assigned a new Blueprint containing an Avert Library Item whose Malware or PUP posture mode is Protect.

Releasing a Threat Event

There may be scenarios in which InfoSec teams want to release a Threat event for a file or application that was quarantined inadvertently, e.g., another security tool or application used by the organization. Releasing a Threat event adds the item to the Allow list of the associated Avert Library Item, so the same item will not be quarantined again on devices covered by that Library Item. Because a release is also a standing allow-list decision, confirm the file is benign (for example, by comparing the recorded SHA-256 hash against the hash published by the software's vendor) before releasing it.

The Threat event release action applies only to the Blueprints assigned to that Avert Library Item.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the ellipsis located on the far right of the desired Threat event to be released.
  3. Click "Release threat."
  4. Enter an Item Name.
  5. Optionally, enter an internal note stating why the Threat event is being released.
  6. Type RELEASE to release the threat.
  7. Click Add and Release to add the threat to your Allow list and release the threat.
The steps above can also be performed in the device record page of a device.

Exporting Threat Events in CSV

In addition to the Kandji API, InfoSec and IT teams may want to export the list of Threat events directly from within the admin console. The Export icon in the Threat list view applies the on-screen filter settings and produces a CSV file with every available Threat event field in its own column. This functionality is available in the main Threats module view and in the Threats tab of a Device Record.

  1. On the left-hand navigation bar, navigate to Threats.
  2. Click the Export icon or text located on the far right of the Threat events list view.
  3. A CSV export file will download automatically.
The steps above can also be performed in the device record page of a device. When exporting from the device view, the results will only be for that device.
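The CSV export above, combined with the fields listed under Event Information, lends itself to offline triage that the filters in the web app do not offer directly: finding Not Quarantined events that have sat untouched long enough to warrant a manual recheck (or a move to Protect posture), spotting a single SHA-256 hash that has appeared on several devices, and listing Released events so the corresponding Allow list entries get periodic review. The following Python script is an added example written for this article, not Kandji's own code or API; the column headers, the ISO 8601 timestamp format, and the sample rows are all constructed assumptions modelled on the field names in this article, so verify them against a real export before relying on the script.

```python
"""Triage a Kandji EDR Threat-event CSV export (added example; assumptions noted inline)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder SHA-256 values for the constructed sample rows; not real file hashes.
HASH_DROPPER = "a1" * 32
HASH_ADWARE = "b2" * 32
HASH_SCANNER = "c3" * 32
HASH_TOOLBAR = "d4" * 32

# Constructed sample export. The header names are an assumption based on the fields
# this article lists; a real export may name or order columns differently.
SAMPLE_CSV = f"""Threat Name,Classification,Status,Process,Device,User,Path,Hash,Detection Date,Quarantine Date,Resolved Date,Release Date
OSX.Sample.Dropper,Malware,Quarantined,installer,MacBook-01,jdoe,/Users/jdoe/Downloads/installer,{HASH_DROPPER},2024-05-01T10:00:00Z,2024-05-01T10:00:05Z,,
OSX.Sample.Dropper,Malware,Quarantined,installer,MacBook-02,asmith,/Users/asmith/Downloads/installer,{HASH_DROPPER},2024-05-02T09:30:00Z,2024-05-02T09:30:04Z,,
PUP.Sample.Adware,PUP,Not Quarantined,AdHelper,MacBook-03,bwong,/Applications/AdHelper.app/Contents/MacOS/AdHelper,{HASH_ADWARE},2024-04-20T14:00:00Z,,,
PUP.Sample.Adware,PUP,Resolved,AdHelper,MacBook-04,clee,/Applications/AdHelper.app/Contents/MacOS/AdHelper,{HASH_ADWARE},2024-04-25T08:15:00Z,,2024-05-03T11:00:00Z,
PUP.Sample.Scanner,PUP,Released,scanner,MacBook-01,jdoe,/opt/scanner/bin/scanner,{HASH_SCANNER},2024-05-05T16:45:00Z,2024-05-05T16:45:03Z,,2024-05-06T09:00:00Z
PUP.Sample.Toolbar,PUP,Not Quarantined,ToolbarAgent,MacBook-05,dkim,/Library/Application Support/ToolbarAgent,{HASH_TOOLBAR},2024-05-08T12:00:00Z,,,
"""

# Constructed "as of" date for the sample, so the age calculations are reproducible.
REPORT_DATE = datetime(2024, 5, 10, tzinfo=timezone.utc)

DATE_COLUMNS = ("Detection Date", "Quarantine Date", "Resolved Date", "Release Date")


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp (assumed export format); empty cells become None."""
    value = (value or "").strip()
    if not value:
        return None
    if value.endswith("Z"):  # fromisoformat() before Python 3.11 rejects a trailing Z
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_threats(csv_text):
    """Read the export into dicts, converting the date columns to aware datetimes."""
    threats = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        record = {key: (val or "").strip() for key, val in row.items()}
        for col in DATE_COLUMNS:
            record[col] = parse_timestamp(row.get(col))
        threats.append(record)
    return threats


def summary_by_status(threats):
    """Count events per status, e.g. to compare Quarantined vs Not Quarantined volume."""
    return dict(Counter(t["Status"] for t in threats))


def stale_unquarantined(threats, now, max_age_days=7):
    """Not Quarantined events older than max_age_days, oldest first.

    In Detect posture the agent leaves the file in place, so an old Not Quarantined
    event means nothing has removed it: queue these for "Recheck status" or for
    raising the posture mode to Protect.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = [
        t for t in threats
        if t["Status"].lower() == "not quarantined" and t["Detection Date"] < cutoff
    ]
    return sorted(stale, key=lambda t: t["Detection Date"])


def hash_spread(threats, min_devices=2):
    """Map SHA-256 -> set of devices, keeping hashes seen on at least min_devices devices."""
    devices = defaultdict(set)
    for t in threats:
        if t["Hash"]:
            devices[t["Hash"]].add(t["Device"])
    return {h: d for h, d in devices.items() if len(d) >= min_devices}


def releases_to_review(threats):
    """Released events: each corresponds to an Allow list entry worth periodic review."""
    return [t for t in threats if t["Status"].lower() == "released"]


if __name__ == "__main__":
    events = parse_threats(SAMPLE_CSV)
    print("by status:", summary_by_status(events))
    for t in stale_unquarantined(events, REPORT_DATE):
        print("stale:", t["Device"], t["Threat Name"], t["Path"])
    for h, devs in hash_spread(events).items():
        print("spread:", h[:12] + "...", sorted(devs))
    for t in releases_to_review(events):
        print("released:", t["Device"], t["Threat Name"], t["Release Date"])
```

Point `parse_threats` at the contents of a real export (for example `parse_threats(open("threats.csv").read())`) and replace `REPORT_DATE` with `datetime.now(timezone.utc)`. The age threshold in `stale_unquarantined` is deliberately a parameter: pick it to match how often your team actually runs "Recheck status" in Detect posture.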

Next Steps

Please see the Configure the Avert Library Item support article to learn more about configuring the Avert Library Item for EDR.