Kandji EDR

Kandji Endpoint Detection and Response (EDR) is designed to enhance endpoint protection and streamline device management, particularly for Apple devices. Kandji EDR combines real-time threat detection, automated response mechanisms, and robust analytics to safeguard organizations against evolving cyber threats. For detailed information, refer to Kandji EDR’s official documentation.

Integration Method: API

Table: Detection Finding (2004)

This integration supports the following events.

This integration supports the following versions.

Prerequisites

• The user should have access to the Kandji portal with an account that has admin access. 

• The user should have access to the DataBee console.

Configuration Overview

1. Create an API Token with required permissions to fetch the data.

2. Create Kandji EDR data feed in the DataBee console with the required Client credentials.

Kandji EDR Configuration

Create a Token

1. Login to the Kandji EDR console.
    

2. Click on the Settings button.
    

3. Click on the Access tab.
    

4. Click on the Add Token button.
    

5. Enter ‘Name’ and ‘Description’ of Token.
    

6. Click on the Create button.
    

7. Click on the Copy Token to copy the token to your clipboard. Ensure you store the token in a secure location, as you will not be able to view it again. Check the checkbox to confirm that the token has been copied.
    

   Note:

   Ensure you store the token in a secure location, as you will not be able to view it again.

8. Click on the Next button.
    

9. Click on the Configure button.
    

10. Click on the Configure Permissions button.
     

11. Select get Threat Details permission.

    1. Search for Threat Details.

    2. Select check box of Get Threat Details permission.

    3. Click on the Save button.

12. Click on the Close button.
     

13. Copy the Organization’s API URL, as it contains the subdomain and region, which are required during the DataBee configuration process. 

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for Kandji EDR and select it.
    

3. Click on the API Ingest.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, enter the following:

   • API Base URL: replace < subdomain > and < region >with your subdomain and region according to your organization's API URL .

   • Authorization Method: Bearer Token

   • Token: paste the Token generated earlier in the Kandji EDR portal.

   • Event Types: preselected for all the event types that integration pulls.

Note:

The URL for the API endpoint that you use is based on your region. Here, we have used the URL for US region. You can change the URL as per subscription. Below is the list of URLs as per the subscription.

• US - https://SubDomain.api.kandji.io

• EU - https://SubDomain.api.eu.kandji.io

6. Click Submit.

Troubleshooting Tips

• If you encounter an Unauthorized error, it may indicate that the authentication token has expired or deleted. In this case, regenerate the token to restore access. To prevent potential issues, consider pasting the token into a text editor to verify that there are no extra spaces or unexpected characters before reconfiguring the DataBee feed.