Skip to main content

Kandji

Visualize Kandji devices and apps, and monitor changes through queries and alerts.

Installation

JupiterOne requires an Access Token and Organization API URL for this integration. You need permission to create users in Kandji that will be used to obtain the Access Token and API URL.

Configuration in Kandji

  1. Log in to your Kandji subdomain, such as https://{subdomain}.kandji.io/.
  2. Go to Settings > Access > API Token. If you do not see this, contact the server admin.
  3. Click Add Token.
  4. Optionally, enter a token name and description.
  5. Copy the API Token. You will not see it again.
  6. Configure these API permissions:
    • Device list GET /devices
    • Device details GET /devices/{device_id}/details
    • Application list GET /devices/{device_id}/apps

Upon completion of the configuration, you should to see the organization API URL under the API token section.

Use the organization API URL for API_URL and API token for ACCESS_TOKEN.

Data Volume Configuration

Control how much data is ingested from Kandji to manage storage and processing.

Ingestion Windows (Time Ranges)

FieldDescriptionDefaultOptions
Threat Ingest Since DaysNumber of days to look back for threat ingestion9090, 180, 275, 365

How it affects data volume: Higher number of days will result in more threats being ingested from Kandji.

Data Filtering Options

FieldTypeDescriptionDefault
Threat StatusSelectFilter threats by their quarantine statusAll statuses

Available options:

  • Quarantined - Only ingest threats that are quarantined
  • Not Quarantined - Only ingest threats that are not quarantined
  • Released - Only ingest threats that have been released

How it affects data volume: Filtering by status reduces the number of threat entities ingested. By default, all threat statuses are imported.

Configuration in JupiterOne

To install the Kandji integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Kandji. Click New Instance to begin configuring your integration, providing the following:

  • Account Name used to identify the Kandji account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName option is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Kandji Access Token and Kandji API URL generated for use by JupiterOne. Ensure you enter Kandji API URL using the format https://{yourApiUrl}/api/v1/, adding https:// at the beginning and /api/v1/ at the end of the API URL.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.