TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method | 
|---|---|---|---|---|---|---|---|
| Kandji Audit Events | ✅ | ✅ | kandji_audit_logs | NDJSON | S3, API | ||
| Kandji Devices | ✅ | kandji_devices_logs | NDJSON | S3, API | |||
| Kandji Users | ✅ | kandji_users_logs | NDJSON | S3, API | 
Overview
 Kandji is a modern, cloud-based Apple endpoint management and security platform built specifically for enterprises using Apple devices. It supports macOS, iOS, iPadOS, tvOS, and visionOS, helping IT and security teams manage and secure devices across the entire lifecycle — from automated provisioning (zero-touch deployment) to ongoing compliance, patch management, and threat response.
Kandji combines Mobile Device Management (MDM) with Endpoint Detection and Response (EDR) in one integrated platform, allowing organizations to enforce security policies, deploy and update software, and detect and remediate threats in real-time. Its automation engine reduces manual IT tasks by enabling auto-remediation, self-healing scripts, and customizable compliance controls.
Designed with user experience in mind, Kandji provides a sleek, intuitive interface for administrators while ensuring minimal disruption for end users. It also supports integrations with tools like Okta, Slack, Microsoft Azure AD, and others for seamless enterprise workflows.
In short, Kandji helps organizations stay secure, compliant, and productive—without compromising the Apple user experience.
Supported data types
Kandji Logs
Table name: kandji_audit_logs
The kandji_audit_logs table contains detailed audit events generated by the Kandji platform. Each record represents a system action or change, such as device enrollments, profile updates, compliance enforcement, vulnerability detections, and administrative activities. These logs are designed to help IT, compliance, and security teams maintain visibility into all operational events across managed Apple devices.
Typical fields include event identifiers, timestamps, actor and target details, event types (e.g., vulnerability_detect), and contextual metadata about devices or users affected.
Table name: kandji_devices_logs
The kandji_devices_logs table provides a complete inventory and state view of all devices managed through Kandji. It captures device attributes such as hardware model, OS version, serial number, enrollment timestamps, agent version, blueprint assignment, and MDM status. These records also include the last check-in time and associated user information, enabling continuous device compliance tracking and operational insight.
Table name: kandji_users_logs
The kandji_users_logs table tracks user information and associations with managed devices. It includes details such as user IDs, names, email addresses, directory and home paths, account type, secure token or FileVault status, and last login or password change times. This dataset helps correlate device activity with specific users and supports compliance and identity investigations.
Send data to Hunters
Hunters supports the ingestion of Kandji logs via an intermediary AWS S3 bucket.
To connect Kandji logs:
- Use the Puller for the API pulling mechanism.
or,
- Use the S3-List to push your logs from Kandji to an AWS S3 bucket. 
- Once the export is completed and the logs are collected to S3, follow the steps in this section. 
Important note
When connecting Kandji, pay attention to the following:
Enter only the subdomain:
Also, if users encounter a 401 error, this might be because of permissions.
Expected format
The expected format is JSON, which is one of Kandji’s default output formats:
Kandji Audit Events:
{ "id": "01K30QW926472W", "action": "detect", "occurred_at": "2025-08-28T06:17:53.047251Z", "actor_id": "VULNERABILITY_MANAGEMENT", "actor_type": "kandji", "target_id": "997cb667f3f84ad5c738", "target_type": "vulnerability", "target_component": "", "new_state": { "ecs": { "version": "1.6.0" }, "vulnerability": { "enumeration": "CVE", "description": "An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.6. A local attacker may gain access to Keychain items.", "scanner": { "vendor": "Kandji" }, "score": { "base": 5.5 }, "id": "CVE-2025-43251", "severity": "Medium" }, "event": { "action": "vulnerability_detect", "type": [ "info" ], "kind": "alert", "id": "997cbff7d4667f3f84ad5c738", "category": [ "vulnerability" ] }, "host": { "mac": [ "8:9:7:8:8:2", "0:9:7:9:A:C", "0:a:9:4:8:2" ], "id": "332db-aa4c-43d6-a58e-a465ac6cb", "os": { "version": "Sequoia", "platform": "darwin", "name": "macOS" }, "name": "J097NN2" }, "@timestamp": "2025-08-28T06:17:51.720701Z", "device": { "id": "331b-aa4c-d6-a58e-a46a905ac6cb" } }, "metadata": {} }
Kandji Devices:
{ "device_id": "46-519682a2effc", "device_name": "C02MD6M", "model": "MacBook Pro (16-inch, 2019)", "serial_number": "C02D6M", "platform": "Mac", "os_version": "15.5", "supplemental_build_version": "274", "supplemental_os_version_extra": "", "last_check_in": "2025-06-06T13:21:00.913906Z", "user": { "email": "al.bler@xxxnet.com", "name": "Alex Butler", "id": "b1a-9b15-45-9736-0d62d8a290", "is_archived": false, "active": true }, "asset_tag": "", "blueprint_id": "81438fbb-ab9-1d6d483950a7", "mdm_enabled": true, "agent_installed": true, "is_missing": true, "is_removed": false, "agent_version": "4.6.20 (5297)", "first_enrollment": "2024-10-23 11:32:16.760828+00:00", "last_enrollment": "2024-10-23 11:32:16.760828+00:00", "blueprint_name": "RV Global", "lost_mode_status": "", "tags": [] }
Kandji Users:
{ "device_id": "xxxx-xxxx-xxxx", "device__name": "xxxx", "device__family": "Mac", "device__user_id": "1234", "device__user_name": "Carly Danner", "device__user_email": "abc@example.com", "blueprint_id": "81438fbb-xxx-471e-xxx-1d6d483950a7", "blueprint_name": "RV Global", "tags": null, "asset_tag": "", "serial_number": "XX1234XX", "model_id": "MacBookPro18,1", "count": null, "created_at": "2024-10-30T16:56:09.092397+00:00", "updated_at": "2025-09-09T14:38:10.585561+00:00", "last_changed_at": null, "last_collected_at": "2025-09-09T14:38:10.585561+00:00", "uid": 60, "user_created_at": null, "failed_logins": null, "failed_login_time": null, "password_last_set": null, "generated_uid": "XXX-EEEE-DDDD-ASDF", "directory": "/Local/Default", "home_directory": "/var/empty", "shell": "/usr/bin/false", "type": "Standard", "hidden_user": false, "secure_token": null, "filevault_user": false, "volume_owner": false, "full_name": "Seatbelt", "username": "_sandbox", "logged_in": false, "logged_in_time": null, "mobile_account": false, "home_folder_secure": false }
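A pre-upload check for the NDJSON export described above, added here as an example and not part of Hunters' or Kandji's tooling. It confirms each line is a single JSON object and maps it to one of the three tables. The marker fields are taken from the sample records on this page and are an assumption, not a documented schema; the function names and the sample input are constructed.

```python
import json

# Marker fields per Hunters table, taken from the sample records on this page.
# Treating them as required is an assumption of this example, not a schema.
MARKERS = {
    "kandji_audit_logs": {"id", "action", "occurred_at", "actor_id", "target_type"},
    "kandji_devices_logs": {"device_id", "serial_number", "last_check_in", "mdm_enabled"},
    "kandji_users_logs": {"device_id", "username", "uid", "home_directory"},
}

def classify(record):
    """Return the table whose marker fields are all present, else None."""
    for table, fields in MARKERS.items():
        if fields.issubset(record):
            return table
    return None

def check_ndjson(text):
    """Validate an export line by line; return (per-table counts, problems)."""
    counts = {table: 0 for table in MARKERS}
    problems = []  # (line number, reason)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no record
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((lineno, f"not one complete JSON value: {exc.msg}"))
            continue
        if not isinstance(record, dict):
            problems.append((lineno, "top-level value is not an object"))
        elif (table := classify(record)) is None:
            problems.append((lineno, "matches no known Kandji data type"))
        else:
            counts[table] += 1
    return counts, problems

# Constructed sample: three valid records, one array, one pretty-printed object.
SAMPLE = "\n".join([
    '{"id": "EX-1", "action": "detect", "occurred_at": "2025-08-28T06:17:53Z", '
    '"actor_id": "VULNERABILITY_MANAGEMENT", "target_type": "vulnerability"}',
    '{"device_id": "EX-DEV-1", "serial_number": "EXAMPLE1", '
    '"last_check_in": "2025-06-06T13:21:00Z", "mdm_enabled": true}',
    '{"device_id": "EX-DEV-1", "username": "_sandbox", "uid": 60, '
    '"home_directory": "/var/empty"}',
    '[{"device_id": "EX-DEV-2"}]',
    '{', '  "device_id": "EX-DEV-2"', '}',
])

if __name__ == "__main__":
    print(check_ndjson(SAMPLE))
```

A pretty-printed object is reported once per physical line, which is the usual sign that an export was written as formatted JSON rather than one object per line.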