DataDog · surabhipatel-crest · Oct 14, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025
@@ -324,6 +324,11 @@ datadog_checks_base/datadog_checks/base/checks/windows/              @DataDog/wi
 /keeper/manifest.json                                                @DataDog/saas-integrations @DataDog/documentation
 /keeper/assets/logs/                                                 @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
 
+/kandji/                                                             @DataDog/saas-integrations
+/kandji/*.md                                                         @DataDog/saas-integrations @DataDog/documentation
+/kandji/manifest.json                                                @DataDog/saas-integrations @DataDog/documentation
+/kandji/assets/logs/                                                 @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 /lastpass/                                                          @DataDog/saas-integrations
 /lastpass/*.md                                                      @DataDog/saas-integrations @DataDog/documentation
 /lastpass/manifest.json                                             @DataDog/saas-integrations @DataDog/documentation

@@ -361,6 +361,8 @@ integration/kafka_consumer:
 - kafka_consumer/**/*
 integration/karpenter:
 - karpenter/**/*
+integration/kandji:
+- kandji/**/*
 integration/keda:
 - keda/**/*
 integration/keeper:

@@ -0,0 +1,7 @@
+# CHANGELOG - kandji
+
+## 1.0.0 / 2025-10-15
+
+***Added***:
+
+* Initial Release
@@ -0,0 +1,61 @@
+## Overview
+
+[Kandji][1] is an Apple device management and security platform that helps organizations automate deployment, enforce compliance, secure macOS, and iOS devices.
+
+This integration ingests the following logs:
+- **Audit**: Provides information about security events, device lifecycle changes, and admin/user actions.
+- **Threats**: Provides information about detected threats, including classification, status, affected devices, associated files, processes, and blueprints.
+- **Detections**: Lists detected findings, their severity, affected devices and applications, and associated blueprints.
+
+Integrate Kandji with Datadog to gain insights into audit, threats and detections logs using pre-built dashboard visualizations. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. Additionally, the integration can be used for Cloud SIEM detection rules for enhanced monitoring and security.
+
+## Setup
+
+### Prerequisites
+
+- Kandji MDM, EDR and Vulnerability Management.
+
+### Generate API Token from the Kandji Platform
+
+1. Log in to Kandji Platform using **Admin** or **Owner** account and click on **Settings**.
+2. Click the **Access** tab.
+3. Scroll down to the **API Token** section and click the **Add Token** button. 
+4. Enter **Name** and **Description** for your API token.
+5. Click **Create**.
+6. Copy the **Token**, then check the box confirming: **I have copied the token and understand that I will not be able to see these details again.**
+7. Click **Next**.
+8. Click **Configure** to manage the **API permissions** for a specific token.
+9. Select **List Audit Events** and **Detections List**.
+10. Click **Save**.
+11. Under **API Token** section, locate your domain. For example, your organizations API Domain will be:
+**your-subdomain.api.kandji.io**.
+
+### Connect your Kandji Account to Datadog
+
+1. Add your Domain and API Token.
+   | Parameters | Description |
+   | ---------- | ---------------------------------------------- |
+   | Domain     | The Domain of your Kandji account.             |
+   | API Token  | The API Token of your Kandji account.          |
+2. Click the Save button to save your settings.
+
+## Data Collected
+
+### Logs
+
+Kandji collects and forwards audit, threat and detection logs to Datadog.
+
+### Metrics
+
+Kandji does not include any metrics.
+
+### Events
+
+Kandji does not include any events.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][2].
+
+[1]: https://www.kandji.io/login/
+[2]: https://docs.datadoghq.com/help/
@@ -0,0 +1,246 @@
+id: kandji
+metric_id: kandji
+backend_only: false
+facets:
+  - groups:
+      - User
+    name: User Name
+    path: usr.name
+    source: log
+  - groups:
+      - User
+    name: User Email
+    path: usr.email
+    source: log
+  - groups:
+      - Event
+    name: Event Outcome
+    path: evt.outcome
+    source: log
+  - groups:
+      - User
+    name: User ID
+    path: usr.id
+    source: log
+pipeline:
+  type: pipeline
+  name: Kandji
+  enabled: true
+  filter:
+    query: source:kandji
+  processors:
+    - type: date-remapper
+      name: Define `detection_datetime,occurred_at` as the official date of the log
+      enabled: true
+      sources:
+        - detection_datetime
+        - occurred_at
+    - type: pipeline
+      name: Parse Audit Logs with Admin Activities
+      enabled: true
+      filter:
+        query: service:audit @target_type:admin
+      processors:
+        - type: string-builder-processor
+          name: Prepare `fullName` string for user
+          enabled: true
+          template: "%{new_state.first_name} %{new_state.last_name}"
+          target: usr.name
+          replaceMissing: true
+        - type: attribute-remapper
+          name: Map `new_state.email` to `usr.email`
+          enabled: true
+          sources:
+            - new_state.email
+          sourceType: attribute
+          target: usr.email
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+    - type: pipeline
+      name: Parse Audit Logs with File Detection
+      enabled: true
+      filter:
+        query: service:audit @target_type:file_detection
+      processors:
+        - type: attribute-remapper
+          name: Map `new_state.event.outcome` to `evt.outcome`
+          enabled: true
+          sources:
+            - new_state.event.outcome
+          sourceType: attribute
+          target: evt.outcome
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `new_state.user.name` to `usr.name`
+          enabled: true
+          sources:
+            - new_state.user.name
+          sourceType: attribute
+          target: usr.name
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `new_state.user.id` to `usr.id`
+          enabled: true
+          sources:
+            - new_state.user.id
+          sourceType: attribute
+          target: usr.id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `new_state.file.name` to `file_name`
+          enabled: true
+          sources:
+            - new_state.file.name
+          sourceType: attribute
+          target: file_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `metadata.device.name` to `device_name`
+          enabled: true
+          sources:
+            - metadata.device.name
+          sourceType: attribute
+          target: device_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+    - type: pipeline
+      name: Parse Audit Logs with Device Details
+      enabled: true
+      filter:
+        query: service:audit @target_type:device
+      processors:
+        - type: attribute-remapper
+          name: Map `new_state.blueprint.name` to `blueprint_name`
+          enabled: true
+          sources:
+            - new_state.blueprint.name
+          sourceType: attribute
+          target: blueprint_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `new_state.device.name` to `device_name`
+          enabled: true
+          sources:
+            - new_state.device.name
+          sourceType: attribute
+          target: device_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+    - type: pipeline
+      name: Parse Audit Logs with Vulnerability
+      enabled: true
+      filter:
+        query: service:audit @target_type:vulnerability
+      processors:
+        - type: attribute-remapper
+          name: Map `new_state.vulnerability.id` to `cve_id`
+          enabled: true
+          sources:
+            - new_state.vulnerability.id
+          sourceType: attribute
+          target: cve_id
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `new_state.host.name` to `device_name`
+          enabled: true
+          sources:
+            - new_state.host.name
+          sourceType: attribute
+          target: device_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `new_state.file.name` to `file_name`
+          enabled: true
+          sources:
+            - new_state.file.name
+          sourceType: attribute
+          target: file_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+        - name: Lookup on `new_state.vulnerability.severity` to `detection_severity`
+          enabled: true
+          source: new_state.vulnerability.severity
+          target: detection_severity
+          lookupTable: |-
+            Critical,critical
+            High,warning
+            Medium,warning
+            Low,info
+            Undefined,info
+          type: lookup-processor
+        - type: status-remapper
+          name: Define `detection_severity` as the official status of the log
+          enabled: true
+          sources:
+            - detection_severity
+    - type: pipeline
+      name: Parse Audit Logs with Blueprint
+      enabled: true
+      filter:
+        query: service:audit @target_type:blueprint
+      processors:
+        - type: attribute-remapper
+          name: Map `new_state.name` to `blueprint_name`
+          enabled: true
+          sources:
+            - new_state.name
+          sourceType: attribute
+          target: blueprint_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false
+    - type: pipeline
+      name: Parse Detection Logs
+      enabled: true
+      filter:
+        query: service:detection
+      processors:
+        - type: message-remapper
+          name: Define `description` as the official message of the log
+          enabled: true
+          sources:
+            - description
+        - name: Lookup on `severity` to `detection_severity`
+          enabled: true
+          source: severity
+          target: detection_severity
+          lookupTable: |-
+            Critical,critical
+            High,warning
+            Medium,warning
+            Low,info
+            Undefined,info
+          type: lookup-processor
+        - type: status-remapper
+          name: Define `detection_severity` as the official status of the log
+          enabled: true
+          sources:
+            - detection_severity
+        - type: attribute-remapper
+          name: Map `name` to `file_name`
+          enabled: true
+          sources:
+            - name
+          sourceType: attribute
+          target: file_name
+          targetType: attribute
+          preserveSource: true
+          overrideOnConflict: false