In this article, you will learn everything you need to know about the Endpoint Detection - Extended Threat Protection product.
1. Description
2. How does Extended Threat Protection (XTP) work?
3. Extended Threat Protection view
4. XTP settings
DESCRIPTION
The Extended Threat Protection (XTP) engine offers you superior protection against next-generation threats by supplying evidence-based information about sophisticated cybersecurity risks and offering a holistic view of weaknesses, categorized on MITRE ATT&CK tactics and techniques. The new engine uses intel coming from 1400+ sigma rules and is offered complimentary as part of our Next-Gen Antivirus, Firewall, and MDM license. Regardless of whether the attack method consists of exploits, defense evasion, credential access, or exfiltration, the XTP engine will keep you at the forefront of protection, with a deep and detailed analysis such as process trees, attack mechanisms, and attack types leveraged.
HOW DOES EXTENDED THREAT PROTECTION (XTP) WORK?
Extended Threat Protection (XTP) stores information based on the system's audit policies. These events are analyzed by the XTP engine, which can tell when a suspicious event occurred. The product collects information from any computer in your environment using the Heimdal XTP service and compares them against the 1400+ sigma rules that are defined in the MITRE ATT&CK knowledge base. It gives you a description of each rule that the endpoint is not complying with and offers you a small solution on how to mitigate the issue. XTP uses the sysmon Windows addon to log information, which might conflict with other applications that also use sysmon.
EXTENDED THREAT PROTECTION (XTP) view
The Extended Threat Protection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the rules and alerts intercepted by the HEIMDAL Agent. On the top, you see a statistic regarding the number of Detections, the number of Critical Detections, the number of Medium Detections, and the number of Low Detections.
The collected information is placed in the following views: Standard, and Raw.
- Standard
This view displays a table with the following details: Hostname, Rule Name, Severity, Process Name, Categories, and Detections. -
Raw
This view displays a table with the following details: Hostname, Rule Name, Severity, Process Name, PID, Categories, Timestamp and Resolution.
The checkbox allows you to select an entry and Resolve or Unresolve the event.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. The Filters button opens a toaster that allows you to filter by Severity type.
XTP settings
XTP allows you to collect information on the events that take place on a computer in your environment, based on the rules defined by the HEIMDAL specialists.
XTP - turn ON/OFF the Extended Threat Protection;
General Settings
Scan check interval - how often does the XTP service check the computer for events that don't comply with the XTP rules;
Exclusions - allows you to exclude a process by filename, file path, directory path, or MD5 by matching it with a rule found in the XTP engine. An exclusion can be matched by command line argument/parameter and it can take in any type of argument/parameter;
Rules
You can manually disable any of the rules listed under the XTP engine by unticking the Enabled tickbox (right-side column). Clicking the rule name will pop up a modal that offers you all the information related to the rule in question. Rules are classified by severity and organized into categories. The Select categories dropdown menu allows you to filter through any of the selected categories.