Heimdal Assistance and Support Help Center home page

Articles in this section

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.

Threat - hunting & Action Center

Last updated

In this article, you will learn everything you need to know about the Theat - hunting and Action Center product.

1. Description
2. How does Threat - hunting and Action Center work?
3. Threat - hunting and Action Center

DESCRIPTION

The Threat - hunting and Action Center is a powerful threat intel and hunting toolkit that equips security leaders, operations teams, and managed service providers with the ability to detect and respond to next-gen threats using a visual storyboard across their entire IT landscape or customer base. Our pioneering action center allows your security teams to make critical decisions on the go with the ability to run and execute commands such as advanced file processing, malware quarantines, software patches, machine isolation, and more with 1-click resolutions while further investigating incidents or threats using the platform’s deep analysis reporting modules.

HOW DOES THREAT - HUNTING AND ACTION CENTER WORK?

Threat - hunting and Action Center (TAC) collects data referring to events inside your organization by leveraging our Extended Threat Protection (XTP) Engine, the renowned MITRE ATT&CK techniques center, and the rest of the Heimdal products to provide granular telemetry into IT environments, endpoints, networks, and beyond to help teams proactively classify security risks, hunt detected anomalies, and neutralize persistent threats securely without risking the spread of attacks, disrupting end-users, or affecting organizational productivity.

THREAT - HUNTING AND ACTION CENTER

You can access the Threat - hunting and Action Center (TAC) after you log in to the HEIMDAL Dashboard (as Corporate Customer or as a reseller who impersonates a Corporate Customer). In the Threat - hunting and Action Center (TAC) section, you can visualize relevant info related to the endpoints in your environment. This info is linked to the selection made in regards to the desired visualization: Threat Telemetry Visualization (offering info revolving around pre-calculated risk scores) or XTP/ MITRE ATT&CK Visualization (offering info revolving around the number of alerts based on 1400+ sigma rules, the majority being subject to the MITRE ATT&CK tactics and techniques).

Threat Telemetry Visualization

When the Threat Telemetry Visualization is selected, you can visualize, on the globe, all of the endpoints, grouped geographically and their highest endpoint risk score/location (pin). On the left-hand side of the page, there is an overview containing the total number of endpoints for that particular customer and the Top 5 endpoints, sorted in descending order, by risk score. When clicking a pin (node) on the globe, a panel opens up in the top-right corner of the page, displaying a list of endpoints that have their location data positioned in the same geographical region as the selected node/pin, sorted in descending order, based on the endpoint risk score. The panel will display a maximum of 10 endpoints but has a search field that enables users to search for any hostnames (endpoints).
threat_visualization.PNG
map.PNG
XTP/MITRE ATT&CK Visualization

The same logic applies to the XTP/MITRE ATT&ACK Visualization, with the endpoint info revolving around the number of XTP/ MITRE alerts. The left-hand side panel displays the Top 5 categories of XTP/MITRE alerts encountered in your environment, as well as a breakdown of severity (the Display all events button, which, if pressed, will lead the user to the Extended Threat Protection view), while the top-right panel displays the endpoints, sorted in descending order, based on the number of XTP/MITRE alerts.
XTP_visualization.PNG
When clicking one of the endpoints found in the top right-hand side panel (in any of the visualization modes), the panel will switch to displaying endpoint-related details like the most recent five blocked DNS connections/queries, the most recent five IP Addresses intercepted due to Brute Force Attacks and the latest five antivirus infections. Only Brute Force Attack (BFA) events generated from public IP Addresses are reported in the TAC portal (BFA Private or FailedLocalPasswordAttempt events will not be listed).

tac_endpoint_details.png

The blocked DNS and Firewall connections are also graphically displayed on the globe (DNS – red lines and Firewall – white ones).

maps_dns.png

Action Center widget

In all the visualizations (Threat Telemetry, XTP/MITRE ATT&ACK - Globe/Map) and in both Reseller and Corporate Customer scenarios, the bottom-center section of the pages includes a collapsed widget (which can be expanded by clicking the blue arrow). The widget provides a relevant summary of the protection stats, average/endpoint risk score, number of alerts, and risk evolution during the last 30 days.
widget.PNG

Action Center
For easier navigation, the widget can redirect you to the Action Center - a modal that allows you to take actions for mitigating the detected threats (Alerts/Actions tab), visualize the state of the applied commands (Server commands tab) and get a taste of compliance by visualizing a multitude of logs (History tab).
ac.PNG

  • Alerts/Actions
    This view displays a centralized list of the threats detected by the engines powering TAC at the hostname level. The grid provides the following details: Hostname, Alert Name, Details, Alert Source, Severity, Categories, Timestamp, and Resolution. The Search field allows you to search among the multiple alerts.
    The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions are applicable to all the selected alerts) and as soon as one or multiple checkbox(es) are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu. An action can be taken by hitting the Unresolved status in the Resolution column. 
    ac_alerts.PNG
    The Filters button allows you to filter the alerts by Alert source, Severty Type, Resolution, or Categories.
    filter.png
  • Server commands
    This view displays a list of the commands sent from the HEIMDAL Dashboard to an endpoint or multiple endpoints. The grid provides the following details: Hostname, Commant Type, Command Description, Resolution, and Timestamp
    ac_server_commands.PNG
  • History (Audit logs)
    This view displays a list of audit events that were performed in your environment. The grid provides the following details: Operation, Details, Username, HEIMDAL Agent Version, and Timestamp. The audit events are organized in the following categories: Global (global settings), Active Clients (actions done in the Active Clients view), Windows GP (edits done in the Windows GP section), Linux GP (edits done in the Linux GP section), macOS GP (edits done in the macOS GP section), Android GP (edits done in the Android GP section), Network Settings (edits done in the Network Settings section). 
    ac_history.PNG

The risk score is calculated every 24 hours, while the risk score displayed on the Globe is displaying the maximum score met in a location. The left-side pane does not consider the IP Address localization. 

IMPORTANT
A list of all the Audit Logs operations (with their descriptions) can be downloaded below.

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.