In this article, you will learn everything you need to know about the Threat-hunting and Action Center product.
1. Description
2. How does Threat-hunting and Action Center work?
3. Overview
DESCRIPTION
The Threat-hunting and Action Center is a powerful threat intel and hunting toolkit that equips security leaders, operations teams, and managed service providers with the ability to detect and respond to next-gen threats using a visual storyboard across their entire IT landscape or customer base. Our pioneering Action Center allows your security teams to make critical decisions on the go, with the ability to run and execute commands such as advanced file processing, malware quarantines, software patches, machine isolation, and more with 1-click resolutions, while further investigating incidents or threats using the platform’s deep analysis reporting modules.
HOW DOES THREAT-HUNTING AND ACTION CENTER WORK?
Threat-hunting and Action Center (TAC) collects data referring to events inside your organization by leveraging our Extended Threat Protection (XTP) engine, the renowned MITRE ATT&CK techniques center, and the rest of the Heimdal products to provide granular telemetry into IT environments, endpoints, networks, and beyond. This helps teams proactively classify security risks, hunt detected anomalies, and neutralize persistent threats securely without risking the spread of attacks, disrupting end-users, or affecting organizational productivity.
You can access the Threat-hunting and Action Center (TAC) after you log in to the HEIMDAL Dashboard (as a Corporate Customer or as a reseller who impersonates a Corporate Customer). In the Threat-hunting and Action Center (TAC) section, you can visualize relevant info related to the endpoints and users in your environment.
OVERVIEW
On the Overview page, you get telemetry data and details on the objects in the environment, together with risk scores and notifications. These objects are grouped by External Firewall, Devices, and M365 objects/notifications, and they can also be split between Risk Score and Notification count.
On the left-hand side of the page, you can switch between External Firewall, Devices, and M365 objects/notifications to see the most risky devices or users.
A. External Firewall
The External Firewall tab shows devices with events intercepted by an external firewall. It contains the total number of endpoints for that particular customer and the top endpoints, sorted in descending order by risk score, in a scrollable list.
I. Reseller level
A reseller can see all of its Enterprise/Corp customers grouped geographically as pins on the globe, together with each customer's highest risk score. Pins are displayed on the map ONLY if there is data registered within the selected timeframe. On the left side of the page, there is an overview containing the total number of customers for that reseller that have the External Firewall configured, and the correlated list sorted in descending order based on the External Firewall average risk score.
When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of customers that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the External Firewall average risk score.
Clicking on a customer name from the panel will impersonate that specific customer.
II. Customer level
In External Firewall (using the designated toggle), a customer can view all of their end users, grouped geographically with a pin on the globe, and their corresponding risk score. Pins are displayed on the map ONLY if there is data registered within the selected timeframe.
On the left side of the page, we display the total number of end users under the impersonated customer and the list of users, sorted in descending order by the Risk Score.
When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of users who have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the user’s risk score.
B. Devices
The Devices tab shows the total number of endpoints and the top devices, sorted in descending order by risk score, in a scrollable list. The risk score of each device is calculated based on the alerts triggered by the HEIMDAL products. Threat-hunting and Action Center (TAC) looks for:
- Ransomware Encryption Protection detections
- Next-Gen Antivirus detections
- XTP detection
- VectorN detections
- Brute Force attacks
- Operational issues
C. M365
The M365 tab shows the total number of users and the top users, sorted in descending order by risk score, in a scrollable list. The risk score of each user is calculated based on the events triggered by the HEIMDAL products. Threat-hunting and Action Center (TAC) looks for:
- Ransomware Encryption Protection detections
- Login Anomaly detections
- Email Security interceptions
- Forwarding Rules
- Security issues
The objects are identified and displayed with pins on the Globe/Map for better visualization. When clicking a pin (node) on the globe, a panel opens up in the top-right corner of the page, displaying a list of the endpoints with the highest risk scores that have their location data positioned in the same geographical region as the selected node/pin, sorted in descending order by risk score. The panel displays a maximum of 10 endpoints, but has a search field that enables users to search for any hostname (endpoint).
The same happens with the M365 users.
When displaying telemetry data by notifications count, each tab displays the Unresolved Notifications (for devices and users).
When clicking a pin (node) on the globe, a panel opens up in the top-right corner of the page, displaying a list of the endpoints/users with the highest unresolved notification counts that have their location data positioned in the same geographical region as the selected node/pin, sorted in descending order. The panel displays a maximum of 10 endpoints/users, but has a search field that enables users to search for any entry.
When clicking one of the endpoints found in the top right-hand side panel (in any of the visualization modes), the panel switches to displaying endpoint-related details such as the most recent five blocked DNS connections/queries, the most recent five IP Addresses intercepted due to Brute Force Attacks, and the latest five antivirus infections. Only Brute Force Attack (BFA) events generated from public IP Addresses are reported in the TAC portal (BFA Private or FailedLocalPasswordAttempt events are not listed).
The blocked DNS and Firewall connections are also graphically displayed on the globe (DNS – red lines and Firewall – white ones).
When clicking one of the users found in the top right-hand side panel (in any of the visualization modes), the panel will switch to displaying user-related details like the most recent LAD alerts, the Email Security alerts, the EFP alerts, and the REP Network detections.
IMPORTANT
TAC risk scores are updated in real time as new detections arrive, mitigation actions are taken, and so on. The risk score shown on the Globe for a pin is the maximum score recorded at that location. The left-side pane does not take IP address geolocation into account.
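The behaviour described above for the Overview (one pin per region carrying the maximum risk score, a left-side list that ignores location, a clicked-pin panel capped at 10 entries with a search field, and brute-force source IPs reported only when they are public) can be modelled in a few functions. The following is an added example written for this article, not Heimdal's own code; the endpoint records, region names, scores and IP addresses are constructed for illustration, and the public/private classification is the example's own assumption (Python's built-in `is_global` treats the RFC 5737 documentation ranges used in the sample as non-global, so the example keeps an explicit list of non-public ranges instead).

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry for this example only (not real Heimdal data).
@dataclass
class Endpoint:
    hostname: str
    region: str                 # geographic region the globe pin is placed in
    risk_score: int
    unresolved: int             # unresolved notification count
    bfa_sources: list[str] = field(default_factory=list)  # brute-force source IPs, oldest first

SAMPLE = [
    Endpoint("ws-001", "Copenhagen", 82, 3, ["203.0.113.10", "10.0.0.5"]),
    Endpoint("ws-002", "Copenhagen", 47, 9, []),
    Endpoint("srv-db1", "London", 91, 1, ["198.51.100.7", "192.168.1.20", "203.0.113.99"]),
    Endpoint("ws-003", "London", 15, 0, []),
    Endpoint("ws-004", "Berlin", 60, 12, ["172.16.4.4"]),
]

# Assumed definition of "private" for this example: RFC 1918, loopback, link-local,
# CGNAT, plus the IPv6 equivalents. Anything else counts as public.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public(ip: str) -> bool:
    """True when the address falls in none of the non-public ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_NETS)


def pin_scores(endpoints: list[Endpoint]) -> dict[str, int]:
    """Globe pins: one pin per region, carrying the maximum risk score seen there."""
    scores: dict[str, int] = defaultdict(int)
    for e in endpoints:
        scores[e.region] = max(scores[e.region], e.risk_score)
    return dict(scores)


def left_pane(endpoints: list[Endpoint]) -> list[str]:
    """Left-side list: every endpoint sorted by risk score descending; location is ignored."""
    return [e.hostname for e in sorted(endpoints, key=lambda e: e.risk_score, reverse=True)]


def pin_panel(endpoints: list[Endpoint], region: str, by: str = "risk",
              search: str = "", limit: int = 10) -> list[str]:
    """Top-right panel for a clicked pin: endpoints in that region, sorted descending by
    risk score ("risk") or unresolved notification count ("notifications"), capped at
    `limit` entries; the search term narrows the list by hostname substring."""
    key = (lambda e: e.risk_score) if by == "risk" else (lambda e: e.unresolved)
    rows = [e for e in endpoints if e.region == region]
    if search:
        rows = [e for e in rows if search.lower() in e.hostname.lower()]
    rows.sort(key=key, reverse=True)
    return [e.hostname for e in rows[:limit]]


def reported_bfa_sources(endpoint: Endpoint, latest: int = 5) -> list[str]:
    """Brute-force source IPs shown in the details panel: newest first, public
    addresses only, at most `latest` entries (the page states five)."""
    newest_first = reversed(endpoint.bfa_sources)
    return [ip for ip in newest_first if is_public(ip)][:latest]


if __name__ == "__main__":
    print("pins:", pin_scores(SAMPLE))
    print("left pane:", left_pane(SAMPLE))
    print("London panel:", pin_panel(SAMPLE, "London"))
    print("srv-db1 BFA sources:", reported_bfa_sources(SAMPLE[2]))
```

Note the deliberate asymmetry between `pin_scores` and `left_pane`: a region with one critical endpoint and many quiet ones still shows the critical score on its pin, while the left pane ranks every endpoint individually regardless of where it sits, which is the distinction the IMPORTANT note above draws.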
ACTION CENTER
In all the visualizations and in both Reseller and Corporate Customer scenarios, the bottom-center section of the pages includes a collapsed widget (which can be expanded by clicking the blue arrow). The widget provides a relevant summary of the protection stats, average/endpoint risk score (used as a strategic score), number of notifications (considered as a tactical counter), and risk evolution during the last 30 days.
Action Center
For easier navigation, the widget can redirect you to the Action Center - a modal that allows you to take actions for mitigating the detected threats (Alerts/Actions tab), visualize the state of the applied commands (Server commands tab), and get a taste of compliance by visualizing a multitude of logs (History tab).
A. External Firewall
External Firewall is a TAC component that enables real-time ingestion, normalization, and actionability of external firewall telemetry, starting with Meraki Firewall alerts, alongside devices and user security signals in the same consolidated security console. Traditionally, firewall alerts live in vendor-specific consoles and can generate noisy, isolated data. With External Firewall, these alerts are brought directly into TAC, where they become meaningful MXDR signals, alerting users without overwhelming them, and enabling consistent investigation and response workflows.
The External Firewall telemetry works by importing supported firewall alert data through API integration and mapping it into Heimdal’s TAC pipeline. After configuration, firewall alerts flow into TAC alongside device and user security events.
TAC normalizes alert data, calculates risk scores, and presents findings in geo-visualizations, notifications, and Action Center views.
The External Firewall is split between Aggregated Notifications and Notifications.
- Aggregated Notifications: The grid provides the following details: Device/Source IP, Network/Domain, Notification Type, Details, Severity, Hits, Timestamp, and Resolution. The Search field allows you to search among the multiple notifications.
- Notifications: The grid provides the following details: Device/Source IP, Network/Domain, Notification Type, Details, Severity, Alert Body, Timestamp, and Resolution. The Search field allows you to search among the multiple notifications.
B. Devices
The Devices tab splits between Aggregated Notifications, Notifications, Server commands, and History.
- Aggregated Notifications: The grid provides the following details: Notification Name, Details, Source, Severity, Hits, and Resolution. The Search field allows you to search among the multiple notifications. The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts), and as soon as one or multiple checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu.
- Notifications: This view displays a list of threats detected by the engines powering TAC at the hostname level. The grid provides the following details: Hostname, Notification Name, Details, Source, Severity, Categories, Timestamp, and Resolution. The Search field allows you to search among the multiple notifications. The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts), and as soon as one or multiple checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu.
- Server commands: This view displays a list of the commands sent from the HEIMDAL Dashboard to one or more endpoints. The grid provides the following details: Hostname, Command Type, Command Description, Resolution, and Timestamp.
- History (Audit logs): This view displays a list of audit events that were performed in your environment. The grid provides the following details: Operation, Details, Username, and Timestamp. The audit events are organized in the following categories: Global (global settings), Active Clients (actions done in the Active Clients view), Windows GP (edits done in the Windows GP section), Linux GP (edits done in the Linux GP section), macOS GP (edits done in the macOS GP section), Android GP (edits done in the Android GP section), and Network Settings (edits done in the Network Settings section). A list of all the Audit Logs operations (with their descriptions) can be downloaded at the bottom of the page.
The Filters button allows you to filter the notifications by several criteria.
C. M365
The M365 tab splits between Aggregated Notifications, Notifications, and User Compliance.
- Aggregated Notifications: The grid provides the following details: Notification Name, Details, Source, Severity, Hits, and Resolution. The Search field allows you to search among the multiple notifications. The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts), and as soon as one or multiple checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu.
- Notifications: This view displays a list of threats detected by the engines powering TAC at the hostname level. The grid provides the following details: User, Notification Name, Details, Source, Severity, Categories, Timestamp, and Resolution. The Search field allows you to search among the multiple notifications. The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts), and as soon as one or multiple checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu.
- User Compliance: This view displays a list of compliance conditions that each M365 user does or does not fulfill. The grid displays the following details: User, Multi-factor authentication, Strong password, Password expiration, 90 days inactive, and Last login.
D. MXDR Logs
The MXDR Logs tab displays a list of actions that have been taken by the HEIMDAL MXDR Team on notifications.