In this article, you will learn everything you need to know about the Threat-hunting and Action Center product.
1. Description
2. How does Threat-hunting and Action Center work?
3. Threat-hunting and Action Center
4. Sandbox
DESCRIPTION
The Threat-hunting and Action Center is a powerful threat intel and hunting toolkit that equips security leaders, operations teams, and managed service providers with the ability to detect and respond to next-gen threats using a visual storyboard across their entire IT landscape or customer base. Our pioneering action center allows your security teams to make critical decisions on the go, with the ability to run and execute commands such as advanced file processing, malware quarantines, software patches, machine isolation, and more with 1-click resolutions, while further investigating incidents or threats using the platform’s deep analysis reporting modules.
HOW DOES THREAT-HUNTING AND ACTION CENTER WORK?
Threat-hunting and Action Center (TAC) collects data referring to events inside your organization by leveraging our Extended Threat Protection (XTP) Engine, the renowned MITRE ATT&CK techniques center, and the rest of the Heimdal products. This provides granular telemetry into IT environments, endpoints, networks, and beyond, helping teams proactively classify security risks, hunt detected anomalies, and neutralize persistent threats securely, without risking the spread of attacks, disrupting end-users, or affecting organizational productivity.
THREAT-HUNTING AND ACTION CENTER
You can access the Threat-hunting and Action Center (TAC) after you log in to the HEIMDAL Dashboard (as a Corporate Customer, or as a reseller impersonating a Corporate Customer). In the Threat-hunting and Action Center (TAC) section, you can visualize relevant information about the endpoints in your environment. On the left-hand side of the home page, where customers/endpoints are listed (sorted by risk score in descending order by default), you will see a set of icons showing the Ransomware Encryption Protection endpoint, Next-Gen Antivirus, Extended Threat Protection, VectorN Detection™ and Firewall Brute Force Attack detections, plus the Operational Issues (Active Clients notifications), each with its corresponding count. At reseller level, the number of active clients (machines) of each customer is also shown, for lightning-fast forensics and prioritization. This information is linked to the selected visualization: Threat Telemetry Visualization (information revolving around pre-calculated risk scores) or XTP/MITRE ATT&CK Visualization (information revolving around the number of alerts based on 1400+ Sigma rules, the majority mapped to MITRE ATT&CK tactics and techniques). The search field also includes an option to select one of the criteria described above (except Operational Issues) and sort the view by it.
On top of this, the TAC risk scores are updated in real time, depending on new detections, mitigation actions taken, etc.
Threat Telemetry Visualization
When the Threat Telemetry Visualization is selected, you can visualize, on the globe, all of the endpoints, grouped geographically and their highest endpoint risk score/location (pin). On the left-hand side of the page, there is an overview containing the total number of endpoints for that particular customer and the top endpoints, sorted in descending order, by risk score, in a scrollable list. When clicking a pin (node) on the globe, a panel opens up in the top-right corner of the page, displaying a list of endpoints that have their location data positioned in the same geographical region as the selected node/pin, sorted in descending order, based on the endpoint risk score. The panel will display a maximum of 10 endpoints but has a search field that enables users to search for any hostnames (endpoints).
XTP/MITRE ATT&CK Visualization
The same logic applies to the XTP/MITRE ATT&CK Visualization, with the endpoint info revolving around the number of XTP/MITRE alerts. The left-hand side panel displays the Top 5 categories of XTP/MITRE alerts encountered in your environment, as well as a breakdown by severity (the Display all events button, if pressed, will lead the user to the Extended Threat Protection view), while the top-right panel displays the endpoints, sorted in descending order, based on the number of XTP/MITRE alerts.
When clicking one of the endpoints found in the top right-hand side panel (in any of the visualization modes), the panel will switch to displaying endpoint-related details like the most recent five blocked DNS connections/queries, the most recent five IP Addresses intercepted due to Brute Force Attacks and the latest five antivirus infections. Only Brute Force Attack (BFA) events generated from public IP Addresses are reported in the TAC portal (BFA Private or FailedLocalPasswordAttempt events will not be listed).
The blocked DNS and Firewall connections are also graphically displayed on the globe (DNS – red lines and Firewall – white ones).
Action Center widget
In all the visualizations (Threat Telemetry, XTP/MITRE ATT&CK - Globe/Map) and in both Reseller and Corporate Customer scenarios, the bottom-center section of the pages includes a collapsed widget (which can be expanded by clicking the blue arrow). The widget provides a relevant summary of the protection stats, average/endpoint risk score, number of alerts, and risk evolution during the last 30 days.
Action Center
For easier navigation, the widget can redirect you to the Action Center - a modal that allows you to take actions for mitigating the detected threats (Alerts/Actions tab), visualize the state of the applied commands (Server commands tab), and get a taste of compliance by visualizing a multitude of logs (History tab).
- Alerts/Actions
This view displays a centralized list of the threats detected by the engines powering TAC, at the hostname level. The grid provides the following details: Hostname, Alert Name, Details, Alert Source, Severity, Categories, Timestamp, and Resolution. The Search field allows you to search among the multiple alerts.
The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts). As soon as one or more checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu. An action can also be taken by clicking the Unresolved status in the Resolution column.
The Filters button allows you to filter the alerts by Alert source, Severity Type, Resolution, or Categories.
- Server commands
This view displays a list of the commands sent from the HEIMDAL Dashboard to one or more endpoints. The grid provides the following details: Hostname, Command Type, Command Description, Resolution, and Timestamp.
- History (Audit logs)
This view displays a list of the audit events that were performed in your environment. The grid provides the following details: Operation, Details, Username, and Timestamp. The audit events are organized in the following categories: Global (global settings), Active Clients (actions done in the Active Clients view), Windows GP (edits done in the Windows GP section), Linux GP (edits done in the Linux GP section), macOS GP (edits done in the macOS GP section), Android GP (edits done in the Android GP section), Network Settings (edits done in the Network Settings section).
The risk score displayed on the globe is the maximum score encountered at a location. The left-hand side pane does not take IP address localization into account.
IMPORTANT
A list of all the Audit Logs operations (with their descriptions) can be downloaded below.
SANDBOX
The Heimdal Sandbox is a file analysis tool designed to assist with computer forensics endeavors, augmenting the already powerful threat intel and hunting toolkit offered by TAC. It equips, to an even greater extent, security leaders, operations teams, and managed service providers with the ability to detect next-gen threats and respond by using the other relevant product modules encompassed in the Heimdal product stack.
The Upload Button opens a pop-up window, from which customers can choose the file they want to import, specify the file's password (where applicable) and/or specify the file's execution arguments (where applicable).
Note: The Heimdal Sandbox scans only files that have a size <= 1MB. Files must have a .exe or .zip extension (only the first .exe file archived is scanned), otherwise an "Invalid file extension" error will be displayed. Also, an “Invalid file name” message will be displayed in cases where the users attempt to upload a file with spaces in its name.
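The following preflight check is an added example, not Heimdal code and not calling any Heimdal API: it mirrors the upload rules documented above (the 1MB limit, assumed here to mean 1,048,576 bytes; the .exe/.zip extension requirement, assumed case-insensitive; the no-spaces file name rule) and, for a .zip, reports which .exe the Sandbox will actually scan, namely the first one in the archive. The sample archive is constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

MAX_SIZE = 1 * 1024 * 1024      # documented 1MB limit (byte count is an assumption)
ALLOWED_EXT = (".exe", ".zip")  # documented accepted extensions


@dataclass
class Preflight:
    ok: bool
    reason: str
    scanned_member: Optional[str] = None  # for a .zip: the one .exe the Sandbox analyzes


def preflight(file_name: str, data: bytes) -> Preflight:
    """Apply the documented Sandbox upload rules locally, before submitting a file."""
    if " " in file_name:
        return Preflight(False, "Invalid file name")        # spaces in the name are rejected
    lower = file_name.lower()
    if not lower.endswith(ALLOWED_EXT):
        return Preflight(False, "Invalid file extension")   # only .exe or .zip are accepted
    if len(data) > MAX_SIZE:
        return Preflight(False, "file larger than 1MB")
    if lower.endswith(".exe"):
        return Preflight(True, "ok", file_name)
    # .zip: only the first archived .exe is scanned; every other member is ignored
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return Preflight(False, "not a valid zip archive")
    first_exe = next((m for m in members if m.lower().endswith(".exe")), None)
    if first_exe is None:
        return Preflight(False, "zip contains no .exe to scan")
    return Preflight(True, "ok", first_exe)


def build_zip(members: dict) -> bytes:
    """Build a constructed in-memory archive (name -> bytes) for local testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"readme.txt": b"hi", "tool.exe": b"MZ", "helper.exe": b"MZ"})
    print(preflight("bundle.zip", sample))       # ok, scanned_member='tool.exe'
    print(preflight("my tool.exe", b"MZ"))       # Invalid file name
```

Running the check before upload tells an analyst whether a bundle will be rejected and, for an archive with several executables, which single file the resolution in the grid will actually refer to.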
The Sandbox Standard view contains a stat icon in the header section displaying the number of files scanned in the selected timeframe. The corresponding grid consists of 4 columns: “File name”, “Uploaded by”, “Resolution” and “Timestamp”. The grid also offers the possibility to search based on “File name” and “Uploaded by”, and to filter (green “Filters” button) based on “Resolution”.
File analysis and Resolutions
When uploading a file in the Sandbox Standard view, the file is added as an entry in the data table with a “New” resolution for a brief time. The file's resolution is then changed to “Pending Upload” (also briefly displayed) until it is fully uploaded. After being uploaded, the resolution changes to “Queued” until the file analysis begins, at which point the resolution value changes to “In Progress”. The “outcome” resolutions can be: “Completed” (files that have been successfully analyzed) and “Error” (files for which the analysis failed). Files that have been analyzed successfully (resolution “Completed”) have an “eye” icon next to their file name, which, if pressed, will lead the dashboard user to a dedicated “File analysis” page, where granular details (including a “process tree” visualization) are available.
The "Upload to Storage & Send to Sandbox" command is a key feature available across various product modules within the Heimdal dashboard, designed to streamline threat analysis and response. This functionality can be found in the following sections:
- DNS Security – Endpoint: Accessible within the Latest Threats view.
- Next-Gen AV: Available in the Latest Infections/Quarantine and Zero-Trust Execution Protection views.
- Ransomware Encryption Protection: Present in the Endpoint Detections view, as well as the corresponding Client Specifics views (accessible by clicking on a hostname).
The command is also fully integrated into the TAC widgets associated with these modules and is accessible via the TAC Action Center, specifically within the Notifications and Aggregated Notifications views.
This feature ensures administrators have a robust toolset for handling and analyzing potential threats efficiently, reinforcing comprehensive endpoint security management.