In this article, you will see how the HEIMDAL Dashboard works, which data is collected from your environment, and what the benefits of the HEIMDAL Unified Threat Platform are. The HEIMDAL Dashboard shows you the threats intercepted in your environment, so you can take action against malware and mitigate it. The HEIMDAL Dashboard works with a variety of Internet browsers, but it is best supported by the following: Google Chrome (recommended), Mozilla Firefox, Microsoft Edge, and Safari.
1. Home
2. Admin
3. Unified Management
4. Customer Overview
5. Products
6. Threat-hunting & Action Center
7. Accounts
8. Guide
9. Reports
10. Support
HOME
Right after you log in to the HEIMDAL Dashboard, you are presented with the Home page and the Group Policies overview, which warns you that one or more HEIMDAL products are not enabled in the Group Policy settings.
Pressing the Acknowledge button closes the Group Policies overview. This modal pops up for every user who logs in to the HEIMDAL Dashboard for the first time, and for every impersonated Enterprise customer (when a user with the Reseller role is logged in). The modal reappears once any other HEIMDAL Dashboard user assigned to the same customer enables/disables a HEIMDAL product or Reporting mode in any Group Policy, or when a Group Policy is created or deleted.
The left-side menu allows you to navigate to any section of the HEIMDAL Dashboard. On the top, you can use the Customer impersonation field (available to Resellers only) that allows you to impersonate the Enterprise account of any of your customers. The Timeframe selection field allows you to select the Start-Date and the End-Date to display the information collected in the HEIMDAL Dashboard. The Endpoint Settings and the Network Settings allow you to configure the settings for the HEIMDAL Security products.
On the right side of the Home page, you get information about each of the products/modules that are active under the current customer account. The charts include data regarding attacks, vulnerabilities, detections, infected/quarantined files, blocked/allowed processes, 3rd-party application vulnerabilities or OS Updates, and quarantined/rejected emails. It is important to know that the information displayed in the charts depends on the selected Timeframe and, by default, the Timeframe stretches 30 days into the past. The chart order can be changed using drag and drop, and inactive products are listed at the end of the Home page (by default). The order of the products is saved at the user account level, so another user account of the same customer may see a different order (its own saved one). You can also click a graph area/segment to be redirected to the relevant product page.
Clicking the eye icon (top-right corner) will redirect you to the product page. Some products allow you to take action straight from the chart itself (e.g., Next-Gen Antivirus & MDM, Ransomware Encryption Protection, Privilege Elevation and Delegation Management, Email Security).
Hovering over a data point in a chart shows the values for that specific date.
On the bottom side of the Home page, you can see the contact information of HEIMDAL Security and the HEIMDAL Dashboard version:
Distributors and Resellers see a different Home page: a license overview that centralizes, per product, all the licenses under their management. This view shows the number of licenses as well as the available ones. Total seats is the number of purchased* or committed* licenses for a product/module. Used is the number of licenses in use for each product. Available is the difference between Total seats and Used. The Partner can also filter the grid to show All, Monthly Billing, and/or Annual licensing types. At the bottom of this Home page, the Distributor/Reseller finds links to the Support Knowledge Base articles and the Heimdal™ YouTube channel, which holds useful video training content.
ADMIN
The Admin page (available to Reseller accounts) allows you to add new customers or edit existing ones and manage their licensing options. You can add/delete Home Batch Keys (if they are activated on your Reseller account). The Customers menu displays a list of all your customers with details such as ID, Name, Type, License Type, SPLA License, Device, and Purchased Licenses. In this section, you can add a new customer, and you can also generate a CSV report listing all customers (the CSV report is populated with all the customers that have activity/active clients):
- Creating a new customer is easy and can be done by filling in the required fields:
Name - specify the name of the new customer.
Type - Corp is the only available option.
Total licenses - specify the number of devices.
Email - specify the email address of the customer account owner.
Details - specify any details you consider necessary to save.
- The Licensing options section is where you select which products/modules are available for the customer.
- The next step is to generate a license key. To do that, press the Add Key button and fill in the fields below:
- The Billing Info section is not mandatory, but you can fill in the requested information:
Under Home Batch Keys, you can create new Home Batch Keys, view the Registered Batch Keys and the Non-Registered Batch Keys, and delete the generated license keys.
This view also allows you to download a list of all Home licenses included in a Batch.
UNIFIED MANAGEMENT
ROI REPORT
The Return on Investment (ROI) reports are analytics tools that estimate the costs your organization saves by using the HEIMDAL Security suite. On this page, you can see charts for DNS Security, Patch & Assets Management, Endpoint Detection, Privileges & App Control, Remote Desktop, Email Protection, and Threat-hunting & Action Center. On top, you have a summary of the ROI Report:
Below the summary, you get a chart for each product detailing the saved costs per category:
DEVICE INFO
The Device Info page displays all the information collected from the devices/endpoints that are running the HEIMDAL Agent. The collected information includes system information details and HEIMDAL Agent status. On the top, you see a statistic regarding the number of Active servers, the number of Active endpoints, and the number of Total devices.
The collected information is split into the following views: Standard, Hardware, Non-Heimdal devices, Hostname groups, Monitored Devices, Server commands, History, and GP Switches.
- Standard
This view is a current overview of all devices active within the selected timeframe (the activation date of the HEIMDAL Agent needs to fall within the selected timeframe) and offers the following details: Hostname, Chassis (laptop, desktop, tablet), Username, IP Address, HEIMDAL Agent version, Operating System, Edition, Current Group Policy, Selected Group Policy, Last Seen, Enabled Modules, and HEIMDAL Agent Status. The Last Seen status refreshes every 6 hours. The Status column can sort hostnames and group them into 2 groups: Operational (green check mark) and Warning (orange exclamation mark). The displayed Status considers the last 24 hours only. The Hostname displayed for Windows devices is limited to a maximum of 15 characters (the NetBIOS computer name limit); any characters beyond that limit are truncated, so two machines whose names share the same first 15 characters look identical in this view.
The Column Options button allows you to change the order of the existing columns (the Hostname column cannot be moved) or add/remove up to 3 custom text columns (where you can insert/edit text-type information). The custom columns can have a custom name, and they can be filled manually or via Import CSV file. This layout is saved at the Enterprise customer level (all HEIMDAL Dashboard user accounts of that customer use the same settings).
- Hardware
This view displays a table with the following details: Hostname\Username, installed CPU, CPU Usage, installed Memory, Memory Usage, installed Disk Drive, Disk Usage, Last Seen, and HEIMDAL Agent Status:
- Non-Heimdal devices
This view displays a table with all the devices that are not running the HEIMDAL Agent and comes with the following details: Hostname, IP Address, MAC Address, Details, and Scan Date.
Selecting a Non-Heimdal device allows you to hide the device or deploy the HEIMDAL Agent to it from a server on which the HEIMDAL Agent is installed. The server must be a Domain Controller (holding the Schema Master FSMO role), and the target device needs to be in the same domain as the server. Applying the Deploy Heimdal Agent operation displays a toaster panel where the server can be selected by hostname or IP Address; enter at least 3 characters to get the available options.
- Hostname groups
This view displays a list of groups where specific endpoints/devices can be added/mapped (for specific reasons). A Hostname Group can be used to automatically assign a HEIMDAL Dashboard Group Policy to that specified group of endpoints (the Hostname Group's name needs to be specified in the Group Policy settings, under General -> AD Computer Group). The Create group button allows you to create a group and define its description.
One or multiple endpoints can be added to a Hostname Group from the Standard view, by selecting the hostname(s) and clicking Add to group from the dropdown menu:
At the moment, only Windows devices can be assigned to Hostname Groups. Hostname Groups sync in real time through Server Messages once one of the following actions is taken: editing an existing Hostname Group, adding an endpoint to an existing Hostname Group, or deleting an endpoint from an existing Hostname Group.
- Monitored Devices
This view displays a list of monitored devices and their details: Hostname, Username, Current Group Policy, Selected Group Policy, OS, Alive Status, Operational Status, and Risk Score. The purpose of this view is to select endpoints that need to be monitored for their status (when they turn offline/online). An email notification is automatically sent out when the Alive Status of an endpoint changes.
The Add Monitored device action allows you to add an endpoint to the Monitored Devices list. A newly added monitored device initially has the offline status (red dot) until a GP sync takes place and the monitoring job kicks in (about 15 seconds after the GP sync). You can also stop monitoring a device by selecting the endpoint and applying the Stop monitoring device action.
- Server commands
This view displays a list of the individual actions (3rd Party install, scan, etc.) performed on specific endpoints, as a table with the following details: Hostname, Command Type, Command Description, Resolution, and Timestamp:
- History
This view is a historical overview of all endpoints that have been online within the selected timeframe.
- GP Switches
This view displays a list of the devices whose Group Policy changed, with the following details: Hostname, Username (the user that triggered the change), Current GP (the currently applied GP), Selected GP (the GP selected for applying), Previous GP (the GP in place before the change), Last GP Switch, and Last Seen.
In case you have dozens, hundreds, or thousands of endpoints registered in the Device Info view, you can use the Search field to filter the results based on the following criteria: Hostname, Username, IP Address, Version, Operating System, and Current GP.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information displayed in the Standard view. If you want the complete CSV report (Verbose report), use the Download CSV functionality available in the Hardware view.
The Filters allow you to filter the results displayed in the table by Status, Machine type, Operating System (so two filters can be combined), Chassis, or Condition. The Status filter offers All Statuses, Revoked, Active (all endpoints/devices in the selected timeframe, whether they were active or inactive), and Inactive (ignores the selected timeframe and displays all the endpoints/devices that have been inactive from the beginning of time until 7, 14, 21, or 28 days ago, counted from the day of the search).
The tickbox placed on the left side of the hostname of each endpoint allows you to take action on the selected device(s)/endpoint(s).
- Revoke - revokes the HEIMDAL license key from the selected endpoint(s), making the HEIMDAL Agent downgrade to the Free version (only the 3rd Party Software module stays available). The HEIMDAL Agent stops communicating with the HEIMDAL Dashboard and stops applying any other settings specified in the Group Policy. Revoked device(s)/endpoint(s) can be unrevoked from the Revoked view by selecting them and hitting Unrevoke in the dropdown menu.
- Add to group - adds the endpoint(s) to a selected Hostname Group (available in the Hostname groups view).
- Isolate - isolates the selected device(s)/endpoint(s) by blocking their external network connections. Note: if your Firewall settings are managed through another application/vendor or Intune, the HEIMDAL Agent will not be able to perform the isolation. If you use Microsoft Intune to manage the Firewall settings, you need to disable any policy that interacts with them. An example is the one below, where the Firewall settings should be set to Not configured (Endpoint security -> Security Baselines -> Security Baseline for Windows 10 and later -> Intune Security Baseline Policy -> Properties, edit the Configuration settings, and set the Firewall settings to Not configured).
- Unblock RDP Port - unblocks the default RDP port (3389) if it has been blocked due to a Brute Force Attack detection. The Unblock RDP Port option does not appear if the RDP port is not blocked.
Applying the Unblock RDP Port option shows the following notification:
- Cancel Unblock RDP Port - cancels the Unblock RDP Port action.
- Scan non-Heimdal devices - tells the selected computer to perform a network scan for computers that are not running the HEIMDAL Agent (this option is available only if Allow network scan is enabled in the Group Policy settings, and it discovers endpoints/devices ONLY if they are registered in the Reverse Lookup Zone of the DNS Server). The scan starts in less than 2 minutes (if Realtime Communication is enabled) or immediately after pressing the Sync GP button (within the HEIMDAL Agent). The HEIMDAL Agent uses the local IP Address and the local Subnet Mask to calculate the address range of the current subnet. An nslookup is performed for each discovered IP Address to correlate the Hostname with the IP Address, a ping is used to populate the ARP cache for each IP Address, and an arp -a command is run to get the MAC address for each IP Address.
- Install 3rd Party Software - installs one or more 3rd-party applications from the list of 3rd Party Patch Management applications.
- Uninstall 3rd Party Software - uninstalls one or more applications that support uninstall through the HEIMDAL Agent.
- Apply script - allows you to run an on-demand script defined in the Scripting section.
- Next-Gen Antivirus scan - performs a Next-Gen Antivirus scan of the type chosen from the scan type list.
- Apply to Specific GP - allows you to apply a specific Group Policy to the selected device(s)/endpoint(s), or to set them to Automatic so a Group Policy is applied automatically based on GP Priority, Azure AD Group, AD Computer/User Group, ComputerTag/UserTag, or External IP Address.
- Add iPXE Server - designates the machine as an iPXE deployment server. Config iPXE Server edits, and Remove iPXE Server removes, a machine that has already been designated as an iPXE server. A device designated as an iPXE server keeps that role despite hostname changes (unless the Remove iPXE Server command is applied to it).
- Clear AAD cache and resync - sends a server command in real time to the HEIMDAL Agent to clear the AAD cache and re-sync the AAD Groups. This server command is available only if Azure AD sync is configured (Customer Settings -> Login Setup -> Azure login). You can cancel the server command while its resolution is Pending or In Progress.
- Schedule one-time reboot - allows you to schedule a one-time reboot that the HEIMDAL Agent will trigger. The reboot can be configured according to a schedule, and the HEIMDAL Agent can display a reboot pop-up to inform the user that a reboot is going to take place.
If configured, the reboot can be postponed. If no reboot pop-up is configured, the end user only gets a 5-minute warning telling them that the operating system will reboot in 5 minutes. This action is reflected in the Server commands view, where the HEIMDAL Dashboard admin can see the status of the server command. As a best practice, schedule the one-time reboot at least 3 hours from the configuration moment, to make sure the action has propagated from the HEIMDAL Dashboard to the HEIMDAL Agent.
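The network scan described under Scan non-Heimdal devices above (subnet derived from the local IP and mask, nslookup per address against the Reverse Lookup Zone, ping to fill the ARP cache, arp -a for the MAC) can be modelled offline to see why hosts without a PTR record never show up. The following Python is an added example, not Heimdal's code: the arp -a output and the reverse zone are constructed, the resolver is a dict stand-in for nslookup, and the KNOWN_AGENT_HOSTS filter is an assumption about how agent hosts are excluded, which the page does not describe.

```python
"""Offline model of the network scan behind 'Scan non-Heimdal devices'.

Added example; not Heimdal's code. It reproduces the documented steps
(subnet from local IP + mask, reverse DNS per address, MAC from `arp -a`)
against constructed input so it runs without a network.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample of Windows `arp -a` output, as it would look after the
# Agent pinged every address in the subnet to populate the ARP cache.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.10.25 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-11-22-33-44-55     dynamic
  192.168.10.40         aa-bb-cc-dd-ee-01     dynamic
  192.168.10.41         aa-bb-cc-dd-ee-02     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  10.0.0.7              de-ad-be-ef-00-01     dynamic
"""

# Constructed stand-in for the DNS Reverse Lookup Zone that nslookup consults.
# 192.168.10.41 deliberately has no PTR record: the page warns such hosts are
# never discovered, and the code below reproduces that.
REVERSE_ZONE: Dict[str, str] = {
    "192.168.10.1": "gw01.corp.example",
    "192.168.10.40": "lab-pc-40.corp.example",
}

# Hypothetical: short hostnames already reporting to the dashboard. The page
# does not say how agent hosts are told apart from non-agent ones; assumption.
KNOWN_AGENT_HOSTS: Set[str] = {"gw01"}

# One `arp -a` row: IPv4 address, dash-separated MAC, entry type (dynamic/static).
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def subnet_for(local_ip: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """Step 1: derive the scannable network from the Agent's local IP and mask."""
    return ipaddress.ip_network(f"{local_ip}/{subnet_mask}", strict=False)


def parse_arp_table(text: str) -> List[Tuple[str, str, str]]:
    """Step 3: extract (ip, mac, type) from `arp -a` output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows


def zone_resolver(zone: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Step 2 stand-in: reverse resolver backed by a dict.

    A live scanner would call socket.gethostbyaddr(ip)[0] instead and treat
    socket.herror as 'no PTR record'.
    """
    return lambda ip: zone.get(ip)


def discover_non_heimdal(
    local_ip: str,
    subnet_mask: str,
    arp_output: str,
    resolve: Callable[[str], Optional[str]],
    known_agent_hosts: Set[str],
) -> List[Dict[str, str]]:
    """Return Hostname/IP/MAC rows shaped like the Non-Heimdal devices view."""
    net = subnet_for(local_ip, subnet_mask)
    known = {h.lower() for h in known_agent_hosts}
    found = []
    for ip, mac, kind in parse_arp_table(arp_output):
        if ipaddress.ip_address(ip) not in net or kind != "dynamic":
            continue  # other subnets, broadcast and multicast entries are out of scope
        fqdn = resolve(ip)
        if not fqdn:
            continue  # no PTR record in the Reverse Lookup Zone: invisible to the scan
        if fqdn.split(".")[0].lower() in known:
            continue  # already running the HEIMDAL Agent (hypothetical check, see above)
        found.append({"hostname": fqdn, "ip": ip, "mac": mac})
    return found


if __name__ == "__main__":
    for row in discover_non_heimdal("192.168.10.25", "255.255.255.0",
                                    SAMPLE_ARP_OUTPUT, zone_resolver(REVERSE_ZONE),
                                    KNOWN_AGENT_HOSTS):
        print(row)
```

Running it lists only lab-pc-40: the gateway is filtered as a known agent host, the broadcast and multicast entries are static and ignored, 10.0.0.7 is outside the computed /24, and 192.168.10.41 answered ARP but has no PTR record. If a device you expect to see is missing from the Non-Heimdal devices view, checking the Reverse Lookup Zone for its address is the first thing to do.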
Clicking on a hostname will direct you to another page where you can see information regarding the HEIMDAL Agent status, the Device information, the Hardware information, the Operating System information, the Antivirus information, the DNS information, and the Enabled Modules.
Clicking on the number of Modules will display a list of all the modules that are enabled on the selected device(s)/endpoint(s).
Clicking on the Status exclamation icon will pop up a modal that will show you the current status of the HEIMDAL Agent and the steps required to get the device/endpoint operational.
DEVICES/USERS COMPLIANCE
This page covers device and user information with regard to the Cyber Essentials recommendations. It offers a Devices view and a Users view.
- Cyber Essentials devices view
This level of visibility helps you quickly identify potential vulnerabilities, ensure consistent protection across all devices, and maintain Cyber Essentials readiness. For an endpoint to be considered compliant, all key security controls — Next-Gen Antivirus (NGAV), Firewall, Patching, and Admin Rights — must be properly enabled.
The view displays the current state of each control (enabled/ disabled) for every device, allowing administrators to quickly identify and address non-compliant systems. From this view, you can also see which Group Policy is assigned to each endpoint, helping you verify configuration sources and manage compliance more effectively. Devices running macOS or Linux will have several areas marked as N/A (Not Applicable), as these operating systems do not support the same range of modules and integrations available for Windows-based devices. This behaviour is expected and aligns with the platform’s current compatibility scope for Cyber Essentials compliance monitoring.
The view, like the majority of the HEIMDAL Dashboard ones, provides search, filtering, sorting, and download CSV options.
- Cyber Essentials users view
The Users view provides an overview of user-level adherence to the Cyber Essentials norms. It displays the status of three key security controls: Multi-Factor Authentication (MFA), Strong Passwords, and Password Expiration, indicating whether each control is enabled (true) or not (false). Administrators can quickly identify non-compliant users and take appropriate action to strengthen account security and maintain overall Cyber Essentials readiness. The Users view highlights accounts that are not compliant, meaning they have at least one required security option disabled (the source of the information is the Threat-hunting & Action Center -> M365 Action Center -> User Compliance view).
The search, filtering, sorting, and download .csv options are similar to the ones from the Device view.
IMPORTANT
User data visualisation is subject to the M365 User Security module being licensed and to the individual settings related to Multi-Factor Authentication and Password compliance being enabled in Network Settings.
CLIENT MANAGEMENT
The Client Management section is divided between BitLocker, Scripting, and USB Management, and you can learn everything about it here.
REVENUE SHARE
The Revenue share page displays the information referring to the revenue share of the customers. On the top, you see a statistic regarding the Number of licenses attached to your account, the Projected revenue share next year, the Projected revenue share the year after, and the Revenue share.
The collected information refers to Client Name, Email Address, Renewal Date, Revenue Share, and Total Revenue.
CUSTOMER OVERVIEW
Distributors and Resellers can see an overview of each Reseller or Enterprise customer and their current licensing status directly from the Customer Overview page. The page provides a centralized, single-pane view of customer environments with their used licenses and the total number of purchased licenses (per product/service), helping partners keep licensing visible and administer customers across larger portfolios. Users can quickly search for and identify either corporate customers or Reseller accounts directly from the overview page, depending on the role and access level of the logged-in dashboard account. The page's backend data retrieval and queries are optimized for faster load times and better responsiveness when handling larger customer portfolios.
- Create Group - allows you to create a group to assign customers to, helping you organize and filter Reseller or Enterprise customers more efficiently when managing multiple accounts or customer segments.
- Create New Customer - redirects you to the Admin section of the HEIMDAL Dashboard and allows you to create a new Reseller or Enterprise customer.
- Filters - opens a toaster panel that allows filtering by Customer Groups, Client Info Type, or Billing Type.
- Search by End User - allows Distributor and Reseller accounts to quickly identify and access specific corporate customers or reseller accounts directly from the Customer Overview page.
IMPORTANT
The data in this grid is gathered by a job that runs once a week (every Sunday) and considers the last 30 days (it ignores the selected Timeframe).
PRODUCTS
DNS Security - Network
The DNS Security - Network view displays all the information collected by HEIMDAL Agent/HEIMDAL Log Agent that is running on the DNS Server(s) in your organization. The collected information refers to the DNS queries that went through your DNS Server(s). On the top, you see a statistic regarding the number of Analyzed Traffic Requests, Prevented Attacks, Prevented Attacks %, and Category Blocks.
The collected information is split into the following views: Standard, Category Blocks, Manual Blocklists, Allowlist Requests, Investigate, and CASB.
- Standard
The details displayed in the Standard view table are the following: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Approved Requests, Prevented attacks, and Risk Level. The Risk Level is calculated from the number of prevented attacks and the number of days in the selected timeframe: Low - the number of prevented attacks is lower than the number of days; Medium - the number of prevented attacks is equal to or higher than the number of days and lower than 1.66 * the number of days; High - everything above that. The data in this view updates every hour. The Standard view is a complete overview of the total analyzed requests, prevented attacks, and manually blocked domains, as well as a pre-calculated risk level for each device. All entries are identified by hostname, username, and IP address. Because the risk level depends on the timeframe selected in the HEIMDAL Dashboard, it offers a good way to visualize and measure the impact of the awareness training and security procedures in your organization, as you can track the changes in your high-risk users' behavior over time.
The Analyzed Requests represent the total DNS requests intercepted by the HEIMDAL Agent (whether blocked or allowed). The Prevented Attacks represent the DNS requests blocked by the HEIMDAL Agent, while the Manual Blocklists column shows domains blocked based on the entries in the Group Policy blocklist.
The information on blocked domains can be arranged and filtered based on the other views available from the dropdown: Threat Type, Domain/Hits (blocks), Hostname/Threats, Latest Threats, Forensics, and TTPC.
- Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. The Category Blocks view presents a consolidated overview of all hits on the preset Category Filters. This view makes it easy to manage the chosen Categories, visualize their impact, and identify users whose online behavior does not match the organization's policy.
- Manual Blocklists
This view displays a table with the following details: Hostname, Username, Type, Domain blocked, and Process name. The view shows domains blocked by the HEIMDAL Agent based on the entries set in the Group Policy blocklist.
- Allowlist Requests
The Pending approval view displays a table with the following details: Hostname, Username, Domain, Reason.
This view shows all access requests to blocked domains that are awaiting administrator action. Approving a request lets you add the domain to the allowlist in the Group Policy (for the DNS Security - Endpoint module) and/or in the Network Settings (for the DNS Security - Network module).
The History view displays a table with the following details: Hostname, Username, Domain, Reason, Status.
This view displays all processed requests, both approved and denied.
- Investigate
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into 4 subsections:
a. Global Threat Intelligence - displays the top 3 processes that accessed the domain, the DNS-E matches (the number of times, in the selected timeframe, the domain was intercepted by DNS-E), the Global DNS-E matches (the number of times, in the selected timeframe, the domain was intercepted by DNS-E across the global Heimdal Security database), the domains/URLs related to the same IP Address, the DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain was intercepted by DNS-E and DNS-N), and the Global DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain was intercepted by DNS-E and DNS-N across the global Heimdal Security database).
b. Predictive DNS Score - displays a maliciousness score (ranging from 0 to 100) computed by an AI algorithm and corroborated with the presence of the domain on the DNS Security Endpoint blocklist (blocklist match). The higher the score, the higher the probability that the domain is malicious. The Predictive DNS Score also shows a Risk Level (None, Low, Medium, High, Critical) derived from that score.
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that it was found infected at the time of the query).
d. Requester distribution - displays a map and statistics of the top public IP Addresses that queried the domain (the origin of the DNS queries to the domain in question).
- CASB
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment, with the following details: Application Name, Vendor, Installed Endpoints, and Risk Level. It acts as a cloud access security broker (CASB), giving you visibility into and control over the use of cloud apps across your organization, including inappropriate cloud app usage.
The selection column allows you to select one or multiple applications and add/remove them to/from the Application blocklist.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
DNS Security - Endpoint
The DNS Security - Endpoint view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks.
The collected information is split into the following views: Standard, Category Blocks, Manual Blocklists, Allowlist Requests, Full Logging, Investigate, and CASB.
- Standard
The details displayed in the Standard view table are the following: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, Manual Blocklists and Risk Level. The Standard view is a complete overview of the total analyzed requests, prevented attacks, and manually blocked domains as well as a pre-calculated risk level for your device. All entries are identified by hostname, username, and IP address. The calculated risk score is based on the time frame selected in the HEIMDAL Dashboard and offers a great way to visualize and measure the impact of your awareness training and security procedures that you facilitate in your organization, as you can track the changes in your high-risk users' behavior over time.
The Analyzed Requests represent the total DNS requests intercepted by the HEIMDAL Agent (whether blocked or allowed). The Prevented Attacks represent the DNS requests blocked by the HEIMDAL Agent, while the Manual Blocklists column shows domains blocked based on the entries in the Group Policy blocklist.
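The Risk Level shown in the Standard view of both DNS Security - Network and DNS Security - Endpoint follows the thresholds stated in the DNS Security - Network section above (Low below the number of days in the timeframe, Medium from that number up to but excluding 1.66 times it, High above). The following Python is an added example, not Heimdal's code: it applies those thresholds to constructed rows shaped like the Endpoint Standard view, and its assumption that the Start-Date/End-Date selection is inclusive on both ends is noted in the code.

```python
"""Risk Level classification used by the DNS Security Standard views.

Added example; not Heimdal's code. It applies the thresholds stated on the
page (Low below `days`, Medium from `days` up to but excluding 1.66 * `days`,
High above) to rows shaped like a Standard view export.
"""
from datetime import date
from typing import Dict, List

MEDIUM_CEILING = 1.66  # multiplier from the page


def timeframe_days(start: date, end: date) -> int:
    """Days covered by the dashboard's Start-Date/End-Date selection.

    Assumption: both ends are inclusive, so the default 30-day timeframe
    ending today starts 29 days ago.
    """
    days = (end - start).days + 1
    if days < 1:
        raise ValueError("End-Date must not precede Start-Date")
    return days


def risk_level(prevented_attacks: int, days: int) -> str:
    """Apply the page's thresholds; the Medium band is closed at the bottom, open at the top."""
    if prevented_attacks < days:
        return "Low"
    if prevented_attacks < MEDIUM_CEILING * days:
        return "Medium"
    return "High"


# Constructed rows with the columns of the DNS Security - Endpoint Standard view.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"hostname": "WS-FIN-01", "username": "a.hansen", "ip": "10.20.0.11",
     "analyzed": 48210, "prevented": 12, "manual_blocklists": 3},
    {"hostname": "WS-ENG-07", "username": "b.lund", "ip": "10.20.0.57",
     "analyzed": 91400, "prevented": 35, "manual_blocklists": 0},
    {"hostname": "SRV-RDP-02", "username": "svc_rdp", "ip": "10.20.1.5",
     "analyzed": 6100, "prevented": 60, "manual_blocklists": 9},
]


def classify(rows: List[Dict[str, object]], days: int) -> Dict[str, str]:
    """Map each hostname to its Risk Level for a timeframe of `days` days."""
    return {str(r["hostname"]): risk_level(int(r["prevented"]), days) for r in rows}


if __name__ == "__main__":
    # The same counts shift level when the timeframe shrinks, which is why the
    # page ties the Risk Level to the selected Timeframe.
    for days in (30, 7):
        print(days, classify(SAMPLE_ROWS, days))
```

Note the boundaries: over 30 days, 29 prevented attacks is Low, 30 is Medium, 49 is still Medium (49 < 49.8) and 50 is High. Shrinking the timeframe to 7 days turns WS-ENG-07's 35 blocks from Medium into High, so compare hosts only within the same timeframe.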
The information on blocked domains can be arranged and filtered based on the other views available from the dropdown: Threat Type, Domain/Hits (blocks), Hostname/Threats, Latest Threats, Forensics, and TTPC.
- Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. The Category Blocks view presents a consolidated overview of all hits on the preset Category Filters. This view makes it easy to manage the chosen Categories, visualize their impact, and identify users whose online behavior does not match the organization's policy.
- Manual Blocklists
This view displays a table with the following details: Hostname, Username, Type, Domain blocked, and Process name. The view shows domains blocked by the HEIMDAL Agent based on the entries set in the Group Policy blocklist.
- Allowlist Requests
The Pending approval view displays a table with the following details: Hostname, Username, Domain, Reason.
This view shows all access requests to blocked domains that are awaiting administrator action. Approving a request lets you add the domain to the allowlist in the Group Policy (for the DNS Security - Endpoint module) and/or in the Network Settings (for the DNS Security - Network module).
The History view displays a table with the following details: Hostname, Username, Domain, Reason, Status.
This view displays all processed requests, both approved and denied.
Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and Total Hits.
Investigate
This view allows you to get DNS-related statistics on any domain you enter in the search field. The view is split into 4 subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted via DNS-E), the Global DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N), the Global DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N in the Global Heimdal Security database).
b. Predictive DNS Score - displays a maliciousness score (ranging from 0 to 100) produced by an Artificial Intelligence algorithm and corroborated with the presence of the domain in question on the DNS Security Endpoint blocklist (blocklist match). The higher the score, the higher the probability that the domain is malicious. The Predictive DNS Score also shows a Risk Level (None, Low, Medium, High, Critical) derived from that score.
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that it was found infected at the time of the query).
d. Requester distribution - displays a map and statistics of the top public IP Addresses that called the domain in question (the origin of the DNS queries to that domain).
CASB
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment, with the following details: Application Name, Vendor, Installed Endpoints, and Risk Level. The view acts as a cloud access security broker (CASB): it gives you visibility into the cloud apps in use across your organization, including inappropriate cloud app usage, so that you can manage and control them.
The selection column allows you to select one or multiple applications and add/remove them to/from the Application blocklist.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
DNS Security - VectorN Detection
The DNS Security - VectorN Detection view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the patterns identified within the DarkLayer Guard domain blocks. On the top, you see a statistic regarding the number of VectorN Endpoint Detections and VectorN Network Detections.
The collected information is placed in the VectorN Endpoint and VectorN Network views.
VectorN Endpoint
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, TTPC, and Last Match. Selecting a detected pattern allows you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or hide it (the detection[s] will be dismissed for 30 days). The Resolve option can be used for a false-positive pattern that prevents elevation through the Privileged Access Management product when De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After hiding a VectorN Detection, allow up to 24 hours for the change to propagate to the computer.
VectorN Network
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, and Last Match. Selecting a detected pattern allows you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or hide it (the detection[s] will be dismissed for 30 days). The Hide option can be used for a false-positive pattern that prevents elevation through the Privileged Access Management product when De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After hiding a VectorN Detection, allow up to 24 hours for the change to propagate to the computer.
The Show Dismissed Detections will display the hidden VectorN patterns. The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. The Filters functionality allows you to filter entries by Operating System. You can use the Select GPs dropdown menu to list the entries for the selected Group Policy.
3RD PARTY SOFTWARE
The 3rd Party Software view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the 3rd-party applications that are installed or monitored by the HEIMDAL Agent and is divided between the 3rd-party applications monitored on Windows endpoints and the 3rd-party applications monitored on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard, Patches per Endpoint, Assets, and Compliance.
Standard
This view displays a table with the following details: Hostname, Username, Software, Version, CVE, CVSS, Date, and Status.
The Standard view lets you switch between the following sub-views:
- Latest Status - all statuses (up-to-date, patched, and vulnerable).
- Latest Patch - the latest installed/patched version.
- Currently Outdated - the endpoints where vulnerabilities are still being discovered; a check is made at every Group Policy sync interval.
- Historically Outdated - the endpoints that were found with vulnerabilities at some point in time.
- Up-to-date - all applications found to be up-to-date.
- Uninstalled.
You can select one or multiple entries in the Standard view and hide them from the view. Vulnerable applications (listed in Latest Status, Currently Outdated, and Historically Outdated) can be updated by selecting the Install 3rd Party Software option from the dropdown menu. The Show Hidden Apps radio button displays all the applications that were hidden by the HEIMDAL Dashboard Administrator. You can use the Select GPs dropdown menu to list the entries for the selected Group Policy.
The Latest Patch view shows all patches that have been applied, including cases where an application was patched multiple times within a short period.
Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
Assets
The Asset view displays a list of all the 3rd-party applications that are installed on all the endpoints that run the HEIMDAL Agent in your organization (no matter if the 3rd-party applications are monitored by the HEIMDAL Agent or not). The detection is made in the following Windows Registry paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall). The table includes the following information:
- Stacked view: Software, Version, GUID, Installed Endpoints, Installed Servers, CVSS, Uninstallable (3rd-party applications that can be uninstalled by the HEIMDAL Agent), and Supported (3rd-party applications that are installed and updated through the HEIMDAL Agent).
- Non-Stacked view: Software, Version, GUID, Hostname, Username, Machine Type, CVSS, Uninstallable (3rd-party applications that can be uninstalled by the HEIMDAL Agent), Supported (3rd-party applications that are installed and updated through the HEIMDAL Agent), and Installed Date.
The Hide Microsoft Products radio button hides Microsoft products from the Assets view. The Filters functionality allows you to filter entries by Monitored and Not Monitored applications. This view is filtered by the last-seen status of the client (device) rather than by the install/update time of a 3rd-party application, and the check is performed every 24 hours. The CVSS score is refreshed at an interval of 24 to 48 hours (maximum).
Selecting one or multiple 3rd-party applications allows you to:
a. Add the selected application(s) to a Group Policy or all Group Policies to be automatically installed or automatically updated (when a new version is available).
b. Uninstall the selected application(s) if uninstalling is supported by the HEIMDAL Agent (supported for 3rd-party applications installed with an MSI installer that creates an UninstallString property, or with an EXE installer that creates a QuietUninstallString property).
c. Create a software license for the selected software to be added in the Assets view (this requires the Software Asset Management product to be enabled).
Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, and Last Seen.
The Compliant / Non-Compliant filter switches between compliant and non-compliant endpoints. This view does not use the timeframe selected at the top of the HEIMDAL Dashboard; instead, it displays the endpoints filtered by a specific date or an interval, both selected from the green Filter button. When checking for compliance, you must set the desired date. A compliant endpoint has no pending updates before the selected date/interval; a non-compliant endpoint has pending updates before the selected date/interval. Filtering for compliant endpoints lists endpoints with 0 updates, which shows they are up to date. Filtering for non-compliant endpoints is possible only with a specific date, not an interval, as this view can only show the endpoints that have pending updates before the selected date.
The Compliance view applies the Cyber Essentials norms when deeming an endpoint compliant or not. The Cyber Essentials compliant view displays all endpoints that have no 3rd Party Patch missing for more than 14 days since the patch's release date (Heimdal release date) with a CVSS score of 7 or higher. The Cyber Essentials non-compliant view displays all endpoints with a missing patch that is older than 14 days and has a CVSS score of 7 or higher, as well as endpoints whose installed version is lower than the version selected in the Group Policy or whose patch has reached End of Life (EOL).
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Standard and Assets views, besides the standard Grid view, have an additional view called the Stats view, which can be toggled by switching from the Grid view.
This view contains statistical data regarding the 3rd Party patches that are separated into Pie charts and matrix data. The info displayed shows the CVSS pie chart graphs and the By release date matrices.
By clicking the data, you will be redirected to a pre-filtered view (date range and CVSS) where you can visualize only the 3rd party patches that fall under that specific selection.
Linux OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard view, Patches per Endpoint view, and Assets view.
Standard
This view displays a table with the following details: Hostname, Username, Software, Package, CVE, CVSS, Distribution, Version, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status, Latest Patch, Currently Outdated, Historically Outdated, Up-to-date, and Uninstalled. You are also allowed to select one or multiple entries in the Standard view and hide them from the view. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator. If multiple CVEs are available for the same application, the CVE with the highest CVSS score is always displayed.
Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, Last Seen, and Status.
The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
macOS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard, Patches per Endpoint, and Assets.
Standard
This view displays a table with the following details: Hostname, Username, Software, Version, Date, and Status.
The Standard view allows you to view the information regarding the Current Status, Latest Patch, Currently Outdated, Historically Outdated, Up-to-date, and Assets.
Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
Assets
This view displays a table with the following details: Software, Version, Supported, and Installed Endpoints.
This view will show all the applications that are installed on the Heimdal customers’ macOS estates. The dashboard user will be able to switch between the Stacked and Non-stacked versions of the data (similarly to the Windows OS, 3rd Party Patch Management version of the Assets view) by using a dropdown placed above the grid.
The Stacked grid displays the applications installed on all macOS machines, grouped by application name (Software) and Version. The grid shows the name of the application (Software), the installed Version, whether the application is part of the Heimdal 3rd Party Patch Management "standard list" (monitored and patched by Heimdal Patch & Assets) in the Supported column, and the number of Installed Endpoints where the application is installed.
When clicking the Installed Endpoints number, you will be redirected to a 3rd Party app details view. The corresponding grid/table will show additional details corresponding to each application. The name and the version of the application are displayed above the grid, while the table showcases the Hostname where the application was detected, the Username that was logged in at the time, and the Date when the application was detected.
The Non-stacked grid displays a raw data view containing the Software name, Version, Hostname, Username, whether the application is supported by the HEIMDAL 3rd Party Patch Management solution (the standard list of apps monitored and managed through Heimdal), and the Date when the application was detected.
Clicking the Hostname will redirect users to the dedicated Client Specifics Assets view tab (Patch & Asset Management > 3rd Party Patching Management), providing a holistic view of all macOS 3rd party applications that are currently installed on that particular machine. The machine view's 3rd Party Patch Management Assets view grid/ table will show the Software name, the installed Version, and the Date when the applications were detected.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
INFINITY MANAGEMENT
The Infinity Management view displays a list of all your 3rd-party applications that are configured for deployment inside your organization, while the Software Asset Management view displays a list of all the software licenses that are detected on the endpoints in your organization.
Windows OS
A. Infinity Management
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
Below the statistics, you see a search field that allows you to search between the configured applications, the Add New App and View Private Patching Storage buttons, and the list of 3rd-party applications.
To add a 3rd-party application to Infinity Management, you need to upload the encrypted installer to your Private Patching Storage and create the new application in the Infinity Management view.
B. Software Asset Management
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
In this view, you get information about the Application Name, Publisher, Type, Quantity, Maximum number of Endpoint Licenses, Maximum number of Server Licenses, Total Price Endpoints, Total Price Servers, Discovered Endpoints, Discovered Servers, License Key, and Expiration Date. Clicking the Application Name will redirect you to the SAM Details page, where you can edit the license information. The primary properties of a SAM item are the Application Name and the Alias. The Alias property represents a list of expressions used for automatically discovering assets by their name. Since multiple assets may be part of the same license (only having different versions), multiple assets may match the same Software Assets Management item. Since the same software can be bought from multiple publishers in multiple ways, in the editor (SAM Details page), there is a “Details” tab granting the possibility to input multiple license details concerning multiple publishers. The Create New License functionality allows you to add a new license for a specific application. The SAM view is available if Software Asset Management and Infinity Management are enabled in the Group Policy settings.
I. Preparing, encrypting, and uploading the installer
1. To encrypt an installer that is to be deployed in your organization, you need to use the HEIMDAL Encryption Tool (which can be downloaded from the Private Patching Storage). This tool allows you to encrypt .msi, .msp, .exe, and .zip files that are going to be uploaded to the Private Patching Storage. For the encryption to succeed, make sure the filename of the file(s) you are encrypting does not include special characters (like [ ] { } # =) and is not longer than 50 characters. Once encrypted, the file gets the .enc extension (e.g., setup.exe.enc).
2. After encrypting the file, you can access the Private Patching Storage, available in the Products -> Patch & Asset Management -> Infinity Management -> View Private Patching Storage section. Here you see a list of all the encrypted files (if any were added previously) and the remaining size of your storage.
3. Upload the encrypted file to your Private Patching Storage by pressing the Upload File button and by importing the file. Once uploaded, the file will be displayed in the list of uploaded files.
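The checks below are an added example written for this article, not Heimdal's Encryption Tool or dashboard code. They apply the filename rules from step 1 to a candidate installer and compute the SHA512 and MD5 digests that the patch definition later expects, reading the file in chunks so that a multi-gigabyte installer is never loaded into memory at once. Assumptions, also noted in the code: the dashboard's auto-filled checksums are taken over the encrypted .enc file (the fields are filled when that file is selected), so the digests are computed over the file you upload; the sample bytes are constructed, not a real installer.

```python
"""Pre-upload checks for an Infinity Management installer (added example).

Implements the filename rules stated in step I.1 and the SHA512/MD5 digests
expected when the patch is defined. Not Heimdal code: the constants restate
the article's rules and the sample data at the bottom is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import re
from pathlib import PurePath
from typing import BinaryIO

FORBIDDEN_CHARS = set("[]{}#=")   # "special characters (like [ ] { } # =)"
MAX_NAME_LENGTH = 50               # "doesn't extend to more than 50 characters"
SUPPORTED_EXTENSIONS = {".msi", ".msp", ".exe", ".zip"}
CHUNK_SIZE = 1 << 20               # 1 MiB reads keep memory flat for files over 1 GB


def filename_problems(filename: str) -> list[str]:
    """Return the rule violations for a file that is about to be encrypted.

    An empty list means the name is safe to feed to the Encryption Tool.
    """
    name = PurePath(filename).name          # ignore any directory part
    problems = []
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append("remove special characters: " + " ".join(bad))
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"name is {len(name)} characters, limit is {MAX_NAME_LENGTH}")
    if PurePath(name).suffix.lower() not in SUPPORTED_EXTENSIONS:
        problems.append("extension must be one of .msi .msp .exe .zip")
    return problems


def checksums(stream: BinaryIO) -> dict[str, str]:
    """SHA512 and MD5 hex digests of a stream, computed in a single pass."""
    sha512 = hashlib.sha512()
    md5 = hashlib.md5()
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        sha512.update(chunk)
        md5.update(chunk)
    return {"sha512": sha512.hexdigest(), "md5": md5.hexdigest()}


def checksums_of_bytes(data: bytes) -> dict[str, str]:
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return checksums(io.BytesIO(data))


def checksum_matches(expected_hex: str, actual_hex: str) -> bool:
    """Compare a dashboard-supplied digest with a locally computed one.

    Hex case and surrounding whitespace are normalised; the comparison itself
    is constant-time so the check cannot become a timing oracle.
    """
    def normalise(h: str) -> str:
        return re.sub(r"\s+", "", h).lower()
    return hmac.compare_digest(normalise(expected_hex), normalise(actual_hex))


if __name__ == "__main__":
    # Constructed stand-in for an encrypted installer; a real .enc file would be opened in "rb" mode.
    digests = checksums_of_bytes(b"abc")
    for candidate in ("setup.exe", "Setup [x64]={build#12}.msi", "a" * 51 + ".zip"):
        print(candidate, "->", filename_problems(candidate) or "ok")
    print("SHA512:", digests["sha512"])
    print("MD5:   ", digests["md5"])
    print("matches dashboard value:", checksum_matches(digests["sha512"].upper(), digests["sha512"]))
```

When the dashboard is slow to fill the checksum fields for a large file, run `checksums()` over the uploaded .enc file and paste the result; before saving the patch, confirm with `checksum_matches()` that the value in the dashboard is the one you computed locally, since the agent will trust whatever digest is stored there.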
II. Creating the new application
1. Once the installer of the 3rd-party application is uploaded to the Private Patching Storage, you can create the application in Infinity Management by going back to the Infinity Management view and by hitting the Add New App button.
Fill in the following fields:
- Application Name - name of the application.
- Architecture - Both, x64 or x86. This field is used by the HEIMDAL Agent to discover a 3rd-party application in the Windows Registry paths HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (usually 64-bit applications) and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (usually 32-bit applications). The applications are identified by the DisplayName and DisplayVersion properties of the application's GUID registry subkey.
- Custom Expressions (the custom expression must match the application's name exactly as it is displayed in Control Panel - Programs and Features) - This field tells the HEIMDAL Agent what the name of the application is and how to identify it once it is installed on the computer. You can specify multiple custom expressions to match an application by its name, and you can also exclude the name of an application that might have a similar name. Use the Custom Expressions Helper for more examples.
2. Once the Application is configured, you need to press the Add Patch button to configure the patch.
- Private Patches - select the encrypted file from the dropdown menu.
- Version - Specify the version number (it must be identical to the version number displayed in Control Panel - Programs and Features).
- Checksum SHA512 - The checksum SHA512 is filled in automatically when the user selects the encrypted file in the Private Patches dropdown. In case you upload a file larger than 1 GB, the automatic filling in of this field might be slowed down. If this happens, we recommend you manually add the Checksum SHA512 from the HEIMDAL Encryption tool.
- Checksum MD5 - The checksum MD5 is filled in automatically when the user selects the encrypted file in the Private Patches dropdown. In case you upload a file larger than 1 GB, the automatic filling in of this field might be slowed down. If this happens, we recommend you manually add the Checksum MD5 from the HEIMDAL Encryption tool.
- Type - Default or Archive (default is Default, while Archive is meant for .zip files).
- Install Arguments - Specify the silent installation argument (MSI installers usually use /qn while EXE installers use /S or /SILENT, but these differ from one application to another, so it is best to check with the developer of the application).
- Applies to specific version - select an older version of the application (if already configured) or tick the Applies to all upper versions checkbox.
- Before Install - allows you to perform specific operations before installing the 3rd-party application:
Uninstall Specific Version - uninstall a specific version or all previous versions (this usually works for MSI Installers).
Execute script - Infinity Management allows you to run Command-Prompt command lines before installing the application or after installing the application (in case you are required to run specific batch scripts before/after installing the application).
- After Install - allows you to perform specific operations after installing the 3rd-party application:
Skip Post-Event Script if Patch Fails: if enabled, this cancels the execution of the script below in case the application install/update fails.
Execute script - Infinity Management allows you to run Command-Prompt command lines before installing the application or after installing the application (in case you are required to run specific batch scripts before/after installing the application).
3. Select the Operating System(s) where you want the deployment of the 3rd-party application to be available and press Save Patch. Once you save a patch, you can always come back and disable it by pressing the Disable button.
4. After saving the patch, press the Save button to complete the configuration.
When a new patch version is available for a configured application, you can always come back to Infinity Management, access the 3rd-party application, and add a new patch, which will get a higher version number than the existing patch(es). In case you want to disable a patch from the list of patches, you can click on the specific patch and press the Disable button. Don't forget to press the Save button on the Application Definition window.
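The following Python model is an added example for this article, not the HEIMDAL Agent's code. It ties together the detection rules documented on this page: the four Uninstall registry paths listed in the Assets view, the architecture inference (WOW6432Node holds the 32-bit entries), identification by DisplayName and DisplayVersion, Custom Expressions that include and exclude names, the Uninstallable rule (MSI with UninstallString, EXE with QuietUninstallString), and the version comparison behind a patch's Applies to specific version setting. Assumptions, labelled in the code as well: registry entries are constructed in memory rather than read with winreg so the example runs anywhere; custom expressions are modelled as regular expressions (the dashboard's Custom Expressions Helper defines its own syntax); an MSI installation is recognised by an UninstallString that invokes msiexec; and "Applies to all upper versions" is read as "the patch applies to every installed version lower than the patch version".

```python
"""Model of the Windows 3rd-party application detection described above (added example).

Constructed data stands in for the Uninstall registry keys; the matching rules
follow the article, while the regex syntax and the MSI heuristic are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The four Uninstall keys named in the Assets section.
UNINSTALL_PATHS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


@dataclass(frozen=True)
class UninstallEntry:
    """One subkey under an Uninstall path, as the agent would read it."""
    path: str
    key_name: str                 # GUID or product key name
    display_name: str
    display_version: str
    uninstall_string: str = ""
    quiet_uninstall_string: str = ""

    @property
    def architecture(self) -> str:
        # WOW6432Node is the 32-bit registry view on 64-bit Windows.
        return "x86" if "wow6432node" in self.path.lower() else "x64"

    @property
    def uninstallable(self) -> bool:
        # Article: MSI installers that create UninstallString, or EXE installers that
        # create QuietUninstallString. Spotting MSI via "msiexec" is this example's
        # heuristic, not a documented rule.
        is_msi = "msiexec" in self.uninstall_string.lower()
        return is_msi or bool(self.quiet_uninstall_string)


@dataclass
class AppDefinition:
    """Fields of an Infinity Management application and its patch (steps II.1 and II.2)."""
    name: str
    architecture: str = "Both"                  # Both, x64 or x86
    include: list = field(default_factory=list)  # Custom Expressions that must match DisplayName (regex here)
    exclude: list = field(default_factory=list)  # Custom Expressions that must not match
    patch_version: str = ""                      # Version entered on the patch
    applies_to_version: str = ""                 # one specific older version, or "" for all lower versions


def version_key(version: str) -> tuple:
    """Numeric comparison key for dotted versions ("23.01" < "24.08", "8.6.2" < "8.10")."""
    return tuple(int(part) if part.isdigit() else 0 for part in re.split(r"[.\-]", version))


def matches(definition: AppDefinition, entry: UninstallEntry) -> bool:
    """Does this registry entry belong to the defined application?"""
    if definition.architecture != "Both" and definition.architecture != entry.architecture:
        return False
    name = entry.display_name
    if not any(re.search(p, name, re.IGNORECASE) for p in definition.include):
        return False
    return not any(re.search(p, name, re.IGNORECASE) for p in definition.exclude)


def patch_applies(definition: AppDefinition, entry: UninstallEntry) -> bool:
    """Would the configured patch be deployed to this installed version?"""
    installed = version_key(entry.display_version)
    if installed >= version_key(definition.patch_version):
        return False                    # already at or above the patch version
    if definition.applies_to_version:
        return installed == version_key(definition.applies_to_version)
    return True                         # "Applies to all upper versions" ticked


def detect(entries, definition: AppDefinition) -> list[dict]:
    """Inventory rows the dashboard would show for one application definition."""
    return [
        {
            "display_name": e.display_name,
            "version": e.display_version,
            "architecture": e.architecture,
            "uninstallable": e.uninstallable,
            "patch_applies": patch_applies(definition, e),
        }
        for e in entries if matches(definition, e)
    ]


# Constructed sample entries (not captured from a real machine).
SAMPLE_ENTRIES = [
    UninstallEntry(UNINSTALL_PATHS[0], "{23170F69-40C1-2702-2301-000001000000}",
                   "7-Zip 23.01 (x64 edition)", "23.01",
                   uninstall_string="MsiExec.exe /I{23170F69-40C1-2702-2301-000001000000}"),
    UninstallEntry(UNINSTALL_PATHS[1], "7-Zip", "7-Zip 22.01", "22.01",
                   uninstall_string=r'"C:\Program Files (x86)\7-Zip\Uninstall.exe"'),
    UninstallEntry(UNINSTALL_PATHS[2], "{8C5A0D1E-0000-4000-8000-000000000001}",
                   "7-Zip Theme Manager", "1.0.0",
                   quiet_uninstall_string=r'"C:\Users\jdoe\AppData\Local\7zTM\unins000.exe" /SILENT'),
    UninstallEntry(UNINSTALL_PATHS[0], "Notepad++", "Notepad++ (64-bit x64)", "8.6.2",
                   quiet_uninstall_string=r'"C:\Program Files\Notepad++\uninstall.exe" /S'),
]

SEVEN_ZIP = AppDefinition(name="7-Zip", architecture="Both",
                          include=[r"^7-Zip\b"], exclude=[r"Theme"],   # match "7-Zip ...", skip the look-alike
                          patch_version="24.08")

if __name__ == "__main__":
    for row in detect(SAMPLE_ENTRIES, SEVEN_ZIP):
        print(row)
```

Run against the sample data, the definition picks up both 7-Zip installations (x64 from the native hive, x86 from WOW6432Node), rejects "7-Zip Theme Manager" through the exclude expression, marks only the MSI-based install as uninstallable, and reports that the 24.08 patch applies to both. Tightening `architecture` to "x64" drops the 32-bit entry, which is the effect of the Architecture field in the dashboard.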
Linux OS
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
Below the statistics, you see a search field that allows you to search among the configured applications, the Add New App button, and the Distribution filter that allows you to filter the applications by Distribution.
1. When adding a 3rd-party application to Infinity Management, you need to fill in the following fields:
- Application Name - the name of the application.
- Publisher - the name of the Publisher of the application.
- Distribution - select a Linux distribution (Ubuntu is currently the ONLY supported distribution).
- Custom Expressions (the custom expression must match the application's name or package). This field tells the HEIMDAL Agent what the name of the application is and how to identify it once it is installed on the endpoint. You can specify multiple custom expressions to match an application by its name, and you can also exclude the name of an application that might have a similar name. Use the Custom Expressions Helper for more examples.
- Repositories - allows you to specify the locations from which the system retrieves updates and installs the applications. Multiple repositories can be added through the Add Repository button. For each repository added, select the corresponding Distribution and mark with the Is Default checkmark the default repository to be used.
Note: On the Heimdal agent side, only the repositories configured for the installed version of Ubuntu and the ones marked as default are added. For example, if an application has 3 defined repositories, one for Ubuntu 16.04, one for Ubuntu 18.04, and one for Ubuntu 20.04 that also has the Is Default checkbox ticked, and the Heimdal Linux agent is installed on Ubuntu 18.04, the repository for 18.04 is added because it matches the OS version and the one for 20.04 because it is marked Is Default.
- GPG URL - allows you to specify the URL of the public key of the repository from which the application is downloaded.
- GPG Thumbprint - allows you to specify the fingerprint that identifies the repository's public signing key, so that the key downloaded from the GPG URL can be checked against it.
- Packages - name of the packages that are used by the application.
- Before Install - allows you to run a script before installing the 3rd-party application.
- After Install - allows you to run a script after installing the 3rd-party application.
2. After configuring all the required fields, press the Save button. Once you save a patch, you can always come back and disable it by pressing the Disable button.
Since the 3rd-party applications that are deployed on Linux endpoints update themselves automatically through the repository, once the application is configured, there's no need to make any other changes to the setup (the way you would do for the 3rd-party applications that are deployed on Windows endpoints).
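The snippet below is an added example for this article, not the HEIMDAL Linux agent's code. It models the repository-selection note above (repositories matching the agent's Ubuntu release plus the one marked Is Default) over constructed repository definitions, and shows the check a practitioner wants before trusting a repository key fetched from the GPG URL: normalise the fingerprint and compare the full 40-hex-character value against the configured GPG Thumbprint in constant time, rejecting anything shorter such as a long or short key ID. The distribution strings, URLs and fingerprint values are constructed.

```python
"""Repository selection and signing-key fingerprint check (added example).

Models the Is Default note from the article; the data is constructed and the
agent's real implementation may differ.
"""
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Repository:
    url: str
    distribution: str          # the Distribution selected for the repository, e.g. "Ubuntu 18.04"
    is_default: bool = False   # the Is Default checkmark


def select_repositories(repos, agent_distribution: str) -> list[Repository]:
    """Repositories the agent adds: those for its own Ubuntu release plus the default one(s)."""
    return [r for r in repos if r.distribution == agent_distribution or r.is_default]


def normalise_fingerprint(value: str) -> str:
    """Canonical 40-hex-character OpenPGP v4 fingerprint, whatever spacing gpg or a human used.

    Raises ValueError for anything else: a long (16 hex) or short (8 hex) key ID
    is not a fingerprint and must never be accepted as one, because short IDs
    are trivially forgeable.
    """
    compact = re.sub(r"\s+", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("expected a 40 hex-character OpenPGP fingerprint, got %r" % value)
    return compact


def thumbprint_matches(configured: str, fetched: str) -> bool:
    """Compare the dashboard's GPG Thumbprint with the fingerprint of the key actually downloaded."""
    return hmac.compare_digest(normalise_fingerprint(configured), normalise_fingerprint(fetched))


# Constructed data mirroring the article's example of three repositories.
REPOS = [
    Repository("https://repo.example.test/apt/xenial", "Ubuntu 16.04"),
    Repository("https://repo.example.test/apt/bionic", "Ubuntu 18.04"),
    Repository("https://repo.example.test/apt/focal", "Ubuntu 20.04", is_default=True),
]
CONFIGURED_THUMBPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"   # constructed value

if __name__ == "__main__":
    for r in select_repositories(REPOS, "Ubuntu 18.04"):
        print("add", r.url, "(default)" if r.is_default else "")
    # In practice `fetched` is taken from the output of:
    #   gpg --show-keys --with-fingerprint downloaded-key.asc
    fetched = "0123456789abcdef0123456789abcdef01234567"
    print("key trusted:", thumbprint_matches(CONFIGURED_THUMBPRINT, fetched))
```

On an Ubuntu 18.04 agent the selection returns the 18.04 repository and the 20.04 default, exactly as the note describes; on a release with no dedicated repository only the default remains. The fingerprint check is the step that makes the GPG URL safe to use: a key served over a compromised or mis-configured URL is detected because its fingerprint will not match the thumbprint configured in the dashboard.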
OPERATING SYSTEM UPDATES
The Patch & Asset Management - Operating System Updates view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Operating System Updates that are available or installed by the HEIMDAL Agent and is divided between the Windows Updates installed on Windows endpoints and the Linux Updates installed on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the number of installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available, Updates per Endpoint, and Compliance.
Installed
This view displays a table with Windows Updates that are installed on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, CVE, CVSS, Products, and Categories.
In the Installed view, you are allowed to select one or multiple entries and hide them from the view using the Hide Updates button from the dropdown menu. You can also use the Select GP dropdown menu to list the installed Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
Pending
This view displays a table with Windows Updates that are pending installation on the endpoints in your organization, with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories. In the Pending view, you are allowed to select one or multiple entries and remove or hide them from the view using the Remove or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
Available
This view displays a table with Windows Updates that are available for installation on the endpoints in your organization, with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories. In the Available view, you are allowed to select one or multiple entries and install or hide them using the Install or Hide Updates buttons from the dropdown menu. The Install option only pushes updates to Group Policies created on the impersonated customer tenant; it cannot push updates through Reseller Master GPs. You can also exclude an update by KB number by selecting it and applying the Exclude OS Updates action. This action works only for updates that have a KB number; to exclude an update that has no KB number, add it by title from the GP settings. You can also use the Select GP dropdown menu to list the available Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
Error
This view includes a grid with the following columns: Hostname (clickable; redirects to the OS Updates -> Pending tab), Username, Error code (with a tooltip describing the error code), and Last Seen. The Reboot required view displays all the endpoints that need to be rebooted for their Windows Updates to complete.
Assets
This view displays a table with all the Windows Updates that have been installed since the OS installation, with the following details: Title, Endpoints, Servers, Client Application ID, and Description. This is a complete audit of the installed Windows Updates, regardless of whether they were installed by the HEIMDAL Agent.
Compliance
This view displays a table with the compliant and non-compliant endpoints (in terms of installed Windows Updates) with the following days: Hostname, Username, Number of Updates, Highest Severity, Operating System, Oldest patch date, Last Seen, and Status.
The Compliance view considers the Cyber Essentials norms when deeming an endpoint as being compliant or not. The Cyber Essentials compliant view will display all endpoints that do not have any available/pending OS updates with a vintage of more than 14 days, or the OS Build version is not End of Life (EOL) or End of Service. The Cyber Essentials non-compliant view will display all endpoints that have at least one available/pending OS update with a release date older than 14 days, or the OS Build version is End of Life (EOL) or End of Service.
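The 14-day rule above can be applied programmatically to an inventory. The following Python is an added example (not Heimdal's code) that builds Compliance-view rows from constructed endpoint and pending-update records; the severity ranking and the record fields are assumptions made for this example.

```python
"""Added example: classify endpoints as Cyber Essentials compliant or not.

Rule as described in the Compliance view: an endpoint is non-compliant when at
least one available/pending OS update was released more than 14 days ago, or
when the OS build is End of Life / End of Service. Everything else is compliant.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

PATCH_WINDOW_DAYS = 14  # "vintage of more than 14 days" threshold

# Ranking used to fill the Highest Severity column; the order is an assumption.
SEVERITY_RANK = {"Unspecified": 0, "Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


@dataclass
class PendingUpdate:
    kb: str               # constructed KB numbers below, not real ones
    severity: str
    release_date: date


@dataclass
class Endpoint:
    hostname: str
    username: str
    operating_system: str
    os_eol: bool          # True when the OS build is End of Life / End of Service
    last_seen: date
    pending: List[PendingUpdate] = field(default_factory=list)


def compliance_row(ep: Endpoint, today: date) -> dict:
    """Build one Compliance-view row (same columns as the dashboard grid)."""
    cutoff = today - timedelta(days=PATCH_WINDOW_DAYS)
    # strictly older than 14 days: an update released exactly 14 days ago is still fine
    overdue = [u for u in ep.pending if u.release_date < cutoff]
    highest = max((u.severity for u in ep.pending),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="None")
    oldest = min((u.release_date for u in ep.pending), default=None)

    reasons = []
    if overdue:
        reasons.append(f"{len(overdue)} update(s) released more than {PATCH_WINDOW_DAYS} days ago")
    if ep.os_eol:
        reasons.append("OS build is End of Life / End of Service")

    return {
        "Hostname": ep.hostname,
        "Username": ep.username,
        "Number of Updates": len(ep.pending),
        "Highest Severity": highest,
        "Operating System": ep.operating_system,
        "Oldest patch date": oldest.isoformat() if oldest else "",
        "Last Seen": ep.last_seen.isoformat(),
        "Status": "Non-compliant" if reasons else "Compliant",
        "Reason": "; ".join(reasons),
    }


def compliance_report(endpoints, today: date) -> dict:
    """Split the endpoints into the two views the dashboard offers."""
    rows = [compliance_row(ep, today) for ep in endpoints]
    return {
        "compliant": [r for r in rows if r["Status"] == "Compliant"],
        "non_compliant": [r for r in rows if r["Status"] == "Non-compliant"],
    }


# Constructed sample inventory (hostnames, users, KB numbers and dates are made up).
TODAY = date(2024, 6, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("WS-001", "alice", "Windows 11 23H2", False, date(2024, 5, 31)),
    Endpoint("WS-002", "bob", "Windows 10 22H2", False, date(2024, 5, 30),
             [PendingUpdate("KB0000001", "Critical", date(2024, 5, 1)),
              PendingUpdate("KB0000002", "Moderate", date(2024, 5, 28))]),
    Endpoint("WS-003", "carol", "Windows 11 23H2", False, date(2024, 6, 1),
             [PendingUpdate("KB0000003", "Important", date(2024, 5, 25))]),
    Endpoint("SRV-01", "svc-admin", "Windows Server 2012 R2", True, date(2024, 5, 29)),
    # pending update released exactly 14 days ago: still compliant
    Endpoint("WS-004", "dave", "Windows 10 22H2", False, date(2024, 5, 29),
             [PendingUpdate("KB0000004", "Low", date(2024, 5, 18))]),
]

if __name__ == "__main__":
    for status, rows in compliance_report(SAMPLE_ENDPOINTS, TODAY).items():
        print(status)
        for r in rows:
            print("  ", r["Hostname"], r["Number of Updates"], r["Highest Severity"],
                  r["Oldest patch date"], r["Reason"])
```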
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
Note: Although the release date for the OS updates is not shown in the Installed, Pending, and Available views, this piece of information is included in the Verbose CSV report if extracted from the mentioned views.
The Installed, Pending, and Available views, besides the standard Grid view, have an additional view called the Stats view, which can be toggled by switching from the Grid view.
This view contains statistical data regarding the OS Updates that are separated into Pie charts and matrix data. The info displayed shows the By severity pie chart graphs and the By release date matrices.
By clicking the data, you will be redirected to a pre-filtered view (date range and Severity) where you can visualize only the OS Updates that fall under that specific selection.
Linux OS
On the top, you see a statistic regarding the number of installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available, and Updates per Endpoint.
-
Installed
This view displays a table with Linux Updates that are installed on the endpoints in your organization with the following details: Application, Package, Version, CVE, CVSS, Endpoints, Servers, Category, and Distribution.
-
Pending
This view displays a table with Linux Updates that are pending to complete the installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
-
Available
This view displays a table with Linux Updates that are available for installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
-
Updates per Endpoint
This view displays a table with the Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint.
macOS
On the top, you see a statistic regarding the number of installed updates and the number of Available updates.
The collected information is placed in the following views: Installed and Available.
-
Installed
This view displays a table with OS Updates that are installed by Heimdal on the endpoints in your organization with the following details: Title, Size (MB), Version, and Endpoints.
You can use the Select GPs dropdown menu to list the installed OS Updates for the selected Group Policy.
-
Available
This view displays a table with OS Updates that are available for installation on the endpoints in your organization with the following details: Title, Size (MB), Version, and Endpoints.
You can use the Select GPs dropdown menu to list the available OS Updates for the selected Group Policy.
-
Assets
This view displays a table with OS Updates that are detected as installed on the endpoints in your organization, with the following details: Title, Version, and Endpoints.
The Title information and the Endpoints numbers are clickable. When clicking on the Title, the user will get redirected to a dedicated Update details page.
If the number of machines on which an update is present is clicked, the user will be redirected to the same Update Details pre-filtered page, containing info on all the machines on which that particular update is present. This includes the Hostname where the update is installed, the Username of the user who was last logged in when the update was detected, as well as the Title and Version of the update.
If the Hostname info is clicked from this view, the user will be redirected to the Client Specifics view > Patch & Asset Management > Operating System Updates > Assets view.
The macOS machine view Operating System Updates > Assets view details grid/table will show the Title of the update, the Size (MB), its Version, and the Date (timestamp) when the update was detected, for all the macOS Operating System Updates that are currently installed on the machine.
NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected/quarantined files intercepted by the HEIMDAL Agent's Next-Gen Antivirus engine. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Latest Infections, Infection Type, Hostname/Infections, Quarantine, Exclude, Scan History, and Zero-Trust Execution Protection.
-
Latest Infections
This view displays a table with the latest detected infections and the following details: Hostname, Username, File, MD5, Threat Category, Infection name, Status, Resolution, and Timestamp. This view allows you to select one or multiple infected files and add it/them to quarantine, delete it/them, or add it/them to storage.
-
Infection Type
This view displays a table with the infection type and the following details: Threat Category, Number of Matches, Most Targeted Hostname, Username, and Last match.
-
Hostname/Infections
This view displays a table with the hostname/infections and the following details: Hostname, Username, Highest Threat Category, Number of Matches, and Last match.
-
Quarantine
This view displays a table with all quarantined files and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple quarantined files and remove it/them from quarantine or add it/them to storage.
-
Exclude
This view displays a table of all exclusions and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp.
-
Scan History
This view displays a table with the computers that performed scan operations and the following details: Hostname, Username, Group Policy, Timestamp, New Infections Found, and Resolution. This view allows you to select one or multiple endpoints and select a scan type (Quick Scan, Full Scan, Active Processes Scan, Hard Drive Scan, Local Drive Scan, Removable Drive Scan, System Scan, Network Drive Scan). The selected scan will start on the first Group Policy check performed by the HEIMDAL Agent on the selected endpoint.
-
Zero-Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button will give you the option to search the file hash on VirusTotal or to copy the file path to the Clipboard. The data in this view gets updated in real-time.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
The Filters functionality allows you to filter entries by Operating System.
The files listed in the Latest Infections view, Quarantine view, and Exclude view can get one of the following Resolution statuses:
- None - no action is taken on the file.
- Deleted - the file is deleted.
- DeletePending - the file has been selected for deletion, and it will be deleted when the HEIMDAL Agent performs a GP check.
- ErrorDelete - the file has been selected for deletion, but an error occurred (the file could be in use).
- ErrorQuarantine - the file has been marked to be quarantined, but an error occurred (the file could be in use).
- FNOEXIST - the file has been marked to be deleted or quarantined, but does not exist in the path (it has been removed manually or by another application).
- Quarantined - the file has been quarantined. A file that has been quarantined will be automatically deleted after 30 days if it has not been restored.
- QuarantinePending - the file has been marked to be quarantined, and this operation will take place on the next HEIMDAL Agent GP check.
- DeleteQuarantinePending - the file has been selected for deletion, and this operation will be performed on the next HEIMDAL Agent GP check.
- Excluded - the file has been excluded.
- ExcludePending - the file has been marked to be excluded, and the operation will take place on the next HEIMDAL Agent GP check.
- ExcludeQuarantinePending - the file has been marked to be excluded, and the operation will take place on the next HEIMDAL Agent GP check.
- ErrorExcludeQuarantine - the file has been marked to be excluded, and an error occurred.
- ErrorRemoveQuarantine - the file has been marked to be removed from the Quarantine list, and an error occurred (the file could have been deleted manually).
- RemoveExclusionPending - the file has been marked to be excluded, and the operation will be performed on the next HEIMDAL Agent GP check.
- RemoveQuarantinePending - the file has been marked to be removed from the Quarantine list, and the operation will be performed on the next HEIMDAL Agent GP check.
FIREWALL & RAP
The Endpoint Detection - Firewall view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Windows Firewall rules and alerts intercepted by the HEIMDAL Agent. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Firewall Rules, Brute Force Attacks, and Remote Access Protection.
-
Firewall Rules
This view displays a table with the following details: Hostname, Username, Application, Port, Profile type, Protocol, Direction, Permission, and Timestamp.
The entries that you see in this view include all the new rules that Windows creates in the Windows Firewall (this event is logged in the Event Viewer Logs, under Microsoft -> Windows -> Windows Firewall with Advanced Security -> Firewall -> event ID 2004). When a new application has a new rule in the Windows Firewall with Advanced Security, the HEIMDAL Agent sends it to the HEIMDAL Dashboard to be displayed in the Firewall view -> Firewall Rules (if there is no other rule that is matched in the Group Policy under Firewall). The rules created in the Firewall Management settings will not be displayed in the Firewall Rules view. These custom rules will be displayed ONLY in the specific Group Policy, under the Firewall Management sub-tab where they are created.
-
Brute Force Attacks
This view displays a table with the following details: Hostname, Username, Local IP, Attempts Per Username, Attempts Per IP, Detection type, Timestamp, and Risk Level.
The checkbox allows you to select an entry and add the IP Address to the Brute Force Attack Allowlist. The entries that you see in this view include a list of all the unwanted connections that are interpreted as Brute Force Attacks. A Brute Force Attack is triggered when a user fails to enter the correct password (event 4625) at least 100 times in less than 5 minutes. The detection types are classified as BruteForceAttackPrivate (these attacks originate from an IP Address on the same network as the affected endpoint/server - 192.x.x.x, 172.x.x.x, 10.x.x.x), BruteForceAtackPublic (these attacks originate from an IP Address outside the network, i.e. a public IP Address), and FailedLocalPasswordAttempt (the password was incorrectly entered on the endpoint/server). Brute Force Attack alerts are triggered when the local user fails a number of password attempts:
- Low Risk - under 150 failed attempts;
- Medium Risk - between 150 and 200 failed attempts;
- High Risk - over 200 failed attempts.
An external user will trigger a High Risk Brute Force Attack alert when a minimum of 100 failed attempts are performed in less than 5 minutes. The failed password attempts are found in the Event Viewer Logs, under Windows Logs -> Security -> Event ID 4625. During a Brute Force Attack, the Heimdal.Firewall.exe process might show higher CPU usage, between 1% and 60% (depending on the rate of the Brute Force Attack attempts).
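The thresholds above (100 failures of event 4625 inside 5 minutes, private/public/local classification, Low/Medium/High bands) can be reproduced as detection logic over exported logon-failure records. The Python below is an added example, not Heimdal's code: the event tuples, usernames and addresses are constructed, the detection-type labels follow the page's names (with the standard spelling of "Attack"), and the 10./172./192. first-octet rule is the text's own simplification rather than a strict RFC 1918 check.

```python
"""Added example: sliding-window brute-force detection over event 4625 records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100               # failed logons that trigger a detection
WINDOW = timedelta(minutes=5)  # ... inside less than 5 minutes


def detection_type(source_ip: str) -> str:
    """Classify the origin of the failures (labels mirror the page's detection types).
    Event 4625 carries "-" as Source Network Address for purely local attempts."""
    if source_ip in ("-", "", "127.0.0.1", "::1"):
        return "FailedLocalPasswordAttempt"
    first_octet = source_ip.split(".")[0]
    if first_octet in ("10", "172", "192"):   # simplified private-range rule from the text
        return "BruteForceAttackPrivate"
    return "BruteForceAttackPublic"


def risk_level(kind: str, attempts: int) -> str:
    """Local failures: Low under 150, Medium 150-200, High over 200.
    Remote sources are High as soon as the 100-in-5-minutes threshold is crossed."""
    if kind == "FailedLocalPasswordAttempt":
        if attempts < 150:
            return "Low"
        if attempts <= 200:
            return "Medium"
        return "High"
    return "High"


def detect(events):
    """events: iterable of (timestamp, username, source_ip) from event 4625, in time order.

    Keeps a sliding window of timestamps per source and raises one alert per source
    the first time THRESHOLD failures fall inside WINDOW. Attempt counts reported on
    the alert are totals over the whole input, like the dashboard columns."""
    window = defaultdict(deque)
    total_per_ip = defaultdict(int)
    total_per_user = defaultdict(lambda: defaultdict(int))
    alerts = {}
    for ts, user, ip in events:
        total_per_ip[ip] += 1
        total_per_user[ip][user] += 1
        q = window[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:      # drop failures that are 5 minutes old or older
            q.popleft()
        if len(q) >= THRESHOLD and ip not in alerts:
            alerts[ip] = {"Detection type": detection_type(ip), "Timestamp": ts.isoformat()}
    for ip, alert in alerts.items():
        alert["Attempts Per IP"] = total_per_ip[ip]
        alert["Attempts Per Username"] = dict(total_per_user[ip])
        alert["Risk Level"] = risk_level(alert["Detection type"], total_per_ip[ip])
    return alerts


def sample_events():
    """Constructed 4625 records (documentation/private ranges only, no real hosts)."""
    start = datetime(2024, 6, 1, 10, 0, 0)
    ev = []
    # 120 failures in 4 minutes from a public address (TEST-NET-3 range): alert, High
    ev += [(start + timedelta(seconds=2 * i), "administrator", "203.0.113.7") for i in range(120)]
    # 40 failures from a private address: below the threshold, no alert
    ev += [(start + timedelta(seconds=i), "administrator", "192.168.1.20") for i in range(40)]
    # 160 local failures in 4 minutes: alert, Medium band
    ev += [(start + timedelta(seconds=1.5 * i), "jdoe", "-") for i in range(160)]
    # 150 failures spread over 25 minutes: never 100 inside any 5-minute window
    ev += [(start + timedelta(seconds=10 * i), "svc-backup", "10.0.0.5") for i in range(150)]
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for ip, alert in detect(sample_events()).items():
        print(ip, alert)
```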
RANSOMWARE ENCRYPTION PROTECTION
The Ransomware Encryption Protection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected processes intercepted by the HEIMDAL Agent engine. At the top, you see a statistic regarding the number of Detections Found.
The collected information is placed in the following views: Endpoint Detections, Hostname/Detections, and Cloud Detections.
-
Endpoint Detections
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple infected files and exclude it/them or add it/them to storage.
In the Process Name column, you can click on the hamburger menu to access VirusTotal (to get a detailed VirusTotal analysis), the Forensic details (to get the Process details), or copy the file path to the clipboard. The Statuses can be Blocked (when a process is intercepted and blocked at the REP level) or Detected (when the process is intercepted and reported in the HEIMDAL Dashboard when Reporting mode is enabled). Please be aware that we have a retention policy of 90 days in place for the REP entries. That means that all the entries from the Endpoint Detections view older than 90 days will be removed.
-
Hostname/Detections
This view displays a table with the following details: Hostname, Username, and Number of Matches.
-
Cloud Detections
This view displays a table with the following details: Email, AD Groups, Number of affected files, User's session revoked, and Timestamp. This view is populated if Ransomware Encryption Protection for Cloud is enabled.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and by pressing the Exclude and Apply buttons from the dropdown menu. This will pop up the following modal that allows you to exclude the file(s) on one or multiple Group Policies, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5:
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
The Filters functionality allows you to filter entries by Allowed or Blocked detections.
PRIVILEGED ELEVATION AND DELEGATION MANAGEMENT
The Privileges & App Control - Privilege Elevation and Delegation Management view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the elevation requests, the processes that are running during the elevations, the Zero-Trust processes that are executed in your environment, and the Primary User Management.
A. PEDM
On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Pending Approvals, History, Most Escalated Process, Most Escalating Hostname, Compliance, and Zero-Trust Execution Protection.
-
Pending Approvals
This view displays a table with the pending elevation requests and the following details: Hostname, Username, Reason given, Request Time, Type, Application, and Status. If the Status is Requested and written in red, this means the endpoint is running a 3rd-party application that has a vulnerability with a CVSS score of 7 or higher.
Clicking on the process listed under the Application column, you will get additional information regarding the elevated process: Full Path, Publisher, Version, and MD5.
When you select an elevation request, you have the option to send a message to the user by enabling the Administrator message tickbox and filling in your message.
-
History
This view displays a table with the elevated/de-elevated requests and the following details: Hostname, Username, Start Time, End Time (an info bubble with the number of extensions is displayed when an elevated session has been extended), Reason Given, Action, Executed Process(es), Handled By.
Process Details will provide all the additional information related to a process that has been executed via PEDM. You can access this view just by pressing on one of the processes listed in the Executed Process column.
-
Most Executed Processes
This view displays a table with the number of executed processes (during the elevated session) and the following details: Process Name, Number of Executions, Hostname, and Username. If you use Application Control next to Privilege Elevation and Delegation Management, and need to allow or block an executed application, you can select the elevated application from the Most Executed Processes view and add it via a rule in the Application Control module. Select the process, and from the drop-down menu, select the action you want to take.
-
Most Escalating Hostname
This view displays a table with the number of escalating hostnames and the following details: Hostname, Username, and Total Number of Elevations.
-
Compliance
This view displays a table with the compliant endpoints and the following details: Hostname, Active User, Domain Name, Local Groups, AD Groups, and Admin rights (Y/N). The Local Group field populates if the active user is found in any of the local groups or AD Groups. If it is found, it is marked as Admin (Yes).
-
Zero-Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button will give you the option to search the file hash on VirusTotal or to copy the file path to the Clipboard. The status of a detection can be: Unknown (intercepted by ZTEP and not found in our database; files that are whitelisted globally by the Heimdal Support Team propagate to the endpoints 3 days after being whitelisted) or Allowed (intercepted by ZTEP, but whitelisted in our database). The data in this view gets updated in real time.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The tables in each view have a 60-second refresh rate.
B. Primary User Management
In environments with hundreds or thousands of computers, which are often used by multiple users, IT Administrators might want to restrict the ability for users to request elevation to only a predominant user on that specific device. This can be achieved with Primary User Management. On the top, you see a statistic regarding the number of AAD Primary Users, First login primary users, Most logins primary users, and the number of Unassigned hostnames.
In the Standard view, you see a grid containing information about endpoints and their primary users listed as follows: Hostname, Primary user (set on the device), AAD Primary user (the source used to fetch the Primary user, Azure AD or first logged-in user), Most logins user (the user with the highest number of logins in the last 30 days), and Action (a dropdown that allows you to select between the users that logged-in on the device in the last 30 days).
The grid allows you to assign a Primary User by selecting it from the Action dropdown, or you can unassign a Primary User. To assign a Primary User, you just need to click on the Action dropdown and select a user that you want to be assigned as Primary User on the specific endpoint. The dropdown includes all the users who have been logging in on each machine during the last 30 days:
When one of the users is selected, a pop-up window will appear, displaying the hostname, the old primary user selection, and the new one, asking you to confirm if you want to update the assignment.
On the HEIMDAL Agent side, only the user who is configured as Primary User will get the ability to request an elevation (single-file or Administrator Session), while other logged-in users will not be able to elevate.
IMPORTANT
In case there are any WIP elevations in use on the endpoint while a new Primary User info is received, all the elevations will be terminated immediately, and the Elevate button will be grayed out. Also, the Run with Admin Privileges option from the context menu (used for file elevations) will be removed. In case Primary Users is enabled and one of the non-Primary Users wants to request a file elevation while Disable Windows Consent is enabled, the custom consent window will display the following message:
To unassign a Primary User, you just need to select a hostname in the grid and apply the Unassign primary user action. After clicking on the action, a confirmation modal window will be displayed, showing the hostname(s) and corresponding user(s) which will be unassigned as primary user(s):
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. The Filters button allows you to filter by criteria specific to each section.
APPLICATION CONTROL
The Application Control view displays a table with all the intercepted processes that are running on the computers inside your organization. Newly-intercepted processes are visible in the HEIMDAL Dashboard 24 hours after the interception made by the HEIMDAL Agent. The processes that were already intercepted will be displayed in the HEIMDAL Dashboard in real time. On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Full logging, Matching Allowed rules, Matching Blocked rules, and Matching Allowed with auto elevation.
-
Full logging
This view displays a table with all the processes (stacked number of executions) that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp. The data in this view updates in real-time for the processes that have already been intercepted, but it updates overnight when it comes to newly intercepted processes.
-
Matching Allowed rules
This view displays a table with all the allowed processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
-
Matching Blocked rules
This view displays a table with all the blocked processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
-
Matching Allowed with auto elevation
This view displays a table with all the processes that are allowed with the Auto Elevation feature by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
-
Raw data
This view displays a table with all the processes (unstacked) that are intercepted by the Application Control module with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, Deny file permissions, Elevated, and Timestamp. The data in this view updates in real-time and requires a short timeframe selection due to the 10,000-entry limitation of our database. We recommend a timeframe of hours/minutes.
You can allow or block one or multiple processes by selecting them from the Full Logging or Raw Data views. Clicking on the Number of Executions will redirect you to the process details, where you can see the Process Name, the Software Name, the Publisher, the MD5, the Hostname of the computer, the Username, the Version, the Intercepted time, the Group Policy applying to the computer, and the Status.
From any of the views, you can select one process and allow it or block it in Application Control. Once you select a process, you can choose whether to Block or Allow the process from the dropdown menu:
After hitting the Allow or the Block button, a modal that enables configuration of the rule will appear:
Global Update - creates the rule in all existing Group Policies.
Custom Policy Update - creates the rule in the selected Group Policies.
Rule Type - Path (you can specify the process' file path), Software name (you can specify the process' name as it appears in Control Panel -> Programs and Features), MD5 (you can specify the process' MD5 hash), Publisher (the Publisher information is taken from the CN value of the Subject field inside the Certificate of a signed file or the Company Name detail of an unsigned file), Signature (you can specify the process' digital signature thumbprint), Wildcard Path (you can specify a wildcard path), Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf).
Subject - add the value of the selected Rule Type. Selecting a Rule Type will automatically fill in the Subject field.
Priority - rules are processed based on priority numbers (the higher the number, the higher the priority). Leaving gaps between rules (10, 20, 30, 40, etc.) is recommended for an easy and neat rule organization, without having to edit existing rules (priority ranges between 0 and 1000).
Allow auto elevation - allows the process to run as Administrator (available only for Allow rules).
Include spawns - allows the process to spawn other child processes (available only for Allow rules).
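As an added example (not Heimdal's code), here is a Python evaluator for rules of the types listed above, showing how the priority number decides when several rules match one process and how the Allow-only options behave. The process fields, the tie-breaking rule and the way Include spawns is inherited by a child process are assumptions made for this example; the sample rules, hashes, paths and publisher are constructed.

```python
"""Added example: evaluate Application Control style rules against a process."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence


@dataclass(frozen=True)
class Process:
    path: str
    software_name: str    # name as shown in Control Panel -> Programs and Features
    md5: str
    publisher: str        # CN of the certificate Subject, or Company Name when unsigned
    signature: str        # digital signature thumbprint, "" when unsigned
    command_line: str


@dataclass(frozen=True)
class Rule:
    rule_type: str        # Path, Software name, MD5, Publisher, Signature, Wildcard Path, Command Line
    subject: str
    action: str           # "Allow" or "Block"
    priority: int         # 0..1000, higher number = higher priority
    allow_auto_elevation: bool = False   # Allow rules only
    include_spawns: bool = False         # Allow rules only

    def __post_init__(self):
        if not 0 <= self.priority <= 1000:
            raise ValueError("priority must be between 0 and 1000")
        if self.action not in ("Allow", "Block"):
            raise ValueError("action must be Allow or Block")
        if self.action == "Block" and (self.allow_auto_elevation or self.include_spawns):
            raise ValueError("auto elevation and include spawns are Allow-only options")


@dataclass(frozen=True)
class Decision:
    action: str
    rule: Optional[Rule]          # the rule that decided, None when the default applied
    auto_elevated: bool = False   # run as Administrator via Allow auto elevation
    via_parent: bool = False      # allowed only because the parent rule has Include spawns


def rule_matches(rule: Rule, proc: Process) -> bool:
    """Match one rule. Paths, names and hashes compare case-insensitively (Windows
    paths are case-insensitive); wildcard types use shell-style * and ? globbing."""
    t, s = rule.rule_type, rule.subject
    if t == "Path":
        return proc.path.lower() == s.lower()
    if t == "Software name":
        return proc.software_name.lower() == s.lower()
    if t == "MD5":
        return proc.md5.lower() == s.lower()
    if t == "Publisher":
        return proc.publisher == s
    if t == "Signature":
        return bool(proc.signature) and proc.signature.lower() == s.lower()
    if t == "Wildcard Path":
        return fnmatchcase(proc.path.lower(), s.lower())
    if t == "Command Line":
        return fnmatchcase(proc.command_line.lower(), s.lower())
    raise ValueError(f"unknown rule type {t!r}")


def evaluate(rules: Sequence[Rule], proc: Process,
             parent: Optional[Decision] = None, default: str = "Block") -> Decision:
    """Assumed semantics: the highest-priority matching rule decides (ties -> first
    defined); a process with no matching rule of its own is allowed when its parent
    was allowed by a rule with Include spawns; otherwise `default` applies."""
    matching = [r for r in rules if rule_matches(r, proc)]
    if matching:
        best = max(matching, key=lambda r: r.priority)
        return Decision(best.action, best, best.action == "Allow" and best.allow_auto_elevation)
    if parent is not None and parent.action == "Allow" and parent.rule is not None \
            and parent.rule.include_spawns:
        return Decision("Allow", parent.rule, False, True)
    return Decision(default, None)


# Constructed sample rules, spaced in steps of 10 as the text recommends.
SAMPLE_RULES = [
    Rule("Wildcard Path", r"C:\Users\*\Downloads\*.exe", "Block", 10),
    Rule("Publisher", "Contoso Ltd", "Allow", 20, include_spawns=True),
    Rule("MD5", "0123456789abcdef0123456789abcdef", "Block", 30),
    Rule("Path", r"C:\Program Files\Contoso\updater.exe", "Allow", 40, allow_auto_elevation=True),
]

# Constructed sample processes (placeholder hashes and thumbprints).
SAMPLE_PROCESSES = {
    "unsigned_download": Process(r"C:\Users\alice\Downloads\setup.exe", "Setup", "a" * 32, "", "", "setup.exe"),
    "signed_download": Process(r"C:\Users\alice\Downloads\tool.exe", "Contoso Tool", "b" * 32,
                               "Contoso Ltd", "THUMBPRINT-1", "tool.exe"),
    "blocked_hash": Process(r"C:\Users\alice\Downloads\tool.exe", "Contoso Tool",
                            "0123456789abcdef0123456789abcdef", "Contoso Ltd", "THUMBPRINT-1", "tool.exe"),
    "updater": Process(r"C:\Program Files\Contoso\updater.exe", "Contoso Updater", "c" * 32,
                       "Contoso Ltd", "THUMBPRINT-1", "updater.exe /silent"),
    "helper": Process(r"C:\Windows\Temp\helper.exe", "", "d" * 32, "", "", "helper.exe"),
}


def demo() -> dict:
    """Decide every sample process, plus the helper as a child of two different parents."""
    d = {name: evaluate(SAMPLE_RULES, p) for name, p in SAMPLE_PROCESSES.items()}
    d["helper_of_signed"] = evaluate(SAMPLE_RULES, SAMPLE_PROCESSES["helper"], parent=d["signed_download"])
    d["helper_of_unsigned"] = evaluate(SAMPLE_RULES, SAMPLE_PROCESSES["helper"], parent=d["unsigned_download"])
    return d


if __name__ == "__main__":
    for name, dec in demo().items():
        prio = dec.rule.priority if dec.rule else "-"
        print(f"{name:20} {dec.action:5} rule priority={prio} auto_elevated={dec.auto_elevated}")
```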
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
EMAIL PROTECTION - EMAIL SECURITY
The Email Security page displays 2 views: the Homepage (which showcases relevant data from the Email Security product) and the Details (for in-depth data analysis).
Homepage
The Homepage displays several stats and graphs that provide a streamlined understanding of the usage and activity of the email addresses and domains:
- Summary Report - brief info about the total number of malicious, inbound, and outbound emails over the last 90 days. These are further broken down by Status and expressed as percentages.
- User Anomalies - shows, sorted in descending order, the top 8 email addresses on which outliers have been detected (SPAM, Virus, and ATP); each entry (email address) will have 3 bars, displaying the number of emails from this category, over the last month, 2, and 3 months ago (from the current date). For more details regarding a certain email address, the dashboard user can click on the bar chart section, and a detailed linear graph is displayed below.
- Domain status - lists all the email domains, with their corresponding TAC risk score and their MX, SPF, and DMARC authentication methods’ statuses.
-
The bottom row tiles display a month-to-month comparison of Quarantined, Rejected, Spam, Virus, and ATP emails. The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval.
After clicking on a hovered point in the chart tile, you are redirected to the Details page with its timeframe interval automatically set to the hovered data point. This action also sets the Type or Status field in the Advanced filter to the Type or Status of the graph from which the selected data point was clicked: clicking on the Rejected and Quarantined tiles automatically sets the Status field of the Advanced filter, while clicking on the Spam, Virus, and ATP graph tiles automatically sets the Type field. If there is no recorded data when hovering over the chart data points and attempting to click on them, a toast notification will be shown to the dashboard user with the message "No data for the specific timeframe."
Details
The Details view displays all the information regarding the Inbound Mail Flow and the Outbound Mail Flow in your organization. The collected information refers to emails that are DELIVERED, QUARANTINED, QUEUED, UNDELIVERED, or REJECTED.
On the top, you see a statistic regarding the number of Scanned Emails, the number of Spam Emails, the number of Virus detections, and the number of detected Advanced Threats.
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines, while the Domain Status view displays the status of the MX, SPF, and DMARC Records that are set up on your domain(s).
The Advanced Filter allows you to filter your searches by Domain, To, From, Header From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, EFP Rule Category, AI Outlier and Delete Type.
The Type submenu has the following types:
- All
- Normal
- Botnet
- Spam
- Virus
- Encrypted
- ATP
- SPF Block
- DMARC
- Blocklisted
- Allowed
- Attachment Block
- Released to ATP
- Non-TLS block
- Newsletter
- EFP
The EFP Rule category submenu has the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment
The AI Outlier category has the following categories: AI outlier detected, AI outlier not detected.
The Delete Type category has the following categories:
- All – displays all emails, regardless of deletion action
- Inbox Delete – shows emails removed from user inboxes
- Permanent Delete – displays emails permanently removed from mailboxes
In the Inbound view, you can see a list of all inbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Inbound view refreshes in real-time). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe.
- Resend - this action will resend the selected email (this action works only for delivered emails).
- Report - this action will automatically mark the selected email as Spam, and an email notification will be sent to the Heimdal Security Team.
- Deny email release - this action will block the regular end users' ability to release quarantined emails from their QER report.
- Delete from Inbox – moves the email to Deleted Items; the email remains preserved in cold storage (Grant Consent must be given for this action to be visible).
- Permanently Delete from Inbox – completely removes the email from the Inbox, but preserves it in cold storage (Grant Consent must be given for this action to be visible).
- Delete from ESEC / Delete from EFP repository – deletes the email from the ESEC/EFP grid/repository. The email is not deleted from the user's mailbox (Grant Consent must be given for this action to be visible).
In the Outbound view, you can see a list of all outbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Outbound view refreshes in real-time). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe.
- Resend - this action will resend the selected email (this action works only for delivered emails).
- Report - this action will automatically mark the selected email as Spam, and an email notification will be sent to the Heimdal Security Team.
The Details button will display a pop-up with various email details (Main, Advanced, Header, Body and Audit Logs). In the Main tab, you can use the Choose a domain dropdown field to take actions for the specified domains.
- Add Sender to Blocklist - adds the sender (the one who sends the email) to the blocklist of the selected domain(s).
- Add Sender to Allowlist - adds the sender (the one who sends the email) to the allowlist of the selected domain(s).
- Add Domain to Blocklist - adds the sender's domain (the one who sends the email) to the blocklist of the selected domain(s).
- Add Domain to Allowlist - adds the sender's domain (the one who sends the email) to the allowlist of the selected domain(s).
- Add Email based on subject to Allowlist - adds the sender's email to the allowlist of the selected subject(s). Unchecking the SPF/DMARC scanning will still perform an SPF/DMARC check to increase security.
- Add Email based on subject to Blocklist - adds the sender's email to the blocklist of the selected subject(s).
Dashboard users have the option to create Allowlist/Blocklist rules either at a personal or global (domain) level.
If the dashboard user selects the “Personal” option, a new End User Console rule will be created (and also displayed in the End Users Allowlist & Blocklist table, which can be found in the Blocklist, Allowlist & Greylist section in Network Settings - Email Protection).
In the Advanced Status tab, you can use the Choose a domain dropdown field to take more actions for the specified domains.
- Add Source IP to Blocklist - adds the Source IP Address (the source IP Address of the sending server) to the blocklist of the selected domain;
- Add Destination IP to Blocklist - adds the Destination IP Address (the destination IP Address where the email is sent to) to the blocklist of the selected domain;
- Add Source IP to Allowlist - adds the Source IP Address (the source IP Address of the sending server) to the allowlist of the selected domain;
- Add Destination IP to Allowlist - adds the Destination IP Address (the destination IP Address where the email is sent to) to the allowlist of the selected domain.
In the Header tab, you see information about the Envelope-From and the Header-From.
The Body and the Attachments tabs preview the body and the files that are attached to the email, whether the email has been quarantined, delivered, undelivered, or rejected. These options are available only if the domain has enabled the Email Archiving options feature in the Additional Domain Settings tab. In the Body tab, you can also download the email in EML format. To preview the Body and the Attachments tab, the HEIMDAL Dashboard user needs appropriate Access Control (View Email Security Data and View Email Security Sensitive claims enabled).
IMPORTANT
The email's body and attachments must not exceed 25 MB. If the total size exceeds this limit, the Body tab section will be disabled and appear grayed out. Just the size of the body should not exceed 1 MB. If that happens, the Body tab will be grayed out.
The Audit Logs tab records:
- the user who initiated the delete action (visible only for Inbound emails)
- the delete type performed (Inbox Delete or Permanent Delete, visible only for Inbound emails)
- the exact timestamp of the action execution (visible only for Inbound emails)
- released by
- initial status
- initial responses from server
EMAIL FRAUD PREVENTION
The Email Protection - Email Fraud Prevention page is split between 2 views: Homepage and Details.
A. Homepage
The Homepage displays the Summary Report (the scanned emails and their resolution for the last 90 days), the User Anomalies (the number of potentially malicious emails based on Artificial Intelligence - determined outliers at the user level for the last 90 days), and the Domain Status (the domains that have EFP configured).
The Total Malicious number from the Summary Report represents the total number of emails that have type EFP and were Quarantined (status “Quarantine”). On the bottom, you see charts describing the following information:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment
Clicking the info points in the lower tiles' graphs (Targeted Spear Phishing, Targeted Fraud, Spear Phishing, Phraseology attempt or General Fraud, and Modified or Malicious attachment) redirects the dashboard user to a pre-filtered Details view containing the emails that meet the corresponding criteria. The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval.
B. Details
The Details view displays all the information collected by the Email Fraud Prevention in your organization. The collected information refers to the emails scanned by the anti-fraud engine. On the top, you see a statistic regarding the number of Scanned emails, the number of Outliers, and the number of Fraud emails.
The collected information is placed in the following views: Inbound and Domain Status, which are shared views with Email Security.
In the Inbound tab, you see a table with the following details: To, From, Header From, Timestamp, Subject, Type, Status, and Details. There is an Advanced filter button, which, when clicked, will reveal some filtering options: Domain, To, From, Header From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, EFP Rule Category, and AI Outlier. The Type submenu is automatically set to the EFP type, and it cannot be changed. The EFP Rule category submenu has the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment
You can select one or multiple emails and take the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe.
- Deny email release - this action will block the regular end users' ability to release quarantined emails from their QER report.
The outliers that our Email Fraud Prevention Neural Network can spot are comprised of one of the following 7 categories:
- Suspicious Links: counts the number of URLs identified as suspicious by our detection engine;
- Clickbait Detection: the neural network assesses whether the content is designed as clickbait or not.
- Language Analysis: identifies the language used in the email and compares it with the typical languages used within the company.
- Attachment Analysis: evaluates attachments based on their potentially malicious character.
- Text Analysis: identifies potential fraudulent words from the email's content.
- HTML Analysis: singles out HTML templates and tags the ones that deviate from the norm.
- Timing Analysis: looks at the distribution of common times when emails are sent and received by the company.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
REMOTE DESKTOP
The Remote Desktop view displays all the computers running on Windows OS that are visible in the Unified Management -> Device Info view. The collected information is placed in the following views: Standard, History, and Recordings. On the top, you see a statistic regarding the number of Attended sessions and the number of Unattended sessions.
- Standard
This view displays a table with all the endpoints in your environment and the following details: Hostname, Username, Supporter, Non Agent Connections, IP Address, Version, Last Seen, and Actions.
The Filters button allows you to filter all entries by Endpoint, by Supporter with invite permissions, or by Supporter without invite permissions.
- History
This view displays a table with the following details: From (Hostname), To (Hostname), To (Username), Session Duration, Start Time, and Session Type.
This view refreshes and populates with new information every 24 hours.
- Recordings
This view displays a table of the recordings saved to the HEIMDAL storage and the following details: Recorded on (Hostname), Filename, Timestamp, Password, and Action.
The Show Only Supporters radio button allows you to filter only the hostnames that have been assigned the Supporter role. The Invite to remote session button allows the administrator to invite another user to a private remote session by sending a session code that the user can use to download the HEIMDAL RD Client and join the remote session. The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
THREAT-HUNTING & ACTION CENTER
Threat-hunting and Action Center (TAC) collects data referring to events inside your organization by leveraging our Extended Threat Protection (XTP) Engine, the renowned MITRE ATT&CK techniques center, and the rest of the Heimdal products to provide granular telemetry into IT environments, endpoints, networks, and beyond to help teams proactively classify security risks, hunt detected anomalies, and neutralize persistent threats securely without risking the spread of attacks, disrupting end-users, or affecting organizational productivity.
ACCOUNTS
The Accounts page is the area in which you can create new enterprise/reseller accounts and assign them to a specific Enterprise/Reseller customer or edit existing ones and manage their configuration.
A. Enterprise/Corp customers
Enterprise customers can create/edit Enterprise accounts that can get the Administrator role (can view/add/edit HEIMDAL Dashboard settings) or the Visitor role (can view the HEIMDAL Dashboard information but cannot add/edit any settings).
In the Accounts tab, you can see a list of all HEIMDAL Dashboard user accounts under your Enterprise customer. At the same time, you can use the Create New Account button to create a new HEIMDAL Dashboard user account (see https://support.heimdalsecurity.com/hc/en-us/articles/360020061117-Creating-a-new-HEIMDAL-Dashboard-account).
In the Custom Role Management tab, you can create/edit/delete a custom role that can be assigned to one or multiple HEIMDAL Dashboard user accounts. A Custom Role can be assigned to users who log into the HEIMDAL Dashboard using the SAML 2.0 mechanism based on the synced Azure Active Directory group (the Azure AD Groups must be synced in the Guide -> Customer settings area first to become visible in the dropdown menu where you sync an Azure AD Group to a Custom Role).
The newly-created Custom Role can be assigned to one or more accounts by editing the user accounts settings in the Miscellaneous Settings. The Custom Role functionality is available to Reseller and Enterprise customer user accounts only. A Custom Role applying to a user account supersedes the individual Access Control settings of the user account. This means that disabling the Manage account claims on the Custom Role applying to a user will automatically supersede the user account's claims and disable the individual Manage account claims that were configured on the user account's Access Control.
Access Control claims can be configured for any HEIMDAL Dashboard user account by clicking on the user account and going to the Access Control tab.
Manage Custom Roles - Ability to view and/ or edit (create and delete) custom roles in your organization.
- View Custom Role Management area
- Full control Custom Role Management area
Manage account - Ability to view and/ or edit (create and delete) the allowed dashboard account logins.
- View account
- Create account
- Edit account
- Delete account
Account does not require 2-Factor - Ability to tick "Do not require 2-Factor" in the account section for the accounts visible to the user.
Manage API key - Ability to view and/or edit (create and delete) the API key and view its data.
- View API key
- Edit API key
Manage Endpoint Settings area - Ability to view and/ or edit the Endpoint Settings area.
- View Endpoint Settings area
- View DarkLayer Guard™ endpoint settings
- View VectorN Detection™ endpoint settings
- View 3ʳᵈ Party Patch Management endpoint settings
- View Operating System Updates endpoint settings
- View Next-Gen Antivirus endpoint settings
- View Firewall endpoint settings
- View Ransomware Encryption Protection endpoint settings
- View Privileged Access Management endpoint settings
- View Application Control endpoint settings
- View Zero Trust endpoint settings
- View Email Fraud Prevention endpoint settings
- View Remote Desktop endpoint settings
- View Extended Threat Protection Endpoint settings
- View BitLocker Endpoint settings
- View Scripting Endpoint settings
- Edit Endpoint Settings area
- Edit DarkLayer Guard™ endpoint settings
- Edit VectorN Detection™ endpoint settings
- Edit 3ʳᵈ Party Patch Management endpoint settings
- Edit Operating System Updates endpoint settings
- Edit Next-Gen Antivirus endpoint settings
- Edit Firewall endpoint settings
- Edit Ransomware Encryption Protection endpoint settings
- Edit Privileged Access Management endpoint settings
- Edit Application Control endpoint settings
- Edit Zero Trust endpoint settings
- Edit Email Fraud Prevention endpoint settings
- Edit Remote Desktop endpoint settings
- Edit Extended Threat Protection Endpoint settings
- Edit BitLocker Endpoint settings
- Edit Scripting Endpoint settings
Manage Windows Endpoint Settings area - Ability to select access rights on the Windows Endpoint Settings area.
- Full access to device settings windows
- Specific access device settings windows
Manage macOS Endpoint Settings area - Ability to select access rights on Mac OS Endpoint Settings area.
- Full access to device settings on macOS
- Specific access device settings macOS
Manage Linux Endpoint Settings area - Ability to select access rights on the Linux Endpoint Settings area.
- Full access to device settings Linux
- Specific access device settings Linux
Manage DNS Security Network Settings area - Ability to view and/ or edit the DNS Security Network data/Settings area.
- View DNS Security network data
- View DNS Security network settings
- Edit DNS Security network settings
Manage Email Protection Network Settings area - Ability to view and/ or edit the Email Security Network Settings area.
- View email security network settings
- Full control of email security network settings
Manage Email Protection data - Ability to manage Email Security settings at specific or all domain levels (view, release, blacklist, whitelist) + view data related to body and attachments.
- View email security data
- View email security sensitive
- Release email security
- Whitelist blacklist email security
- Full access email security domain
- Specific access email security domain
Manage Ransomware Encryption Protection Network Settings area - Ability to view and/ or edit the Ransomware Encryption Protection Network Settings area.
- View Encryption Network data
- View Encryption Network settings
- Edit Encryption Network settings
Manage Network OS Deployment Network Settings area - Ability to view and/ or edit the Network OS Deployment Network Settings area.
- View network os deployment settings
- Edit network os deployment settings
Manage Login Anomaly Detection Network Settings area - Ability to view and/ or edit the Login Anomaly Detection Network Settings area.
- View login anomaly detection settings
- Edit login anomaly detection settings
Manage customer data on all product/ module grids - Ability to view data and/ or perform actions on all the Heimdal products/ modules' grids (e.g., quarantined files, excluded files, Group Policy settings, Isolated machines, Approved/ Denied PAM escalation requests, etc.).
- View products data
- View DNS Security Endpoint data
- View VectorN Detection™ data
- View 3ʳᵈ Party Patch Management data
- View Infinity Management data
- View Operating System Updates data
- View Next-Gen Antivirus data
- View Firewall data
- View Ransomware Encryption Protection data
- View Privileged Access Management data
- View Application Control data
- View Zero Trust data
- View Forensics data
- View Email Fraud Prevention data
- View Remote Desktop data
- Perform actions on product data
- Perform actions on DNS Security Endpoint data
- Perform actions on VectorN Detection™ data
- Perform actions on 3ʳᵈ Party Patch Management data
- Perform actions on Infinity Management data
- Perform actions on Operating System Updates data
- Perform actions on Next-Gen Antivirus data
- Perform actions on Firewall data
- Perform actions on Ransomware Encryption Protection data
- Perform actions on Privileged Access Management data
- Perform actions on Application Control data
- Perform actions on Zero Trust data
- Perform actions on Forensics data
- Perform actions on Email Fraud Prevention data
- Perform actions on Remote Desktop data
Manage PEDM elevations for Windows endpoints
- Full access PEDM elevations Windows
- Specific access PEDM elevations Windows
Manage PEDM elevations for macOS endpoints
- Full access PEDM elevations macOS
- Specific access PEDM elevations macOS
Manage Device Info area - Ability to edit the Device Info area.
- Edit Device Info area
- View Device Info Custom columns
- Edit Device Info Custom columns
- View Hostname groups
- Edit Hostname groups
View BitLocker Recovery Keys
- View the BitLocker Recovery Keys
Generate email reports - Ability to generate Email Security reports.
- Generate email reports
Manage customer settings - Ability to manage settings in the GUIDE section of the Heimdal Dashboard, Customer Settings tab.
- Manage customer settings
View customer license - Ability to view the license key in the Guide section of the Heimdal Dashboard.
- View customer license
View uninstall password - Ability to view the Master Password for uninstalling the Heimdal Agent.
- View uninstall password
Invite to remote session - Ability to invite other users to a remote session
- Remote desktop invite to session
Remote Desktop connection - Ability to connect to any endpoint regardless of GP access rights
- Remote desktop connect full access
B. Resellers
Resellers can create/edit user accounts that can get the Administrator role (can view/add/edit HEIMDAL Dashboard settings) or the Visitor role (can view the HEIMDAL Dashboard information but cannot add/edit any settings). These accounts can be assigned to Enterprise customers only. Resellers can also create/edit user accounts with the Reseller role (can view/add/edit HEIMDAL Dashboard settings at the reseller-level and at the enterprise customer level).
In the Accounts tab, you can see a list of all HEIMDAL Dashboard user accounts under your Reseller (including the users' accounts assigned to each Enterprise customer). At the same time, you can use the Create New Account button to create a new HEIMDAL Dashboard user account (see https://support.heimdalsecurity.com/hc/en-us/articles/360020061117-Creating-a-new-HEIMDAL-Dashboard-account).
Custom Role Management is tied to each Enterprise customer, which means that if you want to add a custom role, you need to impersonate the customer that you are trying to update. In the Custom Role Management tab, you can create/edit/delete a custom role that can be assigned to one or multiple HEIMDAL Dashboard user accounts. Resellers can set up or edit Access Control settings for Enterprise accounts of any of their Enterprise customers or for the other reseller accounts.
Access Control claims can be configured for any HEIMDAL Dashboard user account by clicking on the user account and going to the Access Control tab.
C. Distributors
Distributors can create/edit Distributor accounts that can get the Distributor role (can view/create/edit Reseller customers), but they cannot perform any changes on the HEIMDAL products. Also, distributors can create/edit Reseller accounts that can be assigned to any Reseller customer under the Distributor account.
GUIDE
The Guide page is the area where you get information about the HEIMDAL license key, the API Key, the latest versions of the HEIMDAL installers, your Customer settings (restriction of the data for the HEIMDAL Security employees, SAML 2.0, Azure AD Group synchronization, Integration for ConnectWise, HaloPSA, and Autotask), and the MXDR Permissions.
ABOUT HEIMDAL
YOUR HEIMDAL ACTIVATION KEY
This section displays the HEIMDAL Activation Key, the Expiration date, and its Status.
The Generate Password button will show your Master Uninstall password (valid only throughout the day it was generated). It can be used to uninstall the HEIMDAL Agent in case you forgot the Uninstall Password that is set in the Group Policy settings.
YOUR HEIMDAL API KEY
This section displays your personal API key that is available for your HEIMDAL Dashboard user account. The API Key can be deleted and generated again. You can also see a few guides on how to use the APIs HEIMDAL provides.
DOWNLOAD AND INSTALL
This section provides you with a list of the installers and some guides on how to use some of the HEIMDAL products/services.
CUSTOMER SETTINGS
This section allows you to configure customer-related global settings.
- Login Setup - allows you to set the Azure Login (see this article: https://support.heimdalsecurity.com/hc/en-us/articles/360019971018-SAML-2-0-Login) or Okta Login (see this article: https://support.heimdalsecurity.com/hc/en-us/articles/21698669567005-Okta-Login)
- Integrations - allows you to configure the ConnectWise PSA integration (see this article: https://support.heimdalsecurity.com/hc/en-us/articles/16883467334045-HEIMDAL-and-ConnectWise-PSA), the HaloPSA integration (see this article: https://support.heimdalsecurity.com/hc/en-us/articles/20040078821661-HEIMDAL-and-HaloPSA), or the Autotask integration (see this article: https://support.heimdalsecurity.com/hc/en-us/articles/20552894807197-HEIMDAL-and-Autotask);
- Company Info - allows you to set a company logo (png or jpg, ideally with a transparent background), which will be displayed on the HEIMDAL Dashboard login page (next to the HEIMDAL logo), on the HEIMDAL Dashboard left-side menu, in the templates for Alerts and Reports (configured in the Reports section when choosing a custom logo), and in the Heimdal Agent co-branding scenario, when the agent menu is expanded. Each HEIMDAL Dashboard user (reseller or enterprise role) will always see their configured logo (in case a reseller uploads a custom logo, all HEIMDAL Dashboard users linked to that reseller that have the "Reseller Logo Distribution" feature enabled will see the reseller's logo).
- Azure AD Sync - allows you to apply HEIMDAL Group Policies based on Azure AD Group membership (see this article: https://support.heimdalsecurity.com/hc/en-us/articles/4402377573137-Synchronizing-Azure-Active-Directory-Groups-Windows);
- PEDM Primary Users - allows you to configure the Azure AD (Entra) PEDM Primary Users application that will fetch the Azure AD Group membership for the PEDM Primary Users functionality.
MXDR PERMISSIONS
This section is meant for MXDR customers to configure the permissions that the HEIMDAL MXDR Team can use to act on detections.
- Managing Dashboard Data Visibility
If you do not want Heimdal to access your Dashboard data, deselect the checkbox below.
Please note that if this option is disabled, Resellers will still be able to access the Dashboard data for the customers within their portfolio.
REPORTS
The Reports section is split into three categories: On-demand reports, Scheduled reports, and Alerts management.
A. On-demand reports
The On-Demand Reports section is dedicated to manual report generation, filtering options, and data visualization for Detailed products, C-Level reports, NIS2 reports, and Cyber Essentials reports (for both Enterprise/Corporate customer and Reseller-type user accounts).
The Standard view includes a table with the following details: Report type (C-Level, Detailed, NIS2 and Cyber Essentials), Included modules, Customer (in the case of a Reseller), Selected start/end date (this date considers the report's timezone settings), Generated start/end date (this date considers the report's timezone settings), Timestamp (the timestamp when the report has been generated), and Status (can be Queued, Queue Failure, Processing, Failed, Download).
The Filters functionality allows you to filter entries by Operating System.
The Generate on-demand report button will guide you through the setup of a new report type generation, which can be a Detailed product report, C-Level report, NIS2 report, and Cyber Essentials report.
After choosing a report type, you can select the products you want to be included in the report:
If you are generating a report at the Reseller level, you will have to specify the Enterprise customer(s) that the report is generated for. The next step is to choose the report details: timeframe, time zone, date format, language, currency, and logo (custom logo or HEIMDAL logo).
B. Scheduled reports
The Scheduled reports section is dedicated to automatic report generation, filtering options, and data visualization for Detailed products and C-Level reports (for both Enterprise/Corporate customer and Reseller-type user accounts).
The Standard view includes a table with the following details: Report type (C-Level or Detailed), Included modules, Customer (in the case of a Reseller), Timestamp (the timestamp when the report has been generated), Scheduled, Scheduled by, Recipients, and Actions (Edit or Delete).
The Filters functionality allows you to filter entries by Operating System.
The left-side selector allows the user to apply the Delete action on one or more entries listed in the table.
The Generate scheduled report button will guide you through the setup of a new report type generation, which can be a Detailed product report, C-Level report, NIS2 report, and Cyber Essentials report. After choosing a report type, you can select the products you want to be included in the report:
If you are generating a report at the Reseller level, you will have to specify the Enterprise customer(s) that the report is generated for. The next step is to choose the report details: email address (can be an internal or external address), timeframe, time zone, date format, language, currency, and logo (custom logo or HEIMDAL logo).
To see what a report looks like, you can scroll down to the bottom of this article and download one of the 2 attached samples.
C. Alerts Management
The Alerts management section is dedicated to the live alerts that are being sent for each selected product that triggers a detection. The view includes a table with the following details: Customer (in the case of a Reseller), Recipient(s) (email address of the receiving user), REP, MU, GP, NGAV, VN, Zero-Trust, PEDM, and Actions (Edit or Delete).
The Set up alerts button will guide you through setting up a new alert configuration for a specific customer (or more) that should be sent to a recipient or more.
An Enterprise customer would be presented with a modal that allows them to select the products for which alerts should be generated.
If you are a Reseller, you need to specify one or more customers first and then select the products that should be monitored.
The next step is to configure the recipient's email address, time zone, date format, language, and logo (custom or HEIMDAL).
To see what an alert looks like, check out the samples below:
IMPORTANT
Alerts are generated by a job that runs on our servers every hour. This means that once an event is detected, the alert will be sent out as an email notification when the job runs again (in a specific case, if a detection is made at 12:10 PM and the job ran at 12:05 PM, the alert will be sent at 1:05 PM, when the job runs again). Endpoint Detection reports can include detections/warnings that extend to 31 days (ignoring the configured timeframe).
TOGGLE THEME
The Toggle Theme button allows the logged-in user to switch between the light theme and the dark theme (in case the customer that the user is assigned to does NOT have the Threat-hunting & Action Center product on its license). Customers who already have the Threat-hunting & Action Center product will not see this option in the left-hand side menu.
SUPPORT
The Support button redirects you to the HEIMDAL Security Support and Knowledge Base section, where you can find support articles for all of our products and solutions to known problems. In this section, you can also get in contact with our Support Team (via the customized forms).