In this article, you will see how the HEIMDAL Dashboard works, which data is collected from your environment, and what the benefits of the HEIMDAL Unified Threat Platform are. The HEIMDAL Dashboard allows you to see which threats are intercepted in your environment, enabling you to mitigate and take action against malware. The HEIMDAL Dashboard works with a variety of Internet browsers, but it is best supported by the following: Google Chrome (recommended), Mozilla Firefox, Microsoft Edge, and Safari.
1. Home
2. Admin
3. Unified Endpoint Management
4. Customer Overview
5. Products
6. Threat-hunting & Action Center
7. Accounts
8. Guide
9. Generate Reports
10. Support
HOME
Right after you log in to the HEIMDAL Dashboard, you are presented with the HEIMDAL Dashboard Home page and the Group Policies overview that warns the HEIMDAL Dashboard user that one or more HEIMDAL products are not enabled in the Group Policy settings.
Pressing the Acknowledge button will close the Group Policy overview. This modal pops up for every user who logs in to the HEIMDAL Dashboard for the first time, and for every impersonated enterprise customer (when a user with the Reseller role is logged in). The Group Policy overview modal reappears once any other HEIMDAL Dashboard user assigned to the same customer enables/disables a HEIMDAL product in any Group Policy, enables/disables reporting mode in any Group Policy, creates a new Group Policy, or deletes an existing one.
The left-side menu allows you to navigate to any section of the HEIMDAL Dashboard. On the top, you can use the Customer impersonation field (available to Resellers only) that allows you to impersonate the Enterprise account of any of your customers. The Timeframe selection field allows you to select the Start-Date and the End-Date to display the information collected in the HEIMDAL Dashboard. The Endpoint Settings and the Network Settings allow you to configure the settings for the HEIMDAL Security products.
On the right side of the Home page, you get information about each of the products/modules that are active under the current customer account. The charts include data regarding attacks, vulnerabilities, detections, infected/quarantined files, blocked/allowed processes, 3rd Party Application vulnerabilities or OS Updates, and quarantined/rejected emails. It is important to know that the information displayed in the charts considers the selected Timeframe and, by default, the Timeframe stretches 30 days into the past. The chart order can be changed using drag and drop, and the inactive products are listed at the end of the homepage (by default). The order of the products is saved at user account level. This means that another user account pertaining to the same customer will see a different order (according to that user's settings).
Clicking the eye icon (top-right corner) will redirect you to the product page. Some products allow you to take action straight from the chart itself (e.g. Next-Gen Antivirus & MDM, Ransomware Encryption Protection, Privilege Elevation and Delegation Management, Email Security).
Hovering over the graphics in the chart will offer you information for that specific date.
On the bottom side of the Home page, you can see the contact information of HEIMDAL Security and the HEIMDAL Dashboard version:
Distributors and Resellers will see a new homepage with the license overview, a centralized overview per product of all the licenses that are under their management. This view shows the number of used licenses, as well as the available ones. Total seats represents the number of purchased* or committed* licenses for a product/module. Used is the number of user licenses in use for each product. Available is the difference between Total seats and Used. This page also allows the Partner to filter the data in the grid, offering the possibility to see All, Monthly Billing and/or Annual licensing types. In the bottom section of the new homepage, the Distributor/Reseller will find links to our Support Knowledge Base articles and the Heimdal™ YouTube channel, which holds lots of useful video training content.
ADMIN
The Admin page (available for the Reseller accounts) allows you to add new customers or edit existing ones and manage their licensing options. You can add/delete Home Batch Keys (if they are activated on your reseller account). The Customers menu displays a list of all your customers and details such as ID, Name, Type, License Type, SPLA License, Device, Purchased Licenses. In this section, you can add a new customer and you can also generate a CSV report that includes the list of all customers (the CSV report will be populated with all the customers that have activity/have active clients):
- Creating a new customer is easy and can be done by filling in the required fields:
Name - specify the name of the new customer;
Type - only Corp is available;
Total licenses - specify the number of devices;
Email - specify the email address of the customer account owner;
Details - specify any details that you consider necessary to be saved.
- The Licensing options section is where you select which products/modules are available for the customer.
- The next thing is to generate a license key. To do that, press the Add Key button and fill in the fields below:
- The Billing Info section is not mandatory, but you can fill in the requested information:
Under Home Batch Keys, you can create new Home Batch Keys, you can view the Registered Batch Keys and the Non-Registered Batch Keys and you can delete the generated licensed keys.
This view also allows you to download a list of all Home licenses included in a Batch.
UNIFIED ENDPOINT MANAGEMENT
ROI REPORT
The Return on Investment (ROI) reports are considered essential analytics tools and are useful because they review the costs saved by your organization by using the HEIMDAL Security suite. On this page, you can see charts about the DNS Security modules, Patch & Assets Management modules, Endpoint Detection modules, and Email Protection modules:
DEVICE INFO
The Device Info page displays all the information collected from the devices/endpoints that are running the HEIMDAL Agent. The collected information includes system information details and HEIMDAL Agent status. On the top, you see a statistic regarding the number of Active servers, the number of Active endpoints, and the number of Total devices.
The collected information is placed in the following views: Standard, Hardware, Non-Heimdal devices, Hostname groups, and Server commands.
- Standard
This view displays a table with the following details: Hostname, Chassis (laptop, desktop, tablet), Username, IP Address, HEIMDAL Agent version, Operating System, Edition, Current Group Policy, Selected Group Policy, Last Seen, Enabled Modules, and HEIMDAL Agent Status. The Last Seen status refreshes every 6 hours. The Last Reboot and the VDF Info (VDFs are updated every 120 minutes locally) are updated every 60 minutes. The Status column can sort hostnames and group them into 2 groups: Operational (green check mark) and Warning (orange exclamation mark). The displayed Status considers the last 24 hours only.
The Hostname displayed for Windows devices is limited to a maximum of 15 characters. Any characters beyond this limit will be truncated to the first 15 characters.
The Column Options button allows you to change the order of the existing columns (the Hostname column cannot be moved) or add/remove up to 3 custom text columns (where you can insert/edit text-type information). The custom columns can have a custom name and they can be added manually or via the Import CSV file. This layout is saved at the Enterprise customer level (all HEIMDAL Dashboard user accounts will use the same settings).
- Hardware
This view displays a table with the following details: Hostname\Username, installed CPU, CPU Usage, installed Memory, Memory Usage, installed Disk Drive, Disk Usage, Last Seen, and HEIMDAL Agent Status:
- Non-Heimdal devices
This view displays a table with all the devices that are not running the HEIMDAL Agent and comes with the following details: Hostname, IP Address, MAC Address, Details, and Scan Date.
Selecting a Non-Heimdal device allows you to Hide the device or Deploy Heimdal Agent from a server (on which the HEIMDAL Agent is installed). The server must be a domain controller and the device where the deployment is made needs to be in the same domain as the server. Applying the Deploy Heimdal Agent operation will display a toaster where the server can be selected by hostname or IP Address. To get the available options, you need to enter at least 3 characters.
- Hostname groups
This view displays a list of groups where specific endpoints/devices can be added/mapped (for specific reasons). A Hostname Group can be used to automatically assign a HEIMDAL Dashboard Group Policy to that specified group of endpoints (the Hostname Group's name needs to be specified in the Group Policy settings, under General -> AD Computer Group). The Create group button allows you to create a group and define its description.
One or multiple endpoints can be added to a Hostname Group from the Standard view, by selecting the hostname(s) and by clicking Add to group from the dropdown menu:
At the moment, only Windows devices can be assigned to Hostname Groups.
- Server commands
This view displays a list of the individual actions (3rd Party install, scan) performed on specific endpoints. This view displays a table with the following details: Hostname, Command Type, Command Description, Resolutions, and Timestamp:
In case you have dozens, hundreds, or thousands of endpoints registered in the Device Info view, you can use the Search field to filter the results based on the following criteria: Hostname, Username, IP Address, Version, Operating System, and Current GP.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information displayed in the Standard view. If you want the complete CSV report (Verbose report), use the Download CSV functionality available in the Hardware view.
The Select View dropdown menu allows you to select what type of devices/endpoints are visible in the view: All Statuses, Revoked, Active (all endpoints/devices in the selected timeframe, whether they were active or inactive), or Inactive (ignores the selected timeframe and displays all the endpoints/devices that have been inactive for at least 7, 14, 21, or 28 days, counted from the day of the search).
The Device Info filters allow you to filter the results displayed in the table by Machine type, Operating System (both of these filters can be applied at the same time), Chassis, or Status.
The tickbox placed on the left side of the hostname of each endpoint allows you to take action on the selected device(s)/endpoint(s).
- Revoke - revokes the HEIMDAL license key from the selected endpoint, making the HEIMDAL Agent downgrade to the Free version (only the 3rd Party Software module is available). The HEIMDAL Agent will stop communicating with the HEIMDAL Dashboard and it will stop applying any other settings specified in the Group Policy. The revoked device(s)/endpoint(s) can be unrevoked from the Revoked view, by selecting it and hitting Unrevoke in the dropdown menu;
- Add to group - adds the endpoint(s) to a selected Hostname Group (available in the Hostname groups view);
- Isolate - isolates the selected device(s)/endpoint(s) by blocking the external connection. Note: if your Firewall settings are managed through another application/vendor or Intune, the HEIMDAL Agent will not be able to perform the isolation operation. In case you are using Microsoft Intune to manage the Firewall settings, you need to disable any policy that interacts with it. An example would be the one below, in which the Firewall settings should be set to Not configured (Endpoint security -> Security Baselines -> Security Baseline for Windows 10 and later -> Intune Security Baseline Policy -> Properties, edit the Configuration settings, and set the Firewall settings to Not configured);
- Unblock RDP Port - unblocks the default RDP Port (3389), if it has been blocked due to a Brute Force Attack detection;
- Scan non-Heimdal devices - tells the selected computer to perform a network scan for computers that are not running the HEIMDAL Agent (this option is available if Allow network scan is enabled in the Group Policy settings and discovers endpoints/devices ONLY if they are registered in the Reverse Lookup Zone of the DNS Server). This operation initiates the scan for non-Heimdal devices in less than 2 minutes (if Realtime Communication is enabled) or immediately after pressing the Sync GP button (within the HEIMDAL Agent). The HEIMDAL Agent uses the local IP Address and the local Subnet Mask to calculate the IP range of the current Subnet. An nslookup is performed for each discovered IP Address to correlate the Hostname with the IP Address, a ping is used to populate the ARP cache for each IP Address, and an arp -a command is run to get the MAC address for each IP Address;
- Install 3rd Party Software - installs one or more 3rd Party Application(s) from the list of 3rd Party Patch Management applications;
- Uninstall 3rd Party Software - uninstalls one or multiple applications that support uninstall through the HEIMDAL Agent;
- Next-Gen Antivirus scan - performs a Next-Gen Antivirus scan of a type chosen from the scan type list;
- Apply to Specific GP - allows you to apply a specific Group Policy to the selected device(s)/endpoint(s), or to set it/them to Automatic so that a Group Policy is applied automatically based on GP Priority, Azure AD Group, AD Computer/User Group, ComputerTag/UserTag, or External IP Address;
- Add IPXE Server - designates the machine as an iPXE deployment server. You can also edit (Config iPXE Server) or delete (Remove iPXE Server) machines that have already been designated as iPXE servers. A device designated as an iPXE server continues to function as an iPXE server despite hostname changes (unless the Remove iPXE Server command is applied to the hostname).
Clicking on a hostname will direct you to another page where you are able to see information regarding the HEIMDAL Agent status, the Device information, the Hardware information, the Operating System information, the Antivirus information, the DNS information, and the Enabled Modules.
Clicking on the number of Modules will display a list of all the modules that are enabled on the selected device(s)/endpoint(s).
Clicking on the Status exclamation icon will pop up a modal that will show you the current status of the HEIMDAL Agent and the steps required to get the device/endpoint operational.
CLIENT MANAGEMENT
The Client Management section is divided between BitLocker, Scripting, USB Management, and Device Info Notifications.
BITLOCKER
BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled. BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline. In addition to the TPM, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device that contains a startup key. These security measures provide multifactor authentication and assurance that the device can't start or resume hibernation until the correct PIN or startup key is presented. On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. This implementation requires the user to either:
- use a startup key, which is a file stored on a removable drive that is used to start the device, or when resuming from hibernation;
- use a password. This option isn't secure since it's subject to brute force attacks as there isn't a password lockout logic. As such, the password option is discouraged and disabled by default.
Both options don't provide the preboot system integrity verification offered by BitLocker with a TPM.
System requirements
BitLocker has the following requirements:
- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker;
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware;
- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, and reading files on a USB drive in the preboot environment;
- The hard disk must be partitioned with at least two drives:
a. The operating system drive (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system;
b. The system drive contains files required to boot, decrypt, and load the operating system. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
- must not be encrypted;
- must differ from the operating system drive;
- must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware;
- it's recommended that it be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space;
- When you encrypt the OS Volume with the TPMandPIN method, you need to make sure that the Require additional authentication at startup policy is enabled in the Local Computer Policy (Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives), because the HEIMDAL Agent does not perform any changes in the Local Policies.
BitLocker is supported on Windows 10 1607 (and later versions) and Windows Server 2012 (and later versions), and can be enabled on the following editions: Windows Pro, Windows Pro Education/SE, Windows Enterprise, and Windows Education.
IMPORTANT
The BitLocker feature is not automatically enabled on Windows Server. However, it can be manually enabled from the Windows Features by an Administrator. After manually enabling BitLocker from the Windows Features, the Windows Server endpoint requires a reboot to make the functionality available.
Encryption can take anywhere from a few minutes to a couple of hours, depending on the amount of data to be encrypted, the speed of the computer, and whether the process is interrupted by the computer being turned off or going to sleep. The BitLocker OS Drive encryption does not start until the computer is restarted. If work must be completed, it is safe to complete and save it before restarting. If the computer is turned off or goes into hibernation, the BitLocker encryption or decryption process will resume where it stopped the next time Windows starts. This resumption also happens if the power is suddenly lost.
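The prerequisites listed above can be verified on an endpoint before BitLocker Management is switched on in a Group Policy. The script below is an added example written for this article; it is not Heimdal's code and does not use the HEIMDAL Agent. It relies only on standard Windows cmdlets (Get-Tpm, Get-Partition, Get-Volume, Get-WindowsFeature on servers) and on the registry values that the "Require additional authentication at startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and UseTPMPIN). It must be run in an elevated PowerShell session.

```powershell
# Added example (not Heimdal's code): checks the BitLocker prerequisites listed on
# this page for the local Windows machine. Run in an elevated PowerShell session.
function Test-BitLockerPrerequisites {
    $results = [ordered]@{}

    # 1. TPM presence, readiness and specification version (1.2 or later is required
    #    for the system integrity check; without a TPM a startup key is mandatory).
    $tpm = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
    $results['TpmPresent']   = [bool]$tpm.TpmPresent
    $results['TpmReady']     = [bool]$tpm.TpmReady
    $results['TpmSpec']      = $specVersion
    $results['TpmVersionOk'] = [bool]($tpm.TpmPresent -and ($specVersion -match '^\d+\.\d+$') -and ([double]$specVersion -ge 1.2))

    # 2. Firmware type decides the expected system-partition file system
    #    (FAT32 for UEFI, NTFS for legacy BIOS).
    $results['FirmwareType'] = $env:firmware_type

    # 3. Separate, unencrypted system partition (IsSystem) that is not the OS partition (IsBoot).
    $sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    $results['SystemPartitionMB']       = if ($sysPart) { [math]::Round($sysPart.Size / 1MB) } else { 0 }
    $results['SystemPartitionSeparate'] = [bool]($sysPart -and -not $sysPart.IsBoot)
    try   { $results['SystemPartitionFileSystem'] = ($sysPart | Get-Volume -ErrorAction Stop).FileSystem }
    catch { $results['SystemPartitionFileSystem'] = 'unknown' }

    # 4. The operating system volume must be NTFS.
    $osVol = Get-Volume -DriveLetter $env:SystemDrive[0]
    $results['OsVolumeFileSystem'] = $osVol.FileSystem
    $results['OsVolumeNtfs']       = ($osVol.FileSystem -eq 'NTFS')

    # 5. Edition support (Home editions are not in the supported list) and, on
    #    Windows Server, whether the BitLocker feature has been installed.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['OsCaption']        = $os.Caption
    $results['EditionSupported'] = ($os.Caption -match 'Pro|Enterprise|Education|Server')
    if ($os.ProductType -ne 1) {   # 2 = domain controller, 3 = member server
        $feature = Get-WindowsFeature -Name BitLocker -ErrorAction SilentlyContinue
        $results['ServerBitLockerFeatureInstalled'] = [bool]($feature -and $feature.Installed)
    }

    # 6. Local policy needed for the TPMandPIN protector: "Require additional
    #    authentication at startup" sets UseAdvancedStartup=1; UseTPMPIN is
    #    0 = do not allow, 1 = require, 2 = allow a startup PIN with the TPM.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $results['AdditionalAuthAtStartupEnabled'] = [bool]($fve -and $fve.UseAdvancedStartup -eq 1)
    $results['TpmPinSetting'] = if ($fve) { $fve.UseTPMPIN } else { $null }

    [pscustomobject]$results
}

Test-BitLockerPrerequisites | Format-List
```

Any row reporting False (or an `unknown`/`n/a` value) points at a requirement from the list above that the endpoint does not meet; the TPMandPIN policy row is the one most often forgotten, because the HEIMDAL Agent does not change local policies on its own.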
BitLocker Management view
The BitLocker Management view serves as a central hub for monitoring the BitLocker encryption across various devices. On the top, you see a statistic regarding the number of Active servers, the number of Active endpoints, the number of Fully Secured Devices, the number of Partially Secured Devices, the number of Unsecured Devices, and the number of Unavailable Recovery Keys Devices.
The collected information is placed in the Standard view, where you can see details referring to the Hostname, Username, Last Seen, Protection Status, Recovery Key, and Error status:
The Protection Statuses range between Fully Secured (all volumes on the devices are protected), Partially Secured (at least one volume on the device is not protected), and Unsecured (no volumes on the device are protected). The Recovery Key can be Backed up (the recovery key for all volumes is stored in our database), Partially Backed Up (the recovery keys for some volumes are missing in our database), and Unavailable (no recovery keys for any volume are stored in our database).
The Download CSV functionality allows you to generate and download a CSV report that includes all the information displayed in the Standard view. The Filters functionality allows you to filter entries by Protection Status and/or Recovery Key.
BitLocker client specifics
The client specifics provide detailed information about the client's encryption status. The general TPM information displays the TPM Status (active or inactive), the TPM Manufacturer Name, and the TPM Manufacturer Version. The table below includes information related to the Username associated with the volume, the Volume Name, the Volume Type, the Protection Status, the Encryption Status, the Encryption, the Protector, the Auto-Unlock status, the Volume size, and the Recovery Key.
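To compare what the dashboard reports with what the endpoint itself says, the following added example (written for this article, not Heimdal's code) builds the same per-volume table as the client specifics page from Get-BitLockerVolume and Get-Tpm, and applies the Protection Status definitions given in the BitLocker Management view section (Fully Secured, Partially Secured, Unsecured). Whether a recovery key has been backed up to the dashboard database cannot be seen locally, so the example only reports whether each volume has a RecoveryPassword protector, which is what would be backed up. Run it in an elevated PowerShell session.

```powershell
# Added example (not Heimdal's code): local BitLocker state in the shape of the
# client specifics table, plus the device-level Protection Status classification.
function Get-BitLockerDeviceSummary {
    $tpm = Get-Tpm
    $rows = foreach ($v in Get-BitLockerVolume) {
        $protectorTypes = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            Volume           = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $v.ProtectionStatus     # On / Off
            EncryptionStatus = $v.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            Encryption       = $v.EncryptionMethod     # XtsAes128, XtsAes256, Aes128, Aes256, None
            Protector        = ($protectorTypes -join ', ')
            AutoUnlock       = $v.AutoUnlockEnabled
            SizeGB           = [math]::Round($v.CapacityGB, 1)
            HasRecoveryKey   = ($protectorTypes -contains 'RecoveryPassword')
        }
    }

    $total          = @($rows).Count
    $protectedCount = @($rows | Where-Object { $_.ProtectionStatus -eq 'On' }).Count
    $recoveryCount  = @($rows | Where-Object { $_.HasRecoveryKey }).Count

    # Device-level classification, following the definitions on this page.
    $protection = if ($total -gt 0 -and $protectedCount -eq $total) { 'Fully Secured' }
                  elseif ($protectedCount -gt 0)                    { 'Partially Secured' }
                  else                                              { 'Unsecured' }
    $recovery   = if ($total -gt 0 -and $recoveryCount -eq $total)  { 'All volumes have a recovery password protector' }
                  elseif ($recoveryCount -gt 0)                     { 'Some volumes lack a recovery password protector' }
                  else                                              { 'No volume has a recovery password protector' }

    [pscustomobject]@{
        Hostname               = $env:COMPUTERNAME
        TpmStatus              = if ($tpm.TpmPresent -and $tpm.TpmReady) { 'active' } else { 'inactive' }
        TpmManufacturer        = $tpm.ManufacturerIdTxt
        TpmManufacturerVersion = $tpm.ManufacturerVersion
        ProtectionStatus       = $protection
        RecoveryKeys           = $recovery
        Volumes                = $rows
    }
}

$summary = Get-BitLockerDeviceSummary
$summary | Select-Object Hostname, TpmStatus, TpmManufacturer, TpmManufacturerVersion, ProtectionStatus, RecoveryKeys | Format-List
$summary.Volumes | Format-Table -AutoSize
```

A device that shows Fully Secured here but Partially Backed Up or Unavailable in the dashboard has a protector on the volume that never reached the database, which is the case worth investigating before the recovery key is actually needed.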
BitLocker settings
Enabling BitLocker Management will enable BitLocker on the endpoints applying the Group Policy.
BitLocker Management - turn ON/OFF the BitLocker product/service;
Force disk encryption - initiates the encryption process according to the following settings;
OS Volume - encrypts the System drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - allows you to select a Key Protector type (TPM and PIN or Passphrase).
Data Volumes - encrypts the data drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - comes with the Passphrase Key Protector type;
- Auto-Unlock - automatically unlocks volumes that don't host an operating system when the OS volume is unlocked. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.
SCRIPTING
The Scripting feature allows you to push Batch/PowerShell scripts to endpoints and control them through the Windows Task Scheduler, under the NT Authority\System user, which is leveraged to launch scripts at pre-defined times or after specified time intervals.
Scripting view
The Scripting page displays all the information related to the scripts that are deployed through the HEIMDAL Agent. On the top, you see a statistic regarding the number of Available Scripts, Active Scripts, and the number of Scripts with errors.
The collected information is placed in the following views: Standard and Repository.
- Standard
This view displays a table with the following details: Hostname, Username, Task Name, Trigger, Resolution, and Timestamp.
The Resolution values are Error (this means the script has run but threw an error code) and Completed (this means the script has run successfully).
The Error Log mechanism provides enhanced granularity for analyzing the outcomes of script deployments, ensuring a more efficient troubleshooting process for scripts with erroneous results. This functionality is available in the Standard view and the Client Specifics view (accessible by clicking a hostname).
Errors are logged and can be reviewed by selecting the View Details button located in the Resolution column. The corresponding icon for this action is displayed exclusively for entries with an Error resolution, enabling users to quickly identify and address problematic deployments.
The actual error message is displayed in a pop-up window, as exemplified below. The resulting Error message (from the dashboard) is composed of the Error Logs generated in the Windows Event Viewer and the error generated by the script itself. The script error info is written in a log file stored in the Scripting directory.
The Scripting Error Log files are created in the (...\Heimdal\Scripting\Logs) directory, with the filename comprised of timestamp + PID, as showcased in the picture below.
- Repository
This view displays a table with the following details: Script Name, Script Description, Timestamp, and Action. New scripts can be added by pressing the Add new script button.
For the Reseller repository to show in the Customers tab, the Reseller must add the script to a (Master GP) and enable the Reseller Master GPs Distribution option. The Customer also needs to enable the Opt-in Reseller Master GPs option.
Once both are enabled, the Customer will have access to the general scripts in the repository.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard mode corresponding to each view. The Filters functionality allows you to filter entries by Resolution.
IMPORTANT
In order to be able to see the resolution of the Scripting product in the HEIMDAL Dashboard, you need to make sure that the Task Scheduler logging is enabled in the Event Viewer logs (Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational).
Scripting settings
Enabling Scripting will enable Scripting on the endpoints applying the Group Policy.
Scripting - turn ON/OFF the Scripting functionality;
Add Task - allows you to create a new task that will deploy one of the scripts that you select from the repository.
General - here you can set a Task Name and a Task Description:
Triggers - allows you to select how a script is being triggered and when (the trigger type can be set to: On a Schedule, At Log On, At Start Up, On Idle, On Workstation Lock, On Workstation Unlock);
Once a trigger has been set, remember to turn the trigger ON.
Actions - allows you to select the script that you want to deploy (from the Repository);
Conditions - allows you to trigger an action on Idle conditions (start the task if the endpoint is idle for a specific time, stop it if the endpoint ceases to be idle, or restart if the idle state resumes) or Power conditions (start the task only if the endpoint is on AC power, stop if the endpoint switches to battery power or wake the endpoint to run the task);
Settings - allows you to configure multiple settings: bypass execution protection (for PowerShell scripts), run the task as soon as possible after a scheduled start is missed, restart the task at the interval selected in the dropdown if it fails, and, if the task is already running, apply one of the selectable rules.
Scripts are deployed by the HEIMDAL Agent and can be seen within the Task Scheduler (under Task Scheduler Library -> Heimdal folder):
IMPORTANT
Remember that the scripts that you run with the HEIMDAL Agent are running under the NT Authority\System user. If you are trying to run a script that handles user profiles, that might not work/run correctly.
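When a script shows an Error resolution, or no resolution at all, the two things to check on the endpoint are the Task Scheduler Operational log named in the IMPORTANT note above and the tasks in the Heimdal folder of the Task Scheduler Library. The script below is an added example for this article, not Heimdal's code: it uses standard cmdlets (Get-WinEvent, Get-ScheduledTask, Get-ScheduledTaskInfo) and the standard Task Scheduler event IDs; the only page-specific value is the task path \Heimdal\. Run it in an elevated PowerShell session.

```powershell
# Added example (not Heimdal's code): checks the Task Scheduler logging prerequisite
# and lists the tasks and recent results in the Heimdal folder of the Task Scheduler.
$logName = 'Microsoft-Windows-TaskScheduler/Operational'

function Test-TaskSchedulerLogging {
    # Without this log the dashboard cannot receive a Resolution for deployed scripts.
    $log = Get-WinEvent -ListLog $logName
    if (-not $log.IsEnabled) {
        Write-Warning "$logName is disabled; enable it with: wevtutil sl $logName /e:true"
    }
    return $log.IsEnabled
}

function Get-HeimdalScheduledTaskStatus {
    Get-ScheduledTask -TaskPath '\Heimdal\' -ErrorAction SilentlyContinue | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName   = $_.TaskName
            State      = $_.State
            RunAs      = $_.Principal.UserId                      # expected: SYSTEM (NT AUTHORITY\System)
            LastRun    = $info.LastRunTime
            LastResult = ('0x{0:X8}' -f $info.LastTaskResult)     # 0 = Completed; anything else shows as Error
            NextRun    = $info.NextRunTime
            Action     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

function Get-HeimdalTaskEvents {
    param([int]$MaxEvents = 50)
    # 102 = task completed, 201 = action completed (carries the return code),
    # 103 / 203 = action failed to start. Newest events first.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 102, 103, 201, 203 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Heimdal\\' } |
        Select-Object -First $MaxEvents TimeCreated, Id, Message
}

Test-TaskSchedulerLogging
Get-HeimdalScheduledTaskStatus | Format-Table -AutoSize
Get-HeimdalTaskEvents | Format-Table -AutoSize -Wrap
```

A RunAs value other than SYSTEM means the task was edited outside the HEIMDAL Agent; a non-zero LastResult together with a 201 event gives the script's own exit code, which is the same information the dashboard composes into its Error message.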
USB MANAGEMENT
USB Management allows you to control the way the USB ports work inside your company. They can be restricted or allowed, depending on your preferences.
USB Management view
The USB Management page displays all the information related to the USB devices that are plugged in after enabling the USB Management service. On the top, you see a statistic regarding the number of USB Detections.
The collected information is placed in the Standard view.
- Standard
This view displays a table with the following details: Hostname, Username, Device name, Device ID, Hardware ID, Class ID, Action, and Timestamp. Selecting an entry will allow you to add the detected USB device to the Allowlist or to hide it from this view (by taking the Suppress action) and move it to the Show suppressed devices page. Adding a device to the Allowlist can be done based on the following criteria: Hardware ID, Class ID, or Device instance path.
- Show suppressed devices
This view displays a table that includes the hidden USB devices, with the following details: Hostname, Username, Device name, Device ID, Hardware ID, Class ID, Action, and Timestamp. The devices that are disconnected and plugged in again switch back to the Standard view.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard mode corresponding to each view. The Filters functionality allows you to filter entries by Resolution.
USB Management settings
Enabling USB Management will enable the USB Management on the endpoints applying the Group Policy.
USB Management - turn ON/OFF the USB Management functionality;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required to activate/deactivate this function;
USB restrictive mode - this functionality disables ALL USB devices found on the computer, except those on the allowlist. A computer reboot is required to activate/deactivate this function. USB restrictive mode allows you to add a device to an allowlist (based on either Class or Hardware ID), thus allowing it to run;
USB Reporting mode - this functionality will monitor all the plugged-in USB devices without taking any action. All detected USB devices will be listed on the USB Management page;
USB Allowlist - allows you to allowlist a USB device based on Hardware ID, Class ID, or Device instance path. You can give a Friendly name to each entry and you can also import an Allowlist from a CSV file.
IMPORTANT
The Hardware ID differs based on the brand/model of the USB Device. The topmost one is the most specific identifier, as shown below:
The Class ID is being shared by all USB Devices of the same type and this is how it can be found:
It's not enough to allow a single Hardware ID to enable a single USB thumb drive. The IT admin has to ensure that all the USB devices preceding the target one in the device tree are allowed as well. In our case, the following devices have to be allowed so that the target USB thumb drive can be allowed too:
- Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft) -> PCI\CC_0C03
- USB Root Hub (USB 3.0) -> USB\ROOT_HUB30
- Generic USB Hub -> USB\USB20_HUB
- USB Mass Storage Device
- Generic Flash Disk USB Device
USB devices nested under each other in the PnP tree
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't prevent any external/peripheral device from being installed on the machine. Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing his/her machine through HID devices.
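The chain of devices that sits above a thumb drive differs from machine to machine, so it is safer to read it from the PnP tree than to copy the list above. The following added example (written for this article, not Heimdal's code) walks the parent chain of every present USB mass-storage disk with the standard Get-PnpDevice and Get-PnpDeviceProperty cmdlets and prints, top-down, the first (most specific) Hardware ID, the Class ID (device setup class GUID) and the device instance path of each ancestor, which is exactly the set of entries that USB restrictive mode needs on the allowlist. The example prints a table; the CSV import format of the USB Allowlist is not described on this page and is not assumed here.

```powershell
# Added example (not Heimdal's code): enumerates the PnP ancestors of each USB
# mass-storage disk so that every device in the chain can be allowlisted.
function Get-PnpAncestorChain {
    param([Parameter(Mandatory)][string]$InstanceId)
    $chain = New-Object System.Collections.Generic.List[object]
    $id = $InstanceId
    # 'HTREE\ROOT\0' is the root of the device tree; stop there.
    while ($id -and $id -ne 'HTREE\ROOT\0') {
        $dev = Get-PnpDevice -InstanceId $id -ErrorAction Stop
        $chain.Add([pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            ClassId      = $dev.ClassGuid                          # "Class ID" on this page
            HardwareId   = if ($dev.HardwareID) { $dev.HardwareID[0] } else { '(none)' }  # first entry = most specific
            InstancePath = $dev.InstanceId                         # "Device instance path" on this page
        })
        $parent = Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue
        $id = $parent.Data
    }
    # Return host controller first and the target device last, like the list above.
    $chain.Reverse()
    return $chain
}

# Present disks enumerated through the USB mass-storage stack (USBSTOR bus).
$usbDisks = Get-PnpDevice -Class DiskDrive -PresentOnly | Where-Object InstanceId -like 'USBSTOR\*'
if (-not $usbDisks) { Write-Host 'No USB mass-storage disk is currently connected.' }
foreach ($disk in $usbDisks) {
    Write-Host "Allowlist chain for: $($disk.FriendlyName)"
    Get-PnpAncestorChain -InstanceId $disk.InstanceId | Format-Table FriendlyName, HardwareId, ClassId, InstancePath -AutoSize -Wrap
}
```

Running the same function with the instance path of a keyboard or mouse (for example one picked from `Get-PnpDevice -Class HIDClass -PresentOnly`) lists the controllers and hubs those HID devices depend on, which is the check the paragraph above recommends for desktop machines before restrictive mode is enabled.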
DEVICE INFO NOTIFICATIONS
Windows OS
Device Info Notifications streamlines notification preferences. This feature includes 22 types of notifications, some of which are enabled by default for newly created Group Policies, organized into 5 sections. Notifications associated with specific products, such as Next-Gen AV, Firewall, or OS Updates, will be disabled if those products are not activated for the user.
Note: The device info notification settings only apply to new and updated agents, i.e. agents running version 4.5.0 or newer, after they receive the latest GP.
DNS Security
Uptime Faulted - The notification is triggered when DNS Security was disabled by the uptime checker;
DNS Poisoning - The notification is triggered when the machine is at risk of DNS poisoning.
Patch & Assets
Windows Updates Restart Required - The notification is triggered when the machine requires a restart in order to complete the OS updates installation;
Windows Update Shutdown Detected - The notification is triggered when a shutdown or reboot (required to complete a Windows update) was detected;
Windows Updates Available Updates Collection Empty - The notification is triggered when no Microsoft Updates have been retrieved for more than 20 days;
Windows Updates Available Updates Error - The notification is triggered when OS updates fail to install.
Endpoint Detection
Antivirus Incompatibilities - The notification is triggered when a different antivirus is installed on the machine;
Antivirus Restart Required - The notification is triggered when a machine restart is required for NGAV to properly function;
Antivirus Status - The notification is triggered to report a faulty or missing AV;
Antivirus Update Error - The notification is triggered to report NGAV engine update issues;
Antivirus Realtime Error - The notification reports AV Realtime detection issues;
Firewall Status - The notification reports a missing or faulty firewall;
Firewall Incompatibilities - The notification reports incompatibilities between GPO (Windows) Firewall set-up and Heimdal Firewall (GP) settings;
Firewall Audit Breach Events Not Set - The notification is triggered when BFA subcategory audit events, generated by user account logon attempts on a computer, cannot be intercepted.
Device Stats
Processor Utilization Above Limit - The notification is triggered when the processor utilization exceeds the threshold set in the GP;
Memory Utilization Above Limit - The notification is triggered when the memory utilization exceeds the threshold set in the GP;
Disk Utilization Above Limit - The notification is triggered when the disk utilization exceeds the threshold set in the GP.
General
DLL hijacking - The notification is triggered when DLL hijacking is detected and stopped;
Self Update - The notification is triggered when a self-update was started or completed;
Uninstall - The notification is triggered when the Heimdal Agent is uninstalled from the machine (the notification is persistent and remains until the agent is reinstalled and the license key is activated);
Agent Deployment - The notification is triggered when the machine has deployed the Heimdal agent to a different device;
Digital signature missing - The notification is triggered when the digital signature for one of the Heimdal services is missing.
Linux OS
There are 3 types of notifications (Restart required being default enabled).
Restart Required - The notification is triggered when the machine requires a restart in order to complete the OS updates installation;
Processor Utilization Above Limit - The notification is triggered when the processor utilization exceeds the threshold set in the GP;
Memory Utilization Above Limit - The notification is triggered when the memory utilization exceeds the threshold set in the GP.
Note: The device info notifications settings will only apply to new and updated agents. The settings will only apply to agents with newer versions after they get the latest GP.
The Device Info CSV exports (for the Standard and Hardware tabs) display:
- The notification text, if there are active notifications, and the module and the notification type are enabled in the GP;
- “NO,” if the module and the notification type are enabled in the GP, but there are no active notifications;
- If the product is not enabled or if that/those specific notification(s) is/are disabled.
When it comes to Device Info CSV exports, the order of the columns has been adjusted:
- Standard Export – new notification columns have been added;
- Hardware (Verbose) Export – all notifications columns are displayed at the end of the file, before the DNS information (as opposed to the previous way, where they were divided into 2 groups); new notification columns have been added.
REVENUE SHARE
The Revenue share page displays the information referring to the revenue share of the customers. On the top, you see a statistic regarding the Number of licenses attached to your account, the Projected revenue share next year, the Projected revenue share year after, and the Revenue share.
The collected information refers to Client Name, Email Address, Renewal Date, Revenue Share, and Total Revenue.
CUSTOMER OVERVIEW
Distributors and Resellers can visualize an overview of each Reseller/Enterprise customer, regarding their licensing option situation.
Create Group - allows you to create a group and assign customers to it, so that you can keep track of Reseller/Enterprise customers and filter them when multiple reseller accounts manage specific groups of customers.
Create New Customer - redirects you to the Admin section of the HEIMDAL Dashboard and allows you to create a new Reseller or Enterprise customer.
The Filters button opens a toaster that allows you to filter by Customer Groups, Client info type, or Billing type.
PRODUCTS
DNS Security - NETWORK
The DNS Security - Network view displays all the information collected by HEIMDAL Agent/HEIMDAL Log Agent that is running on the DNS Server(s) in your organization. The collected information refers to the DNS queries that went through your DNS Server(s). On the top, you see a statistic regarding the number of Analyzed Traffic Requests, Prevented Attacks, Prevented Attacks %, and Category Blocks.
The collected information is placed in the following views: Standard, Threat Type, Latest Threats, Category Blocks, Most Used Domains, Investigate, and App Discovery.
- Standard
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Approved Requests, Prevented attacks, and Risk Level (which is calculated according to the following formulas: Low-risk level - the number of prevented attacks is lower than the number of days; Medium-risk level - the number of prevented attacks is equal to or higher than the number of days and lower than 1.66 * the number of days; High-risk level - everything above these two levels). The data in this view updates every hour.
- Threat Type
This view displays a table with the following details: Threat Type and number of Hits. The data in this view updates every hour.
- Latest Threats
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), Client IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Domain, Threat Type, Date and Time. The data can be filtered using the Latest Threats and Forensics filters.
The Forensics filter displays the following details: IP Address, Protocol, URL, Date.
The "DNS Query Blocked" and "All" filter options will display data for the last 24 hours only.
To view data from a different timeframe, you can do it by clicking on the dedicated toaster message with a "click here" option. This will lead you to a dedicated download page where you can obtain hourly .csv files with the corresponding data based on your preferred timeframe.
The tool tip next to the Latest Threats .csv download page contains a “click here” URL which, if pressed, will download a guide containing instructions on how to interpret the .csv file data.
The data in this view is updated in real-time.
- Category Blocks
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Domain, Date.
Please note that hostnames that are listed in Standard View and Latest Threats View with the N/A tag instead of their name are not listed in the Forward Lookup Zones. In order to fix this, you will need to add those hostnames in the Forward Lookup Zones.
- Most Used Domains
This view displays a table with the following details: Domain and the Total Hits. The data in this view updates every hour.
- Investigate
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into 3 subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted via DNS-E), the Global DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N), the Global DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of the domain (in question) on the DNS Security Endpoint blacklist (blacklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question).
- App Discovery
App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage. This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Installed Endpoints, and Risk Level. The data in this view updates in real-time.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
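The Risk Level thresholds stated for the Standard view of DNS Security - Network (Low below the number of days, Medium from the number of days up to 1.66 times it, High above that) are easy to get wrong at the boundaries, so here they are worked through in Python. This is an added example, not Heimdal's implementation; the hostnames and hit counts are constructed, and the example assumes the day count is inclusive of both the Start-Date and the End-Date of the selected timeframe.

```python
"""Risk Level for the DNS Security - Network Standard view (added example)."""
from datetime import date
from typing import Dict


def timeframe_days(start_iso: str, end_iso: str) -> int:
    """Days covered by the dashboard timeframe.
    Assumption: Start-Date and End-Date are both inclusive, so
    2024-03-01..2024-03-07 counts as 7 days."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    if end < start:
        raise ValueError("End-Date precedes Start-Date")
    return (end - start).days + 1


def risk_level(prevented_attacks: int, days: int) -> str:
    """Low / Medium / High with the thresholds exactly as the article states them."""
    if days <= 0:
        raise ValueError("the timeframe must cover at least one day")
    if prevented_attacks < days:            # fewer prevented attacks than days
        return "Low"
    if prevented_attacks < 1.66 * days:     # at least one per day, but under 1.66 per day
        return "Medium"
    return "High"                           # everything above


# Constructed Standard-view rows: hostname -> Prevented attacks in the timeframe.
# "N/A" stands for an endpoint whose hostname is missing from the Forward Lookup Zones.
SAMPLE_ROWS: Dict[str, int] = {"WS-001": 3, "WS-002": 7, "WS-003": 12, "N/A": 30}


def classify(rows: Dict[str, int], start_iso: str, end_iso: str) -> Dict[str, str]:
    """Risk Level per hostname for the given timeframe."""
    n = timeframe_days(start_iso, end_iso)
    return {host: risk_level(hits, n) for host, hits in rows.items()}


if __name__ == "__main__":
    for host, level in classify(SAMPLE_ROWS, "2024-03-01", "2024-03-07").items():
        print(f"{host:8s} {SAMPLE_ROWS[host]:3d} prevented attacks -> {level}")
```

The same row count means different things in different timeframes: 7 prevented attacks over a week is Medium, the same 7 over a month is Low, so compare hosts only within the same Start-Date/End-Date selection.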
DNS Security - ENDPOINT
The DNS Security - Endpoint view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks.
The collected information is placed in the following views: Standard, Threat Type, Hostname/Latest Threats, TTPC, Category Blocks, and Full Logging.
- Standard
This view displays a table with the following details: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, and Risk Level.
- Threat Type
This view displays a table with the following details: Threat Type, Number of matches, Most Targeted Hostname, and Username.
- Hostname/Threats
This view displays a table with the following details: Hostname, Username, Domain Blocked, Threat Type, and Number of matches.
- Latest Threats
This view displays a table with the following details: Hostname, Username, Threat Type, Threat Source, TTPC, and Date.
- TTPC
This view displays a table with the following details: TTPC Detections, the Number of matches, Most Targeted Hostname, Username, Most Frequently Detected Infected Domain, and Last Match.
- Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains.
- Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and Total Hits.
- Investigate
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into 3 subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted via DNS-E ), the Global DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N), the Global DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of domain (in question) on the DNS Security Endpoint blacklist (blacklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question).
- App Discovery
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
DNS Security - VectorN Detection
The DNS Security - VectorN Detection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the patterns identified within the DarkLayer Guard domain blocks. On the top, you see a statistic regarding the number of VectorN Endpoint Detections and VectorN Network Detections.
The collected information is placed in the VectorN Endpoint and VectorN Network.
- VectorN Endpoint
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, TTPC, and Last Match. Selecting a detected pattern will allow you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or hide it (which means that the detection[s] will be dismissed for 30 days). The Resolve option can be used in case you have a false positive pattern that does not allow you to elevate through the Privileged Access Management product in case De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After hiding a VectorN Detection, you need to wait 24 hours until the hiding is propagated on the computer;
- VectorN Network
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, and Last Match. Selecting a detected pattern will allow you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or hide it (which means that the detection[s] will be dismissed for 30 days). The Hide option can be used in case you have a false positive pattern that does not allow you to elevate through the Privileged Access Management product in case De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After hiding a VectorN Detection, you need to wait 24 hours until the hiding is propagated on the computer;
The Show Dismissed Detections will display the hidden VectorN patterns. The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. The Filters functionality allows you to filter entries by Operating System. You can use the Select GPs dropdown menu to list the entries for the selected Group Policy.
PATCH & ASSET MANAGEMENT - 3RD PARTY SOFTWARE
The Patch & Asset Management - 3rd Party Software view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the 3rd Party Applications that are installed or monitored by the HEIMDAL Agent and is divided between the 3rd Party Applications monitored on Windows endpoints and the 3rd Party Applications monitored on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard, Patches per Endpoint, Assets, and Compliance.
- Standard
This view displays a table with the following details: Hostname, Username, Software, Version, CVE, CVSS, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status (all statuses: up-to-date, patched, and vulnerable), Latest Patch (the latest installed/patched version), Currently Outdated (displays the endpoints where vulnerabilities are still being discovered; a check is made every GP sync interval), Historically Outdated (displays the endpoints that have been discovered with vulnerabilities at some point in time), Up-to-date (all applications that are found to be up-to-date), and Uninstalled. You can select one or multiple entries in the Standard view and Hide them from the view. Vulnerable applications (listed in the Standard view -> Latest Status, Currently Outdated, and Historically Outdated) can be installed by selecting the Install 3rd Party Software option from the dropdown menu. The Show Hidden Apps radio button displays all the applications that were hidden by the HEIMDAL Dashboard Administrator. You can use the Select GPs dropdown menu to list the entries for the selected Group Policy.
Note: The Latest Patch view shows all patches that have been done, even if an application or more has been patched multiple times in a very short time period.
- Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Assets
The Assets view displays a list of all the 3rd Party Applications that are installed on all the endpoints that run the HEIMDAL Agent in your organization (no matter if the 3rd Party Applications are monitored by the HEIMDAL Agent or not). The detection is made in the following Windows Registry paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall). The table includes the following information: Application Name, Version, GUID, Installed Endpoints, Hostname (visible in the Non-Stacked view), Installed Server, CVSS, Username (visible in the Non-Stacked view), Machine Type (visible in the Non-Stacked view), Uninstallable (3rd Party Applications that can be uninstalled by the HEIMDAL Agent), Supported (3rd Party Applications that are installed and updated through the HEIMDAL Agent), and Date and Time (visible in the Non-Stacked view). The Hide Microsoft Products radio button allows you to hide the Microsoft products from the Assets view. The Filters functionality allows you to filter entries by Monitored and Not Monitored applications. This view filters the data by the client (device) information's last seen status instead of the install/update time of a 3rd Party Application.
Selecting one or multiple 3rd Party Applications allows you to:
a. Add the selected application(s) to a Group Policy or all Group Policies to be automatically installed or be automatically updated (when a new version is available);
b. Uninstall the selected application(s) if the Uninstall is supported by the HEIMDAL Agent (the Uninstall is supported for the 3rd Party Applications that are installed using an MSI Installer that creates an UninstallString property or for the 3rd Party Applications that are installed using an EXE Installer that creates a QuietUninstallString property).
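To make the Assets detection and the Uninstallable rule concrete, here is an added Python example (not Heimdal's code) that evaluates constructed records shaped like subkeys under the four Uninstall registry paths named above and decides, per the rule just stated, whether the agent could uninstall each application. The records are built inline so the example runs on any platform; reading them live on Windows would use the standard-library winreg module instead. Whether an entry is MSI-installed is inferred from a WindowsInstaller value of 1 or an msiexec UninstallString, which is an assumption of this example, as are all the application names, GUIDs and paths.

```python
"""Uninstallable 3rd Party Applications judged from Uninstall registry entries.
Added example with constructed records; not the Heimdal Agent's implementation."""
from dataclasses import dataclass
from typing import Dict, List

# The four paths the article names as the source of the Assets view.
UNINSTALL_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
]


@dataclass
class UninstallEntry:
    key: str                    # one of UNINSTALL_KEYS
    subkey: str                 # product GUID or vendor-chosen subkey name
    values: Dict[str, object]   # registry values under the subkey (name -> data)


def architecture(entry: UninstallEntry) -> str:
    """WOW6432Node entries are usually 32-bit applications; the others usually 64-bit."""
    return "x86" if "WOW6432NODE" in entry.key.upper() else "x64"


def is_msi_installed(entry: UninstallEntry) -> bool:
    """Assumption: MSI products set WindowsInstaller=1 and/or uninstall through msiexec."""
    uninstall = str(entry.values.get("UninstallString", ""))
    return entry.values.get("WindowsInstaller") == 1 or "msiexec" in uninstall.lower()


def uninstallable(entry: UninstallEntry) -> bool:
    """Rule from the article: MSI installs need an UninstallString,
    EXE installs need a QuietUninstallString."""
    if is_msi_installed(entry):
        return bool(entry.values.get("UninstallString"))
    return bool(entry.values.get("QuietUninstallString"))


def inventory(entries: List[UninstallEntry]) -> List[Dict[str, object]]:
    """Rows resembling the Assets view; entries without a DisplayName are skipped,
    since Programs and Features does not list them either."""
    rows: List[Dict[str, object]] = []
    for e in entries:
        name = e.values.get("DisplayName")
        if not name:
            continue
        rows.append({
            "Application Name": name,
            "Version": e.values.get("DisplayVersion", ""),
            "GUID": e.subkey,
            "Architecture": architecture(e),
            "Uninstallable": uninstallable(e),
        })
    return rows


# Constructed sample entries (placeholder GUIDs, names and paths).
SAMPLE_ENTRIES: List[UninstallEntry] = [
    UninstallEntry(UNINSTALL_KEYS[0], "{00000000-0000-0000-0000-000000000001}", {
        "DisplayName": "Example MSI App", "DisplayVersion": "2.1.0", "WindowsInstaller": 1,
        "UninstallString": "MsiExec.exe /X{00000000-0000-0000-0000-000000000001}"}),
    UninstallEntry(UNINSTALL_KEYS[1], "ExampleExeApp", {
        "DisplayName": "Example EXE App", "DisplayVersion": "7.0",
        "UninstallString": "C:\\Program Files (x86)\\ExampleExe\\uninstall.exe",
        "QuietUninstallString": "C:\\Program Files (x86)\\ExampleExe\\uninstall.exe /S"}),
    UninstallEntry(UNINSTALL_KEYS[2], "ExampleUserApp", {
        "DisplayName": "Example Per-User App", "DisplayVersion": "1.3.4",
        "UninstallString": "C:\\Users\\user\\AppData\\Local\\ExampleUser\\Uninstall.exe"}),
    # No DisplayName: such entries stay out of the inventory.
    UninstallEntry(UNINSTALL_KEYS[0], "HiddenComponent", {"UninstallString": "component.exe /remove"}),
]


if __name__ == "__main__":
    for row in inventory(SAMPLE_ENTRIES):
        print(row)
```

The third sample shows the common case an administrator runs into: an EXE-installed application that only provides an interactive UninstallString is reported as not uninstallable, because silent removal needs the QuietUninstallString.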
- Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, and Last Seen.
The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not. This view does not consider the selected timeframe (from the top of the HEIMDAL Dashboard), but instead, it displays the endpoints filtered by a specific date or an interval, both selected from the green Filter button. When checking for compliance, it is necessary to set a desired date. A compliant machine is an endpoint that has no pending updates before the selected date/interval. A non-compliant machine is an endpoint that has got pending updates before the selected date/interval. Filtering for compliant endpoints will list endpoints with 0 updates, which shows they are up to date. Filtering for non-compliant endpoints is possible only by selecting a specific date but not an interval, as this view can only show the endpoints that have got pending updates before the selected interval.
The Compliance view considers the Cyber Essentials norms when deeming an endpoint as being compliant or not. The Cyber Essentials compliant view will display all endpoints that do not have any 3rd Party Patches missing in the last 14 days and have a CVSS score of less than 7 since the application's release date (Heimdal release date), while the Cyber Essentials non-compliant view will display all endpoints that are missing a patch that is not applied and older than 14 days and has a CVSS score higher than (or equal) 7, a patch version lower than the version selected in the Group Policy, and the patch reached End of Life (EOL).
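The Cyber Essentials rule above combines a 14-day window with a CVSS threshold of 7, and the article also lists a version below the one selected in the Group Policy and End of Life status among the non-compliant conditions. The following Python is an added example, not Heimdal's code, that classifies constructed endpoints by those conditions; it assumes each of the three conditions is sufficient on its own to make an endpoint non-compliant (the article does not spell out how they combine), and all hostnames, software names, versions, dates and CVSS scores are constructed.

```python
"""Cyber Essentials-style compliance check for the Compliance view (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

GRACE_DAYS = 14        # a patch must be applied within 14 days of its release
CVSS_THRESHOLD = 7.0   # only patches rated 7 or higher count against the endpoint


@dataclass
class MissingPatch:
    software: str
    installed: str                      # version currently on the endpoint
    cvss: float                         # CVSS score of the vulnerability the patch fixes
    released: str                       # Heimdal release date of the patch (ISO date)
    gp_version: Optional[str] = None    # version selected in the Group Policy, if any
    eol: bool = False                   # installed version has reached End of Life


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def patch_reasons(p: MissingPatch, today: date) -> List[str]:
    """Reasons this missing patch makes the endpoint non-compliant (empty if none)."""
    reasons: List[str] = []
    age = (today - date.fromisoformat(p.released)).days
    if age > GRACE_DAYS and p.cvss >= CVSS_THRESHOLD:
        reasons.append(f"{p.software}: CVSS {p.cvss} patch missing for {age} days")
    if p.gp_version and version_tuple(p.installed) < version_tuple(p.gp_version):
        reasons.append(f"{p.software}: installed {p.installed} is below GP version {p.gp_version}")
    if p.eol:
        reasons.append(f"{p.software}: installed version {p.installed} is End of Life")
    return reasons


def is_compliant(missing: List[MissingPatch], today_iso: str) -> Tuple[bool, List[str]]:
    """Compliant when no missing patch produces a reason."""
    today = date.fromisoformat(today_iso)
    reasons = [r for p in missing for r in patch_reasons(p, today)]
    return (not reasons, reasons)


def compliance_report(endpoints: Dict[str, List[MissingPatch]], today_iso: str) -> Dict[str, str]:
    """Hostname -> Compliant / Non-Compliant, as the filter on the view would split them."""
    return {host: ("Compliant" if is_compliant(missing, today_iso)[0] else "Non-Compliant")
            for host, missing in endpoints.items()}


# Constructed endpoints, checked against a check date of 2024-06-01.
SAMPLE_ENDPOINTS: Dict[str, List[MissingPatch]] = {
    "WS-A": [MissingPatch("App-One", "1.0", 5.3, "2024-05-01")],     # 31 days old, but CVSS < 7
    "WS-B": [MissingPatch("App-Two", "2.4", 7.8, "2024-05-10")],     # 22 days old, CVSS >= 7
    "WS-C": [MissingPatch("App-Three", "3.1", 9.8, "2024-05-25")],   # 7 days old: still in window
    "WS-D": [],                                                      # nothing missing
    "WS-E": [MissingPatch("App-One", "1.0", 4.0, "2024-05-30", gp_version="1.2")],
}


if __name__ == "__main__":
    for host, status in compliance_report(SAMPLE_ENDPOINTS, "2024-06-01").items():
        print(host, status, is_compliant(SAMPLE_ENDPOINTS[host], "2024-06-01")[1])
```

WS-C is the case worth noticing: a critical patch that is only a week old leaves the endpoint compliant today but will flip it to non-compliant once the 14 days run out, which is why the view is checked against a specific date rather than the dashboard timeframe.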
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Standard and Assets views, besides the standard Grid view, have an additional view called the Stats view, which can be toggled by switching from the Grid view.
This view contains statistical data regarding the 3rd Party patches that are separated into Pie charts and Matrixes data. The info displayed shows the CVSS pie chart graphs and the By release date matrixes.
By clicking the data, you will be redirected to a pre-filtered view (date range and CVSS) where you can visualize only the 3rd party patches that fall under that specific selection.
Linux OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard view, Patches per Endpoint view, and Assets view.
- Standard
This view displays a table with the following details: Hostname, Username, Software, Package, CVE, CVSS, Distribution, Version, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status, Latest Patch, Currently Outdated, Historically Outdated, Up-to-date, and Uninstalled. You are also allowed to select one or multiple entries in the Standard view and Hide them from the view. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator. If multiple CVEs are available for the same application, the CVE with the highest CVSS score will always be displayed.
- Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, Last Seen, and Status.
The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
macOS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard, Patches per Endpoint and Assets.
- Standard
This view displays a table with the following details: Hostname, Username, Software, Version, Date, and Status.
The Standard view allows you to view the information regarding the Current Status, Latest Patch, Currently Outdated, Historically Outdated, Up-to-date, and Assets.
- Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Assets
This view displays a table with the following details: Software, Version, Supported, and Installed Endpoints.
This view will show all the applications that are installed on the Heimdal customers’ macOS estates. The dashboard user will be able to switch between the Stacked and Non-stacked versions of the data (similarly to the Windows OS, 3rd Party Patch Management version of the Assets view) by using a dropdown placed above the grid.
The Stacked grid displays the applications that are installed on all the macOS machines, grouped by application name (Software) and Version. The grid displays the name of the application (Software), the installed Version, whether the application is part of the Heimdal 3rd Party Patch Management “standard list” (monitored and patched by Heimdal Patch & Assets) under Supported, and the number of Installed Endpoints where the application is installed.
When clicking the Installed Endpoints number, you will be redirected to a 3rd Party app details view. The corresponding grid/table will show additional details corresponding to each application. The name and the version of the application are displayed above the grid, while the table showcases the Hostname where the application was detected, the Username that was logged in at the time, and the Date when the application was detected.
The Non-stacked grid displays a raw data view containing the Software name, Version, Hostname, Username, whether the application is Supported by the Heimdal 3rd Party Patch Management solution (standard list of apps monitored and managed through Heimdal), and the Date when the application was detected.
Clicking the Hostname will redirect users to the dedicated Client Specifics Assets view tab (Patch & Asset Management > 3rd Party Patching Management), providing a holistic view of all macOS 3rd party applications that are currently installed on that particular machine. The machine view's 3rd Party Patch Management Assets grid/table will show the Software name, the installed Version, and the Date when the applications were detected.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
PATCH & ASSET MANAGEMENT - Infinity Management
The Infinity Management view displays a list of all your 3rd Party Applications that are configured for deployment inside your organization, while the Software Asset Management view displays a list of all the software licenses that are detected on the endpoints in your organization.
Windows OS
A. Infinity Management
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
Below the statistics, you see a search field that allows you to search between the configured applications, the Add New App and View Private Patching Storage buttons and the list of 3rd Party Applications.
To add a 3rd Party Application to Infinity Management you need to upload the encrypted installer to your Private Patching Storage and create the new application in the Infinity Management view.
B. Software Asset Management
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
In this view, you get information about the Application Name, Publisher, Type, Quantity, Maximum number of Endpoint Licenses, Maximum number of Server Licenses, Total Price Endpoints, Total Price Servers, Discovered Endpoints, Discovered Servers, License Key, and Expiration Date. Clicking the Application Name will redirect you to the SAM Details page where you can edit the license information. The primary properties of a SAM item are the Application Name and the Alias. The Alias property represents a list of expressions used for automatically discovering assets by their name. Since multiple assets may be part of the same license (only having different versions), multiple assets may match the same Software Assets Management item. Since the same software can be bought from multiple publishers in multiple ways, in the editor (SAM Details page) there is a “Details” tab granting the possibility to input multiple license details concerning multiple publishers. The Create New License functionality allows you to add a new license for a specific application. The SAM view is available if Software Asset Management and Infinity Management are enabled in the Group Policy settings.
I. Preparing, encrypting, and uploading the installer
1. To encrypt an installer that is to be deployed in your organization, you need to use the HEIMDAL Encryption Tool (which can be downloaded from the Private Patching Storage). This tool allows you to encrypt .msi, .msp, .exe, and .zip files that are going to be uploaded to the Private Patching Storage. For the encryption process to go smoothly, make sure the filename of the file(s) you are trying to encrypt doesn't include special characters (like [ ] { } # =) and isn't longer than 50 characters. Once encrypted, the file gets the .enc extension (e.g. setup.exe.enc).
2. After encrypting the file, you can access the Private Patching Storage, available in the Products -> Patch & Asset Management -> Infinity Management -> View Private Patching Storage section. Here you see a list of all the encrypted files (if any were added previously) and the remaining size of your storage.
3. Upload the encrypted file to your Private Patching Storage by pressing the Upload File button and by importing the file. Once uploaded, the file will be displayed in the list of uploaded files.
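As an added example (not from the original article and not Heimdal's Encryption Tool), the following Python applies the filename rules from step 1 to a candidate installer and computes the SHA-512 and MD5 digests of an encrypted file, so you can compare them against the Checksum fields the dashboard fills in when you attach the patch in Part II. The forbidden characters and the 50-character limit are taken from the text; the accepted-extension list and the sample file bytes are assumptions constructed for the example.

```python
import hashlib
from pathlib import Path

# Rules taken from the text above. The extension list is the set the article says
# the tool accepts; how strictly the tool enforces it is an assumption.
FORBIDDEN_CHARS = set("[]{}#=")
MAX_NAME_LENGTH = 50
INSTALLER_EXTENSIONS = {".msi", ".msp", ".exe", ".zip"}


def check_filename(name: str) -> list:
    """Return a list of problems with an installer filename; an empty list means OK.

    Accepts either the plain installer name (setup.exe) or the encrypted name
    the tool produces (setup.exe.enc)."""
    problems = []
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"{len(name)} characters, limit is {MAX_NAME_LENGTH}")
    bad = sorted({c for c in name if c in FORBIDDEN_CHARS})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    plain = name[:-4] if name.lower().endswith(".enc") else name
    if Path(plain).suffix.lower() not in INSTALLER_EXTENSIONS:
        problems.append(f"unsupported installer type {Path(plain).suffix!r}")
    return problems


def digests(data: bytes) -> dict:
    """SHA-512 and MD5 hex digests of the encrypted file contents."""
    return {
        "sha512": hashlib.sha512(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def digests_of_file(path, chunk_size: int = 1 << 20) -> dict:
    """Same as digests(), but streamed so a multi-GB .enc file is not read into memory."""
    sha512, md5 = hashlib.sha512(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha512.update(chunk)
            md5.update(chunk)
    return {"sha512": sha512.hexdigest(), "md5": md5.hexdigest()}


def matches_dashboard(local: dict, sha512_field: str, md5_field: str) -> bool:
    """True when both dashboard Checksum fields equal the locally computed digests.

    SHA-512 is the value that carries the integrity assurance; MD5 is collision-prone
    and is only compared because the form has a field for it."""
    return (local["sha512"].lower() == sha512_field.strip().lower()
            and local["md5"].lower() == md5_field.strip().lower())


if __name__ == "__main__":
    # Constructed sample: a few bytes standing in for an encrypted installer.
    sample_enc = b"not a real encrypted installer, just sample bytes"
    print(check_filename("setup.exe.enc"))                 # []
    print(check_filename("Setup [x64] v=1.5 (2023).exe"))  # forbidden characters
    local = digests(sample_enc)
    print(local["sha512"][:16], local["md5"])
    # Paste the two values from the dashboard's Checksum fields here to cross-check.
    print(matches_dashboard(local, local["sha512"].upper(), local["md5"]))  # True
```

Run the streamed variant on the real .enc file before saving the patch; if the SHA-512 the dashboard auto-filled differs from the one computed locally, the uploaded file is not the one you encrypted and the patch should not be saved.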
II. Creating the new application
1. Once the installer of the 3rd Party Application is uploaded to the Private Patching Storage, you can create the application in Infinity Management, by going back to the Infinity Management view and by hitting the Add New App button.
Fill in the following fields:
- Application Name - name of the application;
- Architecture - Both, x64 or x86. The HEIMDAL Agent uses this field to discover a 3rd Party Application in the Windows Registry paths HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (usually 64-bit applications) and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (usually 32-bit applications). Applications are identified by the DisplayName and DisplayVersion values of the application's GUID subkey;
- Custom Expressions (the custom expression must match the Application's name, just like it is displayed in Control Panel - Programs and Features) - This field tells the HEIMDAL Agent what's the name of the application and how to identify it when it is installed on the computer. You can specify multiple custom expressions to match an application by its name and you can also exclude the name of an application that might have a similar name. Use the Custom Expressions Helper for more examples.
2. Once the Application is configured, you need to press the Add Patch button to configure the patch.
- Private Patches - select the encrypted file from the dropdown menu;
- Version - Specify the version number (the version number must be identical with the one version number displayed in Control Panel - Programs and Features);
- Checksum SHA512 - The checksum SHA512 is filled in automatically when the user selects the encrypted file in the Private Patches dropdown. In case you upload a file larger than 1 GB, the automatic filling in of this field might be slowed down. If this happens, we recommend you manually add the Checksum SHA512 from the HEIMDAL Encryption tool;
- Checksum MD5 - The checksum MD5 is filled in automatically when the user selects the encrypted file in the Private Patches dropdown. In case you upload a file larger than 1 GB, the automatic filling in of this field might be slowed down. If this happens, we recommend you manually add the Checksum MD5 from the HEIMDAL Encryption tool;
- Type - Default or Archive (default is Default, while Archive is meant for .zip files);
- Install Arguments - Specify the silent installation argument (MSI installers usually take /qn while EXE installers often take /S or /SILENT, but the argument differs from one application to another, so it is best to check with the application's developer);
- Applies to specific version - you can select an older version of the application (if already configured) or you can click the Applies to all upper versions tickbox;
- Before Install - allows you to perform specific operations before installing the 3rd Party Application:
  Uninstall Specific Version - uninstall a specific version or all previous versions (this usually works for MSI installers);
  Execute script - Infinity Management allows you to run Command Prompt command lines before installing the application (in case you are required to run specific batch scripts before installing the application);
- After Install - allows you to perform specific operations after installing the 3rd Party Application:
  Skip Post-Event Script if Patch Fails - if enabled, this cancels the execution of the script below in case the application install/update fails;
  Execute script - Infinity Management allows you to run Command Prompt command lines after installing the application (in case you are required to run specific batch scripts after installing the application);
3. Select the Operating System(s) where you want the deployment of the 3rd Party Application to be available and press Save Patch. Once you save a patch, you can always come back and disable it by pressing the Disable button.
4. After saving the patch, press the Save button to complete the configuration.
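As an added example (not Heimdal's agent code), the Python below simulates how the Architecture and Custom Expressions fields above resolve to installed applications: it walks constructed DisplayName/DisplayVersion values as they would appear under the two Uninstall registry paths and marks which instances are below the patch's version. The glob syntax and the leading "!" for exclusions are assumptions for this example; the real expression syntax is the one documented in the dashboard's Custom Expressions Helper.

```python
import fnmatch
import re

# The two Uninstall paths named in the Architecture field above.
UNINSTALL_X64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
UNINSTALL_X86 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
HIVES_FOR_ARCH = {
    "Both": {UNINSTALL_X64, UNINSTALL_X86},
    "x64": {UNINSTALL_X64},
    "x86": {UNINSTALL_X86},
}

# Constructed sample of (path, DisplayName, DisplayVersion) values as they would be
# read from each product's GUID subkey; not taken from a real machine.
SAMPLE_REGISTRY = [
    (UNINSTALL_X64, "7-Zip 22.01 (x64)", "22.01"),
    (UNINSTALL_X86, "7-Zip 21.07", "21.07"),
    (UNINSTALL_X64, "7-Zip Extra Tools", "1.0"),      # similar name, not the archiver
    (UNINSTALL_X64, "Notepad++ (64-bit x64)", "8.5.4"),
]


def parse_version(text: str) -> tuple:
    """Turn '22.01' or '8.5.4' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def name_matches(display_name: str, expressions) -> bool:
    """Case-insensitive glob match against DisplayName; a '!' prefix excludes.

    Assumption: the dashboard's Custom Expressions Helper defines the real syntax;
    glob patterns and the '!' prefix are only this example's modelling of it."""
    name = display_name.lower()
    includes = [e.lower() for e in expressions if not e.startswith("!")]
    excludes = [e[1:].lower() for e in expressions if e.startswith("!")]
    if any(fnmatch.fnmatchcase(name, pattern) for pattern in excludes):
        return False
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in includes)


def discover(app: dict, registry=SAMPLE_REGISTRY) -> list:
    """Return the installed instances of `app` and whether the configured patch applies.

    `app` mirrors the form fields: Architecture, Custom Expressions and the Version
    entered on the patch. 'Applies to all upper versions' is modelled as: every
    installed version lower than the patch version needs the patch."""
    hives = HIVES_FOR_ARCH[app["architecture"]]
    patch_version = parse_version(app["patch_version"])
    found = []
    for hive, display_name, display_version in registry:
        if hive not in hives or not name_matches(display_name, app["expressions"]):
            continue
        found.append({
            "name": display_name,
            "version": display_version,
            "hive": "x64" if hive == UNINSTALL_X64 else "x86",
            "needs_patch": parse_version(display_version) < patch_version,
        })
    return found


if __name__ == "__main__":
    seven_zip = {
        "architecture": "Both",
        "expressions": ["7-Zip*", "!7-Zip Extra*"],  # match the archiver, skip the add-on
        "patch_version": "23.01",
    }
    for hit in discover(seven_zip):
        print(hit)
```

The exclusion for 7-Zip Extra Tools shows why a bare "7-Zip*" expression is too loose: without it, the add-on would be treated as a third install of the archiver and would be offered the archiver's patch.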
When a new patch version is available for a configured application, you can always come back to Infinity Management, access the 3rd Party Application and add a new patch, which will get a higher version number than the existing patch(es). In case you want to disable a patch from the list of patches, you can click on the specific patch and press the Disable button. Don't forget to press the Save button on the Application Definition window.
Linux OS
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
Below the statistics, you see a search field that allows you to search between the configured applications, the Add New App button, and the Distribution filter that allows you to filter the applications by Distribution.
1. When adding a 3rd Party Application to Infinity Management you need to fill in the following fields:
- Application Name - the name of the application;
- Publisher - the name of the Publisher of the application;
- Distribution - select a Linux distribution (Ubuntu is currently the ONLY supported distribution);
- Custom Expressions (the custom expression must match the application's name or package). This field tells the HEIMDAL Agent what's the name of the application and how to identify it when it is installed on the endpoint. You can specify multiple custom expressions to match an application by its name and you can also exclude the name of an application that might have a similar name. Use the Custom Expressions Helper for more examples;
- Repositories - allows you to specify the locations from which the system retrieves updates and installs the applications. Multiple repositories can be added through the Add Repository button. For each repository added, users will need to select the corresponding Distribution and mark with the checkmark Is Default the default repository to be used;
Note: On the Heimdal agent side, only the repositories configured for the installed version of Linux Ubuntu and the ones marked as default are added. For example, if an application has 3 defined repositories, one for Ubuntu 16.04, one for Ubuntu 18.04, and one for Ubuntu 20.04 that also has the Is Default checkbox ticked, and the Heimdal Linux Ubuntu agent is installed on Ubuntu 18.04, the 18.04 repository is added because it matches the OS version and the 20.04 repository is added because it is marked as Is Default.
- GPG URL - allows you to specify the URL of the public key of the repository the application is downloaded from;
- GPG Thumbprint - allows you to specify the fingerprint that identifies the repository's public key; take the value from the vendor's published documentation rather than from the key file itself, so that a swapped key at the GPG URL would not match;
- Packages - the names of the packages used by the application;
- Before Install - allows you to run a script before installing the 3rd Party Application;
- After Install - allows you to run a script after installing the 3rd Party Application;
2. After configuring all the required fields, press the Save button. Once you save a patch, you can always come back and disable it by pressing the Disable button.
Since the 3rd Party Applications deployed on Linux endpoints update themselves automatically through the repository, once the application is configured there is no need to make any other changes to the setup (as you would for the 3rd Party Applications deployed on Windows endpoints).
PATCH & ASSET MANAGEMENT - Operating System Updates
The Patch & Asset Management - Operating System Updates view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Operating System Updates that are available or installed by the HEIMDAL Agent and is divided between the Windows Updates installed on Windows endpoints and the Linux Updates installed on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available, Updates per Endpoint, and Compliance.
- Installed
This view displays a table with Windows Updates that are installed on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, CVE, CVSS, Products, and Categories.
In the Installed view, you are allowed to select one or multiple entries and Hide them from the view using the Hide Updates button from the dropdown menu. You can also use the Select GP dropdown menu to list the installed Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
- Pending
This view displays a table with Windows Updates that are pending to complete the installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories. In the Pending view, you are allowed to select one or multiple entries and Remove or Hide them from the view using the Remove or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
- Available
This view displays a table with Windows Updates that are available for installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories. In the Available view, you are allowed to select one or multiple entries and Install or Hide them from the view using the Install or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the available Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates. The updates can be listed per update or per endpoint.
- Error
This view includes a grid with the following columns: Hostname (clickable, redirects to the OS Updates -> Pending tab), Username, Error code (with a tooltip describing the error code), and Last Seen.
- Reboot required
This view displays all the endpoints that need to be rebooted in order for their corresponding Windows Updates to be completed.
- Assets
This view displays a table with all the Windows Updates that have been installed since the OS installation with the following details: Title, Endpoints, Servers, Client Application ID, and Description. This is a complete audit of the installed Windows Updates, whether or not the Heimdal Agent installed them.
- Compliance
This view displays a table with the compliant and non-compliant endpoints (in terms of installed Windows Updates) with the following details: Hostname, Username, Number of Updates, Highest Severity, Operating System, Oldest patch date, Last Seen, and Status.
The Compliance view applies the Cyber Essentials rules when deeming an endpoint compliant or not. An endpoint is Cyber Essentials compliant when it has no available/pending OS update released more than 14 days ago and its OS build is not End of Life (EOL) or End of Service. An endpoint is non-compliant when it has at least one available/pending OS update released more than 14 days ago or its OS build is End of Life (EOL) or End of Service.
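As an added example (not part of the original article and not the dashboard's implementation), the Python below applies the two Cyber Essentials rules just described to a constructed fleet: the 14-day window and the EOL rule come from the text, while the hostnames, release dates and update titles are constructed for the example.

```python
from datetime import date, timedelta

MAX_UPDATE_AGE_DAYS = 14  # the Cyber Essentials window quoted in the text


def evaluate_endpoint(endpoint: dict, today: date) -> dict:
    """Apply the two rules: no available/pending update released more than 14 days
    ago, and an OS build that is not End of Life / End of Service.

    An update released exactly 14 days ago is still within the window."""
    reasons = []
    if endpoint["os_eol"]:
        reasons.append("OS build is End of Life / End of Service")
    stale = [u for u in endpoint["outstanding_updates"]
             if (today - u["release_date"]).days > MAX_UPDATE_AGE_DAYS]
    if stale:
        oldest = min(u["release_date"] for u in stale)
        reasons.append(f"{len(stale)} available/pending update(s) released more than "
                       f"{MAX_UPDATE_AGE_DAYS} days ago (oldest: {oldest.isoformat()})")
    outstanding = endpoint["outstanding_updates"]
    return {
        "hostname": endpoint["hostname"],
        "status": "non-compliant" if reasons else "compliant",
        "oldest_outstanding": (min(u["release_date"] for u in outstanding).isoformat()
                               if outstanding else None),
        "reasons": reasons,
    }


def compliance_report(endpoints, today: date) -> dict:
    """Split a fleet into the two lists the Compliance view shows."""
    results = [evaluate_endpoint(e, today) for e in endpoints]
    return {
        "compliant": [r["hostname"] for r in results if r["status"] == "compliant"],
        "non-compliant": [r["hostname"] for r in results if r["status"] == "non-compliant"],
        "details": results,
    }


# Constructed sample fleet (not real data), evaluated against a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_ENDPOINTS = [
    {"hostname": "FIN-LAPTOP-01", "os_eol": False, "outstanding_updates": []},
    {"hostname": "HR-DESKTOP-07", "os_eol": False,
     "outstanding_updates": [{"title": "sample update A",
                              "release_date": TODAY - timedelta(days=22)}]},
    {"hostname": "DEV-VM-03", "os_eol": False,
     "outstanding_updates": [{"title": "sample update B",
                              "release_date": TODAY - timedelta(days=14)}]},
    {"hostname": "OLD-SERVER-02", "os_eol": True, "outstanding_updates": []},
]

if __name__ == "__main__":
    for row in compliance_report(SAMPLE_ENDPOINTS, TODAY)["details"]:
        print(row["hostname"], row["status"], "; ".join(row["reasons"]))
```

Note that an EOL build is non-compliant even with nothing outstanding (OLD-SERVER-02 above): no update will ever arrive for it, so the only remediation is an OS upgrade.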
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
Note: Although the release date for the OS updates is not shown in the Installed, Pending, and Available views, this piece of information is included in the Verbose CSV report, if extracted from the mentioned views.
The Installed, Pending, and Available views, besides the standard Grid view, have an additional view called the Stats view, which can be toggled by switching from the Grid view.
This view contains statistical data regarding the OS Updates that are separated into Pie charts and Matrixes data. The info displayed shows the By severity pie chart graphs and the By release date matrixes.
By clicking the data, you will be redirected to a pre-filtered view (date range and Severity) where you can visualize only the OS Updates that fall under that specific selection.
Linux OS
On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available and Updates per Endpoint.
- Installed
This view displays a table with Linux Updates that are installed on the endpoints in your organization with the following details: Application, Package, Version, CVE, CVSS, Endpoints, Servers, Category, and Distribution.
- Pending
This view displays a table with Linux Updates that are pending to complete the installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Available
This view displays a table with Linux Updates that are available for installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Updates per Endpoint
This view displays a table with the Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint.
macOS
On the top, you see a statistic regarding the number of Installed updates and the number of Available updates.
The collected information is placed in the following views: Installed and Available.
- Installed
This view displays a table with OS Updates that are installed by Heimdal on the endpoints in your organization with the following details: Title, Size (MB), Version, and Endpoints.
You can use the Select GPs dropdown menu to list the installed OS Updates for the selected Group Policy.
- Available
This view displays a table with OS Updates that are available for installation on the endpoints in your organization with the following details: Title, Size (MB), Version, and Endpoints.
You can use the Select GPs dropdown menu to list the available OS Updates for the selected Group Policy.
- Assets
This view displays a table with OS Updates that are detected as installed on the endpoints in your organization with the following details: Title, Version, and Endpoints.
The Title information and the Endpoints numbers are clickable. When clicking on the Title the user will get redirected to a dedicated Update details page.
If the number of machines on which an update is present is clicked, the user will be redirected to the same Update Details pre-filtered page, containing info on all the machines on which that particular update is present. This includes the Hostname where the update is installed, the Username of the user who was last logged in when the update was detected, as well as the Title and Version of the update.
If the Hostname info is clicked from this view, the user will be redirected to the Client Specifics view > Patch & Asset Management > Operating System Updates > Assets view.
In the macOS machine view, the Operating System Updates > Assets grid shows the Title of the update, its Size (MB), its Version, and the Date (timestamp) when the update was detected, for all macOS Operating System Updates currently installed on the machine.
ENDPOINT DETECTION - NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the detected/quarantined files intercepted by the HEIMDAL Agent's Next-Gen Antivirus engine. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Latest Infections, Infections Type, Hostname/Infections, Quarantine, Exclude, Scan History, and Zero - Trust Execution Protection.
- Latest Infections
This view displays a table with the latest detected infections and the following details: Hostname, Username, File, MD5, Threat Category, Infection name, Status, Resolution, and Timestamp. This view allows you to select one or multiple infected files and add them to quarantine, delete them or add them to storage.
- Infections Type
This view displays a table with the infection types and the following details: Threat Category, Number of Matches, Most Targeted Hostname, Username, and Last match.
- Hostname/Infections
This view displays a table with the infections per hostname and the following details: Hostname, Username, Highest Threat Category, Number of Matches, and Last match.
- Quarantine
This view displays a table with all quarantined files and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple quarantined files and Remove them from quarantine or add them to storage.
- Exclude
This view displays a table of all exclusions and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp.
- Scan History
This view displays a table with the computers that performed scan operations and the following details: Hostname, Username, Group Policy, Timestamp, New Infections Found, and Resolution. This view allows you to select one or multiple endpoints and select a scan type (Quick Scan, Full Scan, Active Processes Scan, Hard Drive Scan, Local Drive Scan, Removable Drive Scan, System Scan, Network Drive Scan). The selected scan starts on the first Group Policy check performed by the HEIMDAL Agent on the selected endpoint.
- Zero - Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button gives you the option to search the file hash on VirusTotal or to copy the file path to the clipboard. The data in this view is updated in real time.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
The Filters functionality allows you to filter entries by Operating System.
The files listed in the Latest Infections view, Quarantine view, and Exclude view can get one of the following Resolution statuses:
None - no action is taken on the file;
Deleted - the file is deleted;
DeletePending - the file has been selected for deletion and it will be deleted when the HEIMDAL Agent performs a GP check;
ErrorDelete - the file has been selected for deletion but an error occurred (the file could be in use);
ErrorQuarantine - the file has been marked to be quarantined but an error occurred (the file could be in use);
FNOEXIST - the file has been marked to be deleted or quarantined but does not exist in the path (it has been removed manually or by another application);
Quarantined - the file has been quarantined; A file that has been quarantined will be automatically deleted after 30 days, if it has not been restored;
QuarantinePending - the file has been marked to be quarantined and this operation will take place on the next HEIMDAL Agent GP check;
DeleteQuarantinePending - the file has been selected for deletion and this operation will be performed on the next HEIMDAL Agent GP check;
Excluded - the file has been excluded;
ExcludePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ExcludeQuarantinePending - a quarantined file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ErrorExcludeQuarantine - the file has been marked to be excluded and an error occurred;
ErrorRemoveQuarantine - the file has been marked to be removed from the Quarantine list and an error occurred (the file could have been deleted manually);
RemoveExclusionPending - the file has been marked to be removed from the exclusion list and the operation will be performed on the next HEIMDAL Agent GP check;
RemoveQuarantinePending - the file has been marked to be removed from the Quarantine list and the operation will be performed on the next HEIMDAL Agent GP check;
ENDPOINT DETECTION - FIREWALL
The Endpoint Detection - Firewall view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the Windows Firewall rules and the alerts intercepted by the HEIMDAL Agent.
The collected information is placed in the following views: Firewall Rules, and Firewall Alerts.
- Firewall Rules
This view displays a table with the following details: Hostname, Username, Application, Port, Profile type, Protocol, Direction, Permission, and Timestamp.
The entries that you see in this view include all the new rules that Windows creates in the Windows Firewall (this event is logged in the Event Viewer, under Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall, event ID 2004). When a new application gets a new rule in the Windows Firewall with Advanced Security, the HEIMDAL Agent sends it to the HEIMDAL Dashboard to be displayed in the Firewall view -> Firewall Rules (if no other rule in the Group Policy, under Firewall, matches it). The rules created in the Firewall Management settings are not displayed in the Firewall Rules view. These custom rules are displayed ONLY in the specific Group Policy, under the Firewall Management sub-tab where they are created.
- Firewall Alerts
This view displays a table with the following details: Hostname, Username, Local IP, Attempts Per Username, Attempts Per IP, Detection type, Timestamp, and Risk Level.
The checkbox allows you to select an entry and add the IP Address to the Brute Force Attack Allowlist. The entries that you see in this view list all the unwanted connections that are interpreted as Brute Force Attacks. A Brute Force Attack alert is triggered when a user fails to enter the correct password (event 4625) at least 100 times in less than 5 minutes. The detection types are classified as BruteForceAttackPrivate (the attempts originate from an IP address on the same network as the affected endpoint/server, i.e. the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), BruteForceAttackPublic (the attempts originate from a public IP address outside the network), and FailedLocalPasswordAttempt (the password was entered incorrectly on the endpoint/server itself). Brute Force Attack alerts for a local user are assigned a Risk Level according to the number of failed password attempts:
- Low Risk - under 150 failed attempts;
- Medium Risk - between 150 and 200 failed attempts;
- High Risk - over 200 failed attempts.
An external source triggers a High Risk Brute Force Attack alert when at least 100 failed attempts are performed in less than 5 minutes. The failed password attempts are found in the Event Viewer, under Windows Logs -> Security -> Event ID 4625. During a Brute Force Attack, the Heimdal.Firewall.exe process may show higher CPU usage, from 1% to 60% depending on the rate of the attempts.
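As an added example (not the Heimdal.Firewall.exe logic), the Python below applies the thresholds stated above to a constructed set of event 4625 records: a source is alerted on when it produces at least 100 failures inside a sliding 5-minute window, it is classified as private, public or local from the event's IpAddress field, and the Risk Level tiers are applied. Applying the Low/Medium/High tiers to the failures inside that window, the allowlist handling, and all usernames, IP addresses and timestamps are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # "at least 100 failures in less than 5 minutes"
THRESHOLD = 100
# The private ranges named in the text (RFC 1918). ipaddress.is_private is not used
# because it also treats documentation ranges such as 203.0.113.0/24 as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip_address: str) -> str:
    """Map the IpAddress field of event 4625 to the detection types listed above."""
    if ip_address in ("-", "", "127.0.0.1", "::1"):
        return "FailedLocalPasswordAttempt"
    addr = ipaddress.ip_address(ip_address)
    if any(addr in net for net in PRIVATE_NETS):
        return "BruteForceAttackPrivate"
    return "BruteForceAttackPublic"


def risk_level(detection: str, attempts: int) -> str:
    """Risk tiers from the text: a public source goes straight to High; local and
    private sources are tiered by the number of failed attempts."""
    if detection == "BruteForceAttackPublic" or attempts > 200:
        return "High"
    if attempts >= 150:
        return "Medium"
    return "Low"


def max_failures_in_window(times, window=WINDOW) -> int:
    """Largest number of failures whose timestamps fall inside one sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # "less than 5 minutes": drop the boundary
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, allowlist=()) -> list:
    """events: iterable of (timestamp, TargetUserName, IpAddress) taken from event 4625.
    Returns one alert per source that crossed the threshold, mirroring the view's columns."""
    by_source = defaultdict(list)
    for ts, user, ip in events:
        by_source[ip].append((ts, user))
    alerts = []
    for ip, entries in by_source.items():
        if ip in allowlist:   # the Brute Force Attack Allowlist mentioned in the text
            continue
        peak = max_failures_in_window([ts for ts, _ in entries])
        if peak < THRESHOLD:
            continue
        detection = classify_source(ip)
        alerts.append({
            "source_ip": ip,
            "detection_type": detection,
            "attempts_per_ip": len(entries),
            "attempts_per_username": dict(Counter(user for _, user in entries)),
            "risk_level": risk_level(detection, peak),
            "timestamp": max(ts for ts, _ in entries),
        })
    return alerts


def sample_events() -> list:
    """Constructed 4625 records (not a real log): an external host hammering the
    administrator account, an internal host hammering a service account, and a
    user mistyping a password twice at the console."""
    base = datetime(2024, 6, 1, 9, 0, 0)
    events = [(base + timedelta(seconds=2 * i), "administrator", "203.0.113.7") for i in range(120)]
    events += [(base + timedelta(seconds=i), "svc_backup", "10.10.4.22") for i in range(180)]
    events += [(base + timedelta(minutes=i), "jdoe", "-") for i in range(2)]
    return events


if __name__ == "__main__":
    for alert in detect_brute_force(sample_events()):
        print(alert["source_ip"], alert["detection_type"], alert["risk_level"],
              alert["attempts_per_username"])
```

The two console mistakes never reach the threshold, so no FailedLocalPasswordAttempt alert is raised; adding 10.10.4.22 to the allowlist suppresses the private alert while leaving the public one in place, which is the effect of the checkbox described above.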
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION
The Ransomware Encryption Protection view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the processes intercepted by the HEIMDAL Agent's Ransomware Encryption Protection engine. On the top, you see a statistic regarding the number of Detections Found.
The collected information is placed in the following views: Endpoint Detections, Hostname/Detections, and Cloud Detections.
- Endpoint Detections
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple detections and exclude them or add them to storage.
In the Process Name column, you can click on the hamburger menu to open VirusTotal (to get a detailed VirusTotal analysis), the Forensic details (to get the Process details) or copy the file path to the clipboard. The Status can be Blocked (the process was intercepted and blocked at REP level) or Detected (the process was intercepted and only reported in the HEIMDAL Dashboard, because Reporting mode is enabled). Please be aware that a retention policy of 90 days is in place for the REP entries: all entries in the Endpoint Detections view older than 90 days are removed.
- Hostname/Detections
This view displays a table with the following details: Hostname, Username, Number of Matches.
- Cloud Detections
This view displays a table with the following details: Email, AD Groups, Number of affected files, User's session revoked, and Timestamp. This view is populated if Ransomware Encryption Protection for Cloud is enabled.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and pressing the Exclude and Apply buttons from the dropdown menu. A modal then lets you exclude the file(s) in one, multiple, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
The Filters functionality allows you to filter entries by Allowed or Blocked detections.
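As an added example (not part of the original article and not Heimdal's matching code), the Python below shows how an exclusion scoped by File Name, Folder Path, File Path or MD5 and limited to certain Group Policies would be matched against a detection, and why a File Name exclusion is the weakest of the four: a different binary dropped under the same name in a user's Temp folder matches it, while the MD5 exclusion does not. The sample paths, Group Policy names and file bytes are constructed, and the "strongest scope wins" ordering is this example's choice, not documented dashboard behaviour.

```python
import hashlib
from pathlib import PureWindowsPath

# Exclusion scopes from the text, ordered from strongest (content-bound) to weakest.
SCOPE_ORDER = ["MD5", "File Path", "Folder Path", "File Name"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _under_folder(path: PureWindowsPath, folder: str) -> bool:
    """True when `path` lies inside `folder`, compared case-insensitively on whole
    path components so C:\\App does not also cover C:\\Application."""
    folder_parts = [p.lower() for p in PureWindowsPath(folder).parts]
    path_parts = [p.lower() for p in path.parent.parts]
    return path_parts[:len(folder_parts)] == folder_parts


def exclusion_applies(exclusion: dict, detection: dict) -> bool:
    """exclusion: {"type": one of SCOPE_ORDER, "value": str, "policies": "all" or [names]}
    detection: {"process_path": str, "md5": str, "group_policy": str}"""
    if exclusion["policies"] != "all" and detection["group_policy"] not in exclusion["policies"]:
        return False
    path = PureWindowsPath(detection["process_path"])
    kind, value = exclusion["type"], exclusion["value"]
    if kind == "MD5":
        return value.lower() == detection["md5"].lower()
    if kind == "File Path":
        return str(path).lower() == str(PureWindowsPath(value)).lower()
    if kind == "Folder Path":
        return _under_folder(path, value)
    if kind == "File Name":
        return path.name.lower() == value.lower()
    raise ValueError(f"unknown exclusion type {kind!r}")


def first_matching_exclusion(detection: dict, exclusions) -> dict:
    """Return the matching exclusion with the strongest scope, or None."""
    hits = [e for e in exclusions if exclusion_applies(e, detection)]
    return min(hits, key=lambda e: SCOPE_ORDER.index(e["type"])) if hits else None


# Constructed sample data (not from a real environment).
VENDOR_BINARY = b"constructed bytes standing in for the vendor's backup.exe"
EXCLUSIONS = [
    {"type": "MD5", "value": md5_hex(VENDOR_BINARY), "policies": "all"},
    {"type": "Folder Path", "value": r"C:\Program Files\BackupVendor", "policies": ["Finance"]},
    {"type": "File Name", "value": "backup.exe", "policies": ["IT"]},
]
VENDOR_COPY = {"process_path": r"C:\Program Files\BackupVendor\bin\backup.exe",
               "md5": md5_hex(VENDOR_BINARY), "group_policy": "Finance"}
LOOKALIKE = {"process_path": r"C:\Users\jdoe\AppData\Local\Temp\backup.exe",
             "md5": md5_hex(b"something else entirely"), "group_policy": "IT"}

if __name__ == "__main__":
    print(first_matching_exclusion(VENDOR_COPY, EXCLUSIONS))   # the MD5 exclusion
    print(first_matching_exclusion(LOOKALIKE, EXCLUSIONS))     # the File Name exclusion
    print(first_matching_exclusion(dict(LOOKALIKE, group_policy="Finance"), EXCLUSIONS))  # None
```

The lookalike is only excluded because the IT policy carries a File Name exclusion; under the Finance policy, where the exclusions are bound to the vendor's hash and install folder, the same file in Temp is still treated as a detection. Prefer MD5 or File Path exclusions, and scope them to the Group Policies that actually run the tool.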
PRIVILEGES & APP CONTROL - PRIVILEGED ACCESS MANAGEMENT
The Privileges & App Control - Privileged Access Management view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the elevation requests, the processes that run during the elevations, and the Zero-Trust processes that are executed in your environment. On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Pending Approvals, History, Most Escalated Process, Most Escalating Hostname, Compliance, and Zero - Trust Execution Protection.
- Pending Approvals
This view displays a table with the pending elevation requests and the following details: Hostname, Username, Reason given, Request Time, Type, Filename, and Status. If the Status is Requested and written in red, this means the endpoint is running a 3rd Party Application that has a vulnerability with a CVSS score of 7 or higher.
When you select an elevation request, you have the option to send a message to the user by enabling the Administrator message tickbox and by filling in your message.
- History
This view displays a table with the elevated/de-elevated requests and the following details: Hostname, Username, Duration, Start Time, Reason Given, Action, and Executed Process(es).
- Most Escalated Process
This view displays a table with the number of escalated processes and the following details: Process Name, Number of Escalations, Hostname, and Username.
- Most Escalating Hostname
This view displays a table with the number of escalating hostnames and the following details: Hostname, Username, and Total Number of Elevations.
- Compliance
This view displays a table with the compliant endpoints and the following details: Hostname, Active User, Domain Name, Local Groups, AD Groups, and Admin rights.
- Zero - Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button will give you the option to search the file hash on VirusTotal or to Copy the file path to the Clipboard. The data in this view gets updated in realtime.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The tables in each view have a 60-second refresh rate.
The Select GPs dropdown menu lets you list the entries for the selected Group Policy.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
PRIVILEGES & APP CONTROL - APPLICATION CONTROL
The Application Control view displays a table with all the intercepted processes that are running on the computers inside your organization. Newly-intercepted processes are visible in the HEIMDAL Dashboard 24 hours after the interception made by the HEIMDAL Agent. The processes that were already intercepted will be displayed in the HEIMDAL Dashboard in real time. On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Full logging, Matching Allowed rules, Matching Blocked rules, and Matching Allowed with auto elevation.
- Full logging
This view displays a table with all the processes (stacked number of executions) that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp. The data in this view updates in real-time for the processes that have already been intercepted, but it updates overnight when it comes to newly intercepted processes.
- Matching Allowed rules
This view displays a table with all the allowed processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp. - Matching Blocked rules
This view displays a table with all the blocked processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
- Matching Allowed with auto elevation
This view displays a table with all the processes that are allowed with the Auto Elevation feature by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
-
Raw data
This view displays a table with all the processes (unstacked) that are intercepted by the Application Control module with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, Deny file permissions, Elevated, and Timestamp. The data in this view updates in real-time and requires a short timeframe selection due to the 10,000-entry limitation of our database. We recommend a timeframe of hours/minutes.
You can Allow or Block one or multiple processes by selecting them from the Full Logging or Raw Data views. Clicking on the Number of Executions will redirect you to the process details where you can see the Process Name, the Software Name, the Publisher, the MD5, the Hostname of the computer, the Username, the Version, the Intercepted time, the Group Policy applying to the computer and the Status.
From any of the views, you can select one process and Allow it or Block it in Application Control. Once you select a process, you can choose whether to Block or Allow the process from the dropdown menu:
After hitting the Allow or the Block button, a modal that enables configuration of the rule will appear:
Global Update - creates the rule in all existing Group Policies;
Custom Policy Update - creates the rule in the selected Group Policies;
Rule Type - Path (you can specify the process' file path), Software name (you can specify the process' name as it appears in Control Panel -> Programs and Features), MD5 (you can specify the process' MD5 hash), Publisher (the Publisher information is taken from the CN value of the Subject field inside the Certificate of a signed file or the Company Name detail of an unsigned file), Signature (you can specify the process' digital signature thumbprint), Wildcard Path (you can specify a wildcard path), Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf);
Subject - add the value of the selected Rule Type. Selecting a Rule Type will automatically fill in the Subject field;
Priority - rules are processed based on priority numbers (the higher the number, the higher the priority). Leaving gaps between rules (10, 20, 30, 40, etc.) is recommended so that new rules can be slotted in between existing ones without having to edit them (priority ranges between 0 and 1000);
Allow auto elevation - allows the process to run as Administrator (available only for Allow rules);
Include spawns - allows the process to spawn other child processes (available only for Allow rules).
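The rule configuration above (Rule Type, Subject, Priority, Allow auto elevation, Include spawns), as an added worked example in Python that is not HEIMDAL's own code: the Process and Rule classes, the sample rule set and process, the tie-breaking rule and the wildcard semantics are this example's assumptions. It also shows how the recommended priority gaps let a later exception slot in between existing rules.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional

RULE_TYPES = ("Path", "Software name", "MD5", "Publisher", "Signature",
              "Wildcard Path", "Command Line")

@dataclass(frozen=True)
class Process:
    """An intercepted process; field names follow the columns the page lists."""
    path: str
    software_name: str
    md5: str
    publisher: str       # CN of the signing certificate's Subject, or Company Name if unsigned
    signature: str       # digital signature thumbprint, "" if unsigned
    command_line: str

@dataclass(frozen=True)
class Rule:
    action: str          # "Allow" or "Block"
    rule_type: str       # one of RULE_TYPES
    subject: str         # value matched according to rule_type
    priority: int        # 0..1000; the higher the number, the higher the priority
    auto_elevation: bool = False   # Allow-only: run as Administrator
    include_spawns: bool = False   # Allow-only: child processes may run too

    def __post_init__(self):
        if self.action not in ("Allow", "Block"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        if not 0 <= self.priority <= 1000:
            raise ValueError("priority must be between 0 and 1000")
        if self.action == "Block" and (self.auto_elevation or self.include_spawns):
            raise ValueError("auto elevation and include spawns are Allow-only")

def _norm(value: str) -> str:
    # Windows paths are case-insensitive; normalise separators as well.
    return value.replace("/", "\\").casefold()

def rule_matches(rule: Rule, proc: Process) -> bool:
    """Wildcard Path and Command Line rules use shell-style globbing, so '*'
    may span directory separators (this example's assumption; the page does
    not define the wildcard semantics)."""
    t = rule.rule_type
    if t == "Path":
        return _norm(proc.path) == _norm(rule.subject)
    if t == "Software name":
        return proc.software_name.casefold() == rule.subject.casefold()
    if t == "MD5":
        return proc.md5.lower() == rule.subject.lower()
    if t == "Publisher":
        return proc.publisher.casefold() == rule.subject.casefold()
    if t == "Signature":
        return bool(proc.signature) and proc.signature.lower() == rule.subject.lower()
    if t == "Wildcard Path":
        return fnmatchcase(_norm(proc.path), _norm(rule.subject))
    return fnmatchcase(_norm(proc.command_line), _norm(rule.subject))  # Command Line

@dataclass(frozen=True)
class Decision:
    status: str          # "Allow", "Block", or "Pending" when no rule matched
    rule: Optional[Rule]
    elevated: bool       # True only for an Allow rule with auto elevation

def decide(rules: Iterable[Rule], proc: Process,
           parent: Optional[Decision] = None) -> Decision:
    """Highest priority number wins; on a tie Block wins (this example's
    conservative assumption). A child with no rule of its own inherits Allow
    from a parent whose winning rule has Include spawns set."""
    matching = [r for r in rules if rule_matches(r, proc)]
    if matching:
        winner = max(matching, key=lambda r: (r.priority, r.action == "Block"))
        return Decision(winner.action, winner,
                        winner.action == "Allow" and winner.auto_elevation)
    if parent and parent.status == "Allow" and parent.rule and parent.rule.include_spawns:
        return Decision("Allow", parent.rule, False)
    return Decision("Pending", None, False)

# Constructed rule set that leaves gaps (10, 20, 30) as the page recommends.
RULES = [
    Rule("Allow", "Publisher", "Microsoft Corporation", 10, auto_elevation=True),
    Rule("Block", "Wildcard Path", r"C:\Users\*\Downloads\*.exe", 20),
    Rule("Allow", "Software name", "Contoso Deploy Tool", 30, include_spawns=True),
]
# A later exception slots in at priority 25 without editing the existing rules.
SIGNED_INSTALLER_MD5 = "0123456789abcdef0123456789abcdef"  # constructed value
RULES_WITH_EXCEPTION = RULES + [Rule("Allow", "MD5", SIGNED_INSTALLER_MD5, 25)]

# Constructed interception: a Microsoft-signed installer run from Downloads.
DOWNLOADED_SETUP = Process(r"C:\Users\alice\Downloads\setup.exe", "Setup",
                           SIGNED_INSTALLER_MD5, "Microsoft Corporation", "AB12",
                           r'"C:\Users\alice\Downloads\setup.exe" /S')
```

Against RULES the downloaded installer is blocked by the priority-20 wildcard rule even though its publisher is allowed at priority 10; with the priority-25 MD5 exception it is allowed, without auto elevation because that rule does not set it.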
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
EMAIL PROTECTION - EMAIL SECURITY
The Email Security page displays 2 views: the Homepage (that showcases relevant data from the Email Security product) and the Details (for in-depth data analysis).
Homepage
The Homepage displays several stats and graphs that provide a streamlined understanding of the usage and activity of the email addresses and domains:
- Summary Report - brief info about the total number of malicious, inbound, and outbound emails over the last 90 days. These are further broken down by Status and expressed as percentages;
- User Anomalies - shows, sorted in descending order, the top 8 email addresses on which outliers have been detected (SPAM, Virus, and ATP); each entry (email address) will have 3 bars, displaying the number of emails from this category, over the last month, 2 and 3 months ago (from the current date). For more details regarding a certain email address, the dashboard user can click on the bar chart section and a detailed linear graph is displayed below;
- Domain status - lists all the email domains, with their corresponding TAC risk score and their MX, SPF, and DMARC authentication methods’ statuses;
The bottom row tiles display a month-to-month comparison of Quarantined, Rejected, Spam, Virus, and ATP emails. The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval. After clicking on a hovered point in a chart tile, the timeframe interval of the Details page you are redirected to is automatically set to that data point. Moreover, this action also sets, in the Advanced filter, the Type or Status field to the Type or Status of the graph from which the selected data point was clicked. Depending on the graph tile clicked, the following actions occur: clicking on the Rejected and Quarantined tiles automatically sets the Status field of the Advanced filter, while clicking on the Spam, Virus, and ATP graph tiles automatically sets the Type field of the Advanced filter. If there is no recorded data when hovering over the chart data points and attempting to click on them, a toast notification will be shown to the dashboard user with the message "No data for the specific timeframe."
Details
The Details view displays all the information regarding the Inbound Mail Flow and the Outbound Mail Flow in your organization. The collected information refers to emails that are DELIVERED, QUARANTINED, QUEUED, UNDELIVERED, or REJECTED.
On the top, you see a statistic regarding the number of Scanned Emails, the number of Spam Emails, the number of Virus detections, and the number of detected Advanced Threats.
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines, while the Domain Status view displays the status of the MX, SPF, and DMARC Records that are set up on your domain(s).
The Advanced Filter allows you to filter your searches by Domain, To, From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
The Type submenu has the following types:
- All
- Normal
- Botnet
- Spam
- Virus
- Encrypted
- ATP
- SPF Block
- DMARC
- Blocklisted
- Allowed
- Attachment Block
- Released to ATP
- Newsletter
- EFP
The EFP Rule category submenu has the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment
In the Inbound view, you can see a list of all inbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Inbound view has a refresh rate of 60 seconds). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe;
- Resend - this action will resend the selected email (this action works only for delivered emails);
- Report - this action will automatically mark the selected email as Spam;
- Deny email release - this action will block the regular end users' ability to release quarantined emails from their QER report.
In the Outbound view, you can see a list of all outbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Outbound view has a refresh rate of 60 seconds). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think it is safe;
- Resend - this action will resend the selected email (this action works only for delivered emails);
- Report - this action will automatically mark the selected email as Spam.
The Show Details button will display a popup with various email details (Main, Advanced, Header, and Body). In the Main tab, you can use the Choose a domain dropdown field to take actions for the specified domains.
- Add Sender to Blocklist - adds the sender (the one who sends the email) to the blacklist of the selected domain(s);
- Add Sender to Allowlist - adds the sender (the one who sends the email) to the whitelist of the selected domain(s);
- Add Domain to Blocklist - adds the sender's domain (the one who sends the email) to the blacklist of the selected domain(s);
- Add Domain to Allowlist - adds the sender's domain (the one who sends the email) to the whitelist of the selected domain(s);
- Add Email based on subject to Allowlist - adds the sender's email to the whitelist of the selected subject(s). Unchecking the SPF/DMARC scanning will still perform an SPF/DMARC check to increase security;
- Add Email based on subject to Blocklist - adds the sender's email to the blacklist of the selected subject(s).
Dashboard users have the option to create Allowlist/Blocklist rules either at a personal or global (domain) level.
If the dashboard user selects the “Personal” option, a new End User Console rule will be created (and also displayed in the End Users Allowlist & Blocklist table which can be found in the Blocklist, Allowlist & Greylist section in Network Settings - Email Protection).
In the Advanced Status tab, you can use the Choose a domain dropdown field to take more actions for the specified domains.
- Add Source IP to Blocklist - adds the Source IP Address (the source IP Address of the sending server) to the blacklist of the selected domain;
- Add Destination IP to Blocklist - adds the Destination IP Address (the destination IP Address where the email is sent to) to the blacklist of the selected domain;
- Add Source IP to Allowlist - adds the Source IP Address (the source IP Address of the sending server) to the whitelist of the selected domain;
- Add Destination IP to Allowlist - adds the Destination IP Address (the destination IP Address where the email is sent to) to the whitelist of the selected domain.
In the Header tab, you see information about the Envelope-From and the Header-From.
EMAIL PROTECTION - EMAIL FRAUD PREVENTION
The Email Protection - Email Fraud Prevention page is split between 2 views: Homepage and Details. The Homepage displays the Summary Report (the scanned emails and their resolution for the last 90 days), the User Anomalies (the number of potentially malicious emails based on Artificial Intelligence-determined outliers at the user level for the last 90 days), and the Domain Status (the domains that have EFP configured).
The Total Malicious number from the Summary Report represents the total number of emails that have type EFP and were Quarantined (status “Quarantine”).
On the bottom, you see charts describing the following information:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment
Clicking the info points of the lower tiles' graphs (Targeted Spear Phishing, Targeted Fraud, Spear Phishing, Phraseology attempt or General Fraud, and Modified or Malicious attachment) redirects the dashboard user to a pre-filtered Details view containing the emails that meet the corresponding criteria.
The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/ decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval.
The Details view displays all the information collected by the Email Fraud Prevention in your organization. The collected information refers to the emails scanned by the anti-fraud engine. On the top, you see a statistic regarding the number of Scanned emails, the number of Outliers, and the number of Fraud emails.
The collected information is placed in the following views: Inbound and Domain Status, which are shared views with Email Security.
- Inbound
This view displays a table with the following details: Hostname, To, From, Header From, Timestamp, Subject, Type, Status, and Details.
There is an Advanced filter button, which when clicked, will reveal some filtering options: Domain, To, From, Header From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
The Type submenu has automatically assigned the EFP type, and it cannot be changed.
The EFP Rule category submenu has the following categories:
- Targeted Spear Phishing
- Targeted Fraud
- Spear Phishing
- Phraseology attempt or General Fraud
- Modified or Malicious attachment.
- Release - this action will release the selected email in case it has been quarantined and you think it is safe;
- Deny email release - this action will block the regular end users' ability to release quarantined emails from their QER report.
More details for the emails that fall under User Anomalies can be seen in the Triggered rules. These details, pertaining to emails falling under the rule category “AI outliers”, can be visualized as a process tree by pressing the View triggered rules button in the EFP Inbound view.
The outliers that our Email Fraud Prevention Neural Network can spot fall into one of the following 7 categories:
- Suspicious Links: counts the number of URLs identified as suspicious by our detection engine;
- Clickbait Detection: the neural network assesses whether content is designed as clickbait or not;
- Language Analysis: identifies the language used in the email and compares it with the typical languages used within the company;
- Attachment Analysis: evaluates attachments based on their potential malicious character;
- Text Analysis: identifies potential fraudulent words from the email's content;
- HTML Analysis: singles out HTML templates and tags the ones that deviate from the norm;
- Timing Analysis: looks at the distribution of common times when emails are sent and received by the company.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
REMOTE DESKTOP
The Remote Desktop view displays all the computers running Windows OS that are visible in the Unified Endpoint Management -> Device Info view. The collected information is placed in the following views: Standard, History, and Recordings. On the top, you see a statistic regarding the number of Attended sessions and the number of Unattended sessions.
- Standard
This view displays a table with all the endpoints in your environment and the following details: Hostname, Username, Supporter, Non Agent Connections, IP Address, Version, Last Seen, and Actions.
The Filters button allows you to filter All entries, by Endpoint, by Supporter with invite permissions, or by Supporter without invite permissions.
- History
This view displays a table with the following details: From (Hostname), To (Hostname), To (Username), Session Duration, Start Time, and Session Type.
This view refreshes and populates with new information every 24 hours.
- Recordings
This view displays a table of the recordings saved to the HEIMDAL storage and the following details: Recorded on (Hostname), Filename, Timestamp, Password, and Action.
The Show Only Supporters radio button allows you to filter only the hostnames that have been assigned the Supporter role. The Invite to remote session button allows the administrator to invite another user to a private remote session by sending a session code that the user can use to download the HEIMDAL RD Client and join the remote session. The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
THREAT-HUNTING & ACTION CENTER
Threat-hunting and Action Center (TAC) collects data referring to events inside your organization by leveraging our Extended Threat Protection (XTP) Engine, the renowned MITRE ATT&CK techniques framework, and the rest of the Heimdal products. It provides granular telemetry into IT environments, endpoints, networks, and beyond, to help teams proactively classify security risks, hunt detected anomalies, and neutralize persistent threats securely without risking the spread of attacks, disrupting end-users, or affecting organizational productivity.
ACCOUNTS
The Accounts page is the area where you can create new enterprise/reseller accounts and assign them to a specific Enterprise/Reseller customer or edit existing ones and manage their configuration.
A. Enterprise customers can create/edit Enterprise accounts that can get the Administrator role (can view/add/edit HEIMDAL Dashboard settings) or the Visitor role (can view the HEIMDAL Dashboard information but cannot add/edit any settings).
B. Reseller customers can create/edit Reseller accounts that can get the Reseller role (can view/add/edit HEIMDAL Dashboard settings for all of its Enterprise customers). Also, Reseller customers can create/edit Enterprise accounts to any of their Enterprise customers that can get the Administrator role (can view/add/edit HEIMDAL Dashboard settings) or the Visitor role (can view the HEIMDAL Dashboard information but cannot add/edit any settings).
C. Distributor customers can create/edit Distributor accounts that can get the Distributor role (can view/create/edit Reseller customers) but cannot perform any changes on the HEIMDAL products. Also, Distributor customers can create/edit Reseller accounts that can be assigned to any Reseller customer under the Distributor account.
Account
The Account section allows you to create a new HEIMDAL Dashboard account that can be appointed to an Enterprise customer, to a Reseller customer, or to a Distributor customer (with their specific roles).
Here, a name, email address (used for logging in), time zone, currency, the range of IPs accepted for login, date format, alerts/reports, dashboard idle time and the customer (or Reseller or Distributor) to which the Dashboard account is assigned, can be set.
The Display Mode option, when activated, will refresh the data from the page every 3 minutes but it will not refresh the whole page itself (like F5 - Refresh does).
Custom Role Management
The Custom Role Management section allows you to create/edit/delete a custom role that can be assigned to one or multiple HEIMDAL Dashboard user accounts. This functionality is handled through the newly added claims in the Access Control of each user account (View Custom Role Management area & Full Control Custom Role Management area). A Custom Role can be assigned to users who log into the HEIMDAL Dashboard using the SAML 2.0 mechanism based on the synced Azure Active Directory group (the Azure AD Groups must be synced in the Guide -> Customer settings area first in order to become visible in the dropdown menu where you map an Azure AD Group to a Custom Role).
The newly-created Custom Role can be assigned to one or more accounts by editing the user accounts settings in the Miscellaneous Settings. The Custom Role functionality is available to Reseller and Enterprise customer user accounts only.
IMPORTANT
A Custom Role applying to a user account supersedes the individual Access Control settings of the user account. This means that disabling the Manage account claims on the Custom Role applying to a user, will automatically supersede the user account's claims and disable the individual Manage account claims that were configured on the user account's Access Control.
Access Control
Reseller accounts can set up or edit Access Control settings for Enterprise accounts where the owner of the Enterprise account can get claims to perform specific actions in the HEIMDAL Dashboard:
Manage Custom Roles - Ability to view and/or edit (create and delete) custom roles in your organization.
- View Custom Role Management area
- Full control Custom Role Management area
Manage account - Ability to view and/or edit (create and delete) the allowed dashboard account logins.
- View account
- Create account
- Edit account
- Delete account
Manage API key - Ability to view and/or edit (create and delete) the API key and view its data.
- View API key
- Edit API key
Manage Endpoint Settings area - Ability to view and/or edit the Endpoint Settings area.
- View Endpoint Settings area
- View DarkLayer Guard™ endpoint settings
- View VectorN Detection™ endpoint settings
- View 3ʳᵈ Party Patch Management endpoint settings
- View Operating System Updates endpoint settings
- View Next-Gen Antivirus endpoint settings
- View Firewall endpoint settings
- View Ransomware Encryption Protection endpoint settings
- View Privileged Access Management endpoint settings
- View Application Control endpoint settings
- View Zero Trust endpoint settings
- View Email Fraud Prevention endpoint settings
- View Remote Desktop endpoint settings
- View Extended Threat Protection Endpoint settings
- View BitLocker Endpoint settings
- View Scripting Endpoint settings
- Edit Endpoint Settings area
- Edit DarkLayer Guard™ endpoint settings
- Edit VectorN Detection™ endpoint settings
- Edit 3ʳᵈ Party Patch Management endpoint settings
- Edit Operating System Updates endpoint settings
- Edit Next-Gen Antivirus endpoint settings
- Edit Firewall endpoint settings
- Edit Ransomware Encryption Protection endpoint settings
- Edit Privileged Access Management endpoint settings
- Edit Application Control endpoint settings
- Edit Zero Trust endpoint settings
- Edit Email Fraud Prevention endpoint settings
- Edit Remote Desktop endpoint settings
- Edit Extended Threat Protection Endpoint settings
- Edit BitLocker Endpoint settings
- Edit Scripting Endpoint settings
Manage Windows Endpoint Settings area - Ability to select access rights on Windows Endpoint Settings area.
- Full access device settings windows
- Specific access device settings windows
Manage macOS Endpoint Settings area - Ability to select access rights on Mac OS Endpoint Settings area.
- Full access device settings macOS
- Specific access device settings macOS
Manage Linux Endpoint Settings area - Ability to select access rights on Linux Endpoint Settings area.
- Full access device settings Linux
- Specific access device settings Linux
Manage Android Endpoint Settings area - Ability to select access rights on Android Endpoint Settings area.
- Full access device settings mobile
- Specific access device settings mobile
Manage DNS Security Network Settings area - Ability to view and/or edit the DNS Security Network data/Settings area.
- View DNS Security network data
- View DNS Security network settings
- Edit DNS Security network settings
Manage Email Security Network Settings area - Ability to view and/or edit the Email Security Network Settings area.
- View email security network settings
- Full control of email security network settings
Manage Email Security data - Ability to manage Email Security settings at specific or all domain levels (view, release, blacklist, whitelist) + view data related to body and attachments.
- View email security data
- View email security sensitive
- Release email security
- Whitelist blacklist email security
- Full access email security domain
- Specific access email security domain
Manage customer data on all product/module grids - Ability to view data and/or perform actions on all the Heimdal products/modules' grids (e.g.: quarantined files, excluded files, Group Policy settings, Isolated machines, Approved/Denied PAM escalation requests, etc.).
- View products data
- View DNS Security Endpoint data
- View VectorN Detection™ data
- View 3ʳᵈ Party Patch Management data
- View Infinity Management data
- View Operating System Updates data
- View Next-Gen Antivirus data
- View Firewall data
- View Ransomware Encryption Protection data
- View Privileged Access Management data
- View Application Control data
- View Zero Trust data
- View Forensics data
- View Email Fraud Prevention data
- View Remote Desktop data
- Perform actions on products data
- Perform actions on DNS Security Endpoint data
- Perform actions on VectorN Detection™ data
- Perform actions on 3ʳᵈ Party Patch Management data
- Perform actions on Infinity Management data
- Perform actions on Operating System Updates data
- Perform actions on Next-Gen Antivirus data
- Perform actions on Firewall data
- Perform actions on Ransomware Encryption Protection data
- Perform actions on Privileged Access Management data
- Perform actions on Application Control data
- Perform actions on Zero Trust data
- Perform actions on Forensics data
- Perform actions on Email Fraud Prevention data
- Perform actions on Remote Desktop data
Manage PAM elevations for Windows endpoints
- Full access PAM elevations Windows
- Specific access PAM elevations Windows
Manage PAM elevations of macOS endpoints
- Full access PAM elevations macOS
- Specific access PAM elevations macOS
Manage Device Info area - Ability to edit the Device Info area.
- Edit Device Info area
- View Device Info Custom columns
- Edit Device Info Custom columns
- View Hostname groups
- Edit Hostname groups
View BitLocker Recovery Keys
- View the BitLocker Recovery Keys
Generate email reports - Ability to generate Email Security reports.
- Generate email reports
Manage customer settings - Ability to manage settings in the GUIDE section of the Heimdal Dashboard, Customer Settings tab.
- Manage customer settings
View customer license - Ability to view the license key in the Guide section of the Heimdal Dashboard.
- View customer license
View uninstall password - Ability to view the Master Password for uninstalling the Heimdal Agent.
- View uninstall password
Invite to remote session - Ability to invite other users to a remote session.
- Remote desktop invite to session
Remote Desktop connection - Ability to connect to any endpoint regardless of GP access rights.
- Remote desktop connect full access
GUIDE
The Guide page is the area where you get information about the HEIMDAL license key, the API Key, the latest versions of the HEIMDAL installers, your Customer settings (restriction of the data for the HEIMDAL Security employees, SAML 2.0, Azure AD Group synchronization, Integration for ConnectWise, HaloPSA, and Autotask) and the MXDR Permissions.
YOUR HEIMDAL ACTIVATION KEY
This section displays the HEIMDAL Activation Key, the Expiration date, and its Status.
The Generate Password button will show your Master Uninstall password (valid only throughout the day it was generated). It can be used to uninstall the HEIMDAL Agent in case you forgot the Uninstall Password that is set in the Group Policy settings.
Pressing the Send email button (for the Android Setup email) will send an activation email with a URL pointing towards a HEIMDAL page that allows you to Activate the HEIMDAL license key without needing to type it manually.
In order to activate the HEIMDAL Mobile Security app, you need to access the URL in the Android setup email from the device where you are trying to activate using the Activate button.
YOUR HEIMDAL API KEY
This section displays your personal API key that is available for your HEIMDAL Dashboard user account. The API Key can be deleted and generated again. You can also see a few guides on how to use the APIs HEIMDAL provides.
DOWNLOAD AND INSTALL
This section provides you with a list of the installers and some guides on how to use some of the HEIMDAL products/services.
CUSTOMER SETTINGS
This section allows you to set the Azure AD Sync & SAML Setup and also to configure the integration with ConnectWise, HaloPSA, or Autotask.
MXDR PERMISSIONS
This section is meant for MXDR customers to configure the permissions that the HEIMDAL MXDR Team can use to act on detections.
GENERATE REPORTS
The Generate Reports button (available for Enterprise accounts) sends by email all the reports that are enabled on each email account assigned to the customer. This feature is available for a timeframe of a maximum of 30 days. If you have selected a wider timeframe, the Generate Reports button will be greyed out.
IMPORTANT
Endpoint Detection reports can include detections/warnings that extend to 31 days (ignoring the configured timeframe).
TOGGLE THEME
The Toggle Theme button allows the logged-in user to switch between the light theme and the dark theme (only if the customer that the user is assigned to does NOT have the Threat-hunting & Action Center product on its license). Customers that already have the Threat-hunting & Action Center product will not see this option in the left-hand side menu.
SUPPORT
The Support button redirects you to the HEIMDAL Security Support and Knowledge Base section where you can find support articles for all of our products and solutions to known problems. In this section, you can also get in contact with our Support Team (via the customized forms).