In this article, you will see and understand how the HEIMDAL Dashboard works, what data is collected from your environment, and what the benefits of the HEIMDAL Unified Threat Platform are. The HEIMDAL Dashboard allows you to see which threats are intercepted in your environment, enabling you to mitigate and take action against malware. The HEIMDAL Dashboard works with a variety of Internet browsers, but it is best supported by the following: Google Chrome (recommended), Mozilla Firefox, Microsoft Edge, and Safari.
1. Home
2. Admin
3. Management
4. Customer Overview
5. Products
6. Accounts
7. Guide
8. Generate Reports
9. Support
10. Global Scalability
HOME
Right after you log in to the HEIMDAL Dashboard, you are presented with the HEIMDAL Dashboard Home page. The left-side menu allows you to navigate to any section of the HEIMDAL Dashboard. On the top, you can use the Customer impersonation field (available to Resellers only) that allows you to impersonate the Enterprise account of any of your customers. The Timeframe selection field allows you to select the Start-Date and the End-Date to display the information collected in the HEIMDAL Dashboard. The Endpoint Settings and the Network Settings allow you to configure the settings for the HEIMDAL Security products.
On the right side of the Home page, you get information about each of the modules that are active under the current Customer account. The charts include data regarding attacks, vulnerabilities, detections, infected/quarantined files, blocked/allowed processes, and quarantined/rejected emails. It is important to know that the information displayed in the charts reflects the selected Timeframe and, by default, the Timeframe stretches 30 days into the past.
The charts are animated and they switch between the products/services (every 15 seconds, if the user is not hovering over the chart in question), but you can also select the graph of a specific product from the dropdown menu or you can click the square symbol (top-right corner of each module) to open a more detailed chart.
Hovering over the bullets in the chart will offer you information for that specific date and will allow you to navigate to the module view (on that specific date) to dig deeper. You can also click anywhere inside the graph to get to the module view.
On the bottom side of the Home page, you can see the contact information of HEIMDAL Security and the HEIMDAL Dashboard version:
Distributors and Resellers will see a new homepage with the license overview representing a centralized overview per product of all the licenses that are under their management. This view showcases the number of used licenses, as well as the available ones. Total seats represents the number of purchased* or committed* licenses for a product/module. Used is the number of user licenses for each product. Available is the difference between Total seats and Used. This page will also allow the Partner to filter the data from the grid, offering the possibility to see All, Monthly Billing and/or Annual licensing types. On the bottom section of the new homepage, the Distributor/Reseller will find links to our Support Knowledge Base articles and the Heimdal™ YouTube channel which holds lots of interesting and useful video training content.
ADMIN
The Admin page (available for the Reseller accounts) allows you to add new customers or edit existing ones and manage their licensing options. You can add/delete Home Batch Keys (if they are activated on your reseller account). The Customers menu displays a list of all your customers and details such as ID, Name, Type, License Type, SPLA License, Active Clients, Purchased Licenses. In this section, you can add a new customer and you can also generate a CSV report that includes the list of all customers:
- Creating a new customer is easy and can be done by filling in the required fields.
Name - specify the name of the new customer;
Type - Corp available only;
Total licenses - specify the number of devices;
Email - specify the email address of the customer account owner;
Details - specify any details that you consider necessary to be saved;
- The Licensing options section is where you select which products/modules are available for the customer.
- The next thing is to generate a license key. To do that, you have to press the Add Key button and fill in the fields below:
- The Billing Info section is not mandatory, but you can fill in the requested information:
Under Home Batch Keys, you can create new Home Batch Keys, you can view the Registered Batch Keys and the Non-Registered Batch Keys and you can delete the generated licensed keys.
This view also allows you to download a list of all Home licenses included in a Batch.
MANAGEMENT
ROI REPORT
The Return on Investment (ROI) reports are considered essential marketing analytics tools and are useful because they review the costs saved by your organization by using the HEIMDAL Security suite. On this page, you can see charts about the Threat Prevention modules, Patch & Assets Management modules, Endpoint Detection modules, and Email Protection modules:
ACTIVE CLIENTS
The Active Clients page displays all the information collected from the devices/endpoints that are running the HEIMDAL Agent. The collected information includes system information details and HEIMDAL Agent status. On the top, you see a statistic regarding the number of Active servers, the number of Active endpoints, and the number of Total devices.
The collected information is placed in the following views: Standard, Hardware, Non-Heimdal devices, Hostname groups, and Server commands.
- Standard
This view displays a table with the following details: Hostname, Username, IP Address, HEIMDAL Agent version, Operating System, Current Group Policy, Selected Group Policy, Last Seen, Enabled Modules, and HEIMDAL Agent Status. The Last Seen status refreshes every 4 hours. The Last Reboot and the VDF Info (VDFs are updated every 120 minutes locally) are updated every 60 minutes.
The Column Options button allows you to change the order of the existing columns (the Hostname column cannot be moved) or add/remove up to 3 custom text columns (where you can insert/edit text-type information). The custom columns can have a custom name and they can be added manually or via the Import CSV file. This layout is saved at the Enterprise customer level (all HEIMDAL Dashboard user accounts will use the same settings).
- Hardware
This view displays a table with the following details: Hostname\Username, installed CPU, CPU Usage, installed Memory, Memory Usage, installed Disk Drive, Disk Usage, Last Seen, and HEIMDAL Agent Status.
- Non-Heimdal devices
This view displays a table with all the devices that are not running the HEIMDAL Agent and comes with the following details: Hostname, IP Address, MAC Address, Details, and Scan Date.
Selecting a Non-Heimdal device allows you to Hide the device or Deploy Heimdal Agent from a server (on which the HEIMDAL Agent is installed). The server must be a domain controller and the device where the deployment is made needs to be in the same domain as the server. Applying the Deploy Heimdal Agent operation will display a toaster where the server can be selected by hostname or IP Address. To get the available options, you need to enter at least 3 characters.
- Hostname groups
This view displays a list of groups where specific endpoints/devices can be added/mapped (for specific reasons). A Hostname Group can be used to automatically assign a HEIMDAL Dashboard Group Policy to that specified group of endpoints (the Hostname Group's name needs to be specified in the Group Policy settings, under General -> AD Computer Group). The Create group button allows you to create a group and define its description.
One or multiple endpoints can be added to a Hostname Group from the Standard view, by selecting the hostname(s) and by clicking Add to group from the dropdown menu.
- Server commands
This view displays a list of the individual actions (3rd Party install, scan) performed on specific endpoints. This view displays a table with the following details: Hostname, Command Type, Command Description, Resolutions, and Timestamp:
In case you have dozens, hundreds, or thousands of endpoints registered in the Active Clients view, you can use the Search field to filter the results based on the following criteria: Hostname, Username, IP Address, Version, Operating System, and Current GP.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information displayed in the Standard view. If you want the complete CSV report (Verbose report), use the Download CSV functionality available in the Hardware view.
The Select View dropdown menu allows you to select what type of devices/endpoints are visible in the view: All Statuses, Revoked, Active (all endpoints/devices in the selected timeframe, whether they were active or inactive), or Inactive endpoints. The Inactive option ignores the selected timeframe and displays all the endpoints/devices that have been inactive for at least 7, 14, 21, or 28 days, counted back from the day of the search.
The Active Clients filters allow you to filter the results displayed in the table by Operating System (enabling you to apply 2 filters).
The tickbox placed on the left side of the hostname of each endpoint allows you to take action on the selected device(s)/endpoint(s).
- Revoke - revokes the HEIMDAL license key from the selected endpoint, making the HEIMDAL Agent downgrade to the Free version (only the 3rd Party Software module is available). The HEIMDAL Agent will stop communicating with the HEIMDAL Dashboard and it will stop applying any other settings specified in the Group Policy. The revoked device(s)/endpoint(s) can be unrevoked from the Revoked view, by selecting it and hitting Unrevoke in the dropdown menu;
- Add to group - adds the endpoint(s) to a selected Hostname Group (available in the Hostname groups view);
- Isolate - isolates the selected device(s)/endpoint(s) by blocking the external connection;
- Unblock RDP Port - unblocks the default RDP Port (3389), if it has been blocked due to a Brute Force Attack detection;
- Scan non-Heimdal devices - tells the selected computer to perform a network scan for computers that are not running the HEIMDAL Agent (this option is available if Allow network scan is enabled in the Group Policy settings);
- Install 3rd Party Software - installs one or more 3rd Party Application(s) from the list of 3rd Party Patch Management applications;
- Uninstall 3rd Party Software - uninstall one or multiple applications that support uninstall through the HEIMDAL Agent;
- Next-Gen Antivirus scan - perform a Next-Gen Antivirus scan from the scan type list;
- Apply to Specific GP - allows you to apply a specific Group Policy to the selected device(s)/endpoint(s) or to set it/them to Automatic to apply a Group Policy automatically, based on GP Priority, Azure AD Group, AD Computer/User Group, ComputerTag/UserTag, External IP Address.
Clicking on a hostname will direct you to another page where you are able to see information regarding the HEIMDAL Agent status, the Device information, the Hardware information, the Operating System information, the Antivirus information, the DNS information, and the Enabled Modules;
Clicking on the number of Modules will display a list of all the modules that are enabled on the selected device(s)/endpoint(s).
Clicking on the Status exclamation icon will pop up a modal that will show you the current status of the HEIMDAL Agent and the steps required to get the device/endpoint operational.
REVENUE SHARE
The Revenue share page displays the information referring to the revenue share of the customers. On the top, you see a statistic regarding the Number of licenses attached to your account, the Projected revenue share next year, the Projected revenue share year after, and the Revenue share.
The collected information refers to Client Name, Email Address, Renewal Date, Revenue Share, and Total Revenue.
CUSTOMER OVERVIEW
Distributors and Resellers are able to visualize an overview of each Reseller/Enterprise customer, in regard to their licensing option situation.
Create Group - allows you to create a group to assign customers to keep track of their Resellers/Enterprise customers and filter them when multiple reseller accounts are managing specific groups of customers.
Create New Customer - redirects you to the Admin section of the HEIMDAL Dashboard and allows you to create a new Reseller or Enterprise customer.
The Filters button opens a toaster that allows you to filter by Customer Groups, Client info type, or Billing type.
PRODUCTS
THREAT PREVENTION - NETWORK
The Threat Prevention - Network view displays all the information collected by HEIMDAL Agent/HEIMDAL Log Agent that is running on the DNS Server(s) in your organization. The collected information refers to the DNS queries that went through your DNS Server(s). On the top, you see a statistic regarding the number of Analyzed Traffic Requests, Prevented Attacks, Prevented Attacks %, and Category Blocks.
The collected information is placed in the following views: Standard, Threat Type, Latest Threats, Category Blocks, Most Used Domains, Investigate, and App Discovery.
- Standard
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Approved Requests, Prevented attacks, and Risk Level (which is calculated according to the following formulas: Low-risk level - the number of prevented attacks is lower than the number of days; Medium-risk level - the number of prevented attacks is equal to or higher than the number of days and lower than 1.66 * the number of days; High-risk level - everything above these two levels). The data in this view updates every hour.
- Threat Type
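The Risk Level formula above, worked through on constructed data. This is an added example and not Heimdal's own code; it assumes that "the number of days" is the length of the Timeframe selected at the top of the dashboard (inclusive of both ends), and the function name and sample hosts are made up for illustration.

```powershell
# Added example (not Heimdal's code): applies the Risk Level thresholds from the
# Threat Prevention - Network Standard view to a constructed set of hosts.
# Assumption: "number of days" = length of the selected Timeframe, inclusive.

function Get-TpnRiskLevel {
    param(
        [Parameter(Mandatory)][int]$PreventedAttacks,
        [Parameter(Mandatory)][int]$Days
    )
    if ($PreventedAttacks -lt $Days)        { return 'Low' }     # attacks < days
    if ($PreventedAttacks -lt 1.66 * $Days) { return 'Medium' }  # days <= attacks < 1.66 * days
    return 'High'                                                # everything else
}

# Timeframe as selected in the dashboard (constructed values): 30 days.
$start = Get-Date '2024-03-01'
$end   = Get-Date '2024-03-30'
$days  = ($end - $start).Days + 1

# Constructed sample rows mirroring the Standard view columns.
# Values were chosen to sit on the boundaries: 30 and 49 are Medium, 50 is High.
$rows = @(
    [pscustomobject]@{ Hostname = 'WS-001'; IPAddress = '10.0.0.11'; ApprovedRequests = 120345; PreventedAttacks = 4  },
    [pscustomobject]@{ Hostname = 'WS-002'; IPAddress = '10.0.0.12'; ApprovedRequests = 98120;  PreventedAttacks = 30 },
    [pscustomobject]@{ Hostname = 'WS-003'; IPAddress = '10.0.0.13'; ApprovedRequests = 87544;  PreventedAttacks = 49 },
    [pscustomobject]@{ Hostname = 'SRV-01'; IPAddress = '10.0.0.5';  ApprovedRequests = 401233; PreventedAttacks = 50 }
)

$rows |
    Select-Object Hostname, IPAddress, ApprovedRequests, PreventedAttacks,
        @{ Name = 'RiskLevel'; Expression = { Get-TpnRiskLevel -PreventedAttacks $_.PreventedAttacks -Days $days } } |
    Sort-Object @{ Expression = { @{ Low = 0; Medium = 1; High = 2 }[$_.RiskLevel] } } -Descending |
    Format-Table -AutoSize
```

Because the thresholds scale with the Timeframe, the same host can move between Low and Medium simply by shortening the selected period; when triaging, compare hosts against each other over the same Timeframe rather than reading the label in isolation.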
This view displays a table with the following details: Threat Type and number of Hits. The data in this view updates every hour.
- Latest Threats
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), Client IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Domain, Threat Type, Date and Time. The data can be filtered using the Latest Threats and Forensics filters.
The Forensics filter displays the following details: IP Address, Protocol, URL, Date.
The data in this view is updated in real-time.
- Category Blocks
This view displays a table with the following details: Hostname (the HEIMDAL Log Agent is required to collect the hostname of the endpoint making the request), IP Address (the HEIMDAL Log Agent is required to collect the local/internal IP Address of the endpoint making the request), Domain, Date.
Please note that hostnames that are listed in Standard View and Latest Threats View with the N/A tag instead of their name are not listed in the Forward Lookup Zones. In order to fix this, you will need to add those hostnames in the Forward Lookup Zones.
- Most Used Domains
This view displays a table with the following details: Domain and the Total Hits. The data in this view updates every hour.
- Investigate
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into the following subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the TPE matches (the number of times, in the selected timeframe, the domain has been intercepted via TPE), the Global TPE matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN), the Global TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of the domain (in question) on the Threat Prevention Endpoint blacklist (blacklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question).
- App Discovery
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage. The data in this view updates in real-time.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
THREAT PREVENTION - ENDPOINT
The Threat Prevention - Endpoint view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks.
The collected information is placed in the following views: Standard, Threat Type, Hostname/Latest Threats, TTPC, Category Blocks, and Full Logging.
- Standard
This view displays a table with the following details: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, and Risk Level.
- Threat Type
This view displays a table with the following details: Threat Type, Number of matches, Most Targeted Hostname, and Username.
- Hostname/Threats
This view displays a table with the following details: Hostname, Username, Domain Blocked, Threat Type, and Number of matches.
- Latest Threats
This view displays a table with the following details: Hostname, Username, Threat Type, Threat Source, TTPC, and Date.
- TTPC
This view displays a table with the following details: TTPC Detections, the Number of matches, Most Targeted Hostname, Username, Most Frequently Detected Infected Domain, and Last Match.
- Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains.
- Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and Total Hits.
- Investigate
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into the following subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the TPE matches (the number of times, in the selected timeframe, the domain has been intercepted via TPE), the Global TPE matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN), the Global TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of domain (in question) on the Threat Prevention Endpoint blacklist (blacklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question).
- App Discovery
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
THREAT PREVENTION - VectorN Detection
The Threat Prevention - VectorN Detection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the patterns identified within the DarkLayer Guard domain blocks. On the top, you see a statistic regarding the number of VectorN Endpoint Detections and VectorN Network Detections.
The collected information is placed in the VectorN Endpoint and VectorN Network.
- VectorN Endpoint
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, TTPC, and Last Match. Selecting a detected pattern will allow you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or hide it (which means that the detection[s] will be dismissed for 30 days). The Resolve option can be used in case you have a false positive pattern that does not allow you to elevate through the Privileged Access Management product in case De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After hiding a VectorN Detection, you need to wait 24 hours until the hiding is propagated on the computer;
- VectorN Network
This view displays a table with the following details: Hostname, Malware Pattern, Probability of Infection, Count, and Last Match. Selecting a detected pattern will allow you to quarantine the intercepted process, upload it to the HEIMDAL Security storage for analysis, or hide it (which means that the detection[s] will be dismissed for 30 days). The Hide option can be used in case you have a false positive pattern that does not allow you to elevate through the Privileged Access Management product in case De-elevate and block elevation for users with risk or infections is enabled in the Group Policy. After hiding a VectorN Detection, you need to wait 24 hours until the hiding is propagated on the computer;
The Show Dismissed Detections will display the hidden VectorN patterns. The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view. The Filters functionality allows you to filter entries by Operating System.
PATCH & ASSET MANAGEMENT - 3RD PARTY SOFTWARE
The Patch & Asset Management - 3rd Party Software view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the 3rd Party Applications that are installed or monitored by the HEIMDAL Agent and is divided between the 3rd Party Applications monitored on Windows endpoints and the 3rd Party Applications monitored on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard, Patches per Endpoint, Assets, and Compliance.
- Standard
This view displays a table with the following details: Hostname, Username, Software, Version, CVE, CVS, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status (all statuses - up-to-date, patched, and vulnerable), Latest Patch (the latest installed/patched), Currently Vulnerable, Historically Vulnerable, Up-to-date (all applications that are found to be up-to-date), Uninstalled. You are allowed to select one or multiple entries in the Standard view and Hide them from the view. Vulnerable applications (that are listed in the Standard view -> Latest Status, Currently Vulnerable view, and Historically Vulnerable view) can be installed by selecting the Install 3rd Party Software option from the dropdown menu. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator.
- Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Assets
The Asset view displays a list of all the 3rd Party Applications that are installed on all the endpoints that run the HEIMDAL Agent in your organization (no matter if the 3rd Party Applications are monitored by the HEIMDAL Agent or not). The detection is made in the following Windows Registries paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall). The table includes the following information: Application Name, Version, GUID, Installed Endpoints, Hostname (visible in the Non-Stacked view), Installed Server, Username (visible in the Non-Stacked view), Machine Type (visible in the Non-Stacked view), Uninstallable (3rd Party Applications that can be uninstalled by the HEIMDAL Agent), Supported (3rd Party Applications that are installed and updated through the HEIMDAL Agent), and Date and Time (visible in the Non-Stacked view). The Hide Microsoft Products radio button allows you to hide the Microsoft products from the Assets view. The Filters functionality allows you to filter entries by Monitored and Not Monitored applications. This view filters the data by the client (device) information's last seen status instead of the install/update time of a 3rd Party Application.
Selecting one or multiple 3rd Party Applications allows you to:
a. Add the selected application(s) to a Group Policy or all Group Policies to be automatically installed or be automatically updated (when a new version is available);
b. Uninstall the selected application(s) if the Uninstall is supported by the HEIMDAL Agent (the Uninstall is supported for the 3rd Party Applications that are installed using an MSI Installer that creates an UninstallString property or for the 3rd Party Applications that are installed using an EXE Installer that creates a QuietUninstallString property).
- Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, and Last Seen.
The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not. This view does not consider the selected timeframe (from the top of the HEIMDAL Dashboard), but instead, it displays the endpoints filtered by a specific date or an interval, both selected from the green Filter button. When checking for compliance, it is necessary to set a desired date. A compliant machine is an endpoint that has no pending updates before the selected date/interval. A non-compliant machine is an endpoint that has got pending updates before the selected date/interval. Filtering for compliant endpoints will list endpoints with 0 updates, which shows they are up to date. Filtering for non-compliant endpoints is possible only by selecting a specific date but not an interval, as this view can only show the endpoints that have got pending updates before the selected interval.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
Linux OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard view, Patches per Endpoint view, and Assets view.
- Standard
This view displays a table with the following details: Hostname, Username, Software, Package, Distribution, Version, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status, Latest Patch, Currently Vulnerable, Historically Vulnerable, Up-to-date, Uninstalled. You are also allowed to select one or multiple entries in the Standard view and Hide them from the view. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator.
- Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, Last Seen, and Status.
The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
PATCH & ASSET MANAGEMENT - Infinity Management
The Infinity Management view displays a list of all your 3rd Party Applications that are configured for deployment inside your organization, while the Software Asset Management view displays a list of all the software licenses that are detected on the endpoints in your organization.
Windows OS
A. Infinity Management
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
Below the statistics, you see a search field that allows you to search between the configured applications, the Add New App and View Private Patching Storage buttons and the list of 3rd Party Applications.
To add a 3rd Party Application to Infinity Management you need to upload the encrypted installer to your Private Patching Storage and create the new application in the Infinity Management view.
B. Software Asset Management
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
In this view, you get information about the Application Name, Publisher, Type, Quantity, Maximum number of Endpoint Licenses, Maximum number of Server Licenses, Total Price Endpoints, Total Price Servers, Discovered Endpoints, Discovered Servers, License Key, and Expiration Date. Clicking the Application Name will redirect you to the SAM Details page where you can edit the license information. The primary properties of a SAM item are the Application Name and the Alias. The Alias property represents a list of expressions used for automatically discovering assets by their name. Since multiple assets may be part of the same license (only having different versions), multiple assets may match the same Software Assets Management item. Since the same software can be bought from multiple publishers in multiple ways, in the editor (SAM Details page) there is a “Details” tab granting the possibility to input multiple license details concerning multiple publishers. The Create New License functionality allows you to add a new license for a specific application. The SAM view is available if Software Asset Management and Infinity Management are enabled in the Group Policy settings.
I. Preparing, encrypting, and uploading the installer
1. To encrypt an installer that is to be deployed in your organization, you need to use the HEIMDAL Encryption Tool (which can be downloaded from the Private Patching Storage). This tool allows you to encrypt .msi, .msp, .exe, and .zip files that are going to be uploaded to the Private Patching Storage. For the encryption process to go smoothly, make sure the filename of the file(s) you are trying to encrypt doesn't include special characters (like [ ] { } # =) and isn't longer than 50 characters. Once encrypted, the file gets the .enc extension (e.g. setup.exe.enc).
2. After encrypting the file, you can access the Private Patching Storage, available in the Products -> Patch & Asset Management -> Infinity Management -> View Private Patching Storage section. Here you see a list of all the encrypted files (if any were added previously) and the remaining size of your storage.
3. Upload the encrypted file to your Private Patching Storage by pressing the Upload File button and by importing the file. Once uploaded, the file will be displayed in the list of uploaded files.
II. Creating the new application
1. Once the installer of the 3rd Party Application is uploaded to the Private Patching Storage, you can create the application in Infinity Management, by going back to the Infinity Management view and by hitting the Add New App button.
Fill in the following fields:
- Application Name - name of the application;
- Architecture - Both, x64 or x86. This field is used by the HEIMDAL Agent to discover a 3rd Party Application in the Windows Registry paths HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (usually 64-bit applications) and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (usually 32-bit applications). The applications are identified by the DisplayName and DisplayVersion properties found under the application's GUID registry key;
- Custom Expressions (the custom expression must match the Application's name, just like it is displayed in Control Panel - Programs and Features) - This field tells the HEIMDAL Agent what's the name of the application and how to identify it when it is installed on the computer. You can specify multiple custom expressions to match an application by its name and you can also exclude the name of an application that might have a similar name. Use the Custom Expressions Helper for more examples.
2. Once the Application is configured, you need to press the Add Patch button to configure the patch.
- Private Patches - select the encrypted file from the dropdown menu;
- Version - Specify the version number (the version number must be identical to the version number displayed in Control Panel - Programs and Features);
- Checksum SHA512 - The checksum SHA512 is filled in automatically when the user selects the encrypted file in the Private Patches dropdown. In case you upload a file larger than 1 GB, the automatic filling in of this field might be slowed down. If this happens, we recommend you manually add the Checksum SHA512 from the HEIMDAL Encryption tool;
- Checksum MD5 - The checksum MD5 is filled in automatically when the user selects the encrypted file in the Private Patches dropdown. In case you upload a file larger than 1 GB, the automatic filling in of this field might be slowed down. If this happens, we recommend you manually add the Checksum MD5 from the HEIMDAL Encryption tool;
- Type - Default or Archive (default is Default, while Archive is meant for .zip files);
- Install Arguments - Specify the silent installation argument (usually MSI Installers use /qn while EXE Installers use /S or /SILENT, but these differ from one application to another, so it is best to contact the developer of the application);
- Applies to specific version - you can select an older version of the application (if already configured) or you can click the Applies to all upper versions tickbox;
- Before Install - allows you to perform specific operations before installing the 3rd Party Application:
Uninstall Specific Version - uninstall a specific version or all previous versions (this usually works for MSI Installers);
Execute script - Infinity Management allows you to run Command-Prompt command lines before installing the application or after installing the application (in case you are required to run specific batch scripts before/after installing the application);
- After Install - allows you to perform specific operations after installing the 3rd Party Application:
Skip Post-Event Script if Patch Fails: if enabled, this cancels the execution of the script below in case the application install/update fails;
Execute script - Infinity Management allows you to run Command-Prompt command lines before installing the application or after installing the application (in case you are required to run specific batch scripts before/after installing the application);
3. Select the Operating System(s) where you want the deployment of the 3rd Party Application to be available and press Save Patch. Once you save a patch, you can always come back and disable it by pressing the Disable button.
4. After saving the patch, press the Save button to complete the configuration.
When a new patch version is available for a configured application, you can always come back to Infinity Management, access the 3rd Party Application and add a new patch, which will get a higher version number than the existing patch(es). In case you want to disable a patch from the list of patches, you can click on the specific patch and press the Disable button. Don't forget to press the Save button on the Application Definition window.
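The registry discovery, filename and checksum rules from the steps above, as an added Python example that is not HEIMDAL's own code: it validates an installer name against the Encryption Tool limits, computes the SHA512 and MD5 that the Add Patch form expects, reads DisplayName and DisplayVersion from the two Uninstall keys (on Windows) and matches the entries against custom expressions. The wildcard-plus-exclude syntax used for custom expressions and the sample entries are assumptions; the product's real syntax is described in the Custom Expressions Helper.

```python
"""Pre-flight checks for an Infinity Management 3rd Party Application.

Added example, not HEIMDAL's own code. Rules mirrored from the steps above:
  * installer names must avoid [ ] { } # = and stay within 50 characters;
  * the Add Patch form needs the SHA512 and MD5 of the encrypted .enc file;
  * the agent identifies an installed application by DisplayName/DisplayVersion
    under the two Uninstall registry keys and matches the custom expressions.
Assumption: custom expressions are modelled as case-insensitive wildcard
patterns plus an exclude list (real syntax: Custom Expressions Helper).
"""
import fnmatch
import hashlib
import re
import sys
from typing import Dict, Iterable, List

FORBIDDEN_CHARS = re.compile(r"[\[\]{}#=]")
MAX_NAME_LEN = 50

# Registry paths named in the Architecture field description, keyed by the
# architecture whose applications usually live there.
UNINSTALL_KEYS = {
    "x64": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "x86": r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
}

# Constructed sample entries, shaped like enumerate_uninstall_entries() output.
SAMPLE_ENTRIES = [
    {"name": "Example Viewer 5.2 (x64)", "version": "5.2.0", "arch": "x64"},
    {"name": "Example Viewer 5.2", "version": "5.2.0", "arch": "x86"},
    {"name": "Example Viewer Language Pack", "version": "5.2.0", "arch": "x64"},
]


def check_installer_filename(filename: str) -> List[str]:
    """Return the problems the Encryption Tool limits would raise for this name."""
    problems = []
    bad = sorted(set(FORBIDDEN_CHARS.findall(filename)))
    if bad:
        problems.append("special characters: " + " ".join(bad))
    if len(filename) > MAX_NAME_LEN:
        problems.append(f"name is {len(filename)} characters, limit is {MAX_NAME_LEN}")
    return problems


def compute_checksums(chunks: Iterable[bytes]) -> Dict[str, str]:
    """SHA512 and MD5 over a stream of chunks, as the Add Patch form expects them."""
    sha512, md5 = hashlib.sha512(), hashlib.md5()
    for chunk in chunks:
        sha512.update(chunk)
        md5.update(chunk)
    return {"sha512": sha512.hexdigest(), "md5": md5.hexdigest()}


def file_checksums(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the .enc file so multi-GB installers do not have to fit in memory."""
    with open(path, "rb") as fh:
        return compute_checksums(iter(lambda: fh.read(chunk_size), b""))


def enumerate_uninstall_entries() -> List[Dict[str, str]]:
    """DisplayName/DisplayVersion from both Uninstall keys; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries = []
    for arch, subkey in UNINSTALL_KEYS.items():
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as app:
                        name = winreg.QueryValueEx(app, "DisplayName")[0]
                        version = winreg.QueryValueEx(app, "DisplayVersion")[0]
                except OSError:
                    continue  # key without the two properties the agent uses
                entries.append({"name": name, "version": version, "arch": arch})
    return entries


def match_custom_expressions(entries, include, exclude=(), architecture="Both"):
    """Entries whose DisplayName matches an include pattern and no exclude pattern.

    architecture mirrors the Architecture field (Both, x64 or x86), assumed to
    select entries by the Uninstall key they were read from.
    """
    def hit(name: str, patterns) -> bool:
        return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

    matched = []
    for entry in entries:
        if architecture != "Both" and entry["arch"] != architecture:
            continue
        name = entry["name"].lower()
        if hit(name, include) and not hit(name, exclude):
            matched.append(entry)
    return matched


if __name__ == "__main__":
    print(check_installer_filename("setup[1].exe"))
    entries = enumerate_uninstall_entries() or SAMPLE_ENTRIES
    for e in match_custom_expressions(entries, ["Example Viewer*"], ["*Language Pack*"]):
        print(f'{e["arch"]}: {e["name"]} {e["version"]}')
```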
Linux OS
On the top, you see a statistic regarding the number of Apps included, and the Occupied size out of a total of 1,000 TB.
Below the statistics, you see a search field that allows you to search among the configured applications, the Add New App button, and the Distribution filter that allows you to filter the applications by Distribution.
1. When adding a 3rd Party Application to Infinity Management you need to fill in the following fields:
- Application Name - name of the application;
- Publisher - name of the Publisher of the application;
- Distribution - select a Linux distribution (Ubuntu is currently the ONLY supported distribution);
- Custom Expressions (the custom expression must match the application's name or package). This field tells the HEIMDAL Agent what's the name of the application and how to identify it when it is installed on the endpoint. You can specify multiple custom expressions to match an application by its name and you can also exclude the name of an application that might have a similar name. Use the Custom Expressions Helper for more examples;
- Repository - allows you to specify the location from which the system retrieves updates and installs the application;
- GPG URL - allows you to specify the URL for the public key of the repository where the application is downloaded from;
- GPG Thumbprint - allows you to specify the fingerprint that identifies the repository's public key;
- Packages - name of the packages that are used by the application;
- Before Install - allows you to run a script before installing the 3rd Party Application;
- After Install - allows you to run a script after installing the 3rd Party Application.
2. After configuring all the required fields, press the Save button. Once you save a patch, you can always come back and disable it by pressing the Disable button.
Since the 3rd Party Applications that are deployed on Linux endpoints update themselves automatically through the repository, once the application is configured there is no need to make any other changes to the setup (the way you would for the 3rd Party Applications that are deployed on Windows endpoints).
PATCH & ASSET MANAGEMENT - Operating System Updates
The Patch & Asset Management - Operating System Updates view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Operating System Updates that are available or installed by the HEIMDAL Agent and is divided between the Windows Updates installed on Windows endpoints and the Linux Updates installed on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available, Updates per Endpoint, Error, Reboot required, and Compliance.
- Installed
This view displays a table with Windows Updates that are installed on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, CVE, CVSS, Products, and Categories.
In the Installed view, you are allowed to select one or multiple entries and Hide them from the view using the Hide Updates button from the dropdown menu. You can also use the Select GP dropdown menu to list the installed Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates.
- Pending
This view displays a table with Windows Updates whose installation is still pending on the endpoints in your organization, with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories. In the Pending view, you are allowed to select one or multiple entries and Remove or Hide them from the view using the Remove or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the pending Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates.
- Available
This view displays a table with Windows Updates that are available for installation on the endpoints in your organization with the following details: Title, KB, Severity, Endpoints, Servers, Reboot, CVE, CVSS, Products, and Categories. In the Available view, you are allowed to select one or multiple entries and Install or Hide them from the view using the Install or Hide Updates buttons from the dropdown menu. You can also use the Select GP dropdown menu to list the available Windows Updates for the selected Group Policy. The Show Hidden Updates radio button allows you to display all the hidden Windows Updates.
- Updates per Endpoint
This view displays a table with Windows Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint.
- Error
This view includes a grid with the following columns: Hostname (clickable, redirects to the OS Updates -> Pending tab), Username, Error code (with a tooltip describing the error code), and Last Seen.
- Reboot required
This view displays all the endpoints that need to be rebooted in order for their corresponding Windows Updates to be completed.
- Compliance
This view displays a table with the compliant and non-compliant endpoints (in terms of installed Windows Updates) with the following details: Hostname, Username, Number of Updates, Highest Severity, Operating System, Oldest patch date, Last Seen, and Status.
Linux OS
On the top, you see a statistic regarding the number of Installed updates and the number of Available/Pending updates.
The collected information is placed in the following views: Installed, Pending, Available and Updates per Endpoint.
- Installed
This view displays a table with Linux Updates that are installed on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Pending
This view displays a table with Linux Updates whose installation is still pending on the endpoints in your organization, with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Available
This view displays a table with Linux Updates that are available for installation on the endpoints in your organization with the following details: Application, Package, Version, Endpoints, Servers, Category, and Distribution.
- Updates per Endpoint
This view displays a table with the Updates per Endpoint with the following details: Hostname, Username, and Updates per Endpoint.
ENDPOINT DETECTION - NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected/quarantined files intercepted by the HEIMDAL Agent's Next-Gen Antivirus engine. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Latest Infections, Infections Type, Hostname/Infections, Quarantine, Exclude, Scan History, and Zero-Trust Execution Protection.
- Latest Infections
This view displays a table with the latest detected infections and the following details: Hostname, Username, File, MD5, Threat Category, Infection name, Status, Resolution, and Timestamp. This view allows you to select one or multiple infected files and add it/them to quarantine, delete it/them or add it/them to storage.
- Infections Type
This view displays a table with the infection type and the following details: Threat Category, Number of Matches, Most Targeted Hostname, Username, and Last match.
- Hostname/Infections
This view displays a table with the hostname/infections and the following details: Hostname, Username, Highest Threat Category, Number of Matches, and Last match.
- Quarantine
This view displays a table with all quarantined files and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple quarantined files and Remove it/them from quarantine or add it/them to storage.
- Exclude
This view displays a table of all exclusions and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp.
- Scan History
This view displays a table with the computers that performed scan operations and the following details: Hostname, Username, Group Policy, Timestamp, New Infections Found, and Resolution. This view allows you to select one or multiple endpoints and select a scan type (Quick Scan, Full Scan, Active Processes Scan, Hard Drive Scan, Local Drive Scan, Removable Drive Scan, System Scan, Network Drive Scan). The selected scan will start on the first Group Policy check performed by the HEIMDAL Agent on the selected endpoint.
- Zero-Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button will give you the option to search the file hash on VirusTotal or to Copy the file path to the Clipboard.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
The files listed in the Latest Infections view, Quarantine view, and Exclude view can get one of the following Resolution statuses:
None - no action is taken on the file;
Deleted - the file is deleted;
DeletePending - the file has been selected for deletion and it will be deleted when the HEIMDAL Agent performs a GP check;
ErrorDelete - the file has been selected for deletion but an error occurred (the file could be in use);
ErrorQuarantine - the file has been marked to be quarantined but an error occurred (the file could be in use);
FNOEXIST - the file has been marked to be deleted or quarantined but does not exist in the path (it has been removed manually or by another application);
Quarantined - the file has been quarantined;
QuarantinePending - the file has been marked to be quarantined and this operation will take place on the next HEIMDAL Agent GP check;
DeleteQuarantinePending - the file has been selected for deletion and this operation will be performed on the next HEIMDAL Agent GP check;
Excluded - the file has been excluded;
ExcludePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ExcludeQuarantinePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ErrorExcludeQuarantine - the file has been marked to be excluded and an error occurred;
ErrorRemoveQuarantine - the file has been marked to be removed from the Quarantine list and an error occurred (the file could have been deleted manually);
RemoveExclusionPending - the file has been marked to be excluded and the operation will be performed on the next HEIMDAL Agent GP check;
RemoveQuarantinePending - the file has been marked to be removed from the Quarantine list and the operation will be performed on the next HEIMDAL Agent GP check;
ENDPOINT DETECTION - FIREWALL
The Endpoint Detection - Firewall view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the Windows Firewall rules and alerts intercepted by the HEIMDAL Agent. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Firewall Rules, and Firewall Alerts.
- Firewall Rules
This view displays a table with the following details: Hostname, Username, Application, Port, Profile type, Protocol, Direction, Permission, and Timestamp.
The entries that you see in this view include all the new rules that Windows creates in the Windows Firewall (this event is logged in the Event Viewer Logs, under Microsoft -> Windows -> Windows Firewall with Advanced Security -> Firewall -> event ID 2004). When a new application has a new rule in the Windows Firewall with Advanced Security, the HEIMDAL Agent sends it to the HEIMDAL Dashboard to be displayed in the Firewall view -> Firewall Rules (if there is no other rule that is matched in the Group Policy under Firewall). The rules created in the Firewall Management settings will not be displayed in the Firewall Rules view. These custom rules will be displayed ONLY in the specific Group Policy, under the Firewall Management sub-tab where they are created.
- Firewall Alerts
This view displays a table with the following details: Hostname, Username, Local IP, Attempts Per Username, Attempts Per IP, Detection type, Timestamp, and Risk Level.
The checkbox allows you to select an entry and add the IP Address to the Brute Force Attack Allowlist. The entries that you see in this view include a list of all the unwanted connections that are interpreted as Brute Force Attacks. The detection types are classified as BruteForceAttackPrivate (these attacks originate from an IP Address on the same network as the affected endpoint/server), BruteForceAttackPublic (these attacks originate from an IP Address outside the network, i.e. a public IP Address), and FailedLocalPasswordAttempt (the password was incorrectly entered on the endpoint/server). Brute Force Attack alerts are triggered when the local user fails a number of password attempts:
- Low Risk - under 150 failed attempts;
- Medium Risk - between 150 and 200 failed attempts;
- High Risk - over 200 failed attempts.
An external user will trigger a High Risk of Brute Force Attack when a minimum of 5 failed attempts are performed in less than 5 minutes. The failed local password attempts are found in the Event Viewer Logs, under Windows Logs -> Security -> Event ID 4625.
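The risk levels and detection types described above, applied as detection logic over constructed failed-logon records (an added Python example, not HEIMDAL's own code). It assumes the simplified record format shown, a 10.0.0.0/24 endpoint subnet, and that a remote source below the 5-in-5-minutes burst is reported as Low.

```python
"""Classify failed logons the way the Firewall Alerts view describes.

Added example, not HEIMDAL's own detection code. Thresholds come from the
text above: local failures are Low under 150, Medium from 150 to 200 and
High over 200; a remote source reaching 5 failures in under 5 minutes is High.
Assumptions: a remote source below that burst is reported as Low, a record
with no source address ('-' for console logons in Event ID 4625) is local,
and 'same network' means the source lies inside the endpoint's subnet.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}
EXTERNAL_BURST = 5                      # failed attempts ...
EXTERNAL_WINDOW = timedelta(minutes=5)  # ... within this window => High Risk

# Constructed, simplified 4625 records: "<timestamp> <hostname> <username> <source ip>".
SAMPLE_LOG = """\
2024-05-01T09:00:00 WS01 jdoe -
2024-05-01T09:00:20 WS01 jdoe -
2024-05-01T09:01:05 WS01 jdoe -
2024-05-01T10:00:00 SRV01 admin 10.0.0.55
2024-05-01T10:00:30 SRV01 admin 10.0.0.55
2024-05-01T10:01:00 SRV01 admin 10.0.0.55
2024-05-01T10:01:30 SRV01 admin 10.0.0.55
2024-05-01T10:02:00 SRV01 admin 10.0.0.55
2024-05-01T11:00:00 SRV01 svc_backup 203.0.113.9
2024-05-01T11:10:00 SRV01 svc_backup 203.0.113.9
2024-05-01T11:20:00 SRV01 svc_backup 203.0.113.9
2024-05-01T11:30:00 SRV01 svc_backup 203.0.113.9
"""


def parse_log(text: str) -> List[Dict]:
    """Turn the simplified records into dicts carrying a real datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            stamp, host, user, source = line.split()
            records.append({"timestamp": datetime.fromisoformat(stamp),
                            "hostname": host, "username": user, "source_ip": source})
    return records


def detection_type(source_ip: str, endpoint_network) -> str:
    """Map a source address to one of the three detection types listed above."""
    if source_ip in LOCAL_SOURCES:
        return "FailedLocalPasswordAttempt"
    if ipaddress.ip_address(source_ip) in endpoint_network:
        return "BruteForceAttackPrivate"
    return "BruteForceAttackPublic"


def local_risk(failed_attempts: int) -> str:
    """Risk level for FailedLocalPasswordAttempt (150 and 200 taken as Medium)."""
    if failed_attempts < 150:
        return "Low"
    if failed_attempts <= 200:
        return "Medium"
    return "High"


def remote_risk(timestamps: List[datetime]) -> str:
    """High once any EXTERNAL_BURST failures fall inside EXTERNAL_WINDOW."""
    stamps = sorted(timestamps)
    for i in range(len(stamps) - EXTERNAL_BURST + 1):
        if stamps[i + EXTERNAL_BURST - 1] - stamps[i] < EXTERNAL_WINDOW:
            return "High"
    return "Low"  # assumption: the page gives no level below the burst threshold


def build_alerts(records: List[Dict], endpoint_network: str = "10.0.0.0/24") -> List[Dict]:
    """Aggregate per hostname/username/source into rows like the Firewall Alerts grid."""
    network = ipaddress.ip_network(endpoint_network)
    by_key, per_user, per_ip = defaultdict(list), defaultdict(int), defaultdict(int)
    for r in records:
        by_key[(r["hostname"], r["username"], r["source_ip"])].append(r["timestamp"])
        per_user[(r["hostname"], r["username"])] += 1
        per_ip[(r["hostname"], r["source_ip"])] += 1
    alerts = []
    for (host, user, ip), stamps in by_key.items():
        dtype = detection_type(ip, network)
        risk = local_risk(len(stamps)) if dtype == "FailedLocalPasswordAttempt" else remote_risk(stamps)
        alerts.append({"hostname": host, "username": user, "source_ip": ip,
                       "attempts_per_username": per_user[(host, user)],
                       "attempts_per_ip": per_ip[(host, ip)], "detection_type": dtype,
                       "timestamp": max(stamps).isoformat(), "risk": risk})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```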
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION
The Endpoint Detection - Ransomware Encryption Protection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected processes intercepted by the HEIMDAL Agent engine. On the top, you see a statistic regarding the number of Detections Found.
The collected information is placed in the following views: Latest Detections, and Hostname/Detections.
- Latest Detections
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple infected files and to exclude it/them or add it/them to storage.
In the Process Name column, you can click on the process (or on the Forensics 'F' icon) to see the process details or you can click on the VirusTotal icon to get a detailed VirusTotal analysis. When Reporting Mode is enabled, the Status column will display an R icon next to the default status.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and by pressing the Exclude and Apply buttons from the dropdown menu. This will pop up a modal that allows you to exclude the file(s) on one or multiple Group Policies, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5.
- Hostname/Detections
This view displays a table with the following details: Hostname, Username, and Number of Matches.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Allowed or by Blocked detections.
PRIVILEGES & APP CONTROL - PRIVILEGED ACCESS MANAGEMENT
The Privileges & App Control - Privileged Access Management view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the elevation requests, the processes that are running during the elevations, and the Zero-Trust processes that are executed in your environment. On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Pending Approvals, History, Most Escalated Process, Most Escalating Hostname, Compliance, and Zero-Trust Execution Protection.
- Pending Approvals
This view displays a table with the pending elevation requests and the following details: Hostname, Username, Given reason, Request Time, Type, Filename, and Status.
- History
This view displays a table with the elevated/de-elevated requests and the following details: Hostname, Username, Duration, Start Time, Reason Given, Action, and Executed Process(es).
- Most Escalated Process
This view displays a table with the number of escalated processes and the following details: Process Name, Number of Escalations, Hostname, and Username.
- Most Escalating Hostname
This view displays a table with the number of escalating hostnames and the following details: Hostname, Username, and Total Number of Elevations.
- Compliance
This view displays a table with the compliant endpoints and the following details: Hostname, Active User, Domain Name, Local Groups, AD Groups, and Admin rights.
- Zero-Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button will give you the option to search the file hash on VirusTotal or to Copy the file path to the Clipboard.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The tables in each view have a 60-second refresh rate.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
PRIVILEGES & APP CONTROL - APPLICATION CONTROL
The Application Control view displays a table with all the intercepted processes that are running on the computers inside your organization. Newly-intercepted processes are visible in the HEIMDAL Dashboard 24 hours after the interception made by the HEIMDAL Agent. The processes that were already intercepted will be displayed in the HEIMDAL Dashboard in real-time. On the top, you see a statistic regarding the number of Pending Requests, and the number of used Admin Rights.
The collected information is placed in the following views: Full logging, Matching Allowed rules, Matching Blocked rules, Matching Allowed with auto elevation, and Raw data.
- Full logging
This view displays a table with all the processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp. The data in this view updates in real-time for the processes that have already been intercepted, but it updates overnight when it comes to newly-intercepted processes.
- Matching Allowed rules
This view displays a table with all the allowed processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp.
- Matching Blocked rules
This view displays a table with all the blocked processes that are intercepted by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp.
- Matching Allowed with auto elevation
This view displays a table with all the processes that are allowed with the Auto Elevation feature by the Application Control module and the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp.
- Raw data
This view displays a table with all the processes that are intercepted by the Application Control module with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status and Timestamp. The data in this view updates in real-time and requires a short timeframe selection due to the 10,000-entry limitation of our database. We recommend a timeframe of hours/minutes.
You can Allow or Block one or multiple processes by selecting them from the Full Logging or Raw Data views. Clicking on the Number of Executions will redirect you to the process details where you can see the Process Name, the Software Name, the Publisher, the MD5, the Hostname of the computer, the Username, the Version, the Intercepted time, the Group Policy applying to the computer and the Status.
From any of the views, you can select one process and Allow it or Block it in Application Control. Once you select a process, you can choose whether to Block or Allow the process from the dropdown menu.
After hitting the Allow or the Block button, a modal that enables configuration of the rule will appear:
Global Update - creates the rule in all existing Group Policies;
Custom Policy Update - creates the rule in the selected Group Policies;
Rule Type - Path (you can specify the process' file path), Software name (you can specify the process' name as it appears in Control Panel -> Programs and Features), MD5 (you can specify the process' MD5 hash), Publisher (you can specify the process' publisher), Signature (you can specify the process' digital signature thumbprint), Wildcard Path (you can specify a wildcard path) , Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf);
Subject - add the value of the selected Rule Type. Selecting a Rule Type will automatically fill in the Subject field;
Priority - rules are processed based on priority numbers (the higher the number is the higher the priority is). Leaving gaps between each rule is recommended (10, 20, 30, 40, etc.) in order to have an easy and neat rule organization, without having to edit existing rules (priority ranges between 0 and 1000);
Allow auto elevation - allows the process to run as Administrator (available only for Allow rules);
Include spawns - allows the process to spawn other child processes (available only for Allow rules).
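The rule fields above, turned into an added Python evaluator (not HEIMDAL's own code): constructed rules and process records show how priority, Global versus custom policy scope, wildcard matching, auto elevation and include spawns interact. Case-insensitive matching, equal-priority ties resolving to Block, and spawn inheritance applying only to children no rule matches directly are assumptions.

```python
"""Evaluate Application Control rules the way the Allow/Block modal describes.

Added example, not HEIMDAL's own code. It encodes the listed rule types,
the 0-1000 priority range where the higher number wins, Global versus
custom-policy scope, and the Allow-only auto elevation and include spawns
flags. Assumptions: comparisons are case-insensitive, Wildcard Path and
Command Line use fnmatch-style wildcards, equal priorities resolve to Block,
and include spawns only covers children that no rule matches directly.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Process attribute each rule type is compared with, and how.
RULE_FIELDS = {
    "Path": ("path", "exact"),
    "Software name": ("software_name", "exact"),
    "MD5": ("md5", "exact"),
    "Publisher": ("publisher", "exact"),
    "Signature": ("signature", "exact"),
    "Wildcard Path": ("path", "wildcard"),
    "Command Line": ("command_line", "wildcard"),
}


@dataclass
class Rule:
    rule_type: str
    subject: str
    action: str                          # "Allow" or "Block"
    priority: int = 0                    # 0..1000, higher wins
    policies: Optional[Set[str]] = None  # None = Global Update (every Group Policy)
    auto_elevation: bool = False         # Allow rules only
    include_spawns: bool = False         # Allow rules only


@dataclass
class Decision:
    action: Optional[str]       # None: no rule matched, process shows only in Full logging
    rule: Optional[Rule] = None
    elevated: bool = False
    inherited: bool = False     # allowed because the parent's rule includes spawns


def rule_problems(rule: Rule) -> List[str]:
    """Validation the modal would need before saving a rule."""
    problems = []
    if rule.rule_type not in RULE_FIELDS:
        problems.append(f"unknown rule type {rule.rule_type!r}")
    if rule.action not in ("Allow", "Block"):
        problems.append(f"action must be Allow or Block, not {rule.action!r}")
    if not 0 <= rule.priority <= 1000:
        problems.append("priority must be between 0 and 1000")
    if rule.action == "Block" and (rule.auto_elevation or rule.include_spawns):
        problems.append("auto elevation and include spawns apply to Allow rules only")
    return problems


def rule_matches(rule: Rule, process: Dict[str, str]) -> bool:
    """Exact rule types compare the whole value; wildcard types use fnmatch patterns."""
    attr, mode = RULE_FIELDS[rule.rule_type]
    value, subject = process.get(attr, "").lower(), rule.subject.lower()
    return value == subject if mode == "exact" else fnmatch.fnmatchcase(value, subject)


def decide(process: Dict[str, str], rules: List[Rule], group_policy: str,
           parent: Optional[Dict[str, str]] = None) -> Decision:
    """Pick the winning rule for a process intercepted under one Group Policy."""
    candidates = [r for r in rules
                  if (r.policies is None or group_policy in r.policies) and rule_matches(r, process)]
    if candidates:
        # Highest priority first; on a tie Block outranks Allow (assumption).
        best = max(candidates, key=lambda r: (r.priority, r.action == "Block"))
        return Decision(best.action, best, best.action == "Allow" and best.auto_elevation)
    if parent is not None:
        parent_decision = decide(parent, rules, group_policy)
        if parent_decision.action == "Allow" and parent_decision.rule.include_spawns:
            return Decision("Allow", parent_decision.rule, parent_decision.elevated, inherited=True)
    return Decision(None)


# Constructed sample rule set and process records (not real data).
RULES = [
    Rule("Wildcard Path", r"C:\Users\*\Downloads\*.exe", "Block", priority=20),
    Rule("Publisher", "Example Corp", "Allow", priority=10),
    Rule("MD5", "0123456789abcdef0123456789abcdef", "Allow", priority=40,
         policies={"Finance"}, auto_elevation=True, include_spawns=True),
]
DOWNLOADED_TOOL = {"path": r"C:\Users\alice\Downloads\tool.exe", "software_name": "Tool",
                   "publisher": "Example Corp", "md5": "ffffffffffffffffffffffffffffffff",
                   "signature": "", "command_line": r"C:\Users\alice\Downloads\tool.exe"}
APPROVED_TOOL = dict(DOWNLOADED_TOOL, md5="0123456789ABCDEF0123456789ABCDEF")
CHILD_SHELL = {"path": r"C:\Windows\System32\cmd.exe", "software_name": "", "publisher": "",
               "md5": "", "signature": "", "command_line": "cmd.exe /c dir"}

if __name__ == "__main__":
    for gp in ("Finance", "Sales"):
        print(gp, decide(APPROVED_TOOL, RULES, gp))
```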
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
EMAIL PROTECTION - EMAIL SECURITY
The Email Protection - Email Security view displays all the information regarding the Inbound Mail Flow and the Outbound Mail Flow in your organization. The collected information refers to emails that are DELIVERED, QUARANTINED, QUEUED, UNDELIVERED, or REJECTED.
On the top, you see a statistic regarding the number of Scanned Emails, the number of Spam Emails, the number of Virus detections, and the number of detected Advanced Threats.
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines, while the Domain Status view displays the status of the MX, SPF, and DMARC records that are set up on your domain(s).
The Advanced Filter allows you to filter your searches by Domain, To, From, Type, Status, Spam Classification, Minimum Spam Score, and Maximum Spam Score.
In the Inbound view, you can see a list of all inbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Inbound view has a refresh rate of 60 seconds). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Release - this action will release the selected email in case it has been quarantined and you think is safe;
- Resend - this action will resend the selected email;
- Report - this action will automatically mark the selected email as Spam.
In the Outbound view, you can see a list of all outbound emails, the recipient, the sender, the timestamp, the email subject, the type, the email status, and the details of each email (the Outbound view has a refresh rate of 60 seconds). Selecting one or more emails pops up a dropdown menu where you can select one of the following actions:
- Resend - this action will resend the selected email;
- Report - this action will automatically mark the selected email as Spam.
The Show Details button will display a popup with various email details (Main, Advanced, Header, and Body). In the Main tab, you can use the Select a domain dropdown field to take actions for the specified domains.
- Blacklist sender - adds the sender (the one who sends the email) to the blacklist of the selected domain(s);
- Whitelist sender - adds the sender (the one who sends the email) to the whitelist of the selected domain(s);
- Blacklist domain - adds the sender's domain (the one who sends the email) to the blacklist of the selected domain(s);
- Whitelist domain - adds the sender's domain (the one who sends the email) to the whitelist of the selected domain(s);
- Whitelist email based on subject - adds the sender's email to the whitelist of the selected subject(s). Even if SPF/DMARC scanning is unchecked, an SPF/DMARC check is still performed to increase security;
- Blacklist email based on subject - adds the sender's email to the blacklist of the selected subject(s).
In the Advanced tab, you can use the Select a domain dropdown field to take more actions for the specified domains.
- Blacklist Source IP - adds the Source IP Address (the source IP Address of the sending server) to the blacklist of the selected domain;
- Blacklist Destination IP - adds the Destination IP Address (the destination IP Address where the email is sent to) to the blacklist of the selected domain;
- Whitelist Source IP - adds the Source IP Address (the source IP Address of the sending server) to the whitelist of the selected domain;
- Whitelist Destination IP - adds the Destination IP Address (the destination IP Address where the email is sent to) to the whitelist of the selected domain.
In the Header tab, you see information about the Envelope-From and the Header-From.
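The reason the Header tab shows both addresses, as an added example that is not part of this article or of the HEIMDAL product: SPF is evaluated against the envelope sender (the RFC 5321 MAIL FROM, visible after delivery as Return-Path), while DMARC additionally requires the visible RFC 5322 From: domain to align with it, so a mismatch between Envelope-From and Header-From is the classic return-path spoof. The Python check below parses a raw message, pulls both addresses and classifies their alignment the way a DMARC check would. The sample messages, addresses, hosts and IPs are constructed; the organisational-domain reduction is a simplification noted in the code.

```python
"""Compare Envelope-From (Return-Path) with Header-From on a raw message.

Added example, not code from the HEIMDAL article or product. All addresses,
host names and IPs below are constructed for the example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample 1: visible From: claims the recipient's own domain while
# the envelope sender (Return-Path) points at an unrelated relay.
SPOOFED = b"""Return-Path: <bounce-7741@mailer-relay.example.net>
Received: from mailer-relay.example.net (mailer-relay.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id 0A1B2C3D; Mon, 01 Jan 2024 10:00:00 +0000
From: "CEO Office" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample 2: a legitimate sender using a subdomain for bounces.
LEGIT = b"""Return-Path: <bounces@mail.example.com>
From: "Payroll" <payroll@example.com>
To: finance@example.com
Subject: January payslips

Your payslip is attached.
"""

# Constructed sample 3: null envelope sender, as used by bounce messages.
NULL_SENDER = b"""Return-Path: <>
From: "Mail Delivery" <mailer-daemon@example.org>
To: finance@example.com
Subject: Undeliverable

Delivery failed.
"""


def org_domain(domain: str) -> str:
    """Reduce a host name to its last two labels.

    Assumption for this example: real DMARC relaxed alignment derives the
    organisational domain from the Public Suffix List; this shortcut is wrong
    for multi-label suffixes such as co.uk and is kept only to stay offline.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def sender_domains(raw: bytes) -> dict:
    """Extract the envelope and header sender addresses and their domains."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    header = parseaddr(str(msg.get("From", "")))[1]
    return {
        "envelope_from": envelope,
        "header_from": header,
        "envelope_domain": envelope.rpartition("@")[2].lower(),
        "header_domain": header.rpartition("@")[2].lower(),
    }


def alignment(raw: bytes, relaxed: bool = True) -> str:
    """Classify the pair the way a DMARC alignment check would.

    Returns 'aligned-strict', 'aligned-relaxed', 'misaligned' or 'unknown'
    (one of the two addresses is absent, e.g. a null envelope sender <>).
    """
    d = sender_domains(raw)
    if not d["envelope_domain"] or not d["header_domain"]:
        return "unknown"
    if d["envelope_domain"] == d["header_domain"]:
        return "aligned-strict"
    if relaxed and org_domain(d["envelope_domain"]) == org_domain(d["header_domain"]):
        return "aligned-relaxed"
    return "misaligned"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("bounce", NULL_SENDER)):
        d = sender_domains(raw)
        print(f"{name}: envelope={d['envelope_from']!r} header={d['header_from']!r} -> {alignment(raw)}")
```

A "misaligned" verdict on its own is not proof of fraud (forwarders and some mailing lists rewrite the envelope sender), which is why the Main tab still lets you whitelist a sender or domain after reviewing the header pair; "unknown" for a null envelope sender is expected on bounces and should not be treated as a pass.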
EMAIL PROTECTION - EMAIL FRAUD PREVENTION
The Email Protection - Email Fraud Prevention view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the emails scanned by the HEIMDAL Agent while Outlook is running. On the top, you see a statistic regarding the number of Scanned emails, the number of Malicious emails, and the number of Emails in risk assessment.
The collected information is placed in the following views: Inbound and Outbound.
- Inbound
This view displays a table with the following details: To, From, Date, Subject, Resolution, and Risk Score.
You can select one or multiple emails and take the following actions:
Delete - will delete the mail from Outlook;
Restore - will restore the email to the initial folder - where the email was intercepted;
Cancel - will cancel one of the actions above if it has not been processed yet.
- Outbound
This view displays a table with the following details: To, From, Date, Subject, Resolution, and Risk Score.
You can select one or multiple emails and take the following actions:
Delete - will delete the mail from Outlook;
Restore - will restore the email to the initial folder - where the email was intercepted;
Cancel - will cancel one of the actions above if it has not been processed yet.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
REMOTE DESKTOP
The Remote Desktop view displays all the computers running Windows that are visible in the Management -> Active Clients view. The collected information is placed in three views: Standard, History, and Recordings. On the top, you see a statistic regarding the number of Attended sessions and the number of Unattended sessions.
- Standard
This view displays a table with all the endpoints in your environment and the following details: Hostname, Username, Supporter, Non Agent Connections, IP Address, Version, Last Seen, and Actions.
The Filters button allows you to filter All entries, by Endpoint, by Supporter with invite permissions, or by Supporter without invite permissions.
- History
This view displays a table with the following details: From (Hostname), To (Hostname), To (Username), Session Duration, Start Time, and Session Type.
This view refreshes and populates with new information every 24 hours.
- Recordings
This view displays a table of the recordings saved to the HEIMDAL storage and the following details: Recorded on (Hostname), Filename, Timestamp, Password, and Action.
The Show Only Supporters radio button allows you to filter only the hostnames that have been assigned the Supporter role. The Invite to remote session button allows the administrator to invite another user to a private remote session by sending a session code that the user can use to download the HEIMDAL RD Client and join the remote session. The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
ACCOUNTS
The Accounts page is the area where you can create new Enterprise/Reseller accounts and assign them to a specific Enterprise/Reseller customer, or edit existing ones and manage their configuration.
A. Enterprise customers can create/edit Enterprise accounts that can get the Administrator role (can view/add/edit HEIMDAL Dashboard settings) or the Visitor role (can view the HEIMDAL Dashboard information but cannot add/edit any settings).
B. Reseller customers can create/edit Reseller accounts that can get the Reseller role (can view/add/edit HEIMDAL Dashboard settings for all of its Enterprise customers). Also, Reseller customers can create/edit Enterprise accounts to any of their Enterprise customers that can get the Administrator role (can view/add/edit HEIMDAL Dashboard settings) or the Visitor role (can view the HEIMDAL Dashboard information but cannot add/edit any settings).
C. Distributor customers can create/edit Distributor accounts that can get the Distributor role (can view/create/edit Reseller customers) but they cannot perform any changes on the HEIMDAL products. Also, Distributor customers can create/edit Reseller accounts that can be assigned to any Reseller customer under the Distributor account.
Account
The Account section allows you to create a new HEIMDAL Dashboard account that can be appointed to an Enterprise customer, to a Reseller customer, or to a Distributor customer (with their specific roles).
Here, a name, email address (used for logging in), time zone, currency, the range of IPs accepted for login, and the customer (or Reseller or Distributor) to which the Dashboard account is assigned, can be set.
The Display Mode option, when activated, will refresh the data from the page every 3 minutes but it will not refresh the whole page itself (like F5 - Refresh does).
Custom Role Management
The Custom Role Management section allows you to create, edit, and delete custom roles that can be assigned to one or more HEIMDAL Dashboard user accounts. Access to this functionality is handled through the newly-added claims in the Access Control of each user account (View Custom Role Management area and Full Control Custom Role Management area). A Custom Role can also be assigned to users who log in to the HEIMDAL Dashboard through the SAML 2.0 mechanism, based on a synced Azure Active Directory group (the Azure AD groups must first be synced in the Guide -> Customer settings area in order to become visible in the dropdown menu where you map an Azure AD group to a Custom Role).
The newly-created Custom Role can be assigned to one or more accounts by editing the user account's settings in the Miscellaneous Settings. The Custom Role functionality is available to Reseller and Enterprise customer user accounts only.
IMPORTANT
A Custom Role applied to a user account supersedes the individual Access Control settings of that account. For example, disabling the Manage account claims on the Custom Role applied to a user automatically disables the individual Manage account claims configured in the user account's Access Control, even if they were enabled there.
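The precedence rule above, as an added example that is not HEIMDAL code: a small Python model that resolves the effective claims of a Dashboard account once a Custom Role applies to it, whether the role is assigned directly or through a synced Azure AD group at SAML 2.0 login, and that lists the per-account toggles the role silently switches off. Claim names come from the Access Control list in this article; the claim-catalogue subset, the role definitions, the group-to-role mapping and the accounts are constructed assumptions, as is the choice that a role leaves untouched any claim it does not mention.

```python
"""Resolve the effective claims of a Dashboard account under a Custom Role.

Added example, not HEIMDAL code. Claim names are taken from the article's
Access Control list; everything else is a constructed assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    email: str
    claims: dict                     # individual Access Control toggles: claim -> bool
    custom_role: str | None = None   # direct assignment in Miscellaneous Settings
    aad_groups: tuple = ()           # groups presented by the SAML 2.0 login


# Constructed subset of the claim catalogue: parent area -> child claims.
CLAIM_GROUPS = {
    "Manage account": ("View account", "Create account", "Edit account", "Delete account"),
    "Manage API key": ("View API key", "Edit API key"),
    "View uninstall password": ("View uninstall password",),
}
KNOWN_CLAIMS = frozenset(c for children in CLAIM_GROUPS.values() for c in children)

# Constructed Custom Roles: a role lists every claim it governs with its value.
# Assumption: claims a role does not mention are left to the account's own toggles.
CUSTOM_ROLES = {
    "Helpdesk": {
        "View account": True, "Create account": False,
        "Edit account": False, "Delete account": False,
        "View API key": False, "Edit API key": False,
    },
}

# Constructed Azure AD group -> Custom Role sync (Guide -> Customer settings).
GROUP_TO_ROLE = {"sg-heimdal-helpdesk": "Helpdesk"}


def resolve_role(acct: Account) -> str | None:
    """Direct assignment wins; otherwise the first synced group mapped to a role."""
    if acct.custom_role:
        return acct.custom_role
    for group in acct.aad_groups:
        if group in GROUP_TO_ROLE:
            return GROUP_TO_ROLE[group]
    return None


def effective_claims(acct: Account) -> dict:
    """Account toggles, overridden by the Custom Role where one applies."""
    unknown = set(acct.claims) - KNOWN_CLAIMS
    if unknown:
        raise ValueError(f"unknown claims on {acct.email}: {sorted(unknown)}")
    effective = {claim: bool(acct.claims.get(claim, False)) for claim in KNOWN_CLAIMS}
    role = resolve_role(acct)
    if role is not None:
        if role not in CUSTOM_ROLES:
            raise ValueError(f"{acct.email} references undefined role {role!r}")
        effective.update(CUSTOM_ROLES[role])  # role values supersede the toggles
    return effective


def has_claim(acct: Account, claim: str) -> bool:
    return effective_claims(acct).get(claim, False)


def overridden_by_role(acct: Account) -> list:
    """Claims enabled on the account that the applied role switches off.

    This is the audit to run before relying on a per-account toggle: anything
    listed here is granted on paper but denied in effect.
    """
    role = resolve_role(acct)
    if role is None:
        return []
    role_claims = CUSTOM_ROLES[role]
    return sorted(c for c, on in acct.claims.items() if on and role_claims.get(c) is False)


# Constructed accounts: Alice gets the Helpdesk role through a synced group,
# Bob has no role and keeps his individual toggles.
HELPDESK_USER = Account(
    "alice@example.com",
    {"View account": True, "Delete account": True, "View uninstall password": True},
    aad_groups=("sg-heimdal-helpdesk",),
)
PLAIN_ADMIN = Account("bob@example.com", {"View account": True, "Delete account": True})

if __name__ == "__main__":
    for acct in (HELPDESK_USER, PLAIN_ADMIN):
        print(acct.email, "role:", resolve_role(acct),
              "can delete accounts:", has_claim(acct, "Delete account"),
              "overridden toggles:", overridden_by_role(acct))
```

The useful output is overridden_by_role: after a Custom Role is mapped to an Azure AD group, every member's individual Access Control toggles that the role disables stop having any effect, so an administrator reviewing a user's claims in the Dashboard should read the role first and the toggles second.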
Access Control
Reseller accounts can set up or edit Access Control settings for Enterprise accounts where the owner of the Enterprise account can get claims to perform specific actions in the HEIMDAL Dashboard:
Manage Custom Roles - Ability to view and/ or edit (create and delete) custom roles in your organization.
- View Custom Role Management area
- Full control Custom Role Management area
Manage account - Ability to view and/ or edit (create and delete) the allowed dashboard account logins.
- View account
- Create account
- Edit account
- Delete account
Manage API key - Ability to view and/ or edit (create and delete) the API key and view its data.
- View API key
- Edit API key
Manage Endpoint Settings area - Ability to view and/ or edit the Endpoint Settings area.
- View Endpoint Settings area
- View DarkLayer Guard™ endpoint settings
- View VectorN Detection™ endpoint settings
- View 3ʳᵈ Party Patch Management endpoint settings
- View Operating System Updates endpoint settings
- View Next-Gen Antivirus endpoint settings
- View Firewall endpoint settings
- View Ransomware Encryption Protection endpoint settings
- View Privileged Access Management endpoint settings
- View Application Control endpoint settings
- View Zero Trust endpoint settings
- View Email Fraud Prevention endpoint settings
- View Remote Desktop endpoint settings
- Edit Endpoint Settings area
- Edit DarkLayer Guard™ endpoint settings
- Edit VectorN Detection™ endpoint settings
- Edit 3ʳᵈ Party Patch Management endpoint settings
- Edit Operating System Updates endpoint settings
- Edit Next-Gen Antivirus endpoint settings
- Edit Firewall endpoint settings
- Edit Ransomware Encryption Protection endpoint settings
- Edit Privileged Access Management endpoint settings
- Edit Application Control endpoint settings
- Edit Zero Trust endpoint settings
- Edit Email Fraud Prevention endpoint settings
- Edit Remote Desktop endpoint settings
Manage Windows Endpoint Settings area - Ability to select access rights on Windows Endpoint Settings area.
- Full access device settings windows
- Specific access device settings windows
Manage macOS Endpoint Settings area - Ability to select access rights on Mac OS Endpoint Settings area.
- Full access device settings macOS
- Specific access device settings macOS
Manage Linux Endpoint Settings area - Ability to select access rights on Linux Endpoint Settings area.
- Full access device settings Linux
- Specific access device settings Linux
Manage Android Endpoint Settings area - Ability to select access rights on Android Endpoint Settings area.
- Full access device settings mobile
- Specific access device settings mobile
Manage Threat Prevention Network Settings area - Ability to view and/ or edit the Threat Prevention Network data/Settings area.
- View threat prevention network data
- View threat prevention network settings
- Edit threat prevention network settings
Manage Email Security Network Settings area - Ability to view and/ or edit the Email Security Network Settings area.
- View email security network settings
- Full control of email security network settings
Manage Email Security data - Ability to manage Email Security settings at specific or all domain levels (view, release, blacklist, whitelist) + view data related to body and attachments.
- View email security data
- View email security sensitive
- Release email security
- Whitelist blacklist email security
- Full access email security domain
- Specific access email security domain
Manage customer data on all product/ module grids - Ability to view data and/ or perform actions on all the Heimdal products/ modules' grids (e.g.: quarantined files, excluded files, Group Policy settings, Isolated machines, Approved/ Denied PAM escalation requests etc.).
- View products data
- View Threat Prevention Endpoint data
- View VectorN Detection™ data
- View 3ʳᵈ Party Patch Management data
- View Infinity Management data
- View Operating System Updates data
- View Next-Gen Antivirus data
- View Firewall data
- View Ransomware Encryption Protection data
- View Privileged Access Management data
- View Application Control data
- View Zero Trust data
- View Forensics data
- View Email Fraud Prevention data
- View Remote Desktop data
- Perform actions on products data
- Perform actions on Threat Prevention Endpoint data
- Perform actions on VectorN Detection™ data
- Perform actions on 3ʳᵈ Party Patch Management data
- Perform actions on Infinity Management data
- Perform actions on Operating System Updates data
- Perform actions on Next-Gen Antivirus data
- Perform actions on Firewall data
- Perform actions on Ransomware Encryption Protection data
- Perform actions on Privileged Access Management data
- Perform actions on Application Control data
- Perform actions on Zero Trust data
- Perform actions on Forensics data
- Perform actions on Email Fraud Prevention data
- Perform actions on Remote Desktop data
Manage PAM elevations for Windows endpoints
- Full access PAM elevations Windows
- Specific access PAM elevations Windows
Manage PAM elevations for macOS endpoints
- Full access PAM elevations macOS
- Specific access PAM elevations macOS
Manage Active Clients area - Ability to edit the Active Clients area.
- Edit Active Clients area
- View Active Clients Custom columns
- Edit Active Clients Custom columns
- View Hostname groups
- Edit Hostname groups
Generate email reports - Ability to generate Email Security reports.
- Generate email reports
Manage customer settings - Ability to manage settings in the GUIDE section of the Heimdal Dashboard, Customer Settings tab.
- Manage customer settings
View customer license - Ability to view the license key in the Guide section of the Heimdal Dashboard.
- View customer license
View uninstall password - Ability to view the Master Password for uninstalling the Heimdal Agent.
- View uninstall password
Invite to remote session - Ability to invite other users to a remote session
- Remote desktop invite to session
Remote Desktop connection - Ability to connect to any endpoint regardless of GP access rights
- Remote desktop connect full access
GUIDE
The Guide page is the area where you get information about the HEIMDAL license key, the API Key, the latest versions of the HEIMDAL installers, and your Customer settings (restriction of the data for the HEIMDAL Security employees, SAML 2.0, Azure AD Group synchronization).
Pressing the Send email button (for the Android Setup email) will send an activation email with a URL pointing to a HEIMDAL page that allows you to activate the HEIMDAL license key without needing to type it manually.
In order to activate the Thor Mobile Security app, you need to access the URL in the Android setup email from the device where you are trying to activate using the Activate button.
GENERATE REPORTS
The Generate Reports button (available for Enterprise accounts) triggers the sending, via email, of all reports that are enabled on each email account assigned to the customer.
IMPORTANT
Endpoint Detection reports can include detections/warnings that extend to 31 days (ignoring the configured timeframe).
SUPPORT
The Support button redirects you to the HEIMDAL Security Support and Knowledge Base section where you can find support articles for all of our products and solutions to known problems. In this section, you can also get in contact with our Support Team (via the customized forms).
GLOBAL SCALABILITY
The Global Scalability button points you to the Demo section of our TAC Portal.