1. Enhancements to the Azure Active Directory groups synchronization mechanism
2. Automatic Heimdal Dashboard login for Okta users
3. Heimdal® Threat-hunting and Action Center
4. Enhancements to the USB management functionalities
5. Option to create App. Control Allow and/ or Block rules straight from PEDM grids
6. Ability to keep the end user elevated on lock screen
7. Email Fraud Prevention merged in Email Security ATP
8. Option for IT admin to deny specific emails release from ESEC quarantine report
9. Ability to exclude certain domains from "Force TLS transmission to any domain"
10. Other improvements & fixes
Dear Heimdal Partner and Customer,
Starting Monday, November 11th, 2024, the Heimdal PROD Agent will be available for download in the Dashboard's Guide section under the Download and Install tab. It will be deployed on a roll-out basis over the coming weeks.
Here are the main features and improvements rolling in with the new 4.4.3 PROD:
Heimdal Dashboard
Enhancements to the Azure Active Directory groups synchronization mechanism
The improvement consists of the option to search for and synchronize multiple AAD groups directly from the Group Policy, rather than from the Customer Settings. Efficiency is also improved, since Heimdal now calls the Microsoft Graph API directly to retrieve the groups of the synchronized tenant.
Note: At least four characters of a group name are needed to perform the search, and the search result displays the first 100 AAD groups that match the search criteria.
When the Group Policy is updated, all Azure AD groups selected by a user are saved in the Heimdal database.
Automatic Heimdal Dashboard login for Okta users
It is common knowledge that end users enjoy versatility and convenience, which is why, starting with the 4.4.3 PROD release, we’ve introduced a new single sign-on method, namely the Okta login. Users belonging to organizations that use Okta as an integrated identity and mobility management service can now log in to the Heimdal dashboard with a single click of a button. For this to work, an Okta application must be set up and its details entered in the newly created “Okta Login” subtab (Login Setup tab from Guide -> Customer Settings tab).
Details that need to be entered in the Okta Login settings:
• Client ID – the ID of the newly created Application;
• Client Secret – the Secret that can be found within a specific Okta Application under Client Secrets;
• Authorization Endpoint and Token Endpoint – the URLs of the corresponding endpoints of your Okta organization, which can be found at:
https://[your-Okta-organization-name].Okta.com/.well-known/openid-configuration
Additionally, the dashboard user must provide the email domains of the users for which the Okta Login should be enabled.
Note: More than one domain can be added; however, there always needs to be at least one. Once a domain is added and the settings are saved, duplicate entries (same domain) can’t be entered by other customers/ partners. Domains of most public email providers cannot be added (e.g. Google, Yahoo, Hotmail, Outlook, Yandex etc.).
A detailed guide on creating an Okta identity app and setting up the Okta login is available here.
From an end user perspective, we have added a new button called “Okta” to the Heimdal dashboard login page and renamed the old “Azure login” button to “Azure”.
Selecting the “Okta” button will redirect the end user to a page where they will be prompted to fill out their Okta email.
After filling out the “Okta Email” field and selecting “Login with Okta”, the end user will be redirected to the Okta organization login, based on the settings of their Okta Application, which had been previously configured. Subsequently, if all the details within the Okta Login step have been entered successfully, the end user will be logged in to the Heimdal Dashboard.
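As an added illustration (not Heimdal’s own code), the following Python sketches the server side of the flow described above: reading the Authorization Endpoint and Token Endpoint from a constructed openid-configuration document, applying the domain rules from the note, and building the redirect issued after “Login with Okta”. The discovery document, client ID, redirect URI and function names are assumptions.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the document served at
# https://[your-Okta-organization-name].okta.com/.well-known/openid-configuration
# (only the fields this flow reads; real documents carry many more).
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
})

# Public email providers named in the release notes as non-registrable.
PUBLIC_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "yandex.com"}


def endpoints_from_discovery(doc_json):
    """Return the Authorization Endpoint and Token Endpoint from the discovery
    document, refusing any endpoint hosted outside the issuer's host (a
    tampered document must not be able to send users somewhere else)."""
    doc = json.loads(doc_json)
    issuer_host = urlsplit(doc["issuer"]).netloc.lower()
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        url = doc[key]
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc.lower() != issuer_host:
            raise ValueError(f"{key} {url!r} is not on issuer host {issuer_host}")
        endpoints[key] = url
    return endpoints


def domain_errors(domains, taken_by_others=frozenset()):
    """Apply the note's rules to a proposed list of login domains and return
    the violations (an empty list means the settings can be saved)."""
    cleaned = {d.strip().lower() for d in domains if d and d.strip()}
    errors = []
    if not cleaned:
        errors.append("at least one email domain is required")
    for d in sorted(cleaned):
        if d in PUBLIC_EMAIL_DOMAINS:
            errors.append(f"{d}: public email provider domains cannot be added")
        elif d in taken_by_others:
            errors.append(f"{d}: already registered by another customer/partner")
    return errors


def pkce_challenge(code_verifier):
    """S256 code challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            login_email, state=None, code_verifier=None):
    """Build the redirect issued after 'Login with Okta' is pressed
    (authorization code flow with PKCE). Hypothetical parameters; state and
    verifier default to fresh random values and are returned so the callback
    handler can verify the response and redeem the code at the Token Endpoint."""
    state = state or secrets.token_urlsafe(32)
    code_verifier = code_verifier or secrets.token_urlsafe(64)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email profile",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "login_hint": login_email,  # the "Okta Email" the end user typed
    }
    return f"{authorization_endpoint}?{urlencode(params)}", state, code_verifier
```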
Heimdal® Threat-hunting and Action Center
In this release, effortless, real-time threat hunting and actionability in a one-stop-shop approach also become a reality on the end users’ side. This was made possible with the introduction of the brand-new M365 end-user security component of our SOC/ SIEM tool. From a licensing perspective (Admin section of the Heimdal dashboard), a dedicated licensing option, called “M 365 User Security”, can be found under TAC -> TAC UI.
But before going into the M365 User Security specifics, we would like to introduce you to a brand-new product module called Login Anomaly Detection (LAD), which is an essential part of the M365 User Security Threat Hunting & Action Center view. Using the Login Anomaly Detection module, a customer/ reseller can monitor suspicious activity at the network level, as the module offers relevant telemetry for AAD-joined users: multiple failed login attempts, logins from another country, or both combined, i.e. failed login attempts happening from another country.
The Login Anomaly Detection module can be activated from Network Settings -> Login Anomaly Detection. For the module to be enabled, the customer should have the Azure Active Directory Tenant ID configured & synchronized (Guide -> Customer settings -> Login setup -> Azure login tab) and grant consent.
Note: If the customer does not have the Azure AD setup configured and the tenant ID synchronized, we will display a toast message - “A tenantID needs to be configured to be able to grant consent.”
Once the setup process is complete, the LAD module will provide info about three types of detections:
• Unusual login - login from another country;
• Failed consecutive logins - multiple failed login attempts;
• Failed login from unknown location - failed login attempts from another country;
LAD functionalities:
• Grant consent - if approved, allows access to the specified resources;
• Logout user on detection - if this feature is enabled, when an unusual login is detected the user that generated it is disconnected from all Microsoft web sessions in which they are logged in;
• Exclusions list - displays in a grid the list of countries excluded from the detection of login anomalies, with the following options:
o Add – enables the dashboard user to add a new country in the grid (press "Select country", search the country or navigate to it, select it, and press "Add");
o Delete – enables the dashboard user to delete a country (select the country from the grid and press the delete icon from the "Action" column);
o Sort – the Country column can be sorted;
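As an added example (not Heimdal’s implementation), the following Python runs the three LAD detections over constructed AAD-style sign-in records, honouring a country exclusions list and the “5 failed login attempts within 60 minutes” threshold quoted for the LAD grid later in these notes. The baseline rule that a user’s own country is the country of their first successful sign-in is an assumption, as are the record layout and function names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold as described for the LAD user specifics grid.
FAILED_ATTEMPTS_THRESHOLD = 5
FAILED_ATTEMPTS_WINDOW = timedelta(minutes=60)

# Constructed sign-in records: (timestamp, user, country, succeeded).
SAMPLE_SIGNINS = [
    ("2024-11-11T08:00:00", "ana@contoso.example", "RO", True),
    ("2024-11-11T08:05:00", "ana@contoso.example", "RO", True),
    ("2024-11-11T09:10:00", "ana@contoso.example", "BR", True),   # unusual login
    ("2024-11-11T10:00:00", "bob@contoso.example", "RO", True),
    ("2024-11-11T10:01:00", "bob@contoso.example", "RO", False),
    ("2024-11-11T10:02:00", "bob@contoso.example", "RO", False),
    ("2024-11-11T10:03:00", "bob@contoso.example", "RO", False),
    ("2024-11-11T10:04:00", "bob@contoso.example", "RO", False),
    ("2024-11-11T10:05:00", "bob@contoso.example", "RO", False),  # 5th failure in 60 min
    ("2024-11-11T11:00:00", "bob@contoso.example", "CN", False),  # failed from unknown location
    ("2024-11-11T12:00:00", "cat@contoso.example", "RO", True),
    ("2024-11-11T12:30:00", "cat@contoso.example", "DE", True),   # no alert if DE is excluded
]


def detect_login_anomalies(signins, excluded_countries=frozenset()):
    """Return (alert name, description, timestamp, user) tuples for the three
    LAD detections. Assumption: a user's own country is the country of their
    first successful sign-in; countries in the exclusions list never alert."""
    home_country = {}
    failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
    alerts = []
    for ts_text, user, country, ok in sorted(signins):
        ts = datetime.fromisoformat(ts_text)
        foreign = (user in home_country and country != home_country[user]
                   and country not in excluded_countries)
        if ok:
            home_country.setdefault(user, country)
            if foreign:
                alerts.append(("Unusual login", f'user logged in from "{country}"', ts_text, user))
            continue
        if foreign:
            alerts.append(("Failed login from unknown location",
                           f'failed login attempt from "{country}"', ts_text, user))
        window = failures[user]
        window.append(ts)
        while window and ts - window[0] > FAILED_ATTEMPTS_WINDOW:
            window.popleft()  # drop failures older than the 60-minute window
        if len(window) >= FAILED_ATTEMPTS_THRESHOLD:
            alerts.append(("Failed consecutive logins",
                           f"user had {FAILED_ATTEMPTS_THRESHOLD} failed login attempts within 60 minutes",
                           ts_text, user))
            window.clear()  # one alert per burst, not one per extra failure
    return alerts


def users_to_log_out(alerts, logout_on_detection):
    """'Logout user on detection': users whose unusual login should end all
    their Microsoft web sessions, when the feature is enabled."""
    if not logout_on_detection:
        return set()
    return {user for name, _, _, user in alerts if name == "Unusual login"}
```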
Now that you know the essentials related to the Login Anomaly Detection module, let us get back to the specifics of M365 User Security.
Reseller view
Getting to the M365 User Security TAC view could not be easier: a dashboard user just needs to use the toggle found on the TAC homepage (globe). The Reseller can visualize all Corp customers grouped geographically with a pin on the globe, and also their highest risk score.
On the left side of the page there is an overview containing the total number of Corp. customers pertaining to that reseller with an M365 User Security licensing option activated, and the correlated list sorted in descending order by M365 User Security average risk score (the sorting is customizable and the reseller can opt to sort their corp. customers based on LAD, ESEC or REP for Cloud detections).
The reseller can also visualize the number of Login Anomaly Detections (LAD), REP for Cloud and Email Security detections, as well as the corp. customer M 365 User Security average risk score and the total number of end users/ corp. customers. Clicking on the Corp. customer name will impersonate that specific customer, displaying data related to said customer’s end users. When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of corp. customers that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the M 365 User Security average risk score.
Clicking on a corp. customer name from the panel will impersonate that specific customer.
Corp. Customer view
Switching to M365 User Security view (using the designated toggle), the customer can visualize all of their end users, grouped geographically with a pin on the globe, and their corresponding risk score.
On the left side of the page, we are displaying the total number of end users under the impersonated corp. customer and the list of users, sorted in descending order by Risk Score. On top of the earlier mentioned info, we’re also displaying, at user level, the number of Login Anomaly Detections (LAD), REP for Cloud and Email Security detections (the dashboard users also have the option to switch from the default sorting on risk score to a custom sorting based on either LAD, REP for Cloud or ESEC detections).
When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of users that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the user’s risk score.
After selecting an end user from the list, the panel switches to displaying user-related details.
• The details displayed in the panel comprise the most recent five LAD, REP and ESEC detections, as follows:
o LAD - red color;
o ESEC - orange color;
o REP - grey color
• Pressing the three dots menu from the top-right corner of the panel displays two options:
o Threat Telemetry Details - redirects the customer to the M365 User Details view;
o Action Center - opens the M365 User Security Action Center modal window;
When a user who has LAD or ESEC detections is selected, the detections are displayed on the globe with their corresponding colors.
Note: LAD detections pins are generated based on unusual login activity IP. ESEC detections pins are generated based on the location of the email server where the detections are originating from.
Clicking on an ESEC detection opens the “Email Detection specifics” view in the right-side panel, and the route of the email is graphically displayed on the globe, from the originating email server (Envelope icon), through all the intermediate email servers (“hops”), to the recipient’s latest location (User icon).
The M365 User Security user details/ specifics view (clicking on an end-user/ email address from the left-hand side vertical menu) is based on 3 modules: ESEC (Email Security), REP (Ransomware Encryption Protection for Cloud) and LAD (Login Anomaly Detection). When the dashboard users get to the dedicated tabs, they have the same views and can perform the same actions as from the corresponding product pages, but only for the emails, REP for Cloud and LAD detections about the end user they clicked on (pre-filtering is applied). In addition, in all 3 earlier mentioned tabs plus the M365 one, the dashboard users can log the selected user out using the “Force User Logout” button.
Note: The “Force User Logout” action button is enabled only if the customer tenant ID is synchronized, and consent is granted.
The LAD (Login Anomaly Detection) User specifics tab grid provides info, at end user level, about the Alert name (unusual login or failed login), its description (user logged in from “Country” or user had 5 failed login attempts within 60 minutes) and the timestamp (when the alert was generated).
Also, this view allows the dashboard user to:
• Search by Alert Description column;
• Download data in .csv format;
• Sort by Alert Name column and by the Timestamp column;
• Leverage advanced filtering by Unusual, Consecutive Failed, Failed from unknown location type of alerts (green “Filters” button);
If one or multiple Unusual login notifications are selected, the dashboard users can take the “Acknowledge” action, which means that, for the next 30 days, the dashboard user won't get this type of notification anymore.
There is also an “M365” tab, containing generic information at the selected end user level. In the header the username and last login info are displayed.
In the upper section of the M365 tab, the dashboard user will find the User Score (overall risk score at the user level), as well as relevant end-user Info. End user info data is populated from the Azure Active Directory when synchronized:
• User Score – displays a circular progress bar with the user risk score and severity level;
• User Info – displays AAD information about the user (Principal Name/ UPN, Display Name, Last IP, Country);
The Risk Chart container (bottom section of the page) displays a visual representation of the user risk score derived from the three modules (ESEC, LAD, REP for Cloud). When clicking on any of them in the spider web chart, the right-hand side will populate the risk score for that particular module and a preview of relevant info, with the option to navigate to the respective tab by clicking on the “Investigate View” button.
The M365 User Security bottom widget (expanded by pressing the blue arrow at the bottom of the page) displays details about the end users’ risk score and notifications (count + quick access to the M365 Action Center), in a very similar way to the TAC bottom widget.
The M365 User Security Action Center is made of 2 tabs (similar to the TAC Action Center), namely the Notifications tab (displaying a grid with all M365 User Security notifications generated by LAD and REP for Cloud) and the Aggregated Notifications one (containing identical M365 User Security notifications grouped under one notification with multiple hits).
Note: ESEC notifications are not available in the M365 Action Center but are taken into consideration for the M365 User Security risk score calculation.
The functionalities of both M365 User Security tabs/ views are the same as the ones of the Threat-hunting & Action Center (searching, filtering, sorting, pagination, actionability, actions history, default action definition etc.), the only difference being the source of the notifications (the 2 aforementioned product modules) and some of the actions that can be taken on said notifications.
Heimdal Endpoint Detection
Enhancements to the USB management functionalities
Commencing with the 4.4.3 PROD release, our dashboard users will benefit from nifty enhancements carried out to the USB management-related features. A new “USB Reporting mode” is now available in the Endpoint Settings -> General -> USB Management tab. This option is mutually exclusive with the “Disable USB Ports” option, and enabling “Disable USB Ports” automatically deactivates “USB Reporting Mode”. When USB Reporting Mode is enabled, the Heimdal agent will monitor all plugged-in USB devices without taking any action. All detected USB devices will be listed in the new “USB Management” repository view, located in the dashboard’s left-hand side menu, under Unified Endpoint Management -> Client Management.
The above-mentioned table will allow the Heimdal users to take the following actions (“Select what action to take” drop down list):
• Add to Allowlist – if the command is applied, a modal window is triggered allowing the user to select whether the allowlist should be Global (added to all Group Policies) or GP specific, with an option to select the desired GPs, as well as the option to “Apply only to active GPs”.
Three allowlist criteria are available: Hardware ID, Class ID & Device instance path.
• Suppress – if this command is selected, the corresponding device will be moved to the “Suppressed Devices” view and will not be displayed anymore in the “USB Management” -> Standard view (unless the device is plugged in again).
To visualize the list of suppressed devices, a radio button is available in the UI which, if selected, switches the user to the Suppressed Devices view (same layout as the Standard view, but with a filter applied).
The USB Management standard view allows the dashboard users to filter the entries (green “Filters” button) based on their Status (“Action”) and select to view all devices, the allowed ones or the blocked ones.
On this occasion, we have also made some changes to the GP USB Allowlist section, namely the addition of a third allowlist option - Device instance path - and the addition of the “Friendly name” option (optional), for easier navigation in the USB Allowlist.
Two more smaller, yet valuable, enhancements have been carried out: the option to import and export (.csv format) info to and from the USB Allowlist.
Heimdal Privileges & App. Control
Option to create App. Control Allow and/ or Block rules straight from PEDM grids
This new feature comes as another statement that strengthens our unitary, cross-module approach. It enhances user experience, providing a swift, handy and practical new way of adding Application Control rules from the Products -> Privileges & App Control -> PEDM -> Most used processes view. A new checkbox was introduced at row level, enabling the dashboard user to select certain entries and then choose, from the “Select what action to take” drop down list, to create an App Control Allow/ Block rule. The remaining flow is exactly the same as the one from the App Control views.
Ability to keep the end user elevated on lock screen
This enhancement to our PEDM module will allow end users to remain elevated even if their machine’s screen is locked (in the current PEDM flow, when the screen is locked, the end user’s elevated session is stopped). This setting can be configured via Group Policy by navigating to Endpoint Settings -> Privileges & App Control -> Privilege Elevation and Delegation Management -> Administrator Session -> “Keep user elevated on screen lock” (default state: disabled).
Note: The following actions will de-elevate the current user:
• Shutdown - turning off the computer will terminate all user sessions, including that of the current user;
• Restart - rebooting the system will also close all active sessions, causing the current user to lose their elevated privileges or session state;
• Sign out – this action will end the user's session, de-elevating their privileges;
• Other user connected with RDP to the machine - if another user connects to the machine via Remote Desktop Protocol (RDP), it can force the current user to be logged out, which also results in de-elevation;
• Another user signing into a different account on the same machine - if this occurs while the main account is in an elevated session, the main account will lose its elevated status;
Heimdal Email Protection
Email Fraud Prevention merged in Email Security ATP
Our Email Fraud Prevention agent-based module was taken to the cloud and merged into ESEC ATP, meaning that, from a licensing perspective (Admin section of the Heimdal dashboard), the trial and license control are now managed from the ESEC ATP licensing option.
In the Network Settings -> Email Protection space we have deprecated the old Email Security subtab and moved all of its contents straight to the Email Protection one.
A new dedicated entry/ tab was added to the ESEC left-hand side menu – Email Fraud Prevention. From this entry you can now control all the EFP related settings.
From the Heimdal dashboard product page perspective, only small changes took place. EFP will still have its dedicated product page (Products -> Email Protection -> Email Fraud Prevention) with the breakdown in 2 sub views: Homepage and Details. In the ESEC Details view, Advanced Filter (Products -> Email Protection -> Email Security), we’ve added a new drop down list called EFP Rule Category (same as the one present in the EFP Details, Advanced Filter view) having the following categories: Targeted Spear Phishing, Targeted Fraud, Spear Phishing, Phraseology attempt or General Fraud, and Modified or Malicious attachment.
In the same Advanced Filter area, we have added EFP as a new email type in the “Type” drop down and the corresponding emails are displayed in the Inbound and Outbound views.
All the earlier mentioned additions are also present in the End User Console. When using the “Show details” button from the ESEC Inbound and Outbound views, users will be able to visualize details related to EFP detected emails, in a dedicated new tab called EFP.
Note: The EFP tab is available (not faded) only if the Advanced Filter selection on Type is made for EFP type emails.
The other relevant mentions related to the EFP dedicated Homepage are:
a) Summary report – “Total Malicious” represents the total number of emails that have type EFP and were Quarantined (status “Quarantine”);
b) User Anomalies – formerly known as “User AI anomalies”, in the old EFP home page; has the same approach as the Email Security Homepage tile, the only difference being that the emails are filtered based on AI Anomalies detection in the email (the AI outlier is displayed in the EFP tab, from email Details view);
c) Domain Status – displays all the configured Domains and replaces the old Address Book tile; this tile contains the same information as the Email Security Homepage tile;
d) Data tiles view – contain emails statistics based on the earlier described specific Rule Categories. When selecting a specific point in the chart, the user will be redirected to the Details tab with the Advanced Filter selection made on EFP Rule Category and Type EFP;
The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/ decrease in the number of emails (both as a number and as a percentage) and a chart presenting the activity for each interval.
The EFP Details view contains the same data as the Email Security Details view; however, the entries are filtered to only show the “EFP” type. In the Quarantine Settings ESEC tab, Advanced Threat Protection section, we have also added the “EFP” type; the functionality flow is the same as for all the previous email types.
Option for IT admin to deny specific emails release from ESEC quarantine report
The new functionality allows an IT Administrator to specifically deny email release from the ESEC quarantine report for the end users, even though the “Release” option is enabled in the Network Settings -> Email Protection -> Email Security, Quarantine Settings tab of the Heimdal Dashboard. When selecting emails (with “Quarantine” status) from the Products -> Email Protection -> Email Security, Details view of the dashboard, an Admin now has the option to set the selected emails to be denied for release by the end users.
Upon selecting the Deny for release option, the admin is prompted with a confirmation modal.
If the above-mentioned action is taken, the end users will not be able to Release that/ those specific email(s) from the ESEC Quarantine report. Within the End User Console emails’ grid, the entries that are denied for release are flagged using a warning icon (!) accompanied by hover text, in the Status field: “Email is denied for release for end users. IT admins can still release the email from the dashboard”.
When accessing the Details view of an entry, in the End User Console, that is currently denied for release, the release button from email details is disabled and a mouse-over message is displayed: “This action is not allowed by your IT admin.”
In the “regular” dashboard, after an email release is denied, the admin can reselect the email and, from the “Select what action to take” action drop down menu, apply the “Allow email release” option. When selected, a new confirmation modal is displayed.
Post confirmation, the email(s) will be once again available for end users’ release.
The “Release” button is reactivated in the End User Console too and, when generating/ receiving a new Quarantine Report, in which the email(s) is/ are included, the “Release” button is enabled.
Ability to exclude certain domains from "Force TLS transmission to any domain"
When editing or configuring a domain (Network Settings -> Email Protection -> Email Security), the Heimdal dashboard user now has the option to exclude certain domains from “Force TLS transmission to any domains” (which, if activated, applies to all domains).
In order to use this new functionality, found within the “Additional Domain Settings” tab, the dashboard user needs to use the “Forced TLS Settings” (formerly known as “Forced TLS”).
Note: The option “Force TLS transmission to any domains” was moved to the modal window that is showcased when the “Forced TLS Settings” button is pressed.
Subsequently, the user needs to go to the “Add TLS exceptions” section of the modal (available only if the “Force TLS transmission to any domains” is enabled) and add the domains that will be excluded from the TLS transmission (these will be displayed in the dedicated list and can be removed, if needed).
Other improvements & fixes
Enriched DNS related info (DNS Security-Endpoint) in the Heimdal agent
In order to streamline the end user experience, we have added new info, namely “Adapter Name”, “Static DNS” and “Dynamic DNS” within the Heimdal Agent UI. The new info can be found under the “Settings” area of the agent, DNS Security -> DarkLayer Guard™ tab.
Send email notification when a machine is Isolated
A new email alert/ notification has been created for instances in which an “automatic” machine isolation occurs (either as a result of the selection made in “Device Protection Actions” or as a result of the “Isolate on Tamper Protection” functionality kicking in). The email notification will be generated and sent to the users (corp. customer and reseller levels) who have the Next-Gen Antivirus alert enabled within the “Accounts” section of the Heimdal dashboard.
Move USB settings from under “Next-Gen Antivirus” to the “General” GP tab
In order to provide more flexibility and relevance to our product, we’ve moved the USB management settings (“Disable USB Ports” & “USB restrictive mode”) from the Endpoint Settings -> Endpoint Detection -> Next-Gen Antivirus tab, General Settings section to the brand-new USB Management tab, located under Endpoint Settings -> General tab.