Dear Heimdal Customer,
We would like to inform you that a new version of the Heimdal Release Candidate (RC) dashboard, version 4.5.0, is now live.
Starting Friday, November 22nd, 2024, the Heimdal RC Agent will be available for download in the dashboard's "Guide" section under the "Download and Install" tab. It will be deployed on a roll-out basis over the coming weeks. The 4.5.0 RC dashboard brings substantial upgrades, and we would like to begin by presenting the flagship features:
Flagship Features
1. Application Control AppFencing
2. Sandbox implementation and integration in TAC
3. Enhancements to the Windows 3rd Party Patch Management
4. Device Info notifications overhaul
5. Option to define the number of characters required for the elevation reason
6. "For Privilege Elevation and Delegation Management Statistics" API enhancement - addition of an extra parameter (elevation actual end time)
7. ConnectWise PSA integration - Integration Settings flows' streamlining
8. Align the "Schedule Scan" Next-Gen AV GP functionality scheduler to the Patch & Assets ones
9. Unified Endpoint Management -> Client Management -> Scripting - Addition of Error log mechanism
Heimdal Privileges & App. Control
Application Control AppFencing
This new feature changes how the processes (applications) permitted to run on endpoints are managed and how their execution is constrained. AppFencing lets you define, in a granular and intuitive way, the restrictions you want to impose at the application (process) level, keeping your IT environment safeguarded and compliant. It lets you manage cross-application interactions, file and data access, and Internet access, acting as an extra security layer around running processes and ensuring that software you allow does not overstep its defined scope. The feature is presented as a checkbox in the App Control Rules table, in the Endpoint Settings -> Privileges & App Control -> Application Control section of the Heimdal dashboard: a new “AppFencing” column was added to the App Control Rules grid, containing a tick box (enable/disable) and an edit button.
By default, the AppFencing option is disabled for both new and existing App Control rules (the edit button is greyed out until the AppFencing feature is enabled for that specific rule). Enabling it will disable the “Spawns” checkbox, regardless of its state.
Note: The AppFencing feature is available only for the App Control rules having an “Allow” action type.
Clicking the edit button opens a new modal window that will give the user the possibility to configure rule restrictions.
Network/Internet access:
- this section is available only when the parent rule type is Path or Wildcard; for all other rule types, this tab is greyed out.
Default block all traffic toggle:
- this toggle sets the default network posture of the process; additional “allow” or “block” rules/exceptions then customize the permissions of the corresponding process relative to that default;
- in its default state, this option is disabled (“off”);
- when disabled, all traffic is allowed and no action is required until the dashboard user manually adds rules. If a block rule is added, all access remains allowed, except for traffic matching the port or remote IP provided in the rule;
- when enabled, a general block Firewall rule is added for the selected application/process, restricting Internet access (inbound and outbound). If the user adds an allow rule, Internet access is permitted only to the remote IP or port specified in that rule.
Adding a Network/Internet access rule:
- allows the user to add specific Firewall rule exceptions to customize the Internet access permissions of the application;
- the dashboard user can enter a remote IP or a port, select the permission type and the rule profile type;
- the corresponding grid includes all manually added rules and the option to edit or delete the rule.
Application interactions:
- when enabled, this functionality allows the dashboard user to customize spawn permissions for the corresponding Application Control rule.
Default block all spawns:
- this toggle sets the default posture for process spawns, with permission exceptions added on top;
- the default state of the toggle is “off”;
- when it is disabled, all spawns are allowed, and no action is required until the user manually adds permission exceptions. If the user adds a block rule, all spawns remain permitted, except for those matching the block permission rule;
- when enabled, all spawns are blocked by default. If the user adds an allow rule, all spawns remain blocked, except for those matching the allow permission rule;
- to add a new spawn permission, the user must select the rule type and action, then fill in the subject and priority (by default, the priority will always have the highest value, but it can be altered).
Processes monitored by AppFencing rules will be displayed in the App Control product tables (under the different pertaining views), and in the “Status” column, next to the actual status, when hovering over the “i” icon, the tooltip will mention the AppFencing rule which determined that particular state.
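To make the default-plus-exceptions semantics above concrete, here is a small Python model of the AppFencing decision logic. This is an added example written for this page, not Heimdal agent code: the rule shapes, the deny-wins tie-break when a block and an allow rule both match the same connection, the "path" and "wildcard" spawn rule types, and the file paths in the scenario are assumptions, and the rule profile type is accepted but not evaluated.

```python
"""Model of the AppFencing rule semantics (added example, not Heimdal code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Literal, Optional

Action = Literal["allow", "block"]


@dataclass
class NetRule:
    """One Network/Internet access exception: matches on a remote IP or on a port."""
    action: Action
    remote_ip: Optional[str] = None
    port: Optional[int] = None
    profile: str = "any"  # rule profile type; kept for completeness, not evaluated (assumption)

    def matches(self, ip: str, port: int) -> bool:
        if self.remote_ip is not None:
            return self.remote_ip == ip
        return self.port == port


@dataclass
class SpawnRule:
    """One Application interactions (spawn) permission for a child process."""
    rule_type: Literal["path", "wildcard"]  # App Control rule types named on this page
    action: Action
    subject: str      # child process path or wildcard pattern
    priority: int     # higher value is evaluated first

    def matches(self, child_path: str) -> bool:
        child, subject = child_path.lower(), self.subject.lower()
        return child == subject if self.rule_type == "path" else fnmatch(child, subject)


@dataclass
class AppFence:
    """AppFencing settings attached to one 'Allow' App Control rule."""
    default_block_all_traffic: bool = False  # toggle default: off
    net_rules: List[NetRule] = field(default_factory=list)
    default_block_all_spawns: bool = False   # toggle default: off
    spawn_rules: List[SpawnRule] = field(default_factory=list)

    def network_decision(self, ip: str, port: int) -> str:
        matched = [r for r in self.net_rules if r.matches(ip, port)]
        # Assumption: if a block rule and an allow rule both match, block wins.
        if any(r.action == "block" for r in matched):
            return "block"
        if any(r.action == "allow" for r in matched):
            return "allow"
        # No exception matched: the toggle's default applies.
        return "block" if self.default_block_all_traffic else "allow"

    def spawn_decision(self, child_path: str) -> str:
        # Highest priority first; the first matching permission decides.
        for rule in sorted(self.spawn_rules, key=lambda r: r.priority, reverse=True):
            if rule.matches(child_path):
                return rule.action
        return "block" if self.default_block_all_spawns else "allow"


if __name__ == "__main__":
    # Constructed scenario: a browser fenced to one update host and allowed to
    # spawn only its own helper binaries.
    fence = AppFence(
        default_block_all_traffic=True,
        net_rules=[NetRule("allow", remote_ip="203.0.113.10")],
        default_block_all_spawns=True,
        spawn_rules=[SpawnRule("wildcard", "allow", r"C:\Program Files\Browser\helper*.exe", 100)],
    )
    print(fence.network_decision("203.0.113.10", 443))                    # allow
    print(fence.network_decision("198.51.100.7", 443))                    # block
    print(fence.spawn_decision(r"C:\Program Files\Browser\helper2.exe"))  # allow
    print(fence.spawn_decision(r"C:\Windows\System32\cmd.exe"))           # block
```

The two toggles are the part worth testing before rolling a rule out: with the toggle off, only block rules have any effect, and with it on, only allow rules do, so a rule set written for one posture becomes silently inert if the toggle is flipped later.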
Heimdal Threat-hunting and Action Center
Sandbox implementation and integration in TAC
A new functionality, Sandbox, is now available in the Heimdal dashboard. The Heimdal Sandbox is a file analysis tool designed to assist customers with the forensic investigation of suspicious files. It can be found under the Threat-hunting & Action Center section of the Heimdal dashboard (left-hand side menu: Products -> Threat-hunting & Action Center -> Sandbox), augmenting the threat intel and hunting toolkit already offered by TAC. It gives security leaders, operations teams, and managed service providers additional means to detect next-gen threats and to respond using the other relevant product modules in the Heimdal product stack.
The Upload Button opens a pop-up window, from which customers can choose the file they want to import, specify the file's password (where applicable) and/or specify the file's execution arguments (where applicable).
Note: The Heimdal Sandbox scans only files that have a size <= 1MB. Files must have a .exe or .zip extension (only the first .exe file archived is scanned), otherwise an "Invalid file extension" error will be displayed. Also, an “Invalid file name” message will be displayed in cases where the users attempt to upload a file with spaces in its name.
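A pre-upload check implementing the constraints from the note above, as an added example rather than Heimdal code. Besides rejecting what the dashboard would reject, it reports which .exe inside a .zip would actually be analysed, since only the first one is scanned. Treating "first" as archive order, "1MB" as 1 MiB, and an archive without any .exe as a warning rather than an error are assumptions; the sample archive is constructed in memory.

```python
"""Pre-upload validation for Sandbox samples (added example, not Heimdal code)."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SIZE = 1 * 1024 * 1024  # "<= 1MB"; assumed to mean 1 MiB


@dataclass
class UploadCheck:
    ok: bool
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    scanned_exe: Optional[str] = None  # the .exe the Sandbox would analyse


def check_sandbox_upload(name: str, data: bytes) -> UploadCheck:
    """Apply the documented upload constraints before sending a sample."""
    errors: List[str] = []
    warnings: List[str] = []
    scanned: Optional[str] = None
    lower = name.lower()

    if " " in name:
        errors.append("Invalid file name: spaces are not allowed")
    if not lower.endswith((".exe", ".zip")):
        errors.append("Invalid file extension: only .exe or .zip is accepted")
    if len(data) > MAX_SIZE:
        errors.append(f"File too large: {len(data)} bytes, limit is {MAX_SIZE}")

    if lower.endswith(".exe"):
        scanned = name
    elif lower.endswith(".zip"):
        exes: List[str] = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Assumption: "first .exe archived" means first in archive order.
                exes = [m for m in zf.namelist() if m.lower().endswith(".exe")]
        except zipfile.BadZipFile:
            errors.append("Not a valid zip archive")
        else:
            if not exes:
                warnings.append("Archive contains no .exe file; nothing would be analysed")
            else:
                scanned = exes[0]
                if len(exes) > 1:
                    warnings.append(f"Archive holds {len(exes)} .exe files; only {scanned!r} would be scanned")

    return UploadCheck(ok=not errors, errors=errors, warnings=warnings, scanned_exe=scanned)


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory archive for offline testing (sample data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"readme.txt": b"notes", "dropper.exe": b"MZ" + b"\0" * 62, "second.exe": b"MZ"})
    for filename, payload in [("sample.zip", sample), ("my sample.exe", b"MZ"), ("library.dll", b"MZ")]:
        result = check_sandbox_upload(filename, payload)
        print(filename, "OK" if result.ok else "REJECTED", result.errors, result.warnings, result.scanned_exe)
```

The multi-exe warning is the practical one: if an incident archive bundles a loader and its payload, put the binary you want analysed first, or zip it alone, otherwise the Sandbox verdict describes a different file than the one you care about.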
The Sandbox, Standard view, contains a stat icon displaying the scanned files, in the selected timeframe, which can be observed in the header section. The corresponding grid consists of 4 columns: “File name”; “Uploaded by”; “Resolution” and “Timestamp”. The grid also offers the possibility to search based on “File name” and “Uploaded by” and filter (green “Filters” button) based on “Resolution”.
File analysis and Resolutions
When uploading a file in the Sandbox, Standard view, the file is added as an entry in the data table with a “New” resolution for a brief time. The file's resolution is then changed to “Pending Upload” (also briefly displayed) until it is fully uploaded. After being uploaded, the resolution changes to “Queued” until the file analysis begins and when the file analysis begins, the resolution value adjusts to “In Progress.” The “outcome” resolutions could be: “Completed” (files that have been successfully analyzed) and “Error” (files for which the analysis failed). Files that have been analyzed successfully (resolution “Completed”) have an “eye” icon next to their file name, which, if pressed, will lead the dashboard user to a dedicated “File analysis” page, where granular details (including a “process tree” visualization) are available.
With this implementation, a change on all the product views where the “Upload for Analysis” command was present has taken place, namely the replacement of the “Upload for Analysis” with the “Upload to Storage” command. The functionality itself remained unchanged. A new command “Upload to storage & Send to Sandbox” has been implemented in different product modules’ grids of the Heimdal dashboard: DNS Security – Endpoint -> Latest Threats view; Next-Gen AV -> Latest Infections/Quarantine and Zero-trust Execution Protection views; Ransomware Encryption Protection -> Endpoint Detections view + the corresponding Client Specifics (click on a hostname) views. Also, this new command can be accessed from the TAC widgets corresponding to the earlier mentioned product modules, as well as from the TAC Action Center (Notifications and Aggregated Notifications views).
Heimdal Patch & Asset Management
Enhancements to the Windows 3rd party patch management mechanism
We’ve improved the performance of the 3rd party patch management submodule (optimizing its flows and queries) and enhanced its reporting capabilities, allowing users to visualize all entries related to 3rd party software. Besides the flagship features above, the other main features and improvements rolling in with the new 4.5.0 RC follow:
Heimdal Dashboard
Device Info notifications overhaul
In order to provide more flexibility and versatility to our dashboard users, we’ve completely rethought the Device Info (formerly known as Active Clients) notifications flow. A lot of enhancements were made in order to streamline the usage, considering also the implications that this area has on the PSA Integrations feature. To begin with, we’ve added to the Group Policy pages the option to select which notifications will be received from the Windows and Linux Heimdal agents. A dedicated management tab, called “Device Info Notifications,” was added to the Endpoint Settings -> Windows and Linux GP -> click on a group policy -> General tab.
For the Windows group policies, there are 22 types of notifications (some of them are default enabled – when new GPs are created) which can be turned on or off, divided into 5 sections. For the Linux group policies, there are 3 types of notifications (one of them, “Restart required” being default enabled). Some of the notifications will be disabled if the user does not have that respective product enabled (Next-Gen AV, Firewall, OS Updates). For the Linux Group Policy page, the “General” tab has been divided into 2 smaller tabs, “General Management” and “Device Info Notifications”.
Windows GP “Device Info Notifications” tab
Linux GP “Device Info Notifications” tab
Note: The device info notifications settings will only apply to new and updated agents. The settings will only apply to agents with newer versions (starting from 4.5.0), after they get the latest GP.
The GP Excel export functionality has also been updated to include the new settings. The Device Info CSV exports (for the Standard and Hardware tabs) have been updated to display:
- the notification text, if there are active notifications and the module and notification type are enabled in the GP;
- “NO,” if the module and the notification type are enabled in the GP but there are no active notifications;
- if the product is not enabled or if that/those specific notification(s) is/are disabled.
When it comes to Device Info CSV exports, the order of the columns has been adjusted:
- Standard Export – new notification columns have been added;
- Hardware (Verbose) Export – all notifications columns are displayed at the end of the file, before the DNS information (as opposed to the previous way, where they were divided into 2 groups); new notification columns have been added.
On this occasion, we’ve also introduced a new Device Info notification, called “Disk Utilization Above Limit” which, as the name suggests, if enabled, will trigger a notification whenever the disk utilization level is above the one set in the GP (slider threshold available under the check box).
Heimdal Privileges & App. Control
Option to define the number of characters required for the elevation reason
A small but useful enhancement at the UX and compliance levels. This feature introduces the capability to set the allowed message length (number of characters) of the "Reason" field in the end-user pop-up window when elevating in an “Administrator Session” or a “Run As Administrator” scenario with the “Require reason” functionality enabled. The setting is configured via Group Policy by navigating to Endpoint Settings -> Windows GP -> click on a GP -> Privileges & App Control -> Privilege Elevation and Delegation Management -> Run as Administrator or Administrator Session -> Elevation reason no. of characters.
The functionality includes two text fields specifying the minimum (default 1) and maximum (default 255) number of characters for the "Reason" field. Note: if the feature is disabled and an elevation falling under the scenario above is requested, the default character range remains between 30 and 1000, as before.
“For Privilege Elevation and Delegation Mgmt. Statistics” API enhancement – addition of an extra parameter (elevation actual end time)
This reporting enhancement, to our PEDM module, introduces a new parameter, namely the actual “EndTime” of an elevation, in the PEDM API. This parameter represents the clear-cut time when the elevation ended. For new data extracts (post-release of the 4.5.0 RC version), EndTime will be calculated directly, whereas, for older data, it will be determined by adding the duration of the elevation to the StartTime.
This enhancement brought some small changes to the dashboard too: in the Products -> Privileges & App Control -> PEDM -> History view (left-hand side vertical menu) and the corresponding client specifics view (click on a hostname), the former “Duration” column was replaced by “End time.”
Other improvements & fixes
ConnectWise PSA integration – Integration Settings flows’ streamlining
In order to better cater to the needs of our customers and allow them to fully benefit from the Heimdal dashboard – ConnectWise PSA integration options, a few changes have been conducted to the ConnectWise setup flows. These changes will allow a more customizable setup, where users can also select existing boards and ticket types. Similarly to the Autotask and HaloPSA integrations, the Guide -> Customer Settings -> Integrations -> ConnectWise PSA page has been split into 3 sections:
- Integration Settings
- Matching Settings
- ConnectWise Customer Integration (visible only at reseller level)
Addition of the “Test Connection” and “Save” buttons
In the Integration Settings section, two new buttons, “Test Connection” and “Save,” have been added. To fill out the Integration Settings, the Heimdal dashboard user needs to input the Company Identifier, Base API URL, Public Key, and Private Key. After this step, we recommend testing the connection by using the “Test Connection” button; this check performs a dedicated API call and, if a positive response is received, the “Save” button becomes enabled. Click “Save” and ensure that the green confirmation message is displayed, confirming that the connection was saved successfully. The ticket configuration buttons under the Matching Settings subsection (“Configure Heimdal Operations,” “Configure Heimdal Cyber Alerts” and, at reseller level only, “Sync customers”) are disabled until the settings are saved; once the setup is saved, they become enabled, allowing the user to change the settings. If an existing setting is changed, a confirmation pop-up is displayed on save asking whether to keep the Ticket and Customer Settings, so that users can retain them without reconfiguring where not needed.
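What the “Test Connection” step amounts to against the ConnectWise side, shown as an added example rather than Heimdal's implementation: build the HTTP Basic credential the ConnectWise Manage REST API expects from the Company Identifier, Public Key and Private Key, and issue a read-only call. The `system/info` endpoint and the `clientId` header come from the public ConnectWise API documentation; that the integration's own client ID is used, the placeholder credentials, and the canned offline response are assumptions made so the block runs without network access.

```python
"""Probe a ConnectWise PSA connection (added example, not Heimdal code)."""
import base64
import json
import urllib.request
from typing import Callable, Tuple
from urllib.parse import urljoin


def connectwise_auth_header(company_id: str, public_key: str, private_key: str) -> str:
    """ConnectWise Manage REST API: HTTP Basic with '<company>+<publicKey>:<privateKey>'."""
    raw = f"{company_id}+{public_key}:{private_key}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_test_request(base_api_url: str, company_id: str, public_key: str,
                       private_key: str, client_id: str) -> urllib.request.Request:
    """Read-only probe: GET <base>/system/info with the integration credentials."""
    url = urljoin(base_api_url.rstrip("/") + "/", "system/info")
    headers = {
        "Authorization": connectwise_auth_header(company_id, public_key, private_key),
        "clientId": client_id,  # required by the ConnectWise API; assumed to be the integrator's own ID
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def probe_connection(req: urllib.request.Request,
                     opener: Callable = urllib.request.urlopen) -> Tuple[bool, str]:
    """Return (ok, message). The message never echoes the Authorization header."""
    try:
        with opener(req, timeout=15) as resp:
            info = json.load(resp)
    except Exception as exc:  # HTTP 401 => wrong keys/company; URLError => wrong base URL or network
        return False, f"connection failed: {exc.__class__.__name__}: {exc}"
    return True, f"connected, ConnectWise version {info.get('version', 'unknown')}"


class _OfflineResponse:
    """Canned response so the example runs without network access (constructed)."""
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self) -> bytes:
        return b'{"version": "v2024.1", "isCloud": true}'


def offline_opener(req, timeout=0):
    return _OfflineResponse()


def failing_opener(req, timeout=0):
    raise OSError("connection refused")


if __name__ == "__main__":
    # Constructed placeholder settings; never paste real keys into an example.
    req = build_test_request("https://api-na.myconnectwise.net/v4_6_release/apis/3.0",
                             "acme", "pub", "priv", "00000000-0000-0000-0000-000000000000")
    print(req.full_url)
    print(probe_connection(req, opener=offline_opener))
    print(probe_connection(req, opener=failing_opener))
```

The Private Key is a bearer-equivalent secret for the whole ConnectWise tenant: keep it out of logs and screenshots, and create the API member with only the board and company permissions the ticket flows need, so a leaked key from the Heimdal integration cannot be used to read or alter unrelated tickets.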
Tickets configuration changes:
Since more details are added for matching, the “Configure boards” flows have been replaced by “Board selection” flows. The dashboard user can select any board available in their ConnectWise instance.
By clicking either “Configure Heimdal Operations” or “Configure Heimdal Cyber Alerts,” a configuration pop-up is displayed, retrieving the list of ticket fields from the ConnectWise API based on the saved connection settings. First, select a ConnectWise board. Once the board is selected, match the board-related fields; the selected items are then used when tickets are created. The ticket configuration fields are the following:
- Type: to be selected from the type set available for the previously chosen board;
- Subtype: to be selected from the subtype set available for the selected board (Heimdal Operations: CPU, MEM, DISK, MU, AV, DNSP, FW; Heimdal Cyber Alerts: REP, PAM, NextGen Antivirus, VND, ZT);
- Status on ticket creation/update: to be selected from the status set available for the selected board. Note: the status on ticket update is only available for Heimdal Operations tickets;
- Item: to be selected from the item set available for the selected board;
- Priority: to be selected from the priority set.
All selections except “Priority” depend on the selected board. Ensure that all fields are configured and confirm the settings.
Align the "Schedule Scan" Next-Gen AV GP functionality scheduler to the Patch & Assets ones
Starting with the 4.5.0 RC release, the “Schedule Scan” NGAV functionality has been upgraded so that the scheduler allows users to opt for recurring schedules at the week level.
Unified Endpoint Management -> Client Management -> Scripting - Addition of Error log mechanism
To provide more granularity on the outcome of script deployments, the new RC release adds an Error log mechanism to the Standard view (and the corresponding Client Specifics view, reached by clicking a hostname), meant to help customers troubleshoot scripts with erroneous outcomes. Logged errors can be reviewed by clicking the new “View details” button in the Resolution column; the corresponding icon is only displayed for entries with the “Error” resolution.
The actual error message is displayed in a pop-up window, as exemplified below. The resulting Error message (from the dashboard) is composed of the Error Logs generated in the Windows Event Viewer and the error generated by the script itself. The script error info is written in a log file stored in the Scripting directory.
The Scripting Error Log files are created in the (...\Heimdal\Scripting\Logs) directory, with the filename comprised of timestamp + PID, as showcased in the picture below.