- Dashboard homepage graphs clickable.
- Implementation of automatic elevation approval/ denial message.
- Firewall module and changes to the Firewall Alerts view.
- Brand new “Users compliance” M365 User Security tab.
We would like to inform you that a new version of the Heimdal Production dashboard, version 4.9.1, is now live.
Starting Friday, August 29th 2025, the Heimdal Prod. Agent will be available for download in the dashboard's "Guide" section under the "Download and Install" tab. It will be deployed on a roll-out basis over the course of the coming weeks.
Here are the main features and improvements rolling in with the new 4.9.1 Prod. release.
Heimdal Dashboard
Dashboard homepage graphs clickable.
The updated 4.9.1 Prod. version of the Heimdal Dashboard reintroduces the ability to click on homepage graph data points and get redirected to the relevant product page, pre-filtered based on the homepage graph area/ segment that the user clicked on.
This further improves the user experience and the forensics and reporting capabilities, making the cybersecurity data from your IT estate quicker to reach and more relevant.
USB Management: ability to search based on Class & Hardware IDs
Two new options have been added to the Unified Endpoint Management -> Client Management -> USB Management -> Standard view, Search functionality. Our dashboard users are now able to search devices based on Class ID or Hardware ID. These two new options are now included in the search criteria drop-down list.
On-demand/ real-time Hostname Groups synchronization.
This implementation allows bypassing the 24-hour server message sync mechanism for changes to the Hostname groups. We have also added the possibility to search (wildcard included) for particular hostnames within a group.
The new/ real-time server message will be sent each time one of the following actions is taken: editing of an existing hostname group, addition of an endpoint to an existing hostname group and/ or deletion of an endpoint from an existing hostname group.
Option to clear AAD cache memory and resync on demand.
Starting with 4.9.1 Prod. the Heimdal Dashboard users are able to apply a new server command meant to send a real-time message to the Heimdal Agent, clearing the AAD cache and performing a resync of the AAD groups.
The new action can be found in Unified Endpoint Management -> Device Info -> Standard view, in the “Select what action to take” drop-down list.
Note: the new server command is available only if Azure AD sync is configured (Guide -> Customer Settings -> Login Setup -> Azure login).
When the Clear AAD cache and resync action is taken, a new server command is created under the Server Commands grid.
On the Server Commands grid entries the following actions can be taken, depending on the resolution of the command:
- Cancel: only if resolution is "Pending" or "In Progress";
- Retry: only if resolution is "Error".
A new command type “Clear AAD Cache and Resync” has been added to the Server Commands view filters, while the corresponding resolutions for the new server command have also been added to the grid:
- Pending: request sent to Agent;
- In progress: request received by the Agent, execution in progress;
- Completed: request successfully executed;
- Cancelled: command cancelled;
- Error: command could not be executed (when hovering, an info bubble is displayed with the reason of the failure).
Also, this data is available in the .csv export.
Heimdal Privileges & App. Control
App Control – Option to add an allow rule entry when approving Run non-elevated/ one-off execution requests
As a small but handy enhancement to the “Run non-elevated file” feature launched in the 4.7.0 release, we now provide the dashboard user (IT admin) with the option to create an allow rule for the processes corresponding to approved one-off execution requests, directly from the PEDM -> Pending approvals grid.
After approving the file execution, a modal window appears asking the approver if they would also like to create an Application Control allow rule for the corresponding process. The IT admin can choose “Yes”, in order to proceed with creating the rule, which opens the Allow Execution pop-up window, or “No”, in order to cancel the action.
PEDM – Option to select validity for the “Local token elevation”
Another small, yet powerful end user enhancement, namely the option to customize the validity of the token used for PEDM local token elevations.
The customization of the time can be done using the dedicated slider bar found under the Local token elevation tick box (if enabled) and the time can be set in the 1 to 5 minutes interval. The functionality is available for both Run as administrator (file) and Administrator Session types.
After changing the token validity, an agent resync is required, for the new value to be applied and reflected in Device Info, under the Privileges & App Control tab of the selected hostname, when generating the code.
PEDM – Implementation of automatic elevation approval/ denial message
Our PEDM IT admins were already accustomed to the “manual” elevation management (approval/ denial) Administrator message, available as a tick box + text field after choosing to approve/ deny an elevation from the PEDM -> Pending Approvals view. Starting with our new Prod. release, they can be even more efficient, while still being user friendly, by leveraging the new “Automatic Administrator message” GP option.
In the PEDM Group Policy tab (Endpoint Settings -> Privileges & App Control -> Privilege Elevation and Delegation Management, Additional Settings area) we added a new option called “Automatic Administrator message”. When it is enabled, two new sub-settings called “Approve message” and “Deny message” and their corresponding text fields are displayed.
Note: at least one of the two sub-settings must be enabled and if any of the two is enabled, a corresponding message needs to be configured, otherwise the GP will not be validated.
If enabled, the message configured in the GP (the approval or the denial one) is set automatically and displayed in the “Status” column’s info bubble.
Depending on the set configuration, when the elevation is approved or denied, the message will be displayed for the end user in a pop-up window.
Note: this message is set when the elevation is requested, taking the configured message directly from the GP. Due to this, you can have elevations on the same device with different automatic messages.
To provide the ability to update any obsolete messages, we have added a new option in the Administrator message pop-up called “Overwrite automatic administrator message”. When enabled, the automatic message will be overwritten with the message that is manually inputted in the text field.
Heimdal Endpoint Detection
Streamlined performance for the Endpoint Detection -> Firewall module and changes to the Firewall Alerts view
Starting with the 4.9.1 Prod. release, we have completely revamped the Endpoint Detection -> Firewall module architecture and flows, ensuring both enhanced performance, as well as a more streamlined UI and more relevant alerting, tightening the overall security of your computer estate.
The view formerly known as “Firewall Alerts” has been renamed to “Brute Force Attacks”, together with the “Firewall Alerts” stats. We have also removed the “Failed Local Password Attempt” filtering option.
A “Select view” drop-down list has been added to the “Brute Force Attacks” view, offering more versatility when it comes to visualizing and reporting BFAs in different modes: Standard (default view), BFA by Country, BFA by IP, BFA by User.
Standard View
The Standard View contains the previously displayed Firewall Alerts data with the following changes to the grid/ table:
- addition of the “Main Source Country” column, displaying the country associated with the most targeted public IP;
- addition of the “Main Source IP” column, displaying the most targeted IP;
- upon selecting one or multiple entries, a new action becomes available: Add to Allowlist, which, if performed, adds the corresponding IP to the Firewall allowlist (at specific GPs level or global level, with the option to apply the allowlisting only on Active GPs);
BFA by Country
This view presents data grouped by country, allowing users to analyze attack patterns based on geographic location:
- detailed view option: clicking on the device number (attempts registered for that specific country) displays all alerts originating from that location;
- upon selecting one or multiple entries from the detailed view (after clicking on a country), a new action becomes available: Add to Allowlist (at specific GPs level or global level, with the option to apply the allowlisting only on Active GPs);
Details page
BFA by IP
This view presents data grouped by IP, providing insight into attack sources:
- detailed view option: clicking on the number of devices displays all alerts originating from that IP address, in a “raw” view;
- upon selecting one or multiple entries from the primary view, a new action becomes available: Add to Allowlist (at specific GPs level or global level, with the option to apply the allowlisting only on Active GPs);
Details page
BFA by User
This view showcases data grouped by user, helping track targeted accounts. Clicking on the number of devices displays all alerts associated with that user account, along with the relevant information.
Details page
In the Device Info Details view (Unified Endpoint Management → Device Info → Detailed view for/ click on selected device → Endpoint Detection) the UI remains mostly the same as before, having some small enhancements/ additions like the two earlier-mentioned columns, Main Source IP and Main Source country, thus offering enhanced forensic details to the Dashboard users.
But the enhancements do not stop here. A brand new alert type has been introduced: in case multiple failed logon attempts are followed by a successful login, a BFA Critical alert will be reported and, when hovering over the Risk level, the dashboard user will be able to get the details of the alert "Multiple failed login attempts followed by a successful login".
With the introduction of this new type of BFA alert, some changes have been made to the Aggregated Notifications and Notifications TAC views (Threat-hunting & Action Center -> Action Center).
If the BFA alert sent to the dashboard is marked as critical (in terms of risk level), we will append “Critical” to the detection type, in the notification name. We will also update the severity to "Critical."
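To illustrate the detection logic described above, here is an added Python example (not Heimdal's code, and not how the Heimdal Agent actually classifies alerts): it groups logon records per hostname, account and source IP, raises a BFA alert once a threshold of failures falls inside a time window, and escalates it to "Critical" with "Critical" appended to the notification name when a successful logon follows the failures. The event IDs (4625 = failed logon, 4624 = successful logon), the threshold of 3, the 10-minute window and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logon records: (timestamp, hostname, account, source IP, event ID).
# Event IDs are modelled on Windows Security 4625 (failed) / 4624 (success); assumption.
SAMPLE_EVENTS = [
    ("2025-08-29T10:00:01", "HOST-01", "alice", "203.0.113.7", 4625),
    ("2025-08-29T10:00:05", "HOST-01", "alice", "203.0.113.7", 4625),
    ("2025-08-29T10:00:09", "HOST-01", "alice", "203.0.113.7", 4625),
    ("2025-08-29T10:00:15", "HOST-01", "alice", "203.0.113.7", 4624),  # failures then success
    ("2025-08-29T10:05:00", "HOST-02", "bob", "198.51.100.4", 4625),
    ("2025-08-29T10:05:03", "HOST-02", "bob", "198.51.100.4", 4625),
    ("2025-08-29T10:05:07", "HOST-02", "bob", "198.51.100.4", 4625),
    ("2025-08-29T10:05:10", "HOST-02", "bob", "198.51.100.4", 4625),  # failures, no success
    ("2025-08-29T11:00:00", "HOST-03", "carol", "192.0.2.9", 4625),
    ("2025-08-29T11:30:00", "HOST-03", "carol", "192.0.2.9", 4624),  # single failure, outside window
]

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


@dataclass
class BfaAlert:
    hostname: str
    user: str
    source_ip: str
    failed_attempts: int
    succeeded: bool  # True when a successful logon followed the burst of failures

    @property
    def risk_level(self) -> str:
        return "Critical" if self.succeeded else "High"

    @property
    def notification_name(self) -> str:
        # Mirrors the page's rule: "Critical" is appended to the detection type
        # when the alert is critical in terms of risk level.
        base = "Brute Force Attack"
        return f"{base} Critical" if self.succeeded else base

    @property
    def details(self) -> str:
        if self.succeeded:
            return "Multiple failed login attempts followed by a successful login"
        return "Multiple failed login attempts"


def detect_bfa(events, threshold=3, window=timedelta(minutes=10)):
    """Return one BfaAlert per (host, user, source IP) burst that crosses the threshold."""
    grouped = defaultdict(list)
    for ts, host, user, ip, event_id in events:
        grouped[(host, user, ip)].append((datetime.fromisoformat(ts), event_id))

    alerts = []
    for (host, user, ip), records in grouped.items():
        records.sort()
        failures = []       # timestamps of failed logons still inside the window
        open_alert = None   # non-critical alert for a burst not (yet) followed by success
        for ts, event_id in records:
            failures = [t for t in failures if ts - t <= window]
            if event_id == FAILED_LOGON:
                failures.append(ts)
                if len(failures) >= threshold:
                    if open_alert is None:
                        open_alert = BfaAlert(host, user, ip, len(failures), False)
                    else:
                        open_alert.failed_attempts = len(failures)
            elif event_id == SUCCESS_LOGON:
                if len(failures) >= threshold:
                    # Burst followed by a success: escalate to Critical.
                    alerts.append(BfaAlert(host, user, ip, len(failures), True))
                    open_alert = None
                failures = []   # a success closes the burst either way
        if open_alert is not None:
            alerts.append(open_alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_bfa(SAMPLE_EVENTS):
        print(alert.hostname, alert.user, alert.risk_level, alert.notification_name, alert.details)
```

On the sample data, HOST-01 produces a Critical alert (three failures followed by a success within the window), HOST-02 produces a High alert (four failures, no success) and HOST-03 produces nothing, because its single failure is both below the threshold and outside the window when the later success arrives.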
Heimdal Threat-hunting and Action Center, M365 User Security
Brand new “Users compliance” M365 User Security tab
This completely new view (found in the Products -> Threat-hunting & Action Center -> Overview -> M365 -> Action Center) displays a list of “non-compliant” M365 Users/ Azure Active Directory accounts having at least one of the following settings disabled in Azure AD: MFA, Strong password or Password expiration.
In order for this new tab to be fully operational, M365 User Security has to be enabled from Network Settings -> M365 User Security (formerly known as Login Anomaly Detection) and the corresponding User Compliance Settings must also be active (enabled).
Note: Depending on which of the 3 sub-options are enabled (all are enabled by default), checks will be performed, and the results will be displayed in M365 Action Center > Users at risk tab. In case one of the options is disabled, a yellow exclamation mark with its corresponding hover text will be displayed in the Users at risk tab.
In order to be able to visualize and/ or take actions in the new “Users at risk” tab, the Heimdal dashboard user needs to have the following ACLs enabled: View M365 User Security data and/ or Perform actions on M365 User Security data.
The dashboard user can take the following actions on users at risk:
- Logout user: the user will be disconnected from all Microsoft web sessions where they are logged in;
- Reset password: the user will be disconnected from all Microsoft web sessions where they are logged in and required to change the current password;
- Disable user account: the user account will be disabled, and the user can no longer log in;
- Enable user account: the user account will be enabled, and the user will be allowed to log in;
Note: this action is available only on a disabled account (after the Disable user account action was taken).
The same actions are available on the Users Details page, post clicking a user.
The new grid offers various data visualization options: search based on user, filter based on the “non-compliance” criteria and last login timeframe, sort, pagination.
In order to enhance data visualization and forensics, a new icon, warning the IT admin about users at risk (accompanying text on hover “Security issues”), has been added to the M365 home page.
On top of the earlier mentioned compliance criteria, a fourth column has been added to the User Compliance view grid, namely “90 days inactive”. It showcases if the end user has been inactive or not for the last 90 days, based on the last login time stamp.
Note: this is informative extra information only and does not influence whether an end user is included in the “User Compliance” view; the deciding factors for inclusion are the state of the MFA, Strong password or Password expiration settings in AAD/ Entra ID.
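The inclusion rule described in this section, worked through as an added Python example (not Heimdal's code, and independent of how the dashboard actually queries Entra ID): a user lands in the "Users compliance" list only when at least one of the enabled sub-option checks (MFA, Strong password, Password expiration) finds the setting disabled, while the "90 days inactive" flag is computed from the last login time stamp and reported alongside without ever deciding inclusion. The `M365User` record shape, the sample accounts and the reference date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class M365User:
    """Constructed record shape; field names are an assumption, not an Entra ID schema."""
    upn: str
    mfa_enabled: bool
    strong_password: bool
    password_expiration: bool
    last_login: Optional[datetime]  # None = never logged in


# Sub-option name -> predicate that is True when the corresponding setting is disabled.
COMPLIANCE_CHECKS = {
    "MFA": lambda u: not u.mfa_enabled,
    "Strong password": lambda u: not u.strong_password,
    "Password expiration": lambda u: not u.password_expiration,
}

ALL_CHECKS = tuple(COMPLIANCE_CHECKS)  # all three sub-options enabled (the default)


def evaluate_user(user, enabled_checks, now, inactivity=timedelta(days=90)):
    """Return (non-compliance reasons, inactive flag) for one user.

    Only checks whose sub-option is enabled are performed; the inactivity flag is
    informative and computed regardless.
    """
    reasons = [name for name in enabled_checks if COMPLIANCE_CHECKS[name](user)]
    inactive = user.last_login is None or now - user.last_login > inactivity
    return reasons, inactive


def users_at_risk(users, enabled_checks, now):
    """Build the rows of the Users compliance grid: only non-compliant users are listed."""
    rows = []
    for user in users:
        reasons, inactive = evaluate_user(user, enabled_checks, now)
        if reasons:  # inactivity alone never qualifies a user for the list
            rows.append({"user": user.upn, "non_compliance": reasons, "inactive_90d": inactive})
    return rows


# Constructed sample tenant and reference date.
NOW = datetime(2025, 8, 29)
SAMPLE_USERS = [
    M365User("alice@example.com", True, True, True, datetime(2025, 8, 20)),   # compliant, active
    M365User("bob@example.com", False, True, True, datetime(2025, 3, 1)),     # MFA off, inactive
    M365User("carol@example.com", True, True, False, datetime(2025, 8, 25)),  # no password expiration
    M365User("dave@example.com", True, True, True, None),                     # compliant but never logged in
]

if __name__ == "__main__":
    for row in users_at_risk(SAMPLE_USERS, ALL_CHECKS, NOW):
        print(row)
```

With all three sub-options enabled, bob and carol are listed (bob additionally flagged as 90 days inactive) while dave, although inactive, stays out because all his settings are enabled; disabling the "Password expiration" sub-option removes carol from the list, mirroring the note above about checks being skipped when a sub-option is off.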
Other improvements & fixes
BitLocker management - Implement Trusted Platform Module (TPM) as a stand-alone protector type for OS drives
More versatility is available in our BitLocker management module with the introduction of TPM as a stand-alone protector type for OS drives.
When navigating to Endpoint Settings -> Windows GPs -> Select GP -> BitLocker Management tab, you can now use TPM as a dedicated protector type for OS volumes.
As opposed to the “TPM and PIN or Passphrase” protector types, which, if set, prompt the end user during encryption to input a PIN or a Passphrase, the TPM stand-alone protector type will be applied “silently”, prompting the end user for a restart only, to apply the protection.
Email Security – Automatic Notification for Greylisted Senders
A new outbound notification mechanism has been introduced for greylisted emails sent from external (non-ESEC) users to ESEC-protected recipients. When such an email is marked as greylisted, the system will automatically reply to the original sender, notifying them of the action taken.
The functionality is activated when “Domain Greylisting” is enabled at domain level (Network Settings -> Email Protection -> [Edit Domain] -> Blocklist, Allowlist & Greylist tab -> Domain Greylisting). Once enabled, the platform will handle outbound replies to greylisted senders automatically, using a dedicated IP address to avoid deliverability issues or spam classification.
Note: auto reply is sent only once per greylisting event, per email.