1. Client Management, USB Management – Enhanced Allowlist management with Predefined Class GUID Dropdown
2. Client Management, USB Management - Simplified USB Tracking with Friendly Name and Editable Allowlist Entries
3. Unified Reporting upgrades
4. Heimdal Threat-hunting and Action Center – External Firewall
5. PEDM – Expanded support for Azure AD (Entra) joined devices
6. PEDM – Cloud AV scanning for enhanced security
7. Email Security – M365 Exchange Connector
8. Email Security – Brand new "M365 Users" view
9. Other improvements and fixes
HEIMDAL DASHBOARD
Client Management, USB Management – Enhanced Allowlist management with Predefined Class GUID Dropdown
As part of our quest for UX mastery, a new usability improvement has been introduced in the USB Allowlist section, available under Endpoint Settings -> General -> USB Management. This enhancement enables administrators to manage USB Class GUID entries more efficiently, using a predefined, multi-select dropdown list.
The feature aims to streamline the allowlisting process by reducing manual input, minimizing configuration errors, and providing a consistent and reliable method for selecting known USB classes.
The Predefined Class GUIDs dropdown contains a list of preset USB Class GUIDs, maintained by Heimdal and corresponding to the commonly used GUID classes for USB devices. Each item in the list displays the USB Class Name along with a brief description.
When an item is selected from the Predefined Class GUIDs dropdown:
- the USB Class Name is automatically populated in the Friendly name field of the USB Allowlist grid.
- the corresponding Class GUID is inserted into the Value field.
After being added, the entry remains fully editable, including the Friendly name, Value, and Type fields. If the Value field is modified, the record is no longer associated with the predefined list and is treated as a custom/manual entry.
A predefined entry can be removed either by deselecting it from the dropdown list or by using the Remove button available in the USB Allowlist grid.
Client Management, USB Management - Simplified USB Tracking with Friendly Name and Editable Allowlist Entries
A new Friendly Name field is now available when managing individual USB entries, for both suppressed and non-suppressed devices in Unified Management → Client Management → USB Management. Also, a corresponding enhancement has been added to Group Policy under the USB Management sub-tab, allowing administrators to fully manage Friendly Name configurations directly within policy settings.
The Friendly Name field has been added to the USB Allowlist modal window, in Unified Management → Client Management → USB Management:
- the field becomes visible only when a single USB item is selected from the list.
- selecting the option opens a modal where administrators can:
  - add the Friendly Name (optional).
  - select the GP(s) which the modification is applicable to (mandatory).
  - select the Allow List Type (mandatory).
Friendly Names allow administrators to provide a meaningful, custom label for each USB device, improving identification across environments.
This capability aims to simplify USB tracking and reduce confusion when multiple devices share similar identifiers.
Within the dedicated Group Policy area (Endpoint Settings -> General -> USB Management), IT administrators can now edit all attributes associated with a USB entry (friendly name, value, type).
These values can be modified via a dedicated modal window that opens when editing a USB item in the GP, USB Allowlist grid.
This ensures that Friendly Name management is consistent across both the USB Management module and GP configuration, providing a unified workflow for device identification and policy enforcement. Together, these improvements simplify USB management by introducing meaningful naming, clearer identification, and centralized control at both the device and Group Policy levels.
Unified Reporting upgrades
Starting with the 5.2.2 PROD release, we’re introducing a completely refreshed reporting experience designed to strengthen visibility, compliance, and decision‑making. This update brings an expanded suite of reports - including coverage for modules that previously lacked dedicated reporting - along with richer content, modernized visuals, and an upgraded UI for a more intuitive workflow.
From a process‑flow perspective, most elements remain familiar. User permissions based on Access Control Lists are unchanged, and the overall handling of report generation - such as queuing behavior, the ability to create On‑Demand or Scheduled reports, scheduling alternatives, data availability timeframes, and options to email or export reports in PDF format - continues to work as before.
What has improved is the report creation experience. The redesigned Generate Report modal now consolidates nearly all modules across the Heimdal product suite, giving administrators a broader and more unified selection of reporting options.
This expanded coverage is also reflected in enhanced filtering capabilities across grids, ensuring more relevant, precise, and meaningful data visualization.
We’ve also enriched the customization options within the generation flow. Users can now select their preferred currency for any report that includes monetary values - a setting that was previously limited to C‑level reports. The available currency list matches the options found in the Accounts section of the Heimdal dashboard, ensuring consistency across all financial‑based reporting.
We’ve saved the biggest wins for last. Across nearly every product module, report content has been enriched both in depth and quality - bringing clearer insights, more meaningful context, and stronger security and compliance value at a glance.
The UX and UI have also been elevated: detail‑oriented users can now jump directly from any report to the full underlying dataset with a single click, while design enthusiasts will appreciate the cleaner layouts and more intuitive data structure that make reports easier to read and interpret than ever.
Below is a preview of the new reporting experience, but we invite you to explore it firsthand and try out the full set of redesigned reports.
Heimdal Threat-hunting and Action Center – External Firewall
With 5.2.2 PROD, TAC evolves again. Previously, our SOC/SIEM platform delivered real‑time intel, telemetry, and actionability across two key fronts: devices and users.
Today, we’re introducing a third dimension: External Firewall. Starting with Meraki, firewall alerts that once lived in their own noisy, isolated console are now ingested directly into TAC and transformed into actionable MXDR signals, right alongside your endpoint and user events.
This isn't about adding "yet another risk score"; it's about Heimdal making sense of third‑party firewall data for MXDR: cutting through alert fatigue, turning noise into clarity, and letting our SOC team do the heavy lifting so your environment stays protected without constant manual oversight.
The versatility brought by this new integration extends beyond your SOC: resellers and corporate customers' users can review the same enriched firewall intelligence and take action directly in TAC, ensuring everyone, from provider to end customer, can see, decide, and act in one place.
To see exactly how the Meraki integration works under the hood, let’s dive a bit more into the technical details of the new External Firewall capability. The integration can be enabled and configured from a new tab named Firewall Integrations -> Meraki Firewall, available under Guide -> Customer Settings. Once set up, relevant Meraki alerts telemetry will start flowing into the Threat-hunting & Action Center. Configuration is available at both reseller and corporate customer levels.
Note: to ensure proper operation of the External Firewall integration and allow the API import job to retrieve Meraki notifications, customers must allowlist the source IP address 20.160.60.23.
Reseller-Level Experience
At reseller level, the only available visualization, namely the Globe view (TAC homepage), includes a new toggle option on the left side of the interface, allowing users to switch between:
- External Firewall
- Devices
- M365
When switching to the External Firewall view, the reseller can see:
- All active corporate customers within the selected timeframe
- Customers displayed as geographical pins on the globe
- Each customer's average External Firewall (Meraki) risk score or number of unresolved Meraki alerts, depending on the setting made at the radio button level found in the lower section of the UI.
If the selection is made on the “By risk score” radio button, then the left-hand side section displays an overview of the total number of active corporate customers in the selected timeframe that have the External Firewall integration enabled. These are default sorted in descending order by average risk score, making the highest-risk customers the most visible, along with their associated device count.
Clicking a corporate customer name triggers impersonation, showing that customer’s specific data. Clicking any globe pin opens a panel (top‑right) listing all corporate customers located in that region, sorted by descending average External Firewall risk score. Selecting a customer from this list also triggers impersonation.
When the By notification count option is selected, the visualization and impersonation behavior remain unchanged; however, the display criteria shift from average risk score to the number of unresolved High and Medium‑severity Meraki firewall alerts.
Corporate Customer-Level Experience
At corporate customer level, the Globe and Map views (available TAC homepage visualizations) include a new toggle option, on the left side of the interface, allowing users to switch between:
- External Firewall
- Devices
- M365
The views can also be switched using radio buttons between data displayed by Risk Score or by Notifications count.
External Firewall – By Risk Score View
Switching to the External Firewall view allows the customer to visualize:
- All devices, grouped geographically as globe pins
- Each device’s highest calculated risk score
The left panel shows:
- Total number of devices owned by the impersonated customer
- A list of devices automatically sorted (descending) by highest risk score
Each device entry displays the device name or the source IP (in case the device name can’t be mapped) and its corresponding External Firewall risk score.
Clicking a device name opens the Action Center, with the search bar automatically pre-filtered for that device.
When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of devices that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the device’s risk score.
External Firewall – By Notifications Count View
Selecting the By notifications count radio button displays the number of unresolved notifications, out of the total number of notifications.
Note: To ensure meaningful insights and prevent alert fatigue, only High and Medium severity notifications are surfaced in the External Firewall views.
When selecting a node on the Globe, a panel will open in the top‑right corner of the page, displaying a list of devices located within the same geographic region as the selected node. The node also summarizes the highest number of unresolved notifications across all devices represented in that region. The panel supports infinite scrolling and includes a search field that allows users to filter devices by name. Devices are listed in descending order based on the number of unresolved alerts.
The Map view follows the same visualization logic as the Globe view. The only difference is the representation: hostnames are shown on a 2D map rather than on the 3D globe.
When the Meraki External Firewall integration is enabled, Heimdal dashboard users will also see a dedicated bottom widget that provides a visually appealing, summarized view of the corresponding risk score and detection‑related information. To access the External Firewall bottom widget, navigate to Threat-hunting & Action Center -> Overview and select the External Firewall toggle, similar to the Devices and M365 TAC views.
Note: the bottom widget is available for both reseller accounts and corporate customer accounts, the only difference being how the risk score is calculated (resellers: average of the risk scores of their corporate customers; corporate customers: average of the risk scores of devices within their estate).
With the Meraki External Firewall TAC integration, we're introducing a dedicated Action Center view - mirroring the navigation and experience you already know from the Devices and M365 sections. This Action Center aggregates and displays notifications imported from the Meraki firewall, enabling both end users and MXDR analysts to take swift, appropriate actions. It extends the unique SIEM/SOC actionability you're accustomed to in Heimdal, now applied to external firewall telemetry for consistent, streamlined response across your environment.
Corporate customer users can access the External Firewall Action Center either by clicking the Action Center button in the bottom widget or by selecting a device, which opens the Action Center -> Notifications view, prefiltered to show Meraki firewall notifications for that specific machine.
Aggregated Notifications view
Aggregated Notifications is a dedicated view within the Notifications/Actions tab of the Action Center, which displays all TAC notifications, similar to the (raw) Notifications view, but with one key difference: identical notifications are automatically grouped. In this view, notifications are aggregated based on device name and alert details, using the timestamp of the most recent alert in the group. If a device name is not available, aggregation is performed using the source IP and the alert type instead. The total number of alerts grouped under each entry is shown in the Hits column.
The Heimdal dashboard user can act (Exclude, Investigate, Resolve) on Unresolved or Under Investigation alerts by selecting an option from the Select what action to take dropdown. After selecting the desired action, the user is prompted with a confirmation modal in which they can choose to Confirm or Cancel the action.
After selecting Exclude and applying the action, a pop‑up window appears allowing the user to choose the exclusion criteria (Source IP, Destination IP, Notification, or Device Name), specify the exclusion duration (7, 30, 90 days, or permanent), and then either Confirm or Cancel the action.
The Aggregated Notifications view provides the following functionalities:
- Search by: Users can search within the grid using Device / Source IP, Network / Domain, Notification Type, and Details.
- Filters: Users can refine the grid using filters for Severity (Medium, High) and Resolution (Unresolved, Resolved, Actioned, Under Investigation).
Note: All Severity options and the Unresolved Resolution filter are selected by default.
- Sorting: Users can sort the data by Hits, Timestamp, or Resolution.
- Jump to Page: Users can navigate directly to a specific page.
- Advanced Action: Users can select one or more alerts by ticking the checkbox on the left or by clicking the Resolution, Unresolved, or Under Investigation icons. They can then choose an action from the suggested actions modal.
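The grouping rule described for the Aggregated Notifications view (device name plus alert details, falling back to source IP plus alert type, most recent timestamp kept, Hits counted, only High and Medium severity surfaced) is easiest to see on concrete data. The following is an added example written for this page, not Heimdal's own code; the alert field names (`device`, `src_ip`, `type`, `details`, `severity`, `ts`) and the sample alerts are constructed for illustration and do not reflect Meraki's or Heimdal's real schema.

```python
from datetime import datetime

# Constructed sample alerts in a simplified, Meraki-like shape. The field names
# are assumptions for this illustration, not Heimdal's or Meraki's actual schema.
SAMPLE_ALERTS = [
    {"device": "LAPTOP-01", "src_ip": "10.0.0.5", "type": "IDS alert",
     "details": "Signature 1234 matched", "severity": "High", "ts": "2025-01-10T09:00:00"},
    {"device": "LAPTOP-01", "src_ip": "10.0.0.5", "type": "IDS alert",
     "details": "Signature 1234 matched", "severity": "High", "ts": "2025-01-10T11:30:00"},
    # Two alerts whose device name could not be mapped: grouped by source IP + type
    {"device": None, "src_ip": "10.0.0.7", "type": "Malware blocked",
     "details": "payload-a.exe", "severity": "Medium", "ts": "2025-01-10T10:00:00"},
    {"device": None, "src_ip": "10.0.0.7", "type": "Malware blocked",
     "details": "payload-b.exe", "severity": "Medium", "ts": "2025-01-10T10:05:00"},
    # Low severity: not surfaced in the External Firewall views
    {"device": "SRV-02", "src_ip": "10.0.0.9", "type": "IDS alert",
     "details": "Signature 9 matched", "severity": "Low", "ts": "2025-01-10T12:00:00"},
]

SURFACED_SEVERITIES = ("High", "Medium")


def group_key(alert):
    """Key used to fold identical alerts into one aggregated entry.

    With a device name: device name + alert details (type and details text).
    Without one: source IP + alert type, as the release notes describe.
    """
    if alert.get("device"):
        return ("device", alert["device"], alert["type"], alert["details"])
    return ("ip", alert["src_ip"], alert["type"])


def aggregate(alerts, severities=SURFACED_SEVERITIES):
    """Return aggregated entries sorted by Hits (descending).

    Each entry keeps the most recent timestamp in its group and a display
    label: the device name, or the source IP when no name could be mapped.
    """
    groups = {}
    for alert in alerts:
        if alert["severity"] not in severities:
            continue
        key = group_key(alert)
        ts = datetime.fromisoformat(alert["ts"])
        entry = groups.get(key)
        if entry is None:
            groups[key] = {
                "key": key,
                "label": alert.get("device") or alert["src_ip"],
                "type": alert["type"],
                "severity": alert["severity"],
                "hits": 1,
                "latest": ts,
            }
        else:
            entry["hits"] += 1
            if ts > entry["latest"]:
                entry["latest"] = ts
    # sorted() is stable, so groups with equal Hits keep first-seen order
    return sorted(groups.values(), key=lambda e: e["hits"], reverse=True)


if __name__ == "__main__":
    for entry in aggregate(SAMPLE_ALERTS):
        print(f'{entry["label"]:<12} {entry["type"]:<16} hits={entry["hits"]} '
              f'latest={entry["latest"].isoformat()}')
```

Run as a script, the sample collapses five raw alerts into two aggregated rows: the two LAPTOP-01 IDS alerts (Hits 2, latest 11:30) and the two unmapped alerts from 10.0.0.7, which share a source IP and alert type despite differing details. The Low severity alert is dropped before grouping, matching the note that only High and Medium notifications are surfaced.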
Notifications view
The (raw) Notifications view lists all TAC notifications as individual entries, in contrast with the Aggregated Notifications.
The External Firewall Action Center, Notifications view closely mirrors the Aggregated Notifications view, offering a familiar layout and user experience with only a few notable differences. One key addition is the presence of an "Alert body" column within the grid. This column includes an expand button that, when clicked, reveals the full contents of the Meraki firewall alert in JSON format, allowing users to inspect and/or copy the raw payload for deeper technical insights and troubleshooting. Another notable difference is that Actioned or Resolved notifications provide a dedicated history modal, accessible by clicking the corresponding icons, enabling users to quickly review the action history.
External Firewall Exclusions management
The dedicated External Firewall Exclusions section, found under Network Settings -> External Firewall Exclusions tab, enables users to manage firewall exclusion rules created either from the TAC portal (External Firewall Action Center, Aggregated Notifications, or Notifications views) or directly within this view.
Note: this functionality is available exclusively at the corporate customer level.
The External Firewall Exclusions tab is regulated by ACLs and:
- The tab is visible for a Heimdal user that has View permissions for the externalFirewallExclusions claim.
- Heimdal users who have the Edit rights can add, modify, or delete any exclusion rules.
The new Network Settings tab introduces a set of enhanced tools for managing external firewall exclusions:
- Add new exclusion - users can create a new exclusion by clicking Add new exclusion, which opens a configuration view where all rule details can be defined.
- Edit exclusion – clicking the pen icon in the grid opens the current configuration of an exclusion. Users can update the settings and save the changes or select Cancel to exit without applying modifications.
Note: Once a type is selected for either the Primary or Secondary criteria, it is removed from the list for the other field. Exclusions cannot be saved if the Primary and Secondary criteria have the same type/value combination.
- Delete exclusion - when clicking Delete, users are prompted with a confirmation dialog. The exclusion is removed only when Yes is selected.
The grid in the External Firewall Exclusions tab is fully searchable (by primary or secondary criteria value) and also supports exporting all exclusions to a CSV file.
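The exclusion rules described above (criteria types Source IP, Destination IP, Notification, or Device Name; a 7, 30, or 90 day or permanent duration; Primary and Secondary criteria that may not share a type) can be modelled as a small validator plus matcher. This is an added example, not Heimdal's implementation: the mapping from criteria type to alert field, the `SAMPLE_ALERT`, and the return shapes are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Criteria types offered by the Exclude flow, mapped to the alert field they
# compare against. The alert field names are assumptions of this example.
CRITERIA_FIELDS = {
    "Source IP": "src_ip",
    "Destination IP": "dst_ip",
    "Notification": "type",
    "Device Name": "device",
}
# Exclusion durations offered in the pop-up; None means permanent.
DURATIONS_DAYS = {"7": 7, "30": 30, "90": 90, "permanent": None}

# Constructed alert and creation time used by the usage section and tests.
SAMPLE_ALERT = {"device": "LAPTOP-01", "src_ip": "10.0.0.5",
                "dst_ip": "203.0.113.9", "type": "IDS alert"}
SAMPLE_CREATED = datetime(2025, 1, 10, 9, 0, 0)


def validate_exclusion(primary, secondary=None, duration="permanent"):
    """Return a list of validation errors; an empty list means the rule can be saved."""
    errors = []
    for label, crit in (("Primary", primary), ("Secondary", secondary)):
        if crit is None:
            continue
        if crit.get("type") not in CRITERIA_FIELDS:
            errors.append(f"{label} criteria: unknown type {crit.get('type')!r}")
        if not crit.get("value"):
            errors.append(f"{label} criteria: value is required")
    # The UI removes the chosen Primary type from the Secondary list; enforce the same rule here
    if secondary is not None and primary.get("type") == secondary.get("type"):
        errors.append("Primary and Secondary criteria must use different types")
    if duration not in DURATIONS_DAYS:
        errors.append(f"duration must be one of {sorted(DURATIONS_DAYS)}")
    return errors


def build_exclusion(primary, secondary=None, duration="permanent", created_at=None):
    """Build an exclusion rule with its expiry, or raise ValueError if it cannot be saved."""
    errors = validate_exclusion(primary, secondary, duration)
    if errors:
        raise ValueError("; ".join(errors))
    created_at = created_at or datetime.now()
    days = DURATIONS_DAYS[duration]
    return {
        "primary": primary,
        "secondary": secondary,
        "created_at": created_at,
        "expires_at": None if days is None else created_at + timedelta(days=days),
    }


def _criterion_matches(crit, alert):
    return alert.get(CRITERIA_FIELDS[crit["type"]]) == crit["value"]


def is_excluded(alert, rule, now):
    """True when the alert matches every criterion of a rule that is still active."""
    if rule["expires_at"] is not None and now >= rule["expires_at"]:
        return False
    if not _criterion_matches(rule["primary"], alert):
        return False
    if rule["secondary"] is not None and not _criterion_matches(rule["secondary"], alert):
        return False
    return True


if __name__ == "__main__":
    rule = build_exclusion({"type": "Device Name", "value": "LAPTOP-01"},
                           {"type": "Notification", "value": "IDS alert"},
                           "7", SAMPLE_CREATED)
    print("excluded now:", is_excluded(SAMPLE_ALERT, rule, SAMPLE_CREATED))
    print("excluded after expiry:", is_excluded(SAMPLE_ALERT, rule, rule["expires_at"]))
```

Matching is exact on every criterion, so a Secondary criterion narrows the rule rather than widening it; an expired rule never matches, which is the safer default when a 7 day exclusion is forgotten.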
HEIMDAL PRIVILEGES & APP CONTROL
PEDM – Expanded support for Azure AD (Entra) joined devices
We’ve enhanced the PEDM module to now support privilege elevation on pure Azure AD (Entra) joined machines, in addition to Hybrid and traditional AD‑joined environments.
With this update, the Heimdal agent automatically detects how each endpoint is joined (connected to a domain controller) - Azure AD, AD, Hybrid, or neither - whenever the “Heimdal.AdminPrivilege” (PEDM) service starts or checks for policy updates.
When end users successfully utilize the “Sign In” option (button in the Heimdal agent), the service retrieves the required identity attributes directly from Microsoft Graph API, based on the machine’s domain-joined status, in order to perform the elevation.
This improvement provides broader compatibility and seamless privilege management across modern, pure Entra‑based infrastructures.
PEDM – Cloud AV scanning for enhanced security
This release adds a powerful new security control to Heimdal PEDM: cloud‑based antivirus scanning performed before admin privileges are granted. This capability strengthens endpoint defense by preventing suspicious or compromised files from being executed with elevated rights and ensures safer, compliant privilege workflows across the environment.
Whether a user initiates a file elevation through Run with PEDM or executes applications during an Administrator Session, all associated files are now analyzed in real time by a multitude of cloud AV engines. Administrators can define a risk‑score threshold that enforces automated protection actions - blocking file elevations that exceed the threshold, or immediately de‑elevating users during session‑based elevations if a risky process is detected.
This new capability can be enabled via its dedicated checkbox in the Heimdal Dashboard under: Endpoint Settings → Privileges & App Control → Privilege Elevation and Delegation Management → Run as Administrator or Administrator Session GP areas. For file elevations, the option (check box) appears as “Pre‑elevation cloud AV scanning”. For Administrator Sessions, the feature is listed as “Cloud AV scanning of admin‑executed files”.
Each option also includes a configurable risk‑score slider, ranging from 0 to 100 (0 being the lowest value and 100 the highest), allowing administrators to define the threshold at which a file elevation is blocked or a user in an active Administrator Session is automatically de‑elevated.
The default risk‑score slider value is set to 0, and Heimdal strongly recommends keeping it at this level to maintain a robust security posture. Increasing the threshold may expose your estate to vulnerabilities.
Note: Enabling the Local token elevation approval method will automatically disable the Cloud AV scanning options. These scanning capabilities are available only when using Auto‑mode or Approval via Dashboard.
For file elevations, the Pre‑elevation cloud AV scanning feature automatically analyzes the file hash and calculates the risk score prior to any elevation/execution being granted. When the elevation mode is set to Approval via Dashboard, the file is scanned immediately after the elevation request is submitted. If the resulting risk score exceeds the configured threshold, the request is flagged as potentially dangerous, allowing administrators to make an informed decision. In Auto‑approval mode, the behavior is fully enforced: any file whose risk score surpasses the threshold is automatically declined, ensuring that high‑risk files never receive elevated execution rights.
When "Cloud AV scanning of admin executed files" is enabled, Administrator Session elevations automatically trigger cloud AV scanning for any file executed using Run with PEDM, or when the Disable Windows consent setting is enabled. If a file's risk score exceeds the configured threshold, the user's elevated session is immediately revoked. On the agent and dashboard side, the elevation flows are as follows:
File Elevations with Pre‑Elevation Cloud AV Scanning:
When Pre‑elevation cloud AV scanning is enabled, any end‑user file elevation request triggers an automatic hash submission and scan. Based on the scan result and the corresponding risk score, the elevation request is either forwarded/auto‑approved or automatically blocked.
1. File Not Flagged as Infected
If the scan returns clean, the elevation flow proceeds normally, and the file’s risk score is displayed in the dashboard.
2. File Flagged as Infected
If the file is detected as infected, its risk score is evaluated against the threshold defined in the Group Policy:
- Threshold Not Exceeded - The elevation continues as usual, and the risk score is shown in the dashboard.
- Threshold Exceeded - The outcome depends on the configured approval type:
  - Auto‑approve - The elevation is blocked. A notification informs the user that the file is flagged as malicious and advises them to contact the administrator. The entry appears in the History tab with the associated risk score and an auto‑denied status.
  - Approval via Dashboard - The elevation request is sent to the dashboard (Pending Approvals view) with the file's risk score for administrator review.
Approving one or more high‑risk requests prompts the administrator with a confirmation dialog (below examples for single and multi-entry grid selections).
If request alerts are enabled, email notifications also indicate that the request involves a file exceeding the configured risk threshold.
Administrator Session elevations with Cloud AV scanning of admin‑executed files:
When Cloud AV scanning of admin‑executed files is enabled, scanning occurs during the elevated session.
Note: system files and files executed without administrative privileges are excluded from scanning.
1. File Not Flagged as Infected
While the session is elevated, any file or process the user executes with administrative rights is automatically scanned. If the scan reports no findings, the elevation continues uninterrupted, and no further action is required. All scanned items and their associated risk scores are displayed in the Process details/specifics section of the Heimdal dashboard (after clicking the "Executed Process" info displayed in the History view).
2. File Flagged as Infected
If a scanned file exceeds the configured risk‑score threshold, the user is immediately de‑elevated. A pop-up notification informs the end user about the detection, and the event - along with the file's risk score - is logged in the History grid (Process details, upon clicking the "Executed Process").
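The two decision flows described above, file elevations with Pre‑elevation cloud AV scanning and Administrator Session scanning of admin‑executed files, share one rule: a flagged file whose risk score exceeds the GP threshold is denied (auto mode), sent to Pending Approvals marked high risk (dashboard mode), or causes de‑elevation (session), while the threshold is never honoured under Local token elevation. The following is an added example that encodes those rules for testing; it is not the Heimdal agent's code, and the `ScanResult` shape, the mode constants, and the returned status strings are assumptions chosen for this illustration.

```python
from dataclasses import dataclass

# Approval methods from the PEDM GP. Cloud AV scanning is only offered for the
# first two; enabling Local token elevation disables the scanning options.
APPROVAL_AUTO = "auto"
APPROVAL_DASHBOARD = "dashboard"
APPROVAL_LOCAL_TOKEN = "local_token"


@dataclass
class ScanResult:
    """Result of the cloud AV hash lookup (constructed shape; not Heimdal's API)."""
    sha256: str
    flagged: bool      # at least one engine flagged the file as infected
    risk_score: int    # 0..100, as on the GP slider


def scanning_available(approval_method, scanning_enabled):
    """The scanning checkboxes have no effect under Local token elevation."""
    return bool(scanning_enabled) and approval_method in (APPROVAL_AUTO, APPROVAL_DASHBOARD)


def decide_file_elevation(scan, threshold, approval_method):
    """Outcome of a Run with PEDM request under Pre-elevation cloud AV scanning.

    Returns (status, risk_score). The score must exceed the threshold, not
    merely equal it, for the request to be treated as high risk; with the
    default threshold of 0 any flagged file with a non-zero score is caught.
    """
    if not 0 <= threshold <= 100:
        raise ValueError("threshold must be between 0 and 100")
    if not scan.flagged or scan.risk_score <= threshold:
        return ("proceed", scan.risk_score)          # score still shown in the dashboard
    if approval_method == APPROVAL_AUTO:
        # Blocked; user is told the file is flagged; History shows auto-denied
        return ("auto_denied", scan.risk_score)
    if approval_method == APPROVAL_DASHBOARD:
        # Sent to Pending Approvals with the score; admin gets a confirmation dialog
        return ("pending_high_risk", scan.risk_score)
    raise ValueError(f"cloud AV scanning is not available for {approval_method!r}")


def decide_session_process(scan, threshold, is_system_file=False, runs_elevated=True):
    """Outcome for a process launched during an Administrator Session."""
    if is_system_file or not runs_elevated:
        return ("not_scanned", None)                 # excluded from scanning per the note
    if scan.flagged and scan.risk_score > threshold:
        return ("de_elevated", scan.risk_score)      # session revoked, event logged in History
    return ("continue", scan.risk_score)


if __name__ == "__main__":
    # Constructed hashes; the values are placeholders, not real file digests.
    clean = ScanResult("0" * 64, flagged=False, risk_score=0)
    suspect = ScanResult("1" * 64, flagged=True, risk_score=63)
    for mode in (APPROVAL_AUTO, APPROVAL_DASHBOARD):
        print(mode, decide_file_elevation(clean, 0, mode), decide_file_elevation(suspect, 0, mode))
    print("session", decide_session_process(suspect, 0))
```

Raising the threshold only changes the `risk_score <= threshold` comparison: the same 63-point file that is auto-denied at the default of 0 proceeds unchallenged at a threshold of 63 or higher, which is the exposure the release notes warn about.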
For any elevation where file‑level scanning occurs, the resulting risk score is displayed in a new dedicated column within the Pending Approvals grid, as showcased below.
As an additional safeguard for administrators, the History view displays a warning icon next to the Executed Processes info (for Administrator Session, File, or Run Non‑Elevated elevations) whenever at least one scanned process has a risk score greater than 0, and on hover an additional explanatory text is displayed.
All grids that support CSV export now include a dedicated Scan Risk Score column, making reporting and external analysis easier. Sorting is also enabled across all grids that display scanning data, simplifying investigation and trend review.
HEIMDAL EMAIL PROTECTION
Email Security – M365 Exchange Connector
We’re excited to announce a new, streamlined configuration option for our Email Security solution: the M365 Exchange Connector. This alternative to the traditional MX record setup offers a fast, practical route without compromising security. With the same robust protection you trust, the connector ensures full scanning of both inbound and outbound email flows, delivering comprehensive threat prevention while simplifying deployment for Microsoft 365 environments.
With the introduction of this new configuration option, we’ve also enhanced the Grant Consent flow by splitting into two separate options, each addressing distinct configuration requirements:
- Grant consent billing (previously "Grant Consent") - enables license and billing synchronization by granting permissions required for automatic license counting.
- Grant consent M365 Exchange Connector - required to create and manage the M365 Exchange Connector for email routing, enabling both inbound and outbound mail flow through the Email Security product.
Coming back to the domain routing configuration options, when editing or creating a domain in Email Security, IT administrators can now choose between two mutually exclusive email routing methods:
MX record setup:
- Description: this is the existing method used for inbound scanning, where the domain’s MX records must point to Heimdal.
- Switching Behavior (from M365 Exchange Connector → MX Record Setup):
  - the Inbound Verification – Anti-Spoofing and SEPO sections under Additional Domain Settings become enabled.
  - upon saving the changes, a confirmation popup appears, warning that existing M365 Exchange Connector configurations will be removed.
Selecting Yes, provided that Grant Consent for M365 Exchange Connector has been successfully completed, applies the MX Record Setup and automatically removes the M365 Exchange Connector. If Cancel is selected, the routing type remains unchanged, but any other domain configuration updates will be saved.
Note: If Grant Consent for M365 Exchange Connector is revoked (status becomes disabled) and the setup is switched to MX Record, the previously configured M365 Exchange Connector will not be removed automatically. It must be deleted manually by the administrator.
M365 Exchange Connector setup:
- Description: allows Heimdal to manage inbound and outbound email routing via M365 Exchange Connectors.
- Consent Requirements:
  - a valid Microsoft Entra Tenant ID.
  - Grant Consent for M365 Exchange Connector must be provided prior to configuration.
- Inbound Conditions:
  - the domain's MX must not point to the Heimdal Email Security MX record.
  - the SPF checkbox under Additional Domain Settings must be disabled.
Note: if the Inbound conditions are not met, inbound mail functionality via M365 connectors may fail.
- Outbound Conditions:
  - only one outbound connection can be configured, using the Office 365 provider.
  - your SPF records must be correctly configured in your DNS before creating the connector. To do this, update your SPF record to include the appropriate Email Security SPF entry based on your geographical region:
    - include:spf-esec.heimdalsecurity.com – for customers in the Europe region.
    - include:spf-esec-us.heimdalsecurity.com – for customers in the United States region.
    - include:spf-esec-uk.heimdalsecurity.com – for customers in the United Kingdom region.
    - include:spf-esec-uae.heimdalsecurity.com – for customers in the United Arab Emirates region.
- Switching Behavior (from MX Record Setup → M365 Exchange Connector):
  - the Inbound Verification – Anti-Spoofing and SEPO sections under Additional Domain Settings become disabled (corresponding tick boxes unchecked).
  - upon saving the changes, a confirmation popup appears showing the current configuration:
If Yes is selected and Grant Consent for M365 Exchange Connector is enabled, the system will apply the specified Inbound and Outbound configurations. If Cancel is chosen, the routing type remains unchanged and any other domain configuration updates will be saved.
Note: in case the Outbound conditions are not met, a warning popup will inform the user that outbound connector creation will be skipped. As a result, outbound routing will not be configured for the corresponding domain.
As part of the implementation, a new Health Check Connector option is available, meant to validate the M365 Exchange Connector provisioning. This is particularly useful because connector creation may take up to 1–2 minutes; it allows IT admins to confirm the readiness and operational status of the configured connector before applying critical routing changes.
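The consent, inbound, and outbound conditions for the M365 Exchange Connector setup form a checklist that is worth verifying before saving the domain, since unmet inbound conditions can break inbound mail and unmet outbound conditions cause the outbound connector to be skipped. The following is an added pre-flight check written for this page, not part of the Heimdal product: the `cfg` dictionary keys, the region codes, the `heimdal_mx_host` value (the real Heimdal MX hostname is not given in these notes, so a placeholder is used), and the sample configurations are all assumptions constructed for illustration. The regional SPF includes are the ones listed above.

```python
import re

# Regional Email Security SPF includes as listed in the release notes.
SPF_INCLUDES = {
    "eu": "include:spf-esec.heimdalsecurity.com",
    "us": "include:spf-esec-us.heimdalsecurity.com",
    "uk": "include:spf-esec-uk.heimdalsecurity.com",
    "uae": "include:spf-esec-uae.heimdalsecurity.com",
}
# Entra tenant IDs are GUIDs; reject anything else before calling Graph.
TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed configurations. The tenant ID and MX host are placeholders, not real values.
SAMPLE_OK = {
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "connector_consent_granted": True,
    "heimdal_mx_host": "mx.heimdal-esec.placeholder",
    "mx_hosts": ["example-com.mail.protection.outlook.com."],
    "spf_checkbox_enabled": False,
    "outbound_connections": [{"provider": "Office 365"}],
    "region": "eu",
    "spf_txt": "v=spf1 include:spf.protection.outlook.com include:spf-esec.heimdalsecurity.com -all",
}
SAMPLE_BAD = {
    "tenant_id": "not-a-guid",
    "connector_consent_granted": True,
    "heimdal_mx_host": "mx.heimdal-esec.placeholder",
    "mx_hosts": ["mx.heimdal-esec.placeholder"],      # MX still points to Heimdal
    "spf_checkbox_enabled": True,                      # SPF checkbox still on
    "outbound_connections": [],                        # no Office 365 connection
    "region": "us",
    "spf_txt": "v=spf1 include:spf.protection.outlook.com -all",  # regional include missing
}


def check_connector_preconditions(cfg):
    """Return unmet conditions grouped as {'consent': [...], 'inbound': [...], 'outbound': [...]}."""
    problems = {"consent": [], "inbound": [], "outbound": []}

    # Consent requirements
    if not TENANT_ID_RE.match(cfg.get("tenant_id", "")):
        problems["consent"].append("a valid Microsoft Entra Tenant ID is required")
    if not cfg.get("connector_consent_granted"):
        problems["consent"].append("Grant Consent for M365 Exchange Connector has not been provided")

    # Inbound conditions: MX must not point to Heimdal, SPF checkbox must be off
    heimdal_mx = cfg.get("heimdal_mx_host", "").lower().rstrip(".")
    if heimdal_mx and any(mx.lower().rstrip(".") == heimdal_mx for mx in cfg.get("mx_hosts", [])):
        problems["inbound"].append("domain MX still points to the Heimdal Email Security MX record")
    if cfg.get("spf_checkbox_enabled"):
        problems["inbound"].append("SPF checkbox under Additional Domain Settings must be disabled")

    # Outbound conditions: one Office 365 connection, regional SPF include present
    outbound = cfg.get("outbound_connections", [])
    if len(outbound) != 1 or outbound[0].get("provider") != "Office 365":
        problems["outbound"].append("exactly one outbound connection using the Office 365 provider is required")
    expected = SPF_INCLUDES.get(cfg.get("region"))
    tokens = cfg.get("spf_txt", "").split()
    if expected is None:
        problems["outbound"].append(f"unknown region {cfg.get('region')!r}")
    elif not tokens or tokens[0].lower() != "v=spf1" or expected not in tokens:
        problems["outbound"].append(f"SPF record must contain {expected}")
    return problems


def outbound_will_be_skipped(problems):
    """Mirrors the warning popup: any unmet outbound condition skips connector creation."""
    return bool(problems["outbound"])


if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        p = check_connector_preconditions(cfg)
        print(name, p, "outbound skipped:", outbound_will_be_skipped(p))
```

The SPF check is deliberately token-based rather than a substring search, so `include:spf-esec.heimdalsecurity.com` is not accepted as a match for the `-us`, `-uk` or `-uae` variants and a record missing the `v=spf1` version tag is rejected outright.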
Email Security – Brand new "M365 Users" view
The newly introduced Email Security view (Products -> Email Protection -> Email Security -> Details tab) delivers clear visibility into Microsoft 365 users, enabling accurate automated license tracking and billing. This enhancement helps organizations align Heimdal license consumption with actual mail-enabled M365 user activity in the configured Microsoft Entra (Azure AD) tenant.
The M365 Users view is available only when both of the following conditions are met:
- A valid Microsoft Entra Tenant ID is configured.
- Grant Consent Billing has been successfully provided under Network Settings -> Email Protection -> Email Security -> Grant Consent Billing.
Note: if the aforementioned conditions are not met, the view remains disabled, and a tooltip text is displayed on hover, to inform the user of the missing requirements.
The M365 Users view presents a searchable and sortable grid containing the following columns:
- M365 User – displays the Microsoft 365 user identity (userPrincipalName, or UPN)
- Last Seen – indicates the timestamp of the user's most recent sign-in activity
Note: only users who meet both of the following criteria are included in the grid:
- are Members in the Microsoft 365 organization.
- have an active Exchange Online service plan.
Data in the M365 Users view is automatically refreshed every week.
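The two inclusion criteria for the M365 Users grid (Member users with an active Exchange Online service plan) and the Last Seen column map naturally onto Microsoft Graph user objects. The following is an added example, not Heimdal's code: the records are constructed in the shape of Graph `user` resources (`userType`, `assignedPlans`, `signInActivity`), and the assumption that Heimdal derives membership and Exchange status from exactly these properties is this example's, not the page's.

```python
from datetime import datetime

# Constructed records in the shape of Microsoft Graph user objects. Whether
# Heimdal reads exactly these properties is an assumption of this example.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "userType": "Member",
     "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled"}],
     "signInActivity": {"lastSignInDateTime": "2025-01-09T08:15:00Z"}},
    {"userPrincipalName": "bob@example.com", "userType": "Member",          # plan removed
     "assignedPlans": [{"service": "exchange", "capabilityStatus": "Deleted"}],
     "signInActivity": {"lastSignInDateTime": "2025-01-08T10:00:00Z"}},
    {"userPrincipalName": "partner_example.net#EXT#@example.onmicrosoft.com",  # guest
     "userType": "Guest",
     "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled"}],
     "signInActivity": {"lastSignInDateTime": "2025-01-10T12:00:00Z"}},
    {"userPrincipalName": "carol@example.com", "userType": "Member",        # no Exchange plan
     "assignedPlans": [{"service": "SharePoint", "capabilityStatus": "Enabled"}],
     "signInActivity": None},
    {"userPrincipalName": "dave@example.com", "userType": "Member",         # never signed in
     "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled"}],
     "signInActivity": None},
]


def has_active_exchange_plan(user):
    """True when any assigned plan is the Exchange service with capabilityStatus Enabled."""
    return any(p.get("service", "").lower() == "exchange" and p.get("capabilityStatus") == "Enabled"
               for p in user.get("assignedPlans", []))


def last_seen(user):
    """Parse lastSignInDateTime to a datetime, or None when the user has never signed in."""
    activity = user.get("signInActivity") or {}
    raw = activity.get("lastSignInDateTime")
    if not raw:
        return None
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def m365_users_grid(users):
    """Rows for the M365 Users view: Members with an active Exchange plan, newest sign-in first."""
    rows = [{"m365_user": u["userPrincipalName"], "last_seen": last_seen(u)}
            for u in users
            if u.get("userType") == "Member" and has_active_exchange_plan(u)]
    seen = sorted((r for r in rows if r["last_seen"] is not None),
                  key=lambda r: r["last_seen"], reverse=True)
    never = [r for r in rows if r["last_seen"] is None]
    return seen + never


if __name__ == "__main__":
    for row in m365_users_grid(SAMPLE_USERS):
        print(f'{row["m365_user"]:<24} {row["last_seen"]}')
```

Of the five constructed users only alice and dave qualify: bob's Exchange plan is no longer enabled, carol has no Exchange plan at all, and the guest account is not a Member. Users who have never signed in are kept but listed last, so the grid still accounts for their license.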
OTHER IMPROVEMENTS & FIXES
Enriched TAC notifications - Operational and Security Issues
Starting with the 5.2.2 PROD release, new Threat Hunting & Action Center notification types have been fully integrated into TAC - including updates to risk scoring, filtering, bottom widget, homepage visibility (icons) and available actions - across both Device and M365 surfaces.
Under the Operational Issues category (Devices), we have introduced critical new notifications designed to highlight potential signs of severe compromise:
• Heimdal uninstalled – triggered when the Heimdal agent is forcibly or unexpectedly removed from a device.
• Endpoint isolated – triggered when one or more Heimdal services are stopped (Heimdal Tamper Protection disabled), which may indicate malicious interference, or when the device becomes isolated as a result of the Device Protection Actions configured in any of the following GP-based Endpoint Detection modules under Endpoint Settings: Next‑Gen AV, Firewall, Ransomware Encryption Protection.
The set of available actions for these new Operational Issues notifications - depending on whether they are accessed from the Aggregated Notifications view or the Notifications view - is as follows:
• For Heimdal uninstalled: Investigate and Resolve.
• For Endpoint isolated: Investigate, Resolve, and/or Unisolate.
Under the Security Issues category (M365), several important updates have been introduced to improve data visibility and overall actionability. Notifications related to MFA and Password state - previously available only in the User Compliance tab of the M365 Action Center - are now also displayed in both the Aggregated Notifications view and the Notifications view, and can be actioned (Investigate, Resolve) directly from these views, providing a more streamlined and unified workflow.
A new SEC‑I "Source" has been added across multiple areas of the M365 space - including the Action Center grids, the Filtering modals, the M365 widget, and the Risk chart in the User Specifics -> M365 tab - providing clearer attribution, more precise filtering, and more complete input into the Risk Score details; all in all, improved visibility and investigation workflows.
As part of this update, we have improved the mechanism used to retrieve SEC‑I / User Compliance notifications (Multi-Factor Authentication, Password Strength, and Password Expiration checks) from the Microsoft Graph API.
The enhanced logic now takes into account the Microsoft Entra ID Conditional Access Policy (CAP) configurations that override the corresponding individual Graph API settings. This alignment significantly reduces the false positives generated in this area. To activate this enhancement, administrators must regrant consent under the Network Settings -> M365 User Security tab.
Enhancements to the Guide -> MXDR Permissions tab
With the introduction of the new External Firewall dimension alongside the existing Threat‑Hunting & Action Center areas for Devices and Users (M365), we have implemented several enhancements to the Guide -> MXDR Permissions tab. These updates are the first step toward a broader refinement of the permissions guidance framework, with additional improvements planned for upcoming releases to further increase clarity, relevance, and ease of use.
Starting with this release, Heimdal users can configure separate contact details for the MXDR permissions corresponding to External Firewall, Device, and M365 TAC notifications, or choose to apply the same contact details to all components:
• When “Same contacts for all components” is disabled:
o Contact details are organized into three distinct sections: Firewall, Device, and M365.
o When Heimdal MXDR is permitted to act on a notification, the analyst is shown the contact details of the stakeholder(s) assigned to that specific component, according to the configured settings, in the MXDR contact form.
• When “Same contacts for all components” is enabled:
o Contact details are consolidated into a single All view.
o Whenever an MXDR analyst acts on an External Firewall, Device, or M365 notification, the same set of contact details is displayed for all components in the MXDR contact form.
Brand‑new Permission categories have been added to the grid, reflecting the expanded scope of activities performed by the Heimdal SOC team as they take on more of the heavy lifting in managing your environments and reducing alert fatigue. These categories - Email Protection (Email Security and Email Fraud Prevention), Login Anomaly Detection, Ransomware Encryption Cloud, Forwarding Rules, External Firewall, and both Security and Operational Issues - enable more granular control over who can oversee and interact with detections across the platform.
Each new category aligns directly with the SOC team’s day‑to‑day operational capabilities, including continuous monitoring, deep‑dive investigation, proactive threat hunting, and automated remediation and response. By structuring permissions around these functional areas, customers gain clearer visibility into SOC workflows, finer governance over access, and stronger alignment between internal policies and Heimdal’s managed detection and response activities.
Expanded Email Protection coverage in TAC M365
TAC M365 (User Security) now includes two new categories of notifications - Email Security (ESEC) and Email Fraud Prevention (EFP) - available in both the Aggregated Notifications and (raw) Notifications tabs.
These additions provide deeper insight into email‑borne threats and enhance investigative workflows through richer contextual data and improved response capabilities. To support faster remediation, dedicated actions are now available for these new notification types, ensuring analysts can promptly address and contain emerging risks. With the inclusion of ESEC and EFP events, the M365 risk score now dynamically adjusts to reflect these additional threat vectors, offering a more accurate representation of organizational exposure. Users can also filter by the two new sources, and all related information is seamlessly reflected across every relevant area in the UI.
This update further strengthens our unified, single‑pane‑of‑glass approach, making the Microsoft 365 security posture easier to understand, manage, and act upon.
New Incident Response logs available
As part of Heimdal’s ongoing commitment to strengthening security while ensuring compliance and providing customers with deeper visibility into their environments, we are introducing a new log category: Incident Response Logs.
The Incident Response Logs view gives customers access to an expanded set of fetchable forensic artifacts, delivering deeper insight into activity on a specific Hostname (Endpoint). In addition to the standard log data, this view includes the PowerShell console history, Prefetch files, and Jump List traces, offering a more comprehensive foundation for investigation and incident analysis.
These logs can be accessed directly from:
Unified Management -> Device Info -> click a Hostname (Client Specifics page) -> UEM -> Logs -> Incident Response Logs. Pressing the Incident Response Logs button opens a confirmation popup.
An alternative way to request these logs is to open the Client Specific Commands panel, select Request Logs, and choose Incident Response Logs from the dropdown list.
This addition enhances the platform's reporting capabilities by offering a clearer, more structured record of incident-related actions and responses performed across your estate. With this new category, users gain improved transparency, auditability, and operational insight, further supporting informed decision-making and reinforcing Heimdal's mission to deliver continuous, proactive protection.
Unified Action Center experience
Aiming to improve ease of use, reduce navigation complexity and provide a more intuitive forensic workflow, we have introduced a noteworthy UX enhancement by unifying all TAC Action Center views under a single, consolidated entry in the Heimdal Dashboard. This update removes the previously fragmented structure and replaces it with a streamlined top-level navigation that groups Devices, M365, and External Firewall into one coherent interface. With this unification, all grids, widgets, and data views adapt dynamically to the selected top-level tab, so that Heimdal users always see the most relevant context - whether reviewing device activity, Microsoft 365 telemetry, or external firewall events. The result is a cleaner, more consistent experience that shortens investigation time, improves contextual awareness, and delivers a more efficient, unified threat action center.