The HEIMDAL Sandbox is a file analysis tool designed to assist with computer forensics endeavors, augmenting the already powerful threat intel and hunting toolkit offered by TAC.
1. Description
2. Analysis and resolution
DESCRIPTION
The Sandbox further equips security leaders, operations teams, and managed service providers with the ability to detect next-gen threats and to respond using the other relevant product modules in the Heimdal product stack. When a file is uploaded to the Sandbox, it is added as an entry in the data table with the resolution New, which is shown only briefly. The resolution then changes to Pending Upload (also shown briefly) until the file is fully uploaded, and then to Queued until the analysis starts. While the file is being analyzed the resolution is In Progress; when the analysis finishes it becomes Completed, or Error for files whose analysis failed.
The corresponding grid consists of 4 columns: File name, Uploaded by, Resolution, and Timestamp.
A file is uploaded to the Sandbox with the Upload button, which opens a pop-up window from which customers can choose the file to import, specify the file's password (where applicable), and/or specify the file's execution arguments (where applicable).
ANALYSIS AND RESOLUTION
Files that have been analyzed successfully have an eye icon next to their file name; clicking it takes the HEIMDAL Dashboard user to the dedicated File analysis view, where granular details (including a process tree visualization) are available.
IMPORTANT
The HEIMDAL Sandbox only scans files with a size of 1MB or less. Files must have a .exe or .zip extension (for archives, only the first .exe file in the archive is scanned). An Invalid file name message is displayed if a user attempts to upload a file with spaces in its name.
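The upload restrictions above are easy to trip over when submitting samples in bulk, so a pre-flight check before upload saves rejected submissions. The following is an added example written for this page, not Heimdal's own code or API: it applies the size, extension and file-name rules stated above and, for a .zip, reports which member would be scanned. It assumes 1MB means 1,048,576 bytes and that "first .exe file archived" means the first .exe entry in the archive's own entry order.

```python
import io
import os
import zipfile

# Limits as stated in the Sandbox documentation above (1MB assumed binary).
MAX_SIZE_BYTES = 1 * 1024 * 1024
ALLOWED_EXTENSIONS = {".exe", ".zip"}


def check_sandbox_upload(name: str, data: bytes) -> dict:
    """Pre-flight check of a file before submitting it to the Sandbox.

    Returns a dict with 'ok' (bool), a list of 'problems', and, for .zip
    uploads, the archive member the Sandbox would scan ('scanned_member').
    """
    problems = []
    ext = os.path.splitext(name)[1].lower()
    if " " in name:
        problems.append("file name contains spaces (Sandbox shows 'Invalid file name')")
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext or '(none)'} not allowed; use .exe or .zip")
    if len(data) > MAX_SIZE_BYTES:
        problems.append(f"size {len(data)} bytes exceeds the 1MB limit")
    scanned = None
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Assumption: the first .exe entry in archive order is the one scanned.
                exes = [m for m in zf.namelist() if m.lower().endswith(".exe")]
                if exes:
                    scanned = exes[0]
                else:
                    problems.append("archive contains no .exe file; nothing would be scanned")
        except zipfile.BadZipFile:
            problems.append("file is not a valid zip archive")
    return {"ok": not problems, "problems": problems, "scanned_member": scanned}


def build_sample_zip(members: dict) -> bytes:
    """Construct a small in-memory zip as sample input (constructed, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"readme.txt": b"notes", "dropper.exe": b"MZ", "second.exe": b"MZ"})
    print(check_sandbox_upload("suspect_bundle.zip", sample))   # ok, scans dropper.exe
    print(check_sandbox_upload("my sample.exe", b"MZ"))          # rejected: spaces in name
```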
The Upload to Storage & Send to Sandbox command is a key feature available across various product modules within the HEIMDAL Dashboard, designed to streamline threat analysis and response. This functionality can be found in the following sections:
- DNS Security - Endpoint - Accessible within the Latest Threats view.
- Next-Gen Antivirus - Available in the Latest Infections/Quarantine and Zero-Trust Execution Protection views.
- Ransomware Encryption Protection - Available in the Endpoint Detections view, as well as the corresponding Client Specifics views (accessible by clicking on a hostname).
The command is also fully integrated into the TAC widgets associated with these modules and is accessible via the TAC Action Center, specifically within the Notifications and Aggregated Notifications views. This feature ensures administrators have a robust toolset for handling and analyzing potential threats efficiently, reinforcing comprehensive endpoint security management.