We want to inform you about the release of a new Heimdal™ Release Candidate Dashboard version, 2.5.400, which is now live. The Heimdal™ R.C. Agent will be available for download in the dashboard (“Guide” section, “Download and install” tab) starting Tuesday, January 25th 2022, and will be deployed on a roll-out basis over the course of the coming weeks.
Here are the main features and improvements rolling in with the new 2.5.400 R.C.:
Heimdal™ Dashboard
- Enhanced Endpoint Settings management – Access Control for specific and full Group Policy access
In the Accounts -> Access Control tab of the Heimdal Dashboard, three new Claim categories have been added: “Manage Windows Endpoint Settings area”, “Manage MacOS Endpoint Settings area” and “Manage Android Endpoint Settings area”. Each of these claim categories has two claim types:
- "Full access device settings" – allowing the owner of the claim to perform changes on all the Group Policies
- "Specific access device settings" – allowing the owner of the claim to perform changes only on specific Group Policies
A user can’t hold both claim types at the same time. The “Specific access device settings” claim does not allow operations that affect the Group Policy set as a whole, such as creating, duplicating or deleting Group Policies, or changing Group Policy priorities.
Heimdal™ Threat Prevention Network:
- "Prevented Attacks" & "Hostname" clickable in DarkLayer Guard™ Network
As a further improvement to the “Prevented Attacks” column added to Threat Prevention Network -> DarkLayer Guard™ Network -> Standard view, the “Hostname”, “Approved Requests” and “Prevented Attacks” fields are now clickable, giving the dashboard user more granular forensic information.
Clicking on the “Hostname” leads the user to the Client Specifics view (a grid-like overview of the queries intercepted by the TPN LogAgent and servers for that specific endpoint). Raw data is only available if the machine is found under Active Clients.
In the “Domain” column, the user can click the “I”/ Information icon, which redirects to the Investigate View with multiple data points related to that domain; there is also a VirusTotal icon which, when clicked, opens the VirusTotal domain info page for that domain.
Clicking on the “Approved Requests” or “Prevented Attacks” number takes the dashboard user to a “DNS queries” view listing the accepted or blocked DNS requests (with the filter preset to “DNS Query Passed” or “DNS Query Blocked”, respectively).
- Threat Prevention Network Block by Category
This functionality allows the dashboard user to block groups of domains belonging to specific categories (illegal content, gambling, sexuality, etc.). It can be enabled or disabled from the Network Settings -> Threat Prevention tab; when enabled, a drop-down list of preset “to be blocked” categories becomes available (single and multiple selections are supported).
- Threat Prevention Network Custom block page
This functionality (a check box found in Network Settings -> Threat Prevention) lets the dashboard user import an .html file with their own Custom Block page layout instead of using the standard Heimdal Block Page. The custom or standard block page is displayed whenever an end user attempts to access a blocked, category-blocked or blacklisted domain. Please be aware that, after importing a custom block page, the change may take up to 30 minutes to take effect.
- Threat Prevention Network LogAgent Settings
In the Network Settings -> Threat Prevention GP area we created a dedicated “LogAgent Settings” area containing new settings for the TPN LogAgent app:
- “Log unknown hostnames” – when enabled, the Standard and Latest Threats dashboard views display entries for unknown hostnames as well as for known hostnames
- “Log local domains” – when enabled, the LogAgent app also records entries related to local domains
We also added a “Policy Check Interval” slider, which sets how often (in minutes) the TPN LogAgent refreshes its local settings from the dashboard.
Heimdal™ Threat Prevention Endpoint:
- DarkLayer Guard™ Endpoint and Network forensic enhancements
These enhancements consist of a new “Investigate view” tab in the Threat Prevention Network -> DarkLayer Guard™ Network dashboard area, and of richer information in both the DarkLayer Guard™ Endpoint and the DarkLayer Guard™ Network Investigate views.
The Investigate View now also shows the processes most frequently observed accessing the queried domain, and the Domains/ URLs related to the queried domain’s IP. In both cases the TOP 3 entries are displayed.
The processes most frequently observed accessing the queried domain are shown from two perspectives:
- Your Matches TPE: the number of times, in the selected time frame, the domain has been intercepted via Threat Prevention Endpoint in the customer’s environment
- Global Matches TPE: the number of times, in the selected time frame, the domain has been intercepted via Threat Prevention Endpoint in all the Heimdal customers’ environments
The top domains/ URLs related to the queried domain’s IP are also presented in two dimensions:
- Your Matches TPE + TPN: the number of times, in the selected time frame, the related domain has been intercepted via both Threat Prevention Network and Threat Prevention Endpoint in the customer’s environment
- Global Matches TPE + TPN: the number of times, in the selected time frame, the related domain has been intercepted via both Threat Prevention Network and Threat Prevention Endpoint in all the Heimdal customers’ environments
- VectorN Detection™ alerts “Hide” button
In the Threat Prevention -> VectorN Detection™ module, Standard & Client Specifics views, we have implemented the option to temporarily dismiss a VectorN Detection™ alert for 30 days. This is useful for detections you consider false positives, and in particular when the module is on and the “De-elevate and block elevation for users with risk or infections” check box is enabled, since an active detection would otherwise block elevation through Privileged Access Management for that endpoint.
When selecting one or more endpoints with detections and opening the “Select what action to take” drop-down list, the user will find a new “Hide” option, which dismisses the alert for 30 days. There is also a “Show dismissed matches” filter which, when enabled, displays the dismissed/ hidden alerts in a faded manner alongside the active ones.
When an end user requests a PAM elevation while there is an active VectorN Detection™ and the “De-elevate and block elevation for users with risk or infections” tick box (Endpoint Settings -> Privileges & App Control -> Privileged Access Management) is enabled, the Heimdal™ agent pop-up message displays the following text: “VectorN has detected malware in your system. Contact your IT administrator in order to dismiss the detection and/ or click here for more info.”
Heimdal™ Endpoint Detection, Next-Gen Antivirus & MDM:
- Next-Gen AV Exclusions List enhancement
In the Endpoint Settings -> Endpoint Detection -> Next-Gen Antivirus tab, Next-Gen AV Exclusion List area, you can now add up to 10 exclusions per page and export the list to a .csv file containing the File Name/ Path, Type and Priority information. Another small improvement is that duplicate entries are no longer allowed in the Exclusions List.
Heimdal™ Privileges & App. Control, Application Control:
- Show logs in a different view (raw data)
In the Dashboard -> Privileges & App Control -> Application Control tab we added another view called “Raw data” (also available in the Management -> Active Clients section of the Heimdal™ dashboard). The view displays all the processes intercepted in the selected timeframe without aggregating the data.
Given the large amount of data stored, we highly recommend selecting smaller time frames (minutes, or at most hours) to avoid timeout exceptions. The view displays a maximum of 10,000 intercepted applications. We’ve also enhanced all the App Control views so that the dashboard user can sort the data by “Status”, and can view and sort by the “Timestamp” at which the interception took place.
Other improvements:
- Patch & Asset management API optimization
We made further enhancements to the 3rd party software Corporate Customers API: a new status parameter value, “latest”, which, when specified in the API call, returns only the latest update status for each patched application (e.g.: https://dashboard.heimdalsecurity.com/api/heimdalapi/thirdparty?customerId=195670&status=latest). We’ve also added “release date” information, indicating the date when the patch was added to the system.
- Detect “user context” apps. & display them in the 3rd Party Software, Assets view
An enhancement was made to the Patch & Asset Management -> 3rd Party Software -> Assets view: applications installed in a user context are now discovered and shown in this view.
- Excel download option of Endpoint Settings (GPs and settings)
A “Download” button was added to the Endpoint Settings GP management view (all 3 tabs: Windows GP, MacOS GP and Android GP), which exports the Group Policies and their settings to an Excel file. The exported data contains all the field values of the settings (scheduler, text values, check boxes, etc.) except for collection lists (Next-Gen AV Exclusions list, Domains Blacklist/ Whitelist values, etc.).
- Addition of the Azure AD groups column to Endpoint Settings, Windows GP management view
An “Azure AD groups” column was added to the Windows GPs management table in the Endpoint Settings -> Windows GP tab. It indicates whether one or more AAD groups are associated with a specific GP. When several AAD groups are linked to a Group Policy, the view can be expanded to show all of them.
- Addition of the Next-Gen Antivirus functionality issues to the Corporate Customers and Partner reports
Next-Gen AV functionality issue information has been added to the Heimdal™ Endpoint Detection - Next-Gen AV report (Accounts section of the dashboard), letting customers and partners know about any malfunctions encountered in the Antivirus product (e.g.: Virus Definitions not updated, clashes with another AV product, etc.).
A dedicated section providing hostname, Error details, and timestamp info was included in the Most Affected Endpoints part of the existing report.
- Access Control List claim for Remote Desktop Supporters’ management
A new Claim Category (“Remote Desktop connection”) with the Claim Type “Remote desktop connect full access” was added in the Accounts -> Access Control tab of the dashboard, allowing granular control over the Remote Desktop connection rights granted to Supporters (either to specific GPs or to all GPs).
There are four possible scenarios, described below:
• Scenario 1: “Specific access device settings Windows area” is enabled, but “Remote desktop connect full access” is disabled => the supporter can connect only to end-user computers included in the GPs listed under “Specific access device settings windows”
• Scenario 2: “Full access device settings windows” is enabled => the supporter can connect to any endpoint, regardless of whether “Remote desktop connect full access” is granted or not
• Scenario 3: “Remote desktop connect full access” is enabled => the supporter can connect to any endpoint, regardless of the GP to which the endpoint is assigned
• Scenario 4: “Full access device settings windows”, “Specific access device settings windows” and “Remote desktop connect full access” are all disabled => the supporter cannot connect to any endpoint.
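The four scenarios above are easiest to reason about as a single precedence rule: a full device-settings claim or the Remote Desktop full-access claim grants every endpoint, a specific device-settings claim grants only its listed GPs, and nothing else grants anything. The following Python model, written for this page and not taken from the Heimdal dashboard or its API, encodes that rule together with the constraint from the Endpoint Settings section that a user cannot hold both the “Full access” and “Specific access” claims at once. The claim field names, the GP names and the endpoint-to-GP assignments are assumptions made for the example.

```python
"""Hypothetical model of the Remote Desktop supporter access scenarios.

Added example; not Heimdal code. Claim names and GP assignments are invented.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, List


@dataclass(frozen=True)
class SupporterClaims:
    # "Full access device settings" in the Manage Windows Endpoint Settings area
    full_access_windows: bool = False
    # "Specific access device settings": the GPs the supporter may manage.
    # None means the claim is disabled; a set means it is enabled for those GPs.
    specific_access_windows: Optional[FrozenSet[str]] = None
    # "Remote desktop connect full access" in the Remote Desktop connection area
    rdp_full_access: bool = False

    def __post_init__(self) -> None:
        # The dashboard does not allow both Windows device-settings claims at once.
        if self.full_access_windows and self.specific_access_windows is not None:
            raise ValueError("a user cannot hold both full and specific access")


def can_connect(claims: SupporterClaims, endpoint_gp: str) -> bool:
    """Decide whether a supporter may open a Remote Desktop session to an
    endpoint assigned to endpoint_gp, following the four documented scenarios."""
    if claims.full_access_windows:          # Scenario 2: any endpoint
        return True
    if claims.rdp_full_access:              # Scenario 3: any endpoint, GP ignored
        return True
    if claims.specific_access_windows is not None:   # Scenario 1: listed GPs only
        return endpoint_gp in claims.specific_access_windows
    return False                            # Scenario 4: nothing granted


def reachable_endpoints(claims: SupporterClaims,
                        assignments: Mapping[str, str]) -> List[str]:
    """Return the sorted hostnames (from a hostname -> GP mapping) the
    supporter can reach. Useful for auditing a claim set before granting it."""
    return sorted(h for h, gp in assignments.items() if can_connect(claims, gp))


# Constructed sample inventory: hostname -> assigned Windows GP (invented names).
SAMPLE_ASSIGNMENTS = {
    "ws-sales-01": "Sales GP",
    "ws-sales-02": "Sales GP",
    "ws-fin-01": "Finance GP",
    "srv-dc-01": "Servers GP",
}

if __name__ == "__main__":
    helpdesk = SupporterClaims(specific_access_windows=frozenset({"Sales GP"}))
    admin = SupporterClaims(full_access_windows=True)
    rdp_only = SupporterClaims(rdp_full_access=True)
    nobody = SupporterClaims()
    for name, c in [("helpdesk", helpdesk), ("admin", admin),
                    ("rdp_only", rdp_only), ("nobody", nobody)]:
        print(name, reachable_endpoints(c, SAMPLE_ASSIGNMENTS))
```

Note that the Remote Desktop claim widens, never narrows, what the device-settings claims already grant: adding “Remote desktop connect full access” to a supporter who only has specific access immediately exposes every endpoint, so review that combination before awarding it.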