We want to inform you about the release of a new Heimdal™ Production Dashboard version, 2.5.395, that is now live. The Heimdal™ Prod. The agent will be available, for download, in the dashboard (“Guide” section, “Download and install” tab), starting mid-next week and will be gradually deployed, over the coming weeks.
Here are the main features and improvements rolling in with the new 2.5.395:
Heimdal™ Threat Prevention Network:
- Addition of “Prevented Attacks” in the Network Standard view grid
In the Threat Prevention Network module, DarkLayer Guard™ Network, Standard view we added a new column called “Prevented Attacks” which displays the number of blocked DNS requests per hostname. We will be further enhancing this functionality, in the upcoming releases, making the number clickable and providing granular info about the prevented attacks.
Heimdal™ Patch and Asset Management:
- Provision of 3rd party patches and deployment through Intune
We’ve enhanced our 3rd party patches API by offering the possibility to query all the Heimdal™ 3rd party software that can be deployed through Intune. Please note that this enhancement is available only if you have the Infinity Management sub-module licensed.
Intune can be used to deploy applications and patches to enrolled devices. It can be used to deploy a large variety of apps, including mobile ones. There are only two kinds of apps that are taken into consideration for 3rd Party integration: Line of Business (.msi) and Win32 Windows apps.
Intune Support API
This API can be found in the “Guide” section, “Your HS API Key” tab of the Heimdal™ dashboard, as per the below screenshot.
The API call outputs a JSON that lists all the patches that have Intune Support enabled and have a Type of Default (not Archive), grouped by application. There is the required parameter of the customer that is used to validate the API key and an optional parameter appName the can be used to filter the patches based on the application name.
The complete documentation related to the Intune API can be made available by our Support department.
Heimdal™ Endpoint Detection, Firewall:
- Brute Force Detection reporting mode
To further increase the cybersecurity of your organization, Heimdal™ Security introduced a new feature, called “Brute Force Detection reporting mode” which allows you to get a view of the Brute Force Attacks conducted against your environment even if you don’t have the Heimdal™ Firewall module licensed and/ or enabled. Given the informative nature of the feature, we won’t take any action to protect your environment against Brute Force Attacks, we will just notify you about these, in case this function is enabled.
To activate/ deactivate the function, you will need to contact our Support dept. or reach out to your Heimdal™ Sales representative, as this is an Admin Setting, which is not visible in the Endpoint Settings, General tab, section of the dashboard.
Customers that do not have the Firewall module licensed or enabled will be able to see on the dashboard homepage the Endpoint Detection, Firewall graph with the corresponding Firewall alerts:
Also, in the left-hand side dashboard menu, in the “Products” section, the Firewall module will be activated, displaying only the Firewall Alerts view as per the below screenshot.
Customers that do have the Firewall module enabled, but have the “Brute Force Detection reporting mode” check box enabled, won’t see any change in the dashboard view (the only change being the fact that we won’t actively block ports/ ensure protection in case this feature is active).
In terms of the notifications corresponding to the “Brute Force Detection reporting mode” functionality, these will be available for both Corporate Customers, as well as for Partners in the shape of email reports, which can be set, in terms of receiving frequency, from a 7 up to 30-day interval (in the report we will showcase only the latest 5 Brute Force Attacks, while you can get a full picture of the situation in the Heimdal™ dashboard).
For Corp. Customer's reports can be enabled/ disabled from the “Accounts” section of the dashboard (Account tab, Reports subsection), “Brute Force Attacks report interval” as per the below screenshot.
Partners can enable/ disable the email report from the Accounts -> Account -> Partner Reports section of the dashboard, BFA reports.
Below you can get a taste of the Email report that will be received when Brute Force Detection reporting mode is on:
Heimdal™ Privileges & App. Control, Application Control:
- Define internal port for Application Control
In the Endpoint Settings -> Privileges & App. Control -> Application Control tab we added a new checkbox called “Internal port for AppControl” which, if enabled, allows you to change the custom port used for this module (we will display the default port used for App. Control, namely “8001” and when the tick box is enabled, you will be able to change it).
Heimdal™ Privileges & App. Control, Privileged Access Management:
- Revoke existing local admin rights enhancements
Enhancements were conducted to the “Revoke local admin rights” functionality, found in the Endpoint Settings -> Privileges & App. Control -> Privileged Access Management tab, in the sense that the search by Username has been automated by introducing a dropdown functionality (displaying the username and group name), replacing the existing textbox. If the dashboard user will select first a hostname, the username’s dropdown will display all local admins for the selected hostname. If there isn’t any hostname selected, the username’s dropdown will display all local admins from all the active clients that have the current group policy applied and were active in the specified timeframe.
An import “Exclusions .csv file” functionality was also added above the Preserved Users grid, enabling you to bulk upload and whitelist previous users that had admin rights.
The “Preserved Users” info bubble (when hovered over) provides the ability to download a sample for a .csv file with examples of how to define users for the whitelist.
The asterisk character (*) represents the fact that the whitelisting will be applied to all hostnames or all usernames from that hostname (only previous admin members). In the case depicted in the screenshot:
• row 1: MyCustomUser will be whitelisted for all computers that received this group policy;
• row 2: on the computer named MyCustomHostname, all admin users will be removed, except Username, and on
Other improvements:
- Dashboard homepage graphs
A user enhancement was conducted to the dashboard home page, Product graphs, namely: when clicking on the graphs outside of the data points, you will be taken to the first view/ tab from the Product page corresponding to that product (e.g.: Privileges & App. Control -> Privileged Access Management graph will lead to the Privileged Access Management -> Pending Approvals view).
- Enhancement to Master Reseller Group Policy
The Resellers now can create Multiple Reseller Master Group Policies, post activating the “Reseller Master GP Distribution” tick box. These will be signaled by dedicated tags (Master GP).
The settings comprised in the Reseller Master GPs will be applied to the customers, underneath that Reseller, that have the “Opt-in Reseller Master GP” functionality enabled. We’ve also created an email alert, received by the Reseller, at the moment in which one of its customers changed the priority of the Group Policies and one of the Reseller Master GP is no longer the top priority.
Also, in the case in which a customer, who has opted in for the Reseller Master GP, unchecks the “Opt-in Reseller Master GP” tick box, the Reseller will receive an email notification stating which of his customers has opted out of Reseller Master GP.
- Enhancements to the Reseller API (“For Active Clients Details” and “For Customer Operations”
We have conducted some enhancements for the Reseller API (Guide -> You HS API Key) which are listed below:
- added Device Info (“For Active Clients Details”)
- option to Create Customers (“For Customer Operations”)
- option to Delete Customers (“For Customer Operations”)
- option to Restore Customers (“For Customer Operations”)
- option to Update Customers (“For Customer Operations”)
- Customization of the blocked Remote Desktop Protocol port
You will now have the option to select the RDP port which gets blocked in case of Brute Force Attacks. This functionality can be found in the Endpoint Settings -> Endpoint Detection -> Firewall tab, Firewall Management subsection and, if enabled, will allow you to customize the default 3389 port by mentioning a specific port for a specific Group Policy.
- Microsoft Updates Force and Normal Reboot agent pop–up warning
Knowing how important it is not to disrupt the work of our end-users, thus enhancing productivity and user experience, we implemented a Heimdal™ agent pop–up window, which will warn you 10 minutes, respectively 5 minutes before a Microsoft Updates - generated force or normal reboot taking place on your machine.
If you need help with anything, don’t hesitate to contact corpsupport@heimdalsecurity.com.