The most common issues with the Firewall product were related to the Brute Force Attack functionality, which isolates an endpoint when a Brute Force detection is made.
Investigating brute force attacks
BEHAVIOR: I see a lot of BruteForceAttacks being reported in the HEIMDAL Dashboard -> Endpoint Detection -> Firewall -> Firewall Alerts.
SOLUTION: The detection of Brute Force Attacks is based on Event ID 4625, which can be found in the Event Viewer -> Windows Logs -> Security -> Audit Logs (Logon category).
The Logon events will give you more information on where the BruteForceAttack is initiated from. Identifying an IP Address will allow you to block access from the specific IP Address (if this is an external IP Address) or mitigate the issue locally on the specific endpoint (if this is an internal IP Address).
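To get the same information without paging through Event Viewer, the failed-logon events (Event ID 4625) can be summarised per source IP address from PowerShell. This is an added example, not part of the HEIMDAL product or its documentation; the 24-hour look-back window, the top-10 limit and the variable names are assumptions to adjust.

```powershell
# Added example: summarise failed logons (Event ID 4625) by source IP address.
# Run in an elevated PowerShell session on the endpoint that raised the alert.
$hours = 24   # assumed look-back window
$top   = 10   # assumed number of source addresses to list

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # The named fields of a 4625 event live under Event/EventData/Data in its XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        IpAddress   = $data['IpAddress']
        Workstation = $data['WorkstationName']
        TargetUser  = $data['TargetUserName']
        LogonType   = $data['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
    }
}

# Events with no recorded source address ('-' or empty) are dropped here;
# inspect $failures directly to review those.
$failures |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress |
    Sort-Object Count -Descending |
    Select-Object -First $top |
    ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            IpAddress    = $_.Name
            Failures     = $_.Count
            Users        = ($_.Group.TargetUser  | Sort-Object -Unique) -join ', '
            Workstations = ($_.Group.Workstation | Sort-Object -Unique) -join ', '
            LogonTypes   = ($_.Group.LogonType   | Sort-Object -Unique) -join ', '
            First        = $times[0]
            Last         = $times[-1]
        }
    } | Format-Table -AutoSize
```

Each row is one source address with its failure count, the accounts it tried and the first and last attempt, which is the detail needed to decide between blocking an external address and investigating an internal host.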