In this article, you will find information about the Ransomware Encryption Protection for Cloud functionality and how to configure it in the HEIMDAL Dashboard. To do that, you need to make sure that the SAML 2.0 Login feature is enabled and that your Heimdal Enterprise Customer is linked to your Azure Active Directory Tenant ID.
1. Description
2. How does Ransomware Encryption Protection for Cloud work?
3. Ransomware Encryption Protection for Cloud setup guide
4. Ransomware Encryption Protection for Cloud view
5. Ransomware Encryption Protection for Cloud settings
DESCRIPTION
Ransomware Encryption Protection for Cloud is an alternative to the Ransomware Encryption Protection product/service that is already present in the HEIMDAL suite (within the HEIMDAL Agent for Windows). It extends the protection to business OneDrive users and prevents a ransomware attack from spreading and encrypting all of your files that are stored in the cloud.
HOW DOES RANSOMWARE ENCRYPTION PROTECTION FOR CLOUD WORK?
Once enabled in the HEIMDAL Dashboard -> Network settings area, a new Enterprise application is installed in the Azure Active Directory: Heimdal Security REP for OneDrive. This allows us to receive and monitor every notification issued by Microsoft each time a file is updated on a user's OneDrive for Business account. The HEIMDAL enterprise application keeps the details regarding a file for 15 minutes. If we detect suspicious activity on OneDrive and Isolate user on detection is enabled, the user can be isolated (that is, the user is logged off from all Microsoft sessions). This disconnects the user, preventing the encryption or the upload of any further malicious files. An alert and the list of affected files are reported in the HEIMDAL Dashboard. An alert is generated only if 3 or more files are found to be encrypted. For optimization purposes, Ransomware Encryption Protection for Cloud stops monitoring any other files once at least 10 encrypted files have been discovered.
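As an added illustration (not Heimdal's own code), the following Python models the per-user behaviour described above: file details are kept for 15 minutes, an alert is raised once 3 or more files look encrypted, the user's sessions are revoked if isolation is enabled, and monitoring stops after 10 encrypted files. The heuristic that decides whether a file "looks encrypted" is not described in the article and is assumed to be supplied by the caller.

```python
from collections import defaultdict
from dataclasses import dataclass, field

RETENTION_SECONDS = 15 * 60  # the enterprise application keeps file details for 15 minutes
ALERT_THRESHOLD = 3          # an alert is generated only when 3 or more files look encrypted
STOP_MONITORING_AT = 10      # once 10 encrypted files are found, further files are not monitored


@dataclass
class FileEvent:
    user: str
    path: str
    timestamp: float        # epoch seconds of the OneDrive change notification
    looks_encrypted: bool   # ASSUMPTION: verdict from a heuristic the article does not describe


@dataclass
class UserState:
    recent: list = field(default_factory=list)  # (timestamp, path, looks_encrypted) in window
    monitoring: bool = True
    alerted: bool = False
    session_revoked: bool = False


class CloudRepMonitor:
    """Per-user alerting and isolation logic modelled on the article's thresholds."""

    def __init__(self, isolate_user_on_detection: bool):
        self.isolate = isolate_user_on_detection
        self.users = defaultdict(UserState)

    def handle(self, ev: FileEvent) -> dict:
        st = self.users[ev.user]
        if not st.monitoring:
            return {"user": ev.user, "action": "not monitored"}
        # Forget file details older than the 15-minute retention window.
        st.recent = [r for r in st.recent if ev.timestamp - r[0] < RETENTION_SECONDS]
        st.recent.append((ev.timestamp, ev.path, ev.looks_encrypted))
        affected = {p for (_, p, enc) in st.recent if enc}
        if len(affected) >= ALERT_THRESHOLD and not st.alerted:
            st.alerted = True
            if self.isolate:
                st.session_revoked = True   # stands in for logging the user off all Microsoft sessions
        if len(affected) >= STOP_MONITORING_AT:
            st.monitoring = False           # optimization: stop tracking this user's other files
        return {"user": ev.user, "affected_files": len(affected),
                "alerted": st.alerted, "session_revoked": st.session_revoked}
```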
RANSOMWARE ENCRYPTION PROTECTION FOR CLOUD SETUP GUIDE
The Ransomware Encryption Protection for Cloud functionality requires you to enable SAML 2.0 Login in the Guide -> Customer settings area (within the HEIMDAL Dashboard). To set it up, insert your Azure Active Directory Tenant ID and hit the Update button. If you need detailed instructions on how to set up SAML 2.0 Login, check out the following link: https://support.heimdalsecurity.com/hc/en-us/articles/360019971018-SAML-2-0-Login. After inserting the Tenant ID, you need to synchronize the Azure AD Users and Groups by pressing the Sync Users button (this functionality is visible ONLY to the user account assigned to the ENTERPRISE customer; it is NOT visible to user accounts with Reseller roles). Ransomware Encryption Protection for Cloud is managed from the Network Settings area (described in the last chapter of this article).
RANSOMWARE ENCRYPTION PROTECTION FOR CLOUD VIEW
The Ransomware Encryption Protection for Cloud product/service reports all the intercepted events in the Cloud Detections view (Products -> Endpoint Detection -> Ransomware Encryption Protection view). This view displays a table with the following details: Email, Azure AD User Groups, Number of affected files, User's session revoked, and Timestamp.
RANSOMWARE ENCRYPTION PROTECTION FOR CLOUD SETTINGS
In order to set up Ransomware Encryption Protection for Cloud in the HEIMDAL Dashboard, go to the Network Settings section -> Ransomware Encryption Protection. The following settings are available:
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection for Cloud;
Grant consent - allows you to install the Heimdal Security REP for Cloud in your Azure AD's Enterprise applications (the Enterprise application needs specific permissions in order for REP for Cloud to work);
Isolate user on detection - enables/disables the isolation feature that logs off the user when a ransomware encryption alert is triggered;
Select Azure AD groups to monitor users' drives - allows you to select one or multiple Azure AD Groups to be monitored. The Azure AD Groups need to be synchronized in the Guide -> Customer settings area in order to be visible in the drop-down field.