topic Re: Looking for a comprehensive guide to forensics interpretation in Endpoint

Looking for a comprehensive guide to forensics interpretation

OneITguy — Wed, 16 Jul 2025 15:49:55 GMT

Greetings. I am posting this request for references to any guides pertaining to the review and interpretation of results in Harmony Endpoint forensics results.

I am a relative novice when it comes to deciphering the significance of events being reported by Endpoint, and although I would enthusiastically say that it is in a whole nother galaxy compared to my previous platform (Datto AV/EDR), there is a LOT of information presented and I am unsure about how to put some of the details in context. I have been using Endpoint now for a few months, and am happy with the performance of detection and remediation, but I feel like there is more to understand about the various elements of a forensics report than the documentation provides.

What I need is a more complete walk through of the forensics report that breaks down each of the details in each section, ideally with some examples of events and remediation. My goal is to be able to identify what, if any, further action should be taken based on results. As an example, there have been a couple of events that clearly required restoring files from quarantine, such as components of our remote desktop broker product, TSPlus, that was effectively crippled as a result of the various triggers Endpoint executed. This also led to a hands on real time training on the ways to use Smart Exceptions. I am gradually getting a better understanding of what I am looking at in forensics, but it would be helpful to have a protocol to follow for reviewing all the info.

If there are videos or other resources available to admins that provide some guidance about proper Endpoint forensics review and follow up, I would be eternally grateful to whoever could point me in the right direction. In the mean time, I will continue to muddle through and hope that I am not missing something.

Thanks in advance.

-That One IT guy

Re: Looking for a comprehensive guide to forensics interpretation

Danny — Tue, 05 Aug 2025 14:45:03 GMT

I recommend the Harmony Endpoint Specialist R81.20 (CCES) course.

Re: Looking for a comprehensive guide to forensics interpretation

OneITguy — Tue, 05 Aug 2025 15:25:46 GMT

OK, thanks for replying.

I suppose I should have further qualified my inquiry by explicitly stating that I am NOT interested in paying an obscene amount of money for a 2 day course that may or may not cover what I would consider far more information than can reasonably be included in a 2 day course, and for information that should be covered in documentation right out of the gate.

So, if you have any OTHER information that meets the parameters, I would love to hear about it.

Re: Looking for a comprehensive guide to forensics interpretation

Danny — Tue, 05 Aug 2025 15:31:43 GMT

Then you might want to contact your Check Point representative and ask for an individual session based on your demand.

Re: Looking for a comprehensive guide to forensics interpretation

OneITguy — Tue, 05 Aug 2025 15:37:19 GMT

Did. And was then advised to come here to seek insight from the community. So far, goose eggs.

Re: Looking for a comprehensive guide to forensics interpretation

OneITguy — Tue, 05 Aug 2025 15:51:14 GMT

For anyone else trying to find specific content related to insight about Endpoint forensics, this YT search brought up a few relevant vids.

https://www.youtube.com/results?search_query=harmony+endpoint+forensics

Re: Looking for a comprehensive guide to forensics interpretation

Don_Paterson — Tue, 05 Aug 2025 16:04:33 GMT

Have a look at the links in this collection of links (multiple collections in some).

The ATRG is more architectural but may hold some valuable info.

I am not sure if anything more comprehensive was ever created to fully cover the Forensics report.

Maybe they assumed it was enough but there's a gap that needs to be filled and we can look for help on that since you've identified the gap here.

Let me know what you think.

I can put something together in the meantime but it wouldn't be an official guide from Check Point as such.

https://support.checkpoint.com/results/sk/sk164695

https://community.checkpoint.com/t5/Endpoint/Collection-of-Harmony-Endpoint-links-resources/td-p/226342

Jump to around 1/3 into this video to see info on forensics

https://community.checkpoint.com/t5/Endpoint/Advanced-Investigation-amp-Remediation-Using-Harmony-Endpoint/td-p/114510

Re: Looking for a comprehensive guide to forensics interpretation

OneITguy — Tue, 05 Aug 2025 16:07:11 GMT

THIS is genuinely helpful. THANK YOU!

To be clear, I am not concered about "official". Anything that sheds more light is getting me further along than I was before.

Re: Looking for a comprehensive guide to forensics interpretation

Don_Paterson — Tue, 05 Aug 2025 16:12:53 GMT

ACK

Understood

It's still good feedback for the vendor here. Part of the reason for CheckMates.

I'll put the other info in here, when I can put it together, and try to have more good reference info available.

Re: Looking for a comprehensive guide to forensics interpretation

OneITguy — Tue, 05 Aug 2025 16:16:05 GMT

Awesome. I appreciate your efforts and willingness to share your knowledge and experience.

Re: Looking for a comprehensive guide to forensics interpretation

Don_Paterson — Tue, 05 Aug 2025 16:54:15 GMT

You are welcome. Glad I can help.

Let me know if the attached is along the right lines of what you would have expected to find, if you have time.

It's a first draft, a skeleton of a document, something Check Point might be able to use as a new SK or to contribute to an Admin Guide, e.g.

https://sc1.checkpoint.com/documents/R81.20/SmartEndpoint_OLH/EN/Content/Topics-EPSG-R81.20/SandBlast-Agent-Use-Case.htm?tocpath=Harmony%20Endpoint%20Anti-Ransomware%252C%20Behavioral%20Guard%20and%20Forensics%7C_____7

Otherwise I can just add to it and keep it in my library and in here for reference 🙂

Re: Looking for a comprehensive guide to forensics interpretation

Don_Paterson — Wed, 06 Aug 2025 07:38:51 GMT

I don't think this is in any of the collections but might be useful for insights into logging, event analysis (reports) and forensics in general.

https://support.checkpoint.com/results/sk/sk167102