https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180719#M7017 <P>Seen and read that file.<BR />What I'm after is an equivalent of running "cpefrcli -b backup.db" on a Windows instance of Endpoint Security.<BR />This command copies the Forensics database (SQLite format DB) which can then be examined for a very detailed view of everything that happened on the system.<BR /><BR />Such information should exist somewhere on the system, even if briefly since a large dataset gets piped to Threat Hunting.<BR />I'm wondering if there's a way to capture this dataset locally just as we are able to with Windows Harmony Endpoint.</P> Fri, 12 May 2023 08:50:34 GMT Swiftyyyy 2023-05-12T08:50:34Z https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180696#M7015 <P>Hello!<BR /><BR />Would you happen to know if Harmony Endpoint for Linux also stores a local database of events similar to the Windows variant.<BR />I am talking about the SQLite database into which the Forensics blade deposits information about Socket operations, Running processes, File operations and more.</P><P>As the Linux variant of Harmony Endpoint became supported for On-Premises appliances where Threat Hunting of course isn't available, at least having this database available somewhat adds some value.</P><P>&nbsp;</P> Fri, 12 May 2023 05:27:33 GMT https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180696#M7015 Swiftyyyy 2023-05-12T05:27:33Z https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180716#M7016 <P>See <A href="https://support.checkpoint.com/results/sk/sk170198" target="_blank" rel="noopener"><SPAN>sk170198: <STRONG>Harmony</STRONG> Endpoint for <STRONG>Linux</STRONG></SPAN></A><SPAN><STRONG>&nbsp;and <A href="https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/Harmony-Endpoint-for-Linux-Commands.htm?Highlight=linux" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/Harmony-Endpoint-for-Linux-Commands.htm?Highlight=linux</A><BR /></STRONG></SPAN></P> <P class="Procedure_Heading">To show detections of <STRONG><SPAN class="mc-variable Vars_Endpoint_SandBlast.tp_amal variable">Anti-Malware</SPAN></STRONG>, run:</P> <TABLE class="TableStyle-TP_Table_Code" style="mc-table-style: url('../Resources/TableStyles/TP_Table_Code.css');" cellspacing="0"><COLGROUP><COL /> </COLGROUP> <TBODY> <TR class="TableStyle-TP_Table_Code-Body-Body1"> <TD class="TableStyle-TP_Table_Code-BodyA--Body1"> <P><CODE>cpla am detections</CODE></P> </TD> </TR> </TBODY> </TABLE> <TABLE class="TableStyle-TP_Table_Notes" style="margin-left: 0; margin-right: auto; mc-table-style: url('../Resources/TableStyles/TP_Table_Notes.css');" cellspacing="0"><COLGROUP><COL class="TableStyle-TP_Table_Notes-Column-Column_Style_Image" /> <COL class="TableStyle-TP_Table_Notes-Column-Column_Style_Text" /> </COLGROUP> <TBODY> <TR class="TableStyle-TP_Table_Notes-Body-Body"> <TD class="TableStyle-TP_Table_Notes-BodyB-Column_Style_Image-Body"><BR /> <P>&nbsp;</P> </TD> <TD class="TableStyle-TP_Table_Notes-BodyA-Column_Style_Text-Body"> <P><SPAN class="Note">Note</SPAN> - To limit the number of detections displayed, use the parameter --limit &lt;number_of_detections&gt;. Default is 100.</P> </TD> </TR> </TBODY> </TABLE> <P class="Procedure_Heading">&nbsp;</P> <P class="Procedure_Heading">To show the latest detections of <STRONG>Behavioral Guard</STRONG>, run:</P> <TABLE class="TableStyle-TP_Table_Code" style="mc-table-style: url('../Resources/TableStyles/TP_Table_Code.css');" cellspacing="0"><COLGROUP><COL /> </COLGROUP> <TBODY> <TR class="TableStyle-TP_Table_Code-Body-Body1"> <TD class="TableStyle-TP_Table_Code-BodyA--Body1"> <P><CODE>cpla bg detections</CODE></P> </TD> </TR> </TBODY> </TABLE> <TABLE class="TableStyle-TP_Table_Notes" style="margin-left: 0; margin-right: auto; mc-table-style: url('../Resources/TableStyles/TP_Table_Notes.css');" cellspacing="0"><COLGROUP><COL class="TableStyle-TP_Table_Notes-Column-Column_Style_Image" /> <COL class="TableStyle-TP_Table_Notes-Column-Column_Style_Text" /> </COLGROUP> <TBODY> <TR class="TableStyle-TP_Table_Notes-Body-Body"> <TD class="TableStyle-TP_Table_Notes-BodyB-Column_Style_Image-Body"><BR /> <P>&nbsp;</P> </TD> <TD class="TableStyle-TP_Table_Notes-BodyA-Column_Style_Text-Body"> <P><SPAN class="Note">Note</SPAN> - To limit the number of detections displayed, use the parameter --limit &lt;number_of_detections&gt;. Default is 100.</P> </TD> </TR> </TBODY> </TABLE> <H2>Logs</H2> <P class="Procedure_Heading">To collect the logs of the product:</P> <TABLE class="TableStyle-TP_Table_Code" style="mc-table-style: url('../Resources/TableStyles/TP_Table_Code.css');" cellspacing="0"><COLGROUP><COL /> </COLGROUP> <TBODY> <TR class="TableStyle-TP_Table_Code-Body-Body1"> <TD class="TableStyle-TP_Table_Code-BodyA--Body1"> <P><CODE>cpla collect-logs</CODE></P> </TD> </TR> </TBODY> </TABLE> <TABLE class="TableStyle-TP_Table_Notes" style="margin-left: 0; margin-right: auto; mc-table-style: url('../Resources/TableStyles/TP_Table_Notes.css');" cellspacing="0"> <TBODY> <TR class="TableStyle-TP_Table_Notes-Body-Body"> <TD class="TableStyle-TP_Table_Notes-BodyB-Column_Style_Image-Body"> <P>&nbsp;</P> </TD> <TD class="TableStyle-TP_Table_Notes-BodyA-Column_Style_Text-Body"> <P><SPAN class="Note">Note</SPAN> - When you use this command, it prepares a Zip file which you can send to the support manually.</P> </TD> </TR> </TBODY> </TABLE> Fri, 12 May 2023 08:29:35 GMT https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180716#M7016 G_W_Albrecht 2023-05-12T08:29:35Z https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180719#M7017 <P>Seen and read that file.<BR />What I'm after is an equivalent of running "cpefrcli -b backup.db" on a Windows instance of Endpoint Security.<BR />This command copies the Forensics database (SQLite format DB) which can then be examined for a very detailed view of everything that happened on the system.<BR /><BR />Such information should exist somewhere on the system, even if briefly since a large dataset gets piped to Threat Hunting.<BR />I'm wondering if there's a way to capture this dataset locally just as we are able to with Windows Harmony Endpoint.</P> Fri, 12 May 2023 08:50:34 GMT https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180719#M7017 Swiftyyyy 2023-05-12T08:50:34Z https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180721#M7019 <P>Ask TAC and post the answer here ! I can not test if the details from <SPAN class="css-13y3t3g"><SPAN class="css-vy7rm">sk164695</SPAN></SPAN> are true for EPS Linux clients...</P> Fri, 12 May 2023 09:59:06 GMT https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180721#M7019 G_W_Albrecht 2023-05-12T09:59:06Z https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180819#M7024 <P>Hello Swiftyyyy,</P> <P>Harmony EndPoint for Linux does not yet contain full Forensics DB capabilities, but it is absolutely on our roadmap.</P> <P>Opening an RFE for this capability can assist in prioritizing it further.<BR /><BR /></P> <P>Thank you,</P> <P>Doron Zuckerman<BR />Harmony EndPoint R&amp;D Group Manager</P> Sun, 14 May 2023 07:17:20 GMT https://community.checkpoint.com/t5/Endpoint/Harmony-Endpoint-for-Linux-Event-Log/m-p/180819#M7024 Doron_Zuckerman 2023-05-14T07:17:20Z