We've been aware of the possibility to push raw forensic data to an ELK stack for a little while now (through a sales representative meeting), but I've been unable to find any documentation on the topic.
Has anyone actually implemented this and do you find it at all useful?
We manage a number of environments and a good number of them use On-Prem Endpoint servers meaning we lack access to Threat Hunting. Being able to pipe these datasets into a database would potentially be a very good stopgap measure between something more official on the EDR front for On-Prem managed devices.
I ask because in the E86.50 agent release notes this functionality is explicitly mentioned.
Enterprise Endpoint Security E86.50 Windows Clients (checkpoint.com)
|AHTP-24628||Forensics data can now be sent from the Endpoint's client computer directly to a local Elastic DB.|