This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
OneITguy
Participant
‎2025-07-16 08:49 AM
Jump to solution

Looking for a comprehensive guide to forensics interpretation

Greetings. I am posting this request for references to any guides pertaining to the review and interpretation of results in Harmony Endpoint forensics results.

I am a relative novice when it comes to deciphering the significance of events being reported by Endpoint, and although I would enthusiastically say that it is in a whole nother galaxy compared to my previous platform (Datto AV/EDR), there is a LOT of information presented and I am unsure about how to put some of the details in context. I have been using Endpoint now for a few months, and am happy with the performance of detection and remediation, but I feel like there is more to understand about the various elements of a forensics report than the documentation provides.

What I need is a more complete walk through of the forensics report that breaks down each of the details in each section, ideally with some examples of events and remediation. My goal is to be able to identify what, if any, further action should be taken based on results. As an example, there have been a couple of events that clearly required restoring files from quarantine, such as components of our remote desktop broker product, TSPlus, that was effectively crippled as a result of the various triggers Endpoint executed. This also led to a hands on real time training on the ways to use Smart Exceptions. I am gradually getting a better understanding of what I am looking at in forensics, but it would be helpful to have a protocol to follow for reviewing all the info.

If there are videos or other resources available to admins that provide some guidance about proper Endpoint forensics review and follow up, I would be eternally grateful to whoever could point me in the right direction. In the mean time, I will continue to muddle through and hope that I am not missing something. 

Thanks in advance.

-That One IT guy

0 Kudos
2 Solutions

Accepted Solutions
OneITguy
Participant
‎2025-08-05 08:51 AM
Jump to solution

For anyone else trying to find specific content related to insight about Endpoint forensics, this YT search brought up a few relevant vids.

https://www.youtube.com/results?search_query=harmony+endpoint+forensics

View solution in original post

Don_Paterson
MVP Gold
MVP Gold
‎2025-08-05 09:04 AM
Jump to solution

Have a look at the links in this collection of links (multiple collections in some).

The ATRG is more architectural but may hold some valuable info. 

I am not sure if anything more comprehensive was ever created to fully cover the Forensics report.

Maybe they assumed it was enough but there's a gap that needs to be filled and we can look for help on that since you've identified the gap here. 

Let me know what you think. 

I can put something together in the meantime but it wouldn't be an official guide from Check Point as such. 

 

https://support.checkpoint.com/results/sk/sk164695

 

https://community.checkpoint.com/t5/Endpoint/Collection-of-Harmony-Endpoint-links-resources/td-p/226...

 

Jump to around 1/3 into this video to see info on forensics 

https://community.checkpoint.com/t5/Endpoint/Advanced-Investigation-amp-Remediation-Using-Harmony-En...

View solution in original post

11 Replies
Danny
MVP Platinum
MVP Platinum
‎2025-08-05 07:45 AM
Jump to solution

I recommend the Harmony Endpoint Specialist R81.20 (CCES) course.

0 Kudos
OneITguy
Participant
‎2025-08-05 08:25 AM
In response to Danny
Jump to solution

OK, thanks for replying.

I suppose I should have further qualified my inquiry by explicitly stating that I am NOT interested in paying an obscene amount of money for a 2 day course that may or may not cover what I would consider far more information than can reasonably be included in a 2 day course, and for information that should be covered in documentation right out of the gate. 

So, if you have any OTHER information that meets the parameters, I would love to hear about it.

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2025-08-05 08:31 AM
In response to OneITguy
Jump to solution

Then you might want to contact your Check Point representative and ask for an individual session based on your demand.

0 Kudos
OneITguy
Participant
‎2025-08-05 08:37 AM
In response to Danny
Jump to solution

Did. And was then advised to come here to seek insight from the community. So far, goose eggs.

0 Kudos
OneITguy
Participant
‎2025-08-05 08:51 AM
Jump to solution

For anyone else trying to find specific content related to insight about Endpoint forensics, this YT search brought up a few relevant vids.

https://www.youtube.com/results?search_query=harmony+endpoint+forensics

Don_Paterson
MVP Gold
MVP Gold
‎2025-08-05 09:04 AM
Jump to solution

Have a look at the links in this collection of links (multiple collections in some).

The ATRG is more architectural but may hold some valuable info. 

I am not sure if anything more comprehensive was ever created to fully cover the Forensics report.

Maybe they assumed it was enough but there's a gap that needs to be filled and we can look for help on that since you've identified the gap here. 

Let me know what you think. 

I can put something together in the meantime but it wouldn't be an official guide from Check Point as such. 

 

https://support.checkpoint.com/results/sk/sk164695

 

https://community.checkpoint.com/t5/Endpoint/Collection-of-Harmony-Endpoint-links-resources/td-p/226...

 

Jump to around 1/3 into this video to see info on forensics 

https://community.checkpoint.com/t5/Endpoint/Advanced-Investigation-amp-Remediation-Using-Harmony-En...

OneITguy
Participant
‎2025-08-05 09:05 AM
In response to Don_Paterson
Jump to solution

THIS is genuinely helpful. THANK YOU!

To be clear, I am not concered about "official". Anything that sheds more light is getting me further along than I was before.

Don_Paterson
MVP Gold
MVP Gold
‎2025-08-05 09:12 AM
In response to OneITguy
Jump to solution

ACK

Understood  

It's still good feedback for the vendor here. Part of the reason for CheckMates. 

I'll put the other info in here, when I can put it together, and try to have more good reference info available.

0 Kudos
OneITguy
Participant
‎2025-08-05 09:16 AM
In response to Don_Paterson
Jump to solution

Awesome. I appreciate your efforts and willingness to share your knowledge and experience. 

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-08-05 09:54 AM
In response to OneITguy
Jump to solution

You are welcome. Glad I can help.

Let me know if the attached is along the right lines of what you would have expected to find, if you have time.

It's a first draft, a skeleton of a document, something Check Point might be able to use as a new SK or to contribute to an Admin Guide, e.g.

https://sc1.checkpoint.com/documents/R81.20/SmartEndpoint_OLH/EN/Content/Topics-EPSG-R81.20/SandBlas... 

 

Otherwise I can just add to it and keep it in my library and in here for reference 🙂

 

Preview file
306 KB
0 Kudos
(1)
Don_Paterson
MVP Gold
MVP Gold
‎2025-08-06 12:38 AM
In response to Don_Paterson
Jump to solution

I don't think this is in any of the collections but might be useful for insights into logging, event analysis (reports) and forensics in general. 

https://support.checkpoint.com/results/sk/sk167102

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events