Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
the_rock
Legend
Legend
Jump to solution

Software tracking on harmony endpoint client

Hey guys,

I dont work much on harmony endpoint, so figured would post customer's question here to see if anyone knows. We opened TAC case, but still waiting for response. I looked myself everywhere on the portal options and through policy, but could not find anything that would cover the request.

Question:

****************************

Does Check Point have the ability to track the software installed on our endpoints?

We're looking at having a list of allowed software, and then to have alerting set up when an endpoint is in violation of the allowed software policy.

Can you also generate a daily/periodic report on newly installed software? I don't know if this is feasible and/or if a list like this would be extremely large, but we would like to see if something like that is possible, to see if either a user or a malicious actor is installing software on any of our endpoints.

******************************

Any insight is greatly appreciated!!

0 Kudos
1 Solution

Accepted Solutions
Swiftyyyy
Collaborator

I suppose a 6 month time investment into fiddling with the Compliance blade might do the trick, but it'd be much nicer to have things done in the same sort of way Harmony Mobile does.
Just a nice list of applications and their versions.

This is a feature one of our potential customers missed when doing a POC, so I'd love to see it.
In general I feel like Harmony Endpoint isn't getting as much love as it should and it somewhat falling behind in terms of visibility the admin gets.
Threat Hunting is great, don't get me wrong, but it's Cloud exclusive and not all that practical for the more "general" overview. As the name says; it's "Threat" hunting, not "Inventory" hunting.

That said, pratically all the information is already being captured, it just needs to be placed in a usable UI or heck.. even just an export button for a CSV file with options like "Processes which ran on this system".

You can definitely produce such a list by extracting the data directly from the SQLite database on the Endpoint itself, though that's not really scalable (and supposedly it's possible to pipe data into an ELK stack the same way you would to Threat Hunting, though documentation regarding that of course doesn't exist)

View solution in original post

5 Replies
skandshus
Collaborator

They do not unfortunately.. their Endpoint solution leaves a LOT to be desired  🙂

 

 

the_rock
Legend
Legend

I sort of figured, but lets wait for an official TAC answer : - )

0 Kudos
Chris_Atkinson
Employee
Employee

The questions are more probably something for your SE.

Have a look at the Appscan tool / Application Control for app whitelisting it should yield some more useful hits in terms of SK articles etc.

0 Kudos
Swiftyyyy
Collaborator

I suppose a 6 month time investment into fiddling with the Compliance blade might do the trick, but it'd be much nicer to have things done in the same sort of way Harmony Mobile does.
Just a nice list of applications and their versions.

This is a feature one of our potential customers missed when doing a POC, so I'd love to see it.
In general I feel like Harmony Endpoint isn't getting as much love as it should and it somewhat falling behind in terms of visibility the admin gets.
Threat Hunting is great, don't get me wrong, but it's Cloud exclusive and not all that practical for the more "general" overview. As the name says; it's "Threat" hunting, not "Inventory" hunting.

That said, pratically all the information is already being captured, it just needs to be placed in a usable UI or heck.. even just an export button for a CSV file with options like "Processes which ran on this system".

You can definitely produce such a list by extracting the data directly from the SQLite database on the Endpoint itself, though that's not really scalable (and supposedly it's possible to pipe data into an ELK stack the same way you would to Threat Hunting, though documentation regarding that of course doesn't exist)

the_rock
Legend
Legend

Thanks for your response, its very useful! I agree about threat hunting, but as you said, its not inventory hunting : ). 

0 Kudos