
How to Enable Forensic Data Collection in Harmony Endpoint

Enable and configure forensic data collection in Check Point Harmony Endpoint for detailed attack analysis, incident response, and threat investigation.

11 min read. Updated January 2025.


Check Point Harmony Endpoint's forensic capabilities provide detailed visibility into endpoint activity, enabling thorough investigation of security incidents. When a threat is detected, forensics automatically generates comprehensive reports showing the full attack chain. This guide covers enabling, configuring, and using forensic data collection.

Prerequisites

Before enabling forensics, ensure you have:

  • Infinity Portal access with Policy Administrator permissions
  • Harmony Endpoint license with forensic capabilities
  • Deployed endpoints running supported client versions (E84.10+)
  • Network connectivity for endpoints to upload forensic data

Understanding Harmony Endpoint Forensics

What Forensics Provides

Forensic data collection enables:

  • Attack chain visualization: See the complete sequence of malicious activity
  • Process tree analysis: Understand parent/child process relationships
  • File operation tracking: Know what files were created, modified, or deleted
  • Network connection logging: Identify C&C and data exfiltration
  • Registry change monitoring: Detect persistence mechanisms
  • User activity correlation: Link actions to user context

How Forensics Works

Continuous Collection → Local Storage → Event Trigger → Analysis → Report Generation
  1. Continuous Collection: Agent monitors endpoint activity in real-time
  2. Local Storage: Data stored locally with configurable retention
  3. Event Trigger: Detection by Anti-Malware, Anti-Ransomware, or manual trigger
  4. Analysis: Check Point engines analyze collected data
  5. Report Generation: Detailed forensic report created in Infinity Portal

Enabling Forensic Data Collection

Step 1: Access Policy Settings

  1. Log in to the Infinity Portal at https://portal.checkpoint.com
  2. Navigate to Harmony Endpoint > Policy
  3. Go to Threat Prevention > Policy Capabilities
  4. Select the policy rule to configure (or create a new rule)

Step 2: Enable Forensics Capability

  1. In the Capabilities & Exclusions pane, find Forensics
  2. Set the operation mode:
    • On: Full forensic collection enabled
    • Off: Forensic collection disabled
  3. Click Save

Step 3: Configure Forensic Settings

Click the settings icon next to Forensics to configure:

Data Collection Depth:

  • Full: Maximum data collection (recommended for security-critical endpoints)
  • Standard: Balanced collection for typical endpoints
  • Minimal: Reduced collection for performance-sensitive systems

Collection Scope:

  • Process execution and command lines
  • File system operations
  • Network connections
  • Registry modifications
  • Loaded modules (DLLs)
  • Injection attempts

Step 4: Enable Related Capabilities

For comprehensive forensics, also enable:

Anti-Ransomware:

  1. Find Anti-Ransomware in capabilities
  2. Set to Prevent mode
  3. Enable Behavioral Analysis
  4. Configure backup settings for file restoration

Behavioral Guard:

  1. Find Behavioral Guard in capabilities
  2. Set to Prevent mode
  3. Enable detection categories:
    • Injection techniques
    • Exploitation attempts
    • Credential theft
    • Lateral movement

Step 5: Install the Policy

  1. Click Save to preserve configuration
  2. Click Install Policy at the top of the page
  3. Confirm the installation
  4. Monitor deployment in policy installation log

Configuring Threat Hunting (EDR)

Threat Hunting complements forensics with proactive search capabilities.

Enable Threat Hunting

  1. In Policy Capabilities, click the Analysis & Remediation tab
  2. Set Enable Threat Hunting to On
  3. Configure retention period (default 7 days)
  4. Click Save & Install

Regional Requirements

Threat Hunting is supported in specific Infinity Portal regions:

  • Verify your tenant is in a supported region
  • Contact Check Point support if Threat Hunting is not available

Client Version Requirements

  • Minimum endpoint client version: E84.10
  • For full features: E86.00 or later
  • Check client versions in Asset Management > Computers

Understanding Forensic Reports

Automatic Report Generation

Forensic reports are automatically generated when:

  • Anti-Malware detects and blocks a threat
  • Anti-Ransomware detects ransomware behavior
  • Behavioral Guard detects suspicious activity
  • Anti-Bot identifies C&C communication
  • Threat Emulation detonates a malicious file

Report Components

Executive Summary:

  • Detection type and severity
  • Affected endpoint and user
  • Key findings overview
  • Recommended actions

Attack Timeline:

10:23:15 - User opens email attachment (invoice.doc)
10:23:17 - Word launches macro, spawns PowerShell
10:23:18 - PowerShell downloads payload from malicious.site
10:23:20 - Payload executes, creates persistence in registry
10:23:22 - Check Point detects and blocks C&C communication

Process Tree:

explorer.exe (user)
└── outlook.exe
    └── winword.exe
        └── powershell.exe [MALICIOUS]
            └── payload.exe [BLOCKED]

Network Activity:

Time      Process         Destination         Protocol  Data
10:23:18  powershell.exe  malicious.site:443  HTTPS     245 KB
10:23:22  payload.exe     c2.evil.com:443     HTTPS     BLOCKED

File Operations:

Time      Operation  Path                                          Status
10:23:19  Create     C:\Users\user\AppData\Local\Temp\payload.exe  Created
10:23:20  Create     C:\ProgramData\malware.dll                    BLOCKED

Registry Changes:

Time      Operation  Key                                                         Value
10:23:20  Create     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware  BLOCKED

Indicators of Compromise (IOCs):

  • File hashes (MD5, SHA1, SHA256)
  • Network destinations (IPs, domains)
  • Registry paths
  • File paths
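The process tree and registry rows above are what an analyst reads by hand; the same relationships can be checked automatically. The following is an added example (not Check Point code, and not the product's export format) that rebuilds each process's ancestry from constructed parent/child events shaped like the report's tree, flags an Office application spawning a script host and a Run-key creation, and tags each finding with the ATT&CK technique ID it corresponds to:

```python
# Constructed events mirroring the report's Process Tree and Registry Changes
# sections above; not Harmony Endpoint's real export format.
EVENTS = [  # (pid, ppid, image); ppid 0 marks a root process
    (100, 0, "explorer.exe"), (200, 100, "outlook.exe"),
    (300, 200, "winword.exe"), (400, 300, "powershell.exe"),
    (500, 400, "payload.exe"),
]
REGISTRY = [  # (pid, operation, key)
    (500, "Create", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts commonly spawned by Office macros, with their ATT&CK technique IDs.
SHELL_TECH = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
              "wscript.exe": "T1059.005", "cscript.exe": "T1059.005"}
RUN_KEY = "\\currentversion\\run\\"  # T1547.001, Registry Run Keys


def ancestry(events, pid):
    """Image names from the root process down to pid (the report's tree path)."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][1])
        pid = by_pid[pid][0]
    return chain[::-1]


def findings(events, registry):
    """Flag Office-to-script-host spawns and Run-key persistence as
    (technique_id, description, process_chain) tuples."""
    out = []
    for pid, _, img in events:
        chain = ancestry(events, pid)
        parent = chain[-2].lower() if len(chain) > 1 else ""
        if parent in OFFICE and img.lower() in SHELL_TECH:
            out.append((SHELL_TECH[img.lower()], f"{parent} spawned {img}",
                        " > ".join(chain)))
    for pid, op, key in registry:
        chain = ancestry(events, pid)
        if op == "Create" and RUN_KEY in key.lower():
            out.append(("T1547.001", f"{chain[-1]} created {key}",
                        " > ".join(chain)))
    return out
```

Run against the constructed events it returns two findings, the winword.exe to powershell.exe spawn and the Run-key creation by payload.exe, each with the full chain back to explorer.exe.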

Accessing Forensic Reports

  1. Go to Logs & Events
  2. Filter for events with forensic data:
    • Set filter: Has Forensic Report = Yes
  3. Click an event to view details
  4. Click View Forensic Report
  5. Report opens in a new tab

On-Demand Forensic Collection

Manually trigger forensic analysis when needed.

Trigger from Asset Management

  1. Go to Asset Management > Computers
  2. Select the endpoint to investigate
  3. Click Actions > Trigger Forensic Analysis
  4. Collection begins immediately
  5. Report available within minutes

Trigger from Threat Hunting

  1. Run a Threat Hunting query
  2. Identify suspicious activity
  3. Click on the affected endpoint
  4. Select Trigger Forensic Analysis
  5. Review generated report

Trigger for Specific IOC

Collect forensics when a specific indicator is accessed:

  1. In Threat Hunting, create a collection rule
  2. Specify trigger criteria:
    • File path or hash
    • Network destination
    • Process name
  3. When matching activity occurs, forensics is collected

Optimizing Forensic Collection

Server Endpoints

For servers, balance forensic depth with performance:

  1. Enable Server Optimization in policy
  2. Consider Standard collection depth
  3. Exclude high-volume server processes
  4. Schedule intensive analysis during maintenance windows

VDI Environments

For virtual desktop infrastructure:

  1. Use persistent disk storage for forensic cache
  2. Configure appropriate collection depth
  3. Consider parent image exclusions
  4. Test performance impact before broad deployment

Low-Bandwidth Environments

For remote or low-bandwidth sites:

  1. Use Minimal collection depth
  2. Configure upload scheduling during off-peak hours
  3. Monitor bandwidth usage
  4. Consider local report generation where possible

Integrating Forensic Data

Export to SIEM

Send forensic events to your SIEM:

  1. Go to Settings > Integrations
  2. Configure syslog export:
    • Server address and port
    • Protocol (TCP, UDP, TLS)
    • Format (CEF, LEEF, Syslog)
  3. Map forensic fields to SIEM schema
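Mapping forensic fields to a SIEM schema starts with parsing the export format correctly. The following is an added example (not Check Point code) of a receiver-side CEF parser: it splits the seven pipe-delimited header fields while honouring escaped pipes, then parses the key=value extension, resolving the escaped backslashes and equals signs that Windows paths and messages carry. The sample syslog line, its signature ID and its extension keys are constructed for illustration and are not the product's documented field names.

```python
import re

# Constructed syslog/CEF line in the shape a forensic event might take; the
# vendor fields and extension keys are assumptions, not the product's schema.
SAMPLE = (
    r"<134>Jan 14 10:23:22 ep01 CEF:0|Check Point|Harmony Endpoint|1.0|"
    r"ForensicReport|C2 blocked \| forensic report|9|"
    r"act=Blocked sproc=powershell.exe dhost=c2.evil.com dpt=443 "
    r"fname=C:\\Users\\user\\AppData\\Local\\Temp\\payload.exe "
    r"msg=report\=yes"
)
HEADER = ["version", "vendor", "product", "device_version",
          "signature_id", "name", "severity"]
# key=value pairs; a value runs lazily until the next " key=" or end of line,
# and an escaped character (backslash + anything) never ends it.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")


def unescape(value):
    r"""Resolve CEF escapes: \\ -> \, \= -> =, \| -> |, \n and \r -> newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def split_header(body):
    r"""Split the seven '|'-delimited header fields, honouring '\|' escapes.
    Returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape for unescape()
            cur.extend(body[i:i + 2]); i += 2
        elif ch == "|":
            fields.append(unescape("".join(cur))); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, body[i:]


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a flat dict."""
    body = line[line.index("CEF:") + len("CEF:"):]
    fields, ext = split_header(body)
    if len(fields) != len(HEADER):
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER, fields))
    record.update({k: unescape(v) for k, v in EXT_RE.findall(ext)})
    return record
```

The returned dict is what you then map onto the SIEM's own field names (for example sproc to a process-name field and dhost/dpt to destination fields).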

API Access

Access forensic data programmatically:

  1. Generate API key in Infinity Portal
  2. Use Check Point Management API
  3. Query forensic reports and events
  4. Integrate with SOAR platforms

MITRE ATT&CK Mapping

Forensic data is automatically mapped to MITRE ATT&CK:

  1. Access Threat Hunting > MITRE ATT&CK
  2. View techniques observed in forensic data
  3. Click techniques for detailed event information
  4. Use for threat intelligence and reporting

Troubleshooting Forensic Collection

No Forensic Data Available

Symptoms: Alerts appear but no forensic report.

Solutions:

  1. Verify Forensics is enabled in policy
  2. Check endpoint client version (E84.10+)
  3. Ensure endpoint has disk space for local storage
  4. Verify network connectivity to Infinity Portal
  5. Check if endpoint was online during incident

Incomplete Forensic Reports

Symptoms: Reports missing expected data.

Solutions:

  1. Verify collection depth settings
  2. Check if needed capabilities are enabled
  3. Ensure endpoint was online during entire attack
  4. Review exclusions that might hide activity
  5. Increase local storage retention if needed

Forensic Upload Failures

Symptoms: Local collection works but reports don't appear.

Solutions:

  1. Check network connectivity to Check Point cloud
  2. Verify firewall allows HTTPS to *.checkpoint.com
  3. Review proxy settings on endpoint
  4. Check Infinity Portal service status
  5. Contact Check Point support with agent logs

Performance Impact

Symptoms: Endpoints slow after enabling forensics.

Solutions:

  1. Reduce collection depth to Standard or Minimal
  2. Add exclusions for high-I/O applications
  3. Increase local storage allocation
  4. Review and optimize endpoint hardware
  5. Consider enabling only for high-risk endpoints

Best Practices Summary

  • Collection depth: Full for critical systems, Standard for typical endpoints
  • Policy targeting: Enable forensics for all managed endpoints
  • Related capabilities: Enable Anti-Ransomware and Behavioral Guard
  • Retention: Balance storage with investigation needs
  • Integration: Export to SIEM for correlation
  • Testing: Validate reports with controlled tests
  • Documentation: Save important reports externally

Next Steps

After enabling forensics:

  1. Test forensic collection with controlled malware sample
  2. Train security team on report interpretation
  3. Integrate with SIEM for centralized logging
  4. Create response procedures based on forensic findings
  5. Review reports regularly for threat trends


Frequently Asked Questions


Forensics collects process execution details, file operations (create, modify, delete), registry changes, network connections, DNS queries, loaded DLLs, code injection attempts, and user activity. Data is collected continuously in the background and analyzed when threats are detected or manually triggered.
