Check Point Harmony Endpoint provides comprehensive alert investigation capabilities including automated forensics, threat hunting, and MITRE ATT&CK mapping. This guide walks you through investigating security alerts to identify threats, understand attack scope, and take appropriate remediation actions.
Prerequisites
Before investigating alerts, ensure you have:
- Infinity Portal access with Security Analyst or Administrator permissions
- Harmony Endpoint with Threat Hunting enabled
- Connected endpoints generating security events
- Understanding of your organization's baseline activity
Understanding the Alert Workflow
The typical investigation workflow follows these stages:
Alert Generated → Triage → Investigation → Scope Assessment → Remediation → Documentation
| Stage | Goal | Tools |
|---|---|---|
| Alert Generated | Detection triggers notification | Policy rules, ThreatCloud |
| Triage | Prioritize and categorize | Alert dashboard, severity |
| Investigation | Understand what happened | Forensics, Threat Hunting |
| Scope Assessment | Find all affected systems | Cross-endpoint search |
| Remediation | Contain and eliminate threat | Quarantine, isolate, terminate |
| Documentation | Record findings | Reports, tickets |
Accessing Alerts and Events
Navigate to the Alerts Dashboard
- Log in to the Infinity Portal at https://portal.checkpoint.com
- Navigate to Harmony Endpoint from the left menu
- Click Logs & Events for the main event view
- Or click Dashboards > Security Overview for summary metrics
Understanding Alert Severity
Alerts are categorized by severity:
| Severity | Color | Meaning | Response Time |
|---|---|---|---|
| Critical | Red | Active threat, immediate action needed | Immediate |
| High | Orange | Likely malicious, investigate quickly | Within 1 hour |
| Medium | Yellow | Suspicious activity, needs review | Within 4 hours |
| Low | Blue | Informational, policy violation | Within 24 hours |
Initial Alert Triage
Step 1: Review Alert Details
When an alert appears:
- Click the alert to open details
- Review key information:
  - Detection type: What triggered the alert
  - Affected endpoint: Computer name and IP
  - User: Logged-in user at time of detection
  - File/Process: What was detected
  - Action taken: Blocked, quarantined, or detected only
Step 2: Assess Initial Risk
Determine if immediate action is needed:
Indicators requiring immediate action:
- Ransomware detection
- Active command and control (C&C) communication
- Credential theft attempts
- Lateral movement indicators
- Data exfiltration attempts
Indicators for standard investigation:
- Potentially unwanted programs (PUPs)
- Policy violations
- Suspicious but unconfirmed activity
- User-initiated risky behavior
Step 3: Check for Related Alerts
- Look for other alerts from the same endpoint
- Search for alerts with similar indicators
- Check if the same detection occurred on multiple endpoints
Deep Investigation with Forensics
Access Forensic Reports
For alerts with forensic data:
- Click the alert to open details
- Click View Forensic Report if available
- The report opens showing the full attack analysis
Understanding the Forensic Report
The forensic report contains:
Attack Timeline:
- Chronological sequence of events
- Initial infection vector
- Subsequent malicious activities
- Network connections made
- Files created or modified
Process Tree:
- Parent/child process relationships
- Shows how malware executed
- Identifies injection or hijacking
Network Activity:
- Connections to external IPs
- DNS queries made
- Data transfer volumes
- Protocol analysis
File Operations:
- Files created, modified, or deleted
- Registry changes
- Persistence mechanisms
Interpreting Forensic Data
Look for these indicators:
| Indicator | Meaning | Investigation Action |
|---|---|---|
| Unknown parent process | Possible injection | Review parent process legitimacy |
| Connection to rare IP | Potential C&C | Check IP reputation, block if malicious |
| Registry run key modification | Persistence attempt | Remove persistence, scan for additional changes |
| Encoded PowerShell | Obfuscation | Decode and analyze commands |
| Multiple network connections | Data staging | Check data loss, block connections |
Threat Hunting for Advanced Investigation
Threat Hunting provides proactive search capabilities across all endpoints.
Enable Threat Hunting
If not already enabled:
- Go to Policy > Threat Prevention > Policy Capabilities
- Click the Analysis & Remediation tab
- Set Enable Threat Hunting to On
- Click Save & Install
Note: Threat Hunting requires Endpoint Security Client version E84.10 or higher.
Access Threat Hunting
- Go to Threat Hunting from the Harmony Endpoint menu
- The interface shows the search query builder and MITRE dashboard
Basic Threat Hunting Queries
Search for a specific file hash:

```
file.sha1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
```

Search for process execution:

```
process.name = "powershell.exe" AND process.commandline CONTAINS "-enc"
```

Search for network connections:

```
connection.remote_ip = "192.168.1.100" OR connection.remote_port = 4444
```

Search for file creation:

```
file.path CONTAINS "\\Temp\\" AND file.extension = "exe"
```
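The triage and scope steps described above (severity response times, grouping related alerts from the same endpoint or with the same hash into one incident, and decoding the encoded-PowerShell indicator that the `-enc` query hunts for), pulled together in an added Python example. This is not Check Point code: the alert records and their field names are constructed for illustration and are not Harmony Endpoint's export format.

```python
import base64, re
from collections import defaultdict
from datetime import datetime, timedelta

# Response-time targets from the severity table in this guide (hours; 0 = immediate).
SLA_HOURS = {"Critical": 0, "High": 1, "Medium": 4, "Low": 24}

# Constructed sample alerts (not a real export); field names mirror the Threat Hunting query fields.
ALERTS = [
    {"id": "a1", "severity": "High", "endpoint": "WS-042", "time": "2024-05-01T10:00:00",
     "process.commandline": "powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA",
     "file.sha1": None},
    {"id": "a2", "severity": "Critical", "endpoint": "WS-042", "time": "2024-05-01T10:02:00",
     "process.commandline": "unknown.exe", "file.sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"id": "a3", "severity": "Medium", "endpoint": "SRV-07", "time": "2024-05-01T11:00:00",
     "process.commandline": "unknown.exe", "file.sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"id": "a4", "severity": "Low", "endpoint": "WS-099", "time": "2024-05-01T12:00:00",
     "process.commandline": "setup.exe /s", "file.sha1": "ff" * 20},
]

def response_deadline(alert):
    """Triage: the latest time the alert should be acted on, per the severity SLA."""
    return datetime.fromisoformat(alert["time"]) + timedelta(hours=SLA_HOURS[alert["severity"]])

def decode_encoded_powershell(cmdline):
    """Return the plaintext of a '-enc <base64>' argument, or None if there is none."""
    # PowerShell base64-encodes the script as UTF-16LE. It also accepts shorter
    # switch forms (-e, -ec); this regex deliberately covers only -enc/-encodedcommand.
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def group_into_incidents(alerts):
    """Scope check: alerts sharing an endpoint or a file hash are one incident (union-find)."""
    parent = {a["id"]: a["id"] for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    by_key = defaultdict(list)          # (dimension, value) -> alert ids sharing it
    for a in alerts:
        by_key[("endpoint", a["endpoint"])].append(a["id"])
        if a["file.sha1"]:
            by_key[("sha1", a["file.sha1"])].append(a["id"])
    for ids in by_key.values():         # merge every alert that shares a key
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    incidents = defaultdict(list)
    for a in alerts:
        incidents[find(a["id"])].append(a["id"])
    return sorted(sorted(ids) for ids in incidents.values())
```

With the sample data, the High alert on WS-042 and the Medium alert on SRV-07 collapse into one incident through the shared hash, which is the cross-endpoint scope check the guide asks for before closing an alert.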
Using Predefined Queries
- Click Predefined Queries in Threat Hunting
- Browse categories:
  - Initial Access
  - Execution
  - Persistence
  - Privilege Escalation
  - Defense Evasion
  - Credential Access
  - Discovery
  - Lateral Movement
  - Collection
  - Exfiltration
  - Command and Control
- Select a query to run
- Review results across all endpoints
MITRE ATT&CK Dashboard
The MITRE dashboard maps all observed activity to the ATT&CK framework:
- Click MITRE ATT&CK in Threat Hunting
- View the matrix showing observed techniques
- Colored cells indicate detected activity:
  - Red: Malicious confirmed
  - Orange: Suspicious
  - Yellow: Anomalous
- Click a technique for details and related queries
- Drill down to specific events
Investigating Specific Threat Types
Malware Investigation
- Identify the malware family from the detection name
- Find the initial infection vector:
  - Email attachment
  - Web download
  - USB drive
  - Network share
- Map the attack chain:
  - Initial execution
  - Persistence mechanisms
  - Payload delivery
  - Lateral movement attempts
- Check for additional infections:
  - Search for the file hash across endpoints
  - Look for similar behavior patterns
Ransomware Investigation
- Immediate containment:
  - Isolate the affected endpoint
  - Block network communication
- Assess encryption scope:
  - Review file operations in forensics
  - Check for encrypted file extensions
  - Identify targeted directories
- Check anti-ransomware protection:
  - Verify backup snapshots exist
  - Plan restoration if needed
- Identify strain and attack vector:
  - Note ransom message details
  - Research the specific ransomware family
  - Report to law enforcement if required
Credential Theft Investigation
- Identify the theft method:
  - Memory scraping (Mimikatz-style)
  - Keylogging
  - Browser credential access
  - Network credential sniffing
- Determine affected accounts:
  - Review process access to credential stores
  - Check LSASS process access
  - Identify impacted users
- Remediation:
  - Force password resets
  - Revoke sessions
  - Enable MFA if not already active
Lateral Movement Investigation
- Map affected systems:
  - Review network connections
  - Check authentication events
  - Identify accessed resources
- Identify the movement technique:
  - PsExec or similar tools
  - WMI execution
  - Remote services
  - Pass-the-hash/ticket
- Contain spread:
  - Isolate compromised endpoints
  - Block identified C&C
  - Reset compromised credentials
Taking Remediation Actions
Isolate Endpoint
Disconnect a compromised endpoint from the network:
- In the alert or Asset Management, select the endpoint
- Click Actions > Isolate
- The endpoint can then communicate only with the Check Point cloud
- Investigate and remediate while isolated
- Click Un-isolate when safe to reconnect
Terminate Process
Stop a malicious process:
- Open the Threat Hunting results or the alert details
- Select the malicious process
- Click Actions > Terminate Process
- Confirm the action
- The process is terminated on the endpoint
Quarantine File
Move a malicious file to quarantine:
- Open the alert details or Threat Hunting
- Select the file (by path or hash)
- Click Actions > Quarantine File
- The file is moved to secure quarantine
- Access quarantined files under Asset Management > Quarantine
Trigger Forensic Analysis
Collect detailed forensic data on demand:
- Select the endpoint or specific event
- Click Actions > Trigger Forensic Analysis
- Wait for data collection (may take several minutes)
- Review generated forensic report
Block IOC Across Environment
Prevent an indicator from executing on any endpoint:
- In the alert details, identify the IOC (hash, domain, IP)
- Click Actions > Block IOC
- Select the IOC type and value
- The block applies to all connected endpoints
- Monitor for additional detections
Creating Investigation Reports
Export Alert Data
- In Logs & Events, filter to relevant alerts
- Click Export
- Select format (CSV, PDF, or JSON)
- Include forensic data if available
- Save for documentation
Generate Incident Report
For formal incident documentation:
- Go to Reports > Create Report
- Select the Incident Report template
- Include:
  - Executive summary
  - Timeline of events
  - Affected systems
  - IOCs discovered
  - Remediation actions taken
  - Recommendations
- Export in the desired format
Best Practices for Alert Investigation
Investigation Efficiency
| Practice | Benefit |
|---|---|
| Triage by severity first | Focus on critical threats |
| Check for scope early | Find all affected systems quickly |
| Document as you go | Avoid missing details |
| Use predefined queries | Leverage Check Point expertise |
| Correlate across time | Find related historical activity |
Common Investigation Mistakes
| Mistake | Better Approach |
|---|---|
| Investigating alerts one at a time | Group related alerts as incidents |
| Focusing only on detected malware | Look for persistence and lateral movement |
| Closing alerts without scope check | Always search for IOCs across environment |
| Trusting file names | Verify with hashes and certificates |
| Skipping timeline review | Always understand full attack chain |
Integrating with External Tools
SIEM Integration
Export alerts to your SIEM for correlation:
- Go to Settings > Integrations
- Configure syslog or API export
- Map Check Point fields to SIEM schema
- Create correlation rules in SIEM
SOAR Integration
Automate investigation and response:
- Configure API access for your SOAR platform
- Create playbooks for common alert types
- Automate enrichment (VirusTotal, WHOIS, etc.)
- Orchestrate response actions
Troubleshooting Investigation Issues
No Forensic Data Available
Solutions:
- Verify Forensics is enabled in policy
- Check endpoint client version supports forensics
- Ensure endpoint was online during incident
- Trigger manual forensic collection
Threat Hunting Returns No Results
Solutions:
- Verify Threat Hunting is enabled
- Check query syntax
- Expand time range
- Verify endpoints are reporting data
- Check region compatibility
Slow Query Performance
Solutions:
- Narrow time range
- Add more specific filters
- Use indexed fields when possible
- Run complex queries during off-peak hours
Next Steps
After investigating alerts:
- Update policies based on findings
- Add exclusions for legitimate false positives
- Share IOCs with threat intelligence platforms
- Conduct lessons learned for major incidents
- Train team members on new threat patterns
Additional Resources
- Harmony Endpoint Threat Hunting Guide
- Analysis & Remediation Documentation
- MITRE ATT&CK Framework
- Check Point Research Threat Intelligence
- Check Point CheckMates Community
Need help investigating security incidents? Inventive HQ offers incident response services backed by Check Point certified engineers. Contact us for rapid response assistance.