Views:

Collect evidence to support threat investigation and incident response.

This task is supported by the following services:
  • Trend Vision One
    • Windows agent
After creating a workspace and adding endpoints to the workspace in the Forensics app, you can collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.
Important
Important
  • Evidence collection requires that you enable XDR endpoint sensor on target endpoints.
  • Evidence archives use the same folder structures as the SANS Institutes and CyLR tool.

Procedure

  1. In the Trend Vision One console, go to XDR Threat InvestigationForensics.
  2. Click the name of the workspace that has the endpoints you want to triage.
    Note
    Note
    This task automatically adds all collected evidence to the workspace.
  3. Collect evidence from the desired endpoints.
    1. Select one or more endpoints.
    2. Click Collect Evidence.
    3. Specify the evidence types you want to collect.
    4. Specify a Description for the response or event.
    5. Click Create.
      Trend Vision One creates the task and displays the current task status in Response Management.
  4. Monitor the task status.
    1. Open Response Management.
    2. (Optional) Locate the task using the Search field or by selecting Collect Evidence from the Action dropdown list.
    3. View the task status.
      • In progress (in_progress=GUID-A55897DB-3DEA-4F5C-B7F9-70B3D7FB9EDE=1=en-us=Low.jpg): Trend Vision One sent the command and is waiting for a response.
      • Queued (queued=GUID-65C0DF81-E50D-4D51-9602-2E9B7A0E5F14=1=en-us=Low.jpg): The managing server queued the command because the agent was offline.
      • Successful (successful=GUID-1E31AD86-DE2E-48B5-85F7-7C78A3E8BB11=1=en-us=Low.jpg): The command was successfully executed.
      • Unsuccessful (error=5cc21722-7ceb-480c-b9c2-a47d420cf1cc.jpg): An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.