Views:

Leverage workspaces to streamline your incident investigation process.

Workspaces let you to organize evidence, construct investigation timelines, and triage endpoints in your environment.
Important
Important
Workspaces automatically close 30 days after creation. Once closed:
  • Workspaces become read-only.
  • Evidence packages are removed from workspaces. You can still access investigation packages and query results.
  • Evidence reports are no longer available.
Workspaces are permanently deleted 180 days after creation.
The following table outlines the actions available in workspaces.
Action
Description
Display workspace information
The tooltip message for Information icon includes the following information:
  • If the workspace is part of a case in Case Management:
    • Case: The case linked to the workspace.
    • Last sync with case: The last time the workspace got information from the case.
  • Closing date: Forensics automatically closes a workspace 30 days after creation.
  • Deletion date: Forensics automatically deletes a workspace 180 days after creation.
Add endpoints
Add endpoints from Endpoint Inventory by clicking Add Endpoints. You can filter endpoints by Risk Score to view endpoints in a specific range.
Important
Important
Forensics does not currently support macOS endpoints.
Filter endpoints
Use the search field and dropdown menus to locate specific endpoints in the workspace.
Investigate an endpoint
For each endpoint, you can:
  • Click the endpoint name to display the evidence report in another tab.
  • Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select Remove Endpoint from a Workspace when the endpoint is no longer relevant to this workspace.
  • Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select View Endpoint in Search to open the Search app in a new tab.
  • Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select View Endpoint in Observed Attack Techniques to open Observed Attach Techniques in a new tab.
Add packages
Click Add Evidence to add evidence packages from the Evidence Archive tab.
Allow some time for Trend Vision One to process packages and add them to the workspace. Forensics generates evidence reports for each added package.
Collect evidence
Collect evidence from the endpoints added to the workspace:
  1. Select one or more endpoints from the list.
  2. Click Collect Evidence.
  3. Select the operating system.
    Forensics adds the evidence to the workspace.
View, delete, and download evidence packages
Click the expand arrow (simulationsRightArrow=20220525102311.png) to the left of an endpoint to view related evidence packages. For each package, you can:
  • Click the package ID to display the evidence report in another tab.
  • Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select Delete Evidence from a Workspace to remove the package.
  • Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select Download Package to make a local copy of the evidence package.
Search evidence in the workspace
Click Evidence Search (searchPackage_icon=bc64049a-6ccc-46c1-bc44-92c79081dd42.png) to search for evidence across all packages added to the workspace.
View detailed risk profile
Click Details to view the detailed profile for the asset risk.
In the Detailed Profile, you can do the following actions:
  • Click Display asset risk assessment in Attack Surface Discovery to display the assessment in Attack Surface Discovery in a new tab.
    For information about risk scores, read More than a Number: Your Risk Score Explained.
  • Click Customize criticality in Attack Surface Discovery to change the criticality in Attack Surface Discovery in a new tab.
Update impacted endpoints
In Case Viewer, click Update Forensics Workspace to update the workspace with impacted endpoints.
If the case no longer includes an endpoint, Trend Vision One does not automatically remove the endpoint. You can manually remove any unimpacted endpoints from the workspace.
Triage endpoints
Identify, prioritize, and manage attacked endpoints based on the severity and impact. Learn more
Isolate an endpoint
Select one or more endpoints then click Isolate Endpoint to prevent potentially malicious activities from spreading to other endpoints.
Remove unimpacted endpoints
Select one or more endpoints then click Remove Endpoint when the endpoint is no longer relevant to this workspace.
View workspace-related tasks
Click Related Tasks to view the corresponding Task List in a new tab.
Manage the investigation timeline
Click Timeline (clock_icon=4b003b65-3058-4609-b2e5-a7e5b7b57973.png) to open the investigation timeline.
Refresh the workspace
Click Refresh icon to update and redisplay the data for this workspace.