Leverage workspaces to streamline your incident investigation process.
Workspaces let you organize evidence, construct investigation timelines, and triage
endpoints in your environment.

Important: Workspaces automatically close 30 days after creation. Once closed:

Workspaces are permanently deleted 180 days after creation.

The following table outlines the actions available in workspaces.

| Action | Description |
| --- | --- |
| Display workspace information | The tooltip message for ![]() |
| Add endpoints | Add endpoints from Endpoint Inventory by clicking Add Endpoints. You can filter endpoints by Risk Score to view endpoints in a specific range. |
| Filter endpoints | Use the search field and dropdown menus to locate specific endpoints in the workspace. |
| Investigate an endpoint | For each endpoint, you can: |
| Add packages | Click Add Evidence to add evidence packages from the Evidence Archive tab. Allow some time for Trend Vision One to process packages and add them to the workspace. Forensics generates evidence reports for each added package. |
| Collect evidence | Collect evidence from the endpoints added to the workspace: |
| View, delete, and download evidence packages | Click the expand arrow ( ![]() |
| Search evidence in the workspace | Click Evidence Search ( ![]() |
| View detailed risk profile | Click ![]() In the Detailed Profile, you can do the following actions: |
| Update impacted endpoints | In Case Viewer, click Update Forensics Workspace to update the workspace with impacted endpoints. If the case no longer includes an endpoint, Trend Vision One does not automatically remove the endpoint. You can manually remove any unimpacted endpoints from the workspace. |
| Triage endpoints | Identify, prioritize, and manage attacked endpoints based on the severity and impact. |
| Isolate an endpoint | Select one or more endpoints then click Isolate Endpoint to prevent potentially malicious activities from spreading to other endpoints. |
| Remove unimpacted endpoints | Select one or more endpoints then click Remove Endpoint when the endpoint is no longer relevant to this workspace. |
| View workspace-related tasks | Click Related Tasks to view the corresponding Task List in a new tab. |
| Manage the investigation timeline | Click Timeline ( ![]() |
| Refresh the workspace | Click ![]() |