Views:

Use workspaces to organize evidence, construct investigation timelines, and triage endpoints in your environment.

Important
Important
  • Workspaces automatically close 30 days after creation. Once closed, workspaces become read-only and evidence packages are removed. You can still access investigation packages and query results, but evidence reports are no longer available.
  • Workspaces are permanently deleted 180 days after creation.
The following actions are available in workspaces:
Action
Description
View threat analysis report
Turn on the toggle to view vulnerabilities, attacks, and recommended remediation actions for each endpoint in the workspace.
Investigate an endpoint
Click the endpoint name to display the evidence report in another tab.
Add packages
Click Add Evidence to add evidence packages from the Evidence Archive tab.
Collect evidence
Select one or more endpoints and click Collect Evidence to collect evidence from endpoints in the workspace.
Triage endpoints
Identify, prioritize, and manage attacked endpoints based on the severity and impact.
View related tasks
Click Related Tasks to view the task list in a new tab.
View investigation timeline
Click Timeline (clock_icon=4b003b65-3058-4609-b2e5-a7e5b7b57973.png) to open the investigation timeline.
Isolate or remove endpoints
Select one or more endpoints then click Isolate Endpoint or Remove Endpoint.
Update impacted endpoints
In Case Viewer, click Update Forensics Workspace to update the workspace with impacted endpoints.
Note
Note
You must manually remove endpoints from the workspace. If a case no longer includes an endpoint, Trend Vision One does not automatically remove the endpoint.