Collect evidence to support threat investigation and incident response by creating evidence collection playbooks.

Collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.
Important
  • Evidence collection requires that you enable XDR endpoint sensors on target endpoints.
  • Evidence archives use the same folder structure as the SANS Institute's and the CyLR collection tool's output.

Procedure

  1. Go to Workflow and Automation → Security Playbooks.
  2. On the Playbooks tab, choose Add → Create from template.
  3. Select Incident Response Evidence Collection and click Create Playbook from Template.
  4. Configure the playbook settings and click Apply.
    Note
    You must specify a unique name for the playbook.
  5. To customize the name of the trigger node, click the edit icon.
  6. Identify target endpoints for evidence collection by endpoint names or IP addresses.
    • To collect evidence from endpoints by Endpoint name, specify the endpoint names in the Endpoint name text box.
    • To collect evidence from endpoints by IP address, specify the IP address or IP range in the IP address text box.
      You can specify at most 10 IP ranges. Examples of valid IP ranges:
      • 10.1.0.*
      • 192.168.1.0/24
      • 192.168.1.10–192.168.1.20
      In CIDR notation, the prefix length must be between 16 and 32. In the Start IP–End IP format, the first two octets (the network portion) must be identical for the start and end addresses.
  7. Configure the manual approval settings in the first action node (default name: Notify recipients for manual approval).
    1. (Optional) Specify a custom Name for the node.
    2. Select whether to send a notification to request manual approval to create response actions.
      Important
      Actions pending manual approval for over 24 hours expire and cannot be performed.
    3. If you require manual approval, configure the following settings.
      • Notification method
        • Email: Sends an email notification to specified recipients
        • Webhook: Sends a notification to specified webhook channels
      • Subject prefix: The prefix that appears at the start of the notification subject line
      • Recipients: The email addresses of recipients. This field only appears if you select Email for Notification method.
      • Webhook: The webhook channels to receive notifications. This field only appears if you select Webhook for Notification method.
      Tip
      To add a webhook connection, click Create channel in the drop-down list.
  8. Configure evidence collection in the next action node (default name: Collect evidence).
    • Name: The node name
    • Evidence types: The types of evidence to collect from the target endpoints
      Note
      Basic information is required.
    • Archive location on endpoint: Location of the archive on the local endpoint
      Important
      • The local archive is not encrypted and remains on the endpoint until you delete it. Anyone with access to the file system can read the collected data, and the presence of the archive can reveal that an investigation is under way.
      • Evidence archives take up hard drive space and may impact endpoint performance.
    • Upload evidence to Trend Vision One: Uploads evidence to the Forensics app in the Trend Vision One console
      Important
      The playbook requires credits to upload the collected evidence to the Forensics app in the Trend Vision One console. Configure the data allowance in Forensics before you set up the playbook to upload evidence.
      If the data allowance is not configured, playbooks created before October 13, 2023 with Upload evidence to Trend Vision One turned on cannot collect evidence, store it locally, or upload it to the Forensics app.
      Tip
      Find uploaded evidence on the Execution Results page in the Security Playbooks app.
  9. Specify how to notify recipients of the playbook results by configuring the second path selection node.
    Note
    You can select only one path for notification of results.
  10. For email and webhook notifications, configure the action node (default name: Send notification of results).
    • Name: The node name
    • Notification method
      • Email: Sends an email notification to specified recipients
      • Webhook: Sends a notification to specified webhook channels
    • Subject prefix: The prefix that appears at the start of the notification subject line
    • Recipients: The email addresses of recipients. This field only appears if you select Email for Notification method.
    • Webhook: The webhook channels to receive notifications. This field only appears if you select Webhook for Notification method.
    Tip
    If you need to add a webhook connection, click Create channel in the drop-down list.
  11. For ServiceNow ticket notifications, configure the two action nodes.
    1. Follow Step 7 to configure the first action node (default name: Notify recipients for manual approval).
    2. Configure the next action node (default name: Send ticket notification of results).
      • Name: The node name
      • Notification method: This action node can only send Ticket notifications
      • Ticket profile: The ServiceNow ticket profile to use
        Tip
        If you need to add a ticket profile, click Create ticket profile in the drop-down list.
      • Ticket profile settings: The ticket profile settings for the playbook. Selecting a ticket profile automatically loads its settings; changing them overrides the ticket profile for this playbook only.
        • Assignment group: The ServiceNow assignment group you want to assign the ticket to
        • Assigned to: The ServiceNow user you want to assign the ticket to
        • Short description: A short description of the ticket which displays in ServiceNow
  12. Enable the playbook by toggling the Enable control on.
  13. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.
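The IP range syntax accepted in Step 6 is easy to get wrong when target lists are pasted from a ticket, and a mistake is only reported after the playbook is submitted. The following Python script, added here as an example and not part of Trend Vision One or its documentation, checks a list of entries offline against the rules stated in Step 6 (wildcard last octet, CIDR with prefix length 16 to 32, Start IP–End IP with matching first two octets, at most 10 entries) and reports how many addresses the accepted entries cover, which is worth knowing before pointing evidence collection at a /16. The function names, messages and the sample entries are the example's own; rejecting a CIDR entry whose host bits are set is an assumption, since the page does not say how the console handles them.

```python
import ipaddress
import re

# Limits documented for the IP address text box in Step 6.
MAX_RANGES = 10
MIN_PREFIX, MAX_PREFIX = 16, 32

# 10.1.0.*  (only the last octet may be a wildcard; that is the documented form)
_WILDCARD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\*$")
# 192.168.1.10-192.168.1.20 with a hyphen or an en dash between the addresses
_SPAN = re.compile(r"^([0-9.]+)\s*[-–]\s*([0-9.]+)$")


def parse_target_range(spec):
    """Parse one entry in the syntax the playbook documents.

    Returns (first_address, last_address) as IPv4Address objects, or raises
    ValueError with a human-readable reason for anything the playbook would
    not accept (malformed octets raise ipaddress' own ValueError subclass).
    """
    spec = spec.strip()

    m = _WILDCARD.match(spec)
    if m:
        # 10.1.0.* covers 10.1.0.0 through 10.1.0.255; IPv4Address validates octets
        base = ipaddress.IPv4Address(".".join(m.groups()) + ".0")
        return base, base + 255

    if "/" in spec:
        # strict=True rejects host bits in the network part. Assumption: the
        # console is not documented to tolerate them, so treat them as an error.
        net = ipaddress.IPv4Network(spec, strict=True)
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            raise ValueError(
                f"{spec}: prefix length must be {MIN_PREFIX}-{MAX_PREFIX}")
        return net.network_address, net.broadcast_address

    m = _SPAN.match(spec)
    if m:
        start, end = (ipaddress.IPv4Address(p) for p in m.groups())
        # The page requires the first two octets (network portion) to match.
        if start.packed[:2] != end.packed[:2]:
            raise ValueError(
                f"{spec}: first two octets must match in Start IP-End IP form")
        if end < start:
            raise ValueError(f"{spec}: end address precedes start address")
        return start, end

    # Anything else must be a single host address.
    ip = ipaddress.IPv4Address(spec)
    return ip, ip


def validate_target_ranges(specs):
    """Check a whole list as it would be pasted into the IP address box.

    Returns (accepted, errors): accepted is a list of (spec, first, last),
    errors a list of messages. Nothing is sent to the console.
    """
    accepted, errors = [], []
    if len(specs) > MAX_RANGES:
        errors.append(
            f"{len(specs)} ranges given; the playbook allows at most {MAX_RANGES}")
    for spec in specs:
        try:
            first, last = parse_target_range(spec)
            accepted.append((spec, first, last))
        except ValueError as exc:
            errors.append(str(exc))
    return accepted, errors


def address_count(accepted):
    """Total number of addresses the accepted ranges cover."""
    return sum(int(last) - int(first) + 1 for _, first, last in accepted)


if __name__ == "__main__":
    # Constructed sample list: the three documented forms plus two bad entries.
    sample = [
        "10.1.0.*",
        "192.168.1.0/24",
        "192.168.1.10–192.168.1.20",
        "10.0.0.0/8",            # prefix length below 16
        "10.1.5.1-10.2.5.1",     # second octet differs
    ]
    ok, problems = validate_target_ranges(sample)
    for spec, first, last in ok:
        print(f"accepted {spec:28} -> {first} .. {last}")
    for msg in problems:
        print(f"rejected {msg}")
    print(f"{address_count(ok)} addresses would be targeted")
```

Run it on the list before creating the playbook; the address count is a quick sanity check that a typo has not widened the target set, and every rejected entry is one the console would refuse.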