Collect evidence from endpoints manually using the Trend Micro Incident Response Toolkit or by executing a playbook to support threat investigation and incident response.
Important
Evidence archives use the same folder structures as the SANS Institute's and CyLR tools.
Procedure
- In the Trend Vision One console, go to .
- Click Collect Evidence.
- Choose whether to collect evidence from Windows endpoints, Linux endpoints, or to initiate automated evidence collection using the Incident Response Evidence Collection playbook.
  Important
  The Incident Response Evidence Collection playbook currently only supports Windows.
- For manual collection, configure the following settings.
  - Evidence types: The types of evidence to collect.
    Note
    - For Windows endpoints, basic information is required.
    - For Linux endpoints, the following information is required:
  - Archive location on endpoint: Location of the evidence package on the local endpoint.
    Important
    - The local archive is not encrypted and remains on the endpoint until deleted. This may expose sensitive information to anyone with access to the file system, or reveal the presence of an ongoing investigation.
    - Evidence archives take up hard drive space and may impact endpoint performance.
- Click Download TMIRT to download the Trend Micro Incident Response Toolkit.
- Deploy the toolkit to the endpoints on which you want to collect evidence.
- Execute the toolkit.
  - Extract the contents of the zip archive.
  - Run TMIRT.
    - For Linux, execute TMIRT.sh as the root user.
    - For Windows, execute TMIRT.ps1 as an administrator.
- Upload the evidence packages the toolkit generates to the Forensics app.
  Tip
  You can upload multiple files at once. Each file must not exceed 4 GB.
  The Forensics app begins processing the uploaded evidence packages.
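The following script is an added example for the Linux branch of the procedure above; it is not part of the Trend Micro documentation or the TMIRT toolkit. It assumes TMIRT.sh has already written its .zip packages to the directory configured as "Archive location on endpoint", and it applies the three points the procedure raises: the archive is unencrypted and stays on disk (so it is restricted to the owner), each file must not exceed 4 GB for upload, and a hash should be recorded before the package leaves the endpoint.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro documentation or the TMIRT toolkit.
# Post-collection checks for the packages TMIRT.sh leaves on a Linux endpoint.
# Assumed: packages are .zip files in the directory given as "Archive location
# on endpoint"; the 4 GB per-file limit is the Forensics app upload limit above.

MAX_UPLOAD_BYTES=$((4 * 1024 * 1024 * 1024))   # Forensics app per-file limit

# File size in bytes; GNU stat first, BSD/macOS stat as a fallback.
file_size() {
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
}

# Succeeds when the package can be uploaded as one file.
check_upload_size() {
    size=$(file_size "$1") || return 1
    [ "$size" -le "$MAX_UPLOAD_BYTES" ]
}

# SHA-256 of a package, recorded before it leaves the endpoint so the copy
# in the Forensics app can be checked against what was actually collected.
hash_package() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Hash every package into a manifest, restrict the unencrypted archives to
# the owner, and flag packages over the limit. Returns 1 if any is too large.
prepare_packages() {
    dir=$1
    manifest="$dir/manifest.sha256"
    : > "$manifest"
    rc=0
    for pkg in "$dir"/*.zip; do
        [ -f "$pkg" ] || continue
        chmod 600 "$pkg"
        hash_package "$pkg" >> "$manifest"
        if check_upload_size "$pkg"; then
            echo "OK   $pkg"
        else
            echo "SKIP $pkg exceeds the 4 GB upload limit"
            rc=1
        fi
    done
    chmod 600 "$manifest"
    return $rc
}
```

Run it as root once TMIRT.sh has finished, for example `prepare_packages /path/to/archives`, and keep manifest.sha256 with the case record so the uploaded copies can be verified later.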