Leverage workspaces to streamline your incident investigation process. Workspaces allow you to organize evidence, construct investigation timelines, and quickly triage endpoints in your environment.
Important
The following table outlines the actions available in workspaces.

| Action | Description |
|---|---|
| Display workspace information | The tooltip message for includes the following information: |
| Add endpoints | Click Add Endpoints to select endpoints from your Endpoint Inventory. Filter by Risk score to view endpoints in a specific range. |
| Filter by endpoint, IP address, or operating system | |
| Investigate an endpoint | For each endpoint, you can perform the following actions: |
| Add packages | Click Add Evidence to add evidence packages from the Evidence Archive tab. Allow some time for packages to be processed and added to the workspace. Forensics generates evidence reports for each added package. |
| Collect evidence | Collect evidence from the endpoints added to the workspace: |
| View, delete, and download evidence packages | Click the expand arrow to the left of an endpoint to view related evidence packages. For each package, you can perform the following actions: |
| Search evidence in the workspace | Click Evidence Search to search for evidence across all packages added to the workspace. |
| View detailed risk profile | Click to view the detailed profile for the asset risk. In the Detailed Profile, you can perform the following actions: |
| Update impacted endpoints | In Case Viewer, click Update Forensics Workspace to update the workspace with impacted endpoints. If the case no longer includes an endpoint, Vision One does not automatically remove the endpoint. You can manually remove any unimpacted endpoints from the workspace. |
| Triage endpoints | Identify, prioritize, and manage attacked endpoints based on the severity and impact: |
| Isolate an endpoint | Select one or more endpoints, then click Isolate Endpoint to prevent potentially malicious activities from spreading to other endpoints. |
| Remove unimpacted endpoints | Select one or more endpoints, then click Remove Endpoint when the endpoint is no longer relevant to this workspace. |
| View workspace-related tasks | Click Related Tasks to view the corresponding Task List in a new tab. |
| Manage the investigation timeline | Click Timeline to open the investigation timeline. |
| Refresh the workspace | Click to update and redisplay the data for this workspace. |