Collect Evidence Task

Collect evidence to support threat investigation and incident response.

After adding endpoints to a workspace in the Forensics and Analysis app, you can collect evidence using context menus in the Trend Vision One console.

  • Evidence collection requires that you enable XDR endpoint sensor on target endpoints.

  • Evidence archives use the same folder structures as the SANS Institutes and CyLR tool.

  1. In the Forensics and Analysis, create a workspace and add endpoints to the workspace.
  2. Collect evidence from the desired endpoint.
    1. After identifying the desired endpoint, click the options icon () at the end of the row, and click Collect Evidence Task.
    2. Specify the evidence types you want to collect.
    3. (Optional) Specify a Description for the response or event.
    4. Click Create.

      Trend Vision One creates the task and displays the current command status on the Response Management app.

  3. Monitor the task status.
    1. Open the Response Management app.
    2. (Optional) Locate the task using the Search field or by selecting Collect Evidence from the Action drop-down list.
    3. View the task status.
      • In progress... (): Trend Vision One sent the command to the managing server and is waiting for a response

      • Queued (): The managing server queued the command because the agent was offline

      • Successful (): The managing server successfully received the command

      • Unsuccessful (): An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out