Incident Response Evidence Collection Playbooks

Collect evidence to support threat investigation and incident response by creating evidence collection playbooks.

Collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.
Important:

  • Evidence collection requires that you enable XDR endpoint sensors on target endpoints.

  • Evidence archives use the same folder structures as the SANS Institutes and CyLR tool.

  1. Go to Workflow and Automation > Security Playbooks.
  2. On the Playbooks tab, choose Add > Create from template.
  3. Select Incident Response Evidence Collection and click Create Playbook from Template.
  4. Configure the playbook settings and click Apply.
    Note:

    You must specify a unique name for the playbook.

  5. To customize the name of the trigger node, click the settings icon.
  6. Identify target endpoints for evidence collection by endpoint names or IP addresses.
  7. Configure the manual approval settings in the first action node (default name: "Notify recipients for manual approval").
    1. (Optional) Specify a custom Name for the node.
    2. Select whether to send a notification to request manual approval to create response actions.
      Important:

      Actions pending manual approval for over 24 hours expire and cannot be performed.

    3. If you require manual approval, configure the following settings.

      Setting

      Description

      Notification method

      • Email: Sends an email notification to specified recipients

      • Webhook: Sends a notification to specified webhook channels

      Subject prefix

      The prefix that appears at the start of the notification subject line

      Recipients

      The email addresses of recipients

      The field only appears if you select Email for Notification method.

      Webhook

      The webhook channels to receive notifications

      The field only appears if you select Webhook for Notification method.

      Tip:

      To add a webhook connection, click Create channel in the drop-down list.
  8. Configure evidence collection in the next action node (default name: "Collect evidence").

    Setting

    Description

    Name

    The node name

    Evidence types

    Types of evidence to collect

    Note:

    Basic information is required.

    Upload evidence to Trend Vision One

    Uploads evidence to Trend Vision One

    Tip:

    Find uploaded evidence on the Execution Results page in the Security Playbooks app.

    Archive location on endpoint

    Location of the archive on the local endpoint

    Important:

    • The local archive does not have encryption, and remains on the endpoint until deleted. This may allow access to sensitive information to anyone with access to the file system or reveal the presence of an ongoing investigation.

    • Evidence archives take up hard drive space and may impact endpoint performance.
  9. Specify how to notify recipients of the playbook results by configuring the second path selection node.
    Note:

    You can only select one path for notification of results.

  10. For email and webhook notifications, configure the action node (default name: "Send notification of results").

    Setting

    Description

    Name

    The node name

    Notification method

    • Email: Sends an email notification to specified recipients

    • Webhook: Sends a notification to specified webhook channels

    Subject prefix

    The prefix that appears at the start of the notification subject line

    Recipients

    The email addresses of recipients

    The field only appears if you select Email for Notification method.

    Webhook

    The webhook channels to receive notifications

    The field only appears if you select Webhook for Notification method.

    Tip:

    If you need to add a webhook connection, click Create channel in the drop-down list.
  11. For ServiceNow ticket notifications, configure the two action nodes.
    1. Follow Step 7 to configure the first action node (default name: "Notify recipients for manual approval").
    2. Configure the next action node (default name: "Send ticket notification of results").

      Setting

      Description

      Name

      The node name

      Notification method

      The action node can only send "Ticket" notifications

      Ticket profile

      The ServiceNow ticket profile to use

      Tip:

      If you need to add a ticket profile, click Create ticket profile in the drop-down list.

      Ticket profile settings

      The ticket profile settings for the playbook

      Selecting a ticket profile automatically loads the settings. Changing the settings overrides the ticket profile for the playbook.

      • Assignment group: The ServiceNow assignment group you want to assign the ticket to

      • Assigned to: The ServiceNow user you want to assign the ticket to

      • Short description: A short description of the ticket which displays in ServiceNow
  12. Enable the playbook by toggling the Enable control on.
  13. Click Save.

    The playbook appears on the Playbooks tab in the Security Playbooks app.

Parent topic: Creating a Playbook From a Template