From the flowchart, Forensics App lets users interact with Trend Vision One Agent for incident investigation. Refer to the following steps:

1. During the incident investigation, create a new workspace in Forensics App to correspond the specific incident.
2. In Workspace, define the "Impact Scope" by Endpoint Selector. This will list all the Windows Endpoint with sensor installed.

   

3. Once you identify those endpoints and import into Workspace, start triage process on those endpoints based on OSQuery and Yara Scan. Triage process can help identify the compromised endpoints that respond with indicator from your OSQuery and Yara Rule. Select the endpoints in workspace you would like to conduct query or scan.

   

4. Forensics App also provides the Evidence Collection to help investigator snapshot the evidence such as AmCache, ShimCache, AutoRun, Event Log and MFT.

   

5. You can further analyze those evidence to compose attack timeline and reveal the context of this incident.
6. The investigator can also pivot to Search App and OAT to dig out more details about these compromised endpoints.

   

7. During live investigation, Trend Vision One Workbench will also monitor the endpoint telemetry to deliver the critical alert once the incident has further propagation or malicious activities.

   You may consider going back to Yara Scan and OSQuery to deliver new investigation and triage query which can help identify new discovered indicator from Trend Vision One.