You can view or designate any entity as evidence which enables you to reconstruct attack chains and piece together key pieces of verification for root cause discovery.

In the

War Room

you can mark any entity as evidence by clicking the flag next to each entry. You can view the evidence in the

War Room

or open the evidence entry from the

Evidence Board

. When adding evidence you need to add a description which should contain enough details that can be used for future reference. Adding a tag helps you to find the evidence by searching for the tag. You can also add an occurrence date and time.

The Evidence board stores key artifacts for current and future analysis. You can view and manage evidence entities that were detected in the

War Room

and designated as Evidence.

You can search for evidence and select the date range when the evidence occurred.

Evidence can be viewed in

Table View

or

Summary View

. In the

Table View

, you can remove, export, or show in the

War Room

. In the

Summary View

you can remove or edit the evidence.