Abstract
Triage collection supports a wide range of artifacts that can be used to help understand the event that occurred on the endpoint.
Triage enables you to do a in-depth analysis of a specific endpoint to fully understand the activities that occurred on that endpoint.. The triage functionality is configurable and supports the collection of all the currently supported forensic artifacts, user-defined file paths, a full file listing for all of the connected drives, full event logs, and registry hives. The amount of data collected during a triage can be large, so triages are limited to ten or fewer endpoints per collection.