CPC H04L 63/302 (2013.01) [H04L 63/145 (2013.01); H04L 63/1408 (2013.01); H04L 63/308 (2013.01)]. 20 Claims.
1. A computer-implemented method, comprising:
executing a query, the query including an association specifying types of forensic data to collect from one or more endpoint devices in an information technology (IT) environment when execution of the query identifies an occurrence of a security threat at an endpoint device of the one or more endpoint devices;
identifying, based on the executing of the query, an occurrence of the security threat at the endpoint device;
based on the identifying of the occurrence of the security threat at the endpoint device, collecting, from the endpoint device, forensic data corresponding to the types of forensic data specified by the association; and
storing the forensic data in a data store.
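As an added worked example (it is not from the patent and does not represent any named product's implementation), the following Python models the sequence the claim recites: a query that carries an association naming the forensic artifact types to collect, execution of that query against endpoint telemetry, collection of only the associated types from the endpoint where the match occurred, and storage of the bundle in a data store. Beyond the claim text, it also records which associated artifact types could not be collected and hashes each stored bundle so later tampering is detectable. The endpoint interface, artifact type names, event fields and the sample events are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# The "association" of the claim: the query carries the artifact types to pull
# from an endpoint whenever the query matches there.
@dataclass(frozen=True)
class ForensicQuery:
    name: str
    predicate: Callable[[Dict[str, Any]], bool]  # evaluated per endpoint event
    collect: Tuple[str, ...]                      # artifact types to collect on a hit


class Endpoint:
    """Stand-in for an endpoint agent (assumed interface, not a real API)."""

    def __init__(self, endpoint_id: str, events: List[Dict[str, Any]],
                 artifacts: Dict[str, Any]) -> None:
        self.endpoint_id = endpoint_id
        self.events = events
        self._artifacts = artifacts

    def collect(self, artifact_type: str) -> Any:
        if artifact_type not in self._artifacts:
            raise KeyError(f"{artifact_type} unavailable on {self.endpoint_id}")
        return self._artifacts[artifact_type]


class DataStore:
    """In-memory data store; each bundle is stored with a SHA-256 digest."""

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    @staticmethod
    def _digest(record: Dict[str, Any]) -> str:
        payload = json.dumps(record, sort_keys=True, default=str).encode()
        return hashlib.sha256(payload).hexdigest()

    def put(self, record: Dict[str, Any]) -> str:
        digest = self._digest(record)
        self.records.append({"sha256": digest, "record": record})
        return digest

    def verify(self, index: int) -> bool:
        entry = self.records[index]
        return self._digest(entry["record"]) == entry["sha256"]


def execute_query(query: ForensicQuery, endpoints: List[Endpoint],
                  store: DataStore) -> List[Dict[str, Any]]:
    """Run the query on every endpoint; on each hit, collect the associated
    artifact types from that endpoint only and persist the bundle."""
    stored = []
    for ep in endpoints:
        hits = [ev for ev in ep.events if query.predicate(ev)]
        if not hits:
            continue
        bundle = {"query": query.name, "endpoint_id": ep.endpoint_id,
                  "matched_events": hits, "artifacts": {}, "collection_errors": {}}
        for artifact_type in query.collect:
            try:
                bundle["artifacts"][artifact_type] = ep.collect(artifact_type)
            except KeyError as exc:
                # Partial collection is still evidence; record what was missing.
                bundle["collection_errors"][artifact_type] = str(exc)
        store.put(bundle)
        stored.append(bundle)
    return stored


# Constructed sample telemetry: one endpoint with an encoded PowerShell
# launch (and no loaded-module artifact available), one benign endpoint.
ENDPOINTS = [
    Endpoint("ws-01",
             events=[{"pid": 4120, "image": "powershell.exe",
                      "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
                     {"pid": 4130, "image": "notepad.exe", "cmdline": "notepad.exe"}],
             artifacts={"process_tree": {"4120": {"parent": "winword.exe", "ppid": 3980}},
                        "network_connections": [{"pid": 4120, "dst": "203.0.113.7:443"}]}),
    Endpoint("ws-02",
             events=[{"pid": 800, "image": "explorer.exe", "cmdline": "explorer.exe"}],
             artifacts={"process_tree": {}, "network_connections": [], "loaded_modules": []}),
]

ENCODED_POWERSHELL = ForensicQuery(
    name="encoded-powershell-launch",
    predicate=lambda ev: ev["image"].lower() == "powershell.exe"
    and " -enc" in ev["cmdline"].lower(),
    collect=("process_tree", "network_connections", "loaded_modules"),
)


def run_example() -> DataStore:
    store = DataStore()
    execute_query(ENCODED_POWERSHELL, ENDPOINTS, store)
    return store


if __name__ == "__main__":
    s = run_example()
    for i, entry in enumerate(s.records):
        r = entry["record"]
        print(r["endpoint_id"], sorted(r["artifacts"]), sorted(r["collection_errors"]),
              "verified:", s.verify(i))
```

Only the endpoint where the query matched (ws-01) is touched, and only the three artifact types named in the query's association are requested from it; the missing type is recorded as a collection error rather than aborting the bundle, which keeps the partial evidence and makes the gap visible to the analyst.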