Module 2 — Lesson 4 of 8

Investigation Workspace

Collaborative workspaces for multi-team investigations — creating, managing, and resolving investigations from triage to documentation.

The Investigation Workspace is a shared virtual war room where teams collect endpoints, data, findings, and remediation actions for a single incident. It replaces scattered browser tabs, Teams messages, and personal notes with one persistent, collaborative record.

Investigation Workflow

1. Triage: scope & severity. How many endpoints? Business-critical?
2. Investigate: collect & analyze. Data panels, queries, timelines, annotations.
3. Root Cause: identify the change. What changed? Affected vs. healthy.
4. Remediate: fix the issue. Kill, deploy, patch, rollback, restart.
5. Document: record & share. Root cause, steps, lessons learned.
👥 Multi-Team: Help desk, engineering, security all in one workspace
📝 Annotations: Timestamped notes building a chronological narrative
📈 Live Panels: Dynamic dashboards that update as data is collected
🔗 Evidence Chain: Complete audit trail from triage to resolution

Simulated: Investigation Workspace

Investigation #INV-2026-0847 — CRM Agent Memory Leak
Tabs: Endpoints (8) | Timeline | Annotations (12) | Actions

Priority: Critical | Status: In Progress | Endpoints: 8 | Team Members: 3

Endpoint   | User    | Department | Health | CRM Version | Status
CAEI778766 | jsmith  | Accounting | 38     | 4.2.0-beta  | Affected
CAEI782014 | mgarcia | Claims     | 42     | 4.2.0-beta  | Affected
CAEI779301 | tchen   | Marketing  | 35     | 4.2.0-beta  | Affected
CAEI780455 | kwilson | Accounting | 78     | 4.1.2       | Healthy
CAEI781208 | rpatel  | Claims     | 81     | 4.1.2       | Healthy
ANNOTATION -- S. Cabrera, 2:45 PM
All 3 affected endpoints have CRM Desktop Agent 4.2.0-beta (installed yesterday). Healthy endpoints still on 4.1.2. Memory leak confirmed -- CRMAgent.exe consuming 3+ GB RAM on all affected machines. Recommend rollback to 4.1.2.
ANNOTATION -- J. Martinez, 3:10 PM
Killed CRMAgent.exe on CAEI778766 as test. Health score recovering. Deploying 4.1.2 rollback package to all 3 affected endpoints now.
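As an added example (not code from the course or from Tanium), the affected-versus-healthy comparison that the annotation above does by eye, run over the simulated table rows: the function reports each inventory attribute whose value is shared by every affected endpoint and absent from every healthy one, and a second function lists the endpoints carrying that value as the remediation scope. The column names, and the choice to treat Endpoint, User, Health and Status as non-causal, are assumptions based on the simulated table.

```python
"""Affected-vs-healthy comparison over workspace inventory rows.

Added example (not Tanium's or the course's code): automates the check
S. Cabrera's annotation did by eye, then lists the remediation scope.
"""
from collections import defaultdict

# Constructed sample rows transcribed from the simulated table above;
# endpoint names, users and versions are illustrative only.
INVENTORY = [
    {"Endpoint": "CAEI778766", "User": "jsmith", "Department": "Accounting", "Health": 38, "CRM Version": "4.2.0-beta", "Status": "Affected"},
    {"Endpoint": "CAEI782014", "User": "mgarcia", "Department": "Claims", "Health": 42, "CRM Version": "4.2.0-beta", "Status": "Affected"},
    {"Endpoint": "CAEI779301", "User": "tchen", "Department": "Marketing", "Health": 35, "CRM Version": "4.2.0-beta", "Status": "Affected"},
    {"Endpoint": "CAEI780455", "User": "kwilson", "Department": "Accounting", "Health": 78, "CRM Version": "4.1.2", "Status": "Healthy"},
    {"Endpoint": "CAEI781208", "User": "rpatel", "Department": "Claims", "Health": 81, "CRM Version": "4.1.2", "Status": "Healthy"},
]

# Identity and symptom columns (assumed) can never be the cause we are looking for.
NON_CAUSAL = ("Endpoint", "User", "Health", "Status")


def discriminating_attributes(rows, affected="Affected", skip=NON_CAUSAL):
    """Map attribute -> (value shared by all affected rows, healthy values)
    for every attribute that has one value across the affected group and
    never shows that value on a healthy endpoint. Overlapping attributes
    (Department: Accounting is on both sides) are dropped."""
    seen = defaultdict(lambda: {"affected": set(), "healthy": set()})
    for row in rows:
        group = "affected" if row["Status"] == affected else "healthy"
        for attr, value in row.items():
            if attr not in skip:
                seen[attr][group].add(value)
    result = {}
    for attr, groups in seen.items():
        if len(groups["affected"]) == 1 and not (groups["affected"] & groups["healthy"]):
            (shared,) = groups["affected"]
            result[attr] = (shared, sorted(groups["healthy"]))
    return result


def remediation_scope(rows, attr, value):
    """Endpoints carrying the suspect value: the rollback target list."""
    return [row["Endpoint"] for row in rows if row[attr] == value]


if __name__ == "__main__":
    for attr, (bad, good) in discriminating_attributes(INVENTORY).items():
        print(f"{attr}: affected={bad!r} healthy={good}")
        print("rollback scope:", remediation_scope(INVENTORY, attr, bad))
```

On these rows the only attribute that separates the groups is CRM Version (4.2.0-beta on every affected endpoint, 4.1.2 on the healthy ones), and the scope list is the three affected endpoints the rollback was deployed to.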

3 Ways to Create an Investigation

🎫 From Alert/Ticket: A ServiceNow ticket or Tanium alert triggers the investigation, linked for traceability
🔍 From SEV: The issue is more complex than expected -- escalate from the SEV to a full workspace
💡 Ad-Hoc: Proactively investigate a trend before it becomes a ticket

Workspace Visualizations

Investigation Lifecycle

New: Investigation created, endpoints being added
In Progress: Active data collection, analysis, annotation
Pending: Waiting for additional data or a change window
Resolved: Root cause found, remediation applied
Closed: Documentation complete, searchable for future reference

Best Practice

Start documenting from the very first step. Real-time annotations ensure no finding is lost, make handoffs seamless, and produce a much more accurate post-incident record than reconstructing from memory.

Scenario: What Would You Do?

Help Desk Ticket #INC0084721

Reported by: Maria Garcia, Claims Department
Subject: "Laptop extremely slow since this morning"
Details: Applications take forever to open, Outlook keeps freezing. Restarted twice -- no improvement. Colleague sitting next to her says her laptop is fine.

What is your first step?

Correct! Start with the SEV to get a quick assessment. Escalate to a full workspace only if the issue is complex or multi-endpoint.
Not quite. The SEV is the natural starting point for individual endpoint issues. Start there, then escalate to a workspace if complexity warrants it.

Maria restarted twice and the issue persists. What does this tell you?

Correct! A reboot-persistent issue points to something installed or configured that recreates the problem on every startup -- a software update, driver issue, or startup config change.
Not quite. The fact that two restarts didn't help is a strong diagnostic clue: the problem is persistent, not transient, so look at what runs on every boot.

Maria's colleague is unaffected. What comparison would be most valuable?

Correct! The workspace's comparison view lets you identify what is different between an affected and healthy endpoint -- different software version, missing patch, or extra startup process.
Not quite. The most valuable comparison is software, patches, and configuration -- identify what is different between the affected machine and the healthy one.

✍ Knowledge Check

1. What is the main advantage of an Investigation Workspace over investigating endpoints individually?

Correct! The workspace centralizes all endpoints, data, findings, and annotations in one shared place for multi-team collaboration.
Not quite. The key advantage is centralization and collaboration -- all relevant data in one shared location with a persistent record.

2. Which is a valid way to create a new investigation?

Correct! Investigations can be created from multiple starting points: tickets/alerts, SEV sessions, or proactively as ad-hoc research.
Not quite. Investigations can be triggered from several sources: alerts, SEV sessions, or proactively.

3. What happens to workspace data after the investigation is resolved?

Correct! Resolved investigations remain as searchable records, preserving the evidence chain and resolution documentation.
Not quite. Workspaces are persistent -- even after resolution, the complete record is preserved and searchable.

🏆 Progress Checkpoint — Lessons 1-4

You have completed the first half of Module 2. Answer all 5 questions to test your understanding before moving forward.

1. What are the five pillars of Tanium Investigate?

Correct! The five pillars are Data Collection, Data Enrichment, Data Visualization, Collaboration, and Remediation.
Not quite. The five pillars are: Data Collection, Data Enrichment, Data Visualization, Collaboration, and Remediation.

2. What data source does the SEV use when an endpoint is offline?

Correct! TDS stores historical snapshots so the SEV can display the last known state even when offline.
Not quite. TDS continuously caches endpoint data. When offline, the SEV displays the most recent cached snapshot.

3. Which data type requires a live query and cannot be reliably obtained from cache?

Correct! Active network connections are ephemeral -- cached data quickly becomes stale and irrelevant.
Not quite. Network connections open and close constantly, so cached data is unreliable. Hardware specs and OS version rarely change.

4. What is the primary purpose of annotations in an Investigation Workspace?

Correct! Annotations are timestamped notes that document findings, hypotheses, actions, and handoff instructions.
Not quite. Annotations create a timestamped narrative of what was found, hypothesized, tried, and concluded.

5. In the investigation workflow, what comes immediately after identifying the root cause?

Correct! The workflow is: Triage, Investigate, Root Cause, Remediate, Document. After root cause, remediation is next.
Not quite. The five phases are: Triage, Investigate, Root Cause, Remediate, Document. Remediation follows root cause identification.
Mercury Insurance — Digital Workplace Team
DEX Specialization Training © 2026