Snapshot of a forensic investigation for enterprise threat detection

US10673879B2 · US · B2

Patent metadata
Publication number: US-10673879-B2
Application number: US-201615274569-A
Country: US
Kind code: B2
Filing date: Sep 23, 2016
Priority date: Sep 23, 2016
Publication date: Jun 2, 2020
Grant date: Jun 2, 2020

Abstract

Official abstract text for this publication.

An enterprise threat detection (ETD) forensic workspace is established according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities. A chart is defined illustrating a graphical distribution of a particular data type in the forensic workspace. A snapshot associated with the chart is generated, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object. The snapshot is associated with a snapshot page for containing the snapshot and the snapshot page is saved within the ETD forensic workspace.

Claims

What is claimed is:

1. A computer-implemented method, comprising: establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular subset of the available log data; defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace; generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object; associating the snapshot with a snapshot page for containing the snapshot; and saving the snapshot page within the ETD forensic workspace.

2. The computer-implemented method of claim 1, wherein the chart includes a structured query language (SQL) SELECT statement for selecting events from the available log data and a user interface (UI) permitting interactive functionality with the chart.

3. The computer-implemented method of claim 1, wherein the snapshot page is a data container that is persisted with a reference to the snapshot stored in a data store.

4. The computer-implemented method of claim 1, wherein the data saved by the snapshot includes at least one of log data, environmental variables, environmental conditions, chart data, chart UI information, a selected path and filter data or functionality to search for the same configuration of the chart at a different timeframe.

5. The computer-implemented method of claim 1, comprising configuring the snapshot object as immutable once the snapshot is generated.

6. The computer-implemented method of claim 1, comprising: loading the saved snapshot page within the ETD forensic workspace; retrieving data from the snapshot object of the snapshot associated with the saved snapshot page; and re-creating the chart on the snapshot page.

7. The computer-implemented method of claim 1, comprising transferring the saved snapshot page to a third-party for collaborative analysis.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising: establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular subset of the available log data; defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace; generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object; associating the snapshot with a snapshot page for containing the snapshot; and saving the snapshot page within the ETD forensic workspace.

9. The non-transitory, computer-readable medium of claim 8, wherein the chart includes a structured query language (SQL) SELECT statement for selecting events from the available log data and a user interface (UI) permitting interactive functionality with the chart.

10. The non-transitory, computer-readable medium of claim 8, wherein the snapshot page is a data container that is persisted with a reference to the snapshot stored in a data store.

11. The non-transitory, computer-readable medium of claim 8, wherein the data saved by the snapshot includes at least one of log data, environmental variables, environmental conditions, chart data, chart UI information, a selected path and filter data or functionality to search for the same configuration of the chart at a different timeframe.

12. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to configure the snapshot object as immutable once the snapshot is generated.

13. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to: load the saved snapshot page within the ETD forensic workspace; retrieve data from the snapshot object of the snapshot associated with the saved snapshot page; and re-create the chart on the snapshot page.

14. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to transfer the saved snapshot page to a third-party for collaborative analysis.

15. A computer-implemented system, comprising: a computer memory; and a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising: establishing an enterprise threat detection (ETD) forensic workspace according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities, wherein the forensic workspace is configured with functionality to define a filter path containing a series of filters to define a particular subset of the available log data; defining a chart illustrating a graphical distribution of a particular data type in the forensic workspace; generating a snapshot associated with the chart, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object; associating the snapshot with a snapshot page for containing the snapshot; and saving the snapshot page within the ETD forensic workspace.

16. The computer-implemented system of claim 15, wherein the chart includes a structured query language (SQL) SELECT statement for selecting events from the available log data and a user interface (UI) permitting interactive functionality with the chart.

17. The computer-implemented system of claim 15, wherein the snapshot page is a data container that is persisted with a reference to the snapshot stored in a data store.

18. The computer-implemented system of claim 15, wherein the data saved by the snapshot is configured as immutable once the snapshot is generated and wherein the snapshot includes at least one of log data, environmental variables, environmental conditions, chart data, chart UI information, a selected path and filter data or functionality to search for the same configuration of the chart at a different timeframe.

19. The computer-implemented system of claim 15, further configured to: load the saved snapshot page within the ETD forensic workspace; retrieve data from the snapshot object of the snapshot associated with the saved snapshot page; and re-create the chart on the snapshot page.

20. The computer-implemented system of claim 15, further configured to transfer the saved snapshot page to a third-party for collaborative analysis.

Assignees

SAP SE

Classifications

  • Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Visualisation of programs or trace data · CPC title

  • Monitoring · CPC title

  • Risk analysis of enterprise or organisation activities · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10673879B2 cover?
An enterprise threat detection (ETD) forensic workspace is established according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities. A chart is defined illustrating a graphical distribution of a particular data type in the forensic workspace. A snapshot associated with the chart is …
Who is the assignee on this patent?
SAP SE
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 2, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).