An enterprise threat detection (ETD) forensic workspace is established according to a particular timeframe and permitting defining a selection of data types from available log data for an evaluation of events associated with one or more entities. A chart is defined illustrating a graphical distribution of a particular data type in the forensic workspace. A snapshot associated with the chart is generated, the snapshot saving a copy of all data necessary to re-create the chart into an associated snapshot object. The snapshot is associated with a snapshot page for containing the snapshot and the snapshot page is saved within the ETD forensic workspace.