Create an InstaQuery
- In the management console, on the menu bar, click CylanceOPTICS > InstaQuery.
- Do one of the following:
  - Create a new InstaQuery:
    - If you want to clone a previous query, expand the Previous Queries section, find the query, and click Clone Query.
    - In the Search Term field, type a value that you want to search for (for example, a file name, hash, process, registry value, and so on). If you want to search for an exact match, select the Exact Matching check box.
    - In the Artifact drop-down list, click an artifact type.
    - In the Facet drop-down list, click the appropriate facet.
    - In the Zone drop-down list, select one or more zones.
    - Type a name and description for the query.
    - Click Submit Query.
    - The current status of the query is displayed in the Previous Queries section. When the query is complete, click View Results.
  - View a previous InstaQuery:
    - Expand the Previous Queries section.
    - For the query that you want to view, click View Results.
- In the InstaQuery Results section, you can expand the Actions menu to access the available actions for each result. Depending on the type of result, this can include:
  - Globally quarantine a file. The file is displayed in Settings > Global List > Global Quarantine, in Protection > Threats, and in the Threats section of the device details.
  - Request and download a file. If path information is available for files associated with other artifact types, you can also download those files. The file is compressed and password-protected to ensure that it is not accidentally executed. The password is “infected”. The size limit for file retrieval is 50 MB. Artifacts and files are retained by Optics for 30 days (this period can be increased based on your organization's licensing).
- To view the InstaQuery facet breakdown, in the InstaQuery Results section, click the facet breakdown icon.