Skip Navigation

Using InstaQuery and advanced query to analyze artifact data

InstaQuery and advanced query are
CylanceOPTICS
features that allow you to analyze artifact data to discover indicators of compromise and to determine their prevalence on your organization’s devices. The results of a query will not tell you about how or when an artifact was used, but they will indicate whether an artifact has ever been observed in a forensically significant way that can signal a threat to your organization’s devices and data.
InstaQuery allows you to interrogate a set of devices about a specific type of forensic artifact, and allows you to determine whether an artifact exists on devices and how common that artifact is. Advanced query is an evolution of InstaQuery that provides more granular search capabilities using EQL syntax to enhance your ability to identify threats.
Advanced query is currently available only to customers who have requested and obtained
CylanceOPTICS
version 3.0 or later from
BlackBerry
.
After you install and enable the
CylanceOPTICS
agent on a device, the agent collects artifacts and stores them in the
CylanceOPTICS
database. With
CylanceOPTICS
agent 2.x and earlier, the database is stored locally on the device. With
CylanceOPTICS
agent 3.0 and later, the agent automatically uploads and stores data in the
CylanceOPTICS
cloud database. When you create a query, forensically significant data is retrieved from the
CylanceOPTICS
database. You can view and explore the results in the management console.
For devices with
CylanceOPTICS
agent 2.x and earlier, a query can complete successfully only when a device is online. For devices with agent 3.0 and later, the device does not need to be online because the query will use the latest data available in the
CylanceOPTICS
cloud database.
A single query will display and retain a maximum of 10,000 results. The results of a query are retained for 60 days.
Note the following details about specific artifacts that you can query:
Artifact
Details
Files
You can query specific files that were created, modified, or deleted after the
CylanceOPTICS
agent was installed on the device.
CylanceOPTICS
focuses on files that can be used to execute content (for example, executable files,
Microsoft Office
documents, PDFs, and so on).
Network connections
You can perform queries against both IPv4 and IPv6 destination IP addresses.
CylanceOPTICS
discards private, non-routable, multicast, link-local, and loopback network traffic.
Processes
All processes are indexed in the
CylanceOPTICS
database, with the following restrictions:
  • Command lines are limited to 1 KiB of data
  • Process names are limited to 256 characters
  • Process image file paths are limited to 512 characters
  • Command lines that are altered after the process has started are not monitored
Registry keys
CylanceOPTICS
monitors only persistence points and file deletion points. They are areas typically exploited by malware.
For a detailed list of registry keys and values monitored by
CylanceOPTICS
, see KB66266.
To learn more about how
CylanceOPTICS
monitors persistence points in the registry, see KB66357.