Create an advanced query

The advanced query feature allows you to build custom queries to enhance your threat hunting activities. Advanced query offers deep visibility into your CylanceOPTICS environment, expansive query options, and optimized workflows that allow you to combine related searches to reveal new insights. Advanced query is supported for devices with the CylanceOPTICS agent version 3.0 or later.

Advanced query is available only to customers who have requested and obtained CylanceOPTICS version 3.0 or later from BlackBerry.
Advanced query relies on the use of EQL syntax. You use EQL to construct queries for events, and the results provide information about the artifacts that were involved in those events. The advanced query UI includes syntax information to help you build EQL queries.
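As an added illustration of the kind of EQL that goes into the query field (this is a constructed example, not a query from this page or from BlackBerry's documentation), the following sequence query looks for a process that starts from a temporary directory and then opens an outbound connection to a non-private address shortly afterwards. The event categories (process, network) and field names (process.entity_id, process.executable, event.type, destination.ip) follow Elastic Common Schema naming and are assumptions; the field names that CylanceOPTICS actually exposes are listed in the syntax help shown in the advanced query UI, so substitute those before running it.

```eql
// Constructed example, not from the page or from BlackBerry.
// Field names are ECS-style assumptions; replace them with the names
// given in the console's syntax help for your CylanceOPTICS version.
//
// Hunting question: which processes launched from a temp directory went on
// to make an outbound connection to a non-private address within 2 minutes?
sequence by process.entity_id with maxspan=2m
  [process where event.type == "start" and
     process.executable : ("C:\\Users\\*\\AppData\\Local\\Temp\\*", "/tmp/*")]
  [network where event.type == "connection" and
     not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
```

The `sequence by` clause ties both events to the same process instance, `maxspan` bounds how far apart they may be, and the `:` operator performs a case-insensitive wildcard match, so the path patterns catch both upper- and lower-case drive letters. Scope the query to a zone and a date range first (steps 3 and 4 below) so that the result set stays manageable before widening it to all devices.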
  1. In the management console, on the menu bar, click CylanceOPTICS > Advanced Query.
  2. Do one of the following:

     Create a new advanced query:
     If you want to use an existing query template to create a new query, click Show Template List and click a template, then skip the first step below.
       1. Click Add New Query.
       2. In the query field, type or paste the EQL syntax for the query.
          If you want to save the current query as a template, click Save As Template. Type a name and description and select whether you want the template to be private or available to all administrators. Click Save. You can pin, edit, and delete queries from the templates list.
       3. To set the scope of the query, under Search devices, click By Zone or By Device. Select one or more zones or devices, then click Save. If you don't set the scope, the query applies to all zones and devices.
       4. To set a date and time range for the query, click the Date range icon and configure the range. Click Apply. If you don't set a range, the query applies to all available data.
       5. Do one of the following:
          • If you want to run the query, click Search.
          • If you want to schedule the query to run at a specific date and time or on a regular interval, click Schedule Query. Type a name and description, select whether you want the query to be private or visible to all users, and set the date, time, and optional recurrence settings. Click Schedule Query. You can view and edit scheduled queries, and view and export the results, on the Scheduled Queries tab.
       If you want to save query results to view them later from the Query Snapshots tab, in the results section, click the Save icon.

     View a query snapshot:
       1. On the Query Snapshots tab, click a query.
       2. Click Search. Note that this displays the original results of the query when it was saved and is not a new query.
  3. In the query results, expand the menu to view the available actions for each result. Depending on the type of result, this can include:
     • Globally quarantine a file. The file appears in Settings > Global List > Global Quarantine, in Protection > Threats, and in the Threats section of the device details.
     • Request and download a file. If path information is available for files associated with other artifact types, you can also download those files. The file is compressed and password-protected to ensure that it is not accidentally executed. The password is "infected".
       The size limit for file retrieval is 50 MB. Artifacts and files are retained by CylanceOPTICS for 30 days (this period can be increased based on your organization's licensing).
If you want to export the query results to a .csv file, click the Export icon. Type a name and description, specify whether you want the exported results to be private (visible only to you) or public (visible to all administrators), and click Export. You can download the file from the Exported Results tab when it is ready.