View focus data
Focus data allows you to visualize and analyze the chain of events, and the associated artifacts and facets of those events, that resulted in a piece of malware or another security threat on a device. Focus data is retained for 30 days.
For devices with
CylanceOPTICSagent 2.x and earlier, the console can retrieve focus data only from devices that are online. For devices with agent 3.0 and later, devices do not need to be online because the console can retrieve the latest data available in the
If you want to enable the automatic upload of focus data for devices to the management console, turn on these options in the device policy. If you do not select this option, you must use the console to manually request focus data.
- Do any of the following:TaskStepsView focus data from device details.
View focus data from an InstaQuery.To create a new InstaQuery, see Create an InstaQuery.
- In the management console, on the menu bar, clickAssets > Devices.
- Click a device and review theThreats & Activitiessection.
- If you did not enable the automatic upload of focus data, for a threat or event, clickRequest Data.
- ClickView Data.
View focus data from a master list.
- In the management console, on the menu bar, clickCylanceOPTICS > InstaQuery > Previous Queries.
- For an InstaQuery, clickView Results.
- For a result, clickActions > Request Focus Data.
- ClickView Focus Data.
- In the management console, on the menu bar, clickCylanceOPTICS > Focus Data.The list includes the focus data that was previously requested by an administrator or automatically uploaded to the console.
- For an artifact or event, clickView Focus.
- Some artifacts or facets in the focus data may include aCreate InstaQueryoption to retrieve more information. This is known as a pivot query. The artifact or facet properties are prepopulated, you only need to specify the appropriate zones. The pivot query results are then available with the associated focus data.
- If you want to export focus data to a .csv file, click , then click .