
Data flow: Detecting and responding to events and storing event data (CylanceOPTICS 3.x and later)

Data flow demonstrating how CylanceOPTICS detects and responds to events and stores events in the cloud
  1. An administrator uses the management console to configure detection rules and assigns the rules to a device policy.
  2. The CylanceOPTICS cloud services send the detection rules over a secure WebSocket connection to a device with the CylanceOPTICS agent. The rule data also includes the configured responses for each event (for example, log off all users, suspend processes, and so on).
  3. The CylanceOPTICS agent factors the detection rules into the Context Analysis Engine (CAE) that it uses to analyze and correlate events.
  4. The CylanceOPTICS sensors detect an event.
  5. The CAE determines whether the event satisfies a detection rule. If it does, one of the following occurs:
    • If the CylanceOPTICS agent is already configured with the event response, the agent executes the response.
    • If the agent requires additional data to execute the response (for example, if the response requires a playbook package that the device does not have yet), the agent sends the detection data to the CylanceOPTICS cloud services over a secure WebSocket connection. The CylanceOPTICS cloud services process the detection and provide the data that the agent requires to execute the response.
  6. The agent prioritizes and sends the event data to the CylanceOPTICS cloud services over a dedicated event channel using a secure TLS connection. The CylanceOPTICS cloud services receive and process the event data, storing it in the secure CylanceOPTICS cloud database.
  7. An administrator uses the management console to request detections data or to initiate an InstaQuery, advanced query, or focus view request. The management console interacts with the CylanceOPTICS cloud services using HTTP over TLS.
  8. The CylanceOPTICS cloud services validate and process the request, retrieve the requested data from the CylanceOPTICS cloud database, and return the data to the management console.
  9. The detection data, query result, or focus data is displayed in the management console.
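The following is an added illustrative model of steps 3 to 6 above, written for this page and not code from BlackBerry or the CylanceOPTICS agent. It shows the agent-side logic the flow implies: rules carrying a configured response are evaluated against sensor events, a response that needs a playbook package the device lacks triggers a request to the cloud before it runs, and queued detection records are prioritized before upload. The rule format, event field names, the `CloudStub` class and the sample rules and events are all assumptions constructed for the demonstration.

```python
"""Illustrative model of the CylanceOPTICS detect-and-respond flow.
Added example, not vendor code: rule shape, event fields and the cloud stub
are assumptions made for this demonstration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DetectionRule:
    name: str
    # Condition over a raw event dict; stands in for the CAE's rule logic (assumed shape).
    condition: Callable[[dict], bool]
    response: str                    # configured response, e.g. "suspend_process"
    playbook: Optional[str] = None   # playbook package the response needs, if any
    severity: int = 1                # higher = more urgent; drives upload ordering


@dataclass
class CloudStub:
    """Stands in for the cloud services: serves playbook packages and stores events."""
    playbooks: Dict[str, str]
    stored_events: List[dict] = field(default_factory=list)
    playbook_requests: List[str] = field(default_factory=list)

    def fetch_playbook(self, name: str) -> str:
        # Step 5, second bullet: cloud processes the detection and returns the needed data.
        self.playbook_requests.append(name)
        return self.playbooks[name]

    def ingest(self, events: List[dict]) -> None:
        # Step 6: cloud receives the event batch and stores it.
        self.stored_events.extend(events)


class Agent:
    def __init__(self, rules: List[DetectionRule], cloud: CloudStub):
        self.rules = rules                         # steps 2-3: rules from the device policy
        self.cloud = cloud
        self.playbook_cache: Dict[str, str] = {}   # packages already present on the device
        self.pending: List[Tuple[int, dict]] = []  # (severity, detection record)
        self.actions: List[str] = []               # responses executed, for inspection

    def observe(self, event: dict) -> List[str]:
        """Steps 4-5: a sensor event is checked against every rule; return matched rule names."""
        matched = []
        for rule in self.rules:
            if not rule.condition(event):
                continue
            matched.append(rule.name)
            if rule.playbook and rule.playbook not in self.playbook_cache:
                # Response needs data the device does not have yet: ask the cloud once, then cache it.
                self.playbook_cache[rule.playbook] = self.cloud.fetch_playbook(rule.playbook)
            self.actions.append(f"{rule.response}:{event['pid']}")
            self.pending.append((rule.severity, {"rule": rule.name, "event": event}))
        return matched

    def flush(self) -> List[dict]:
        """Step 6: send queued detection records to the cloud, highest severity first."""
        self.pending.sort(key=lambda p: p[0], reverse=True)
        batch = [record for _, record in self.pending]
        self.pending.clear()
        self.cloud.ingest(batch)
        return batch


def demo() -> Tuple[Agent, CloudStub]:
    # Constructed sample rules and events; not real CylanceOPTICS rule syntax.
    rules = [
        DetectionRule("office_spawns_shell",
                      lambda e: e["parent"] == "winword.exe" and e["image"] == "cmd.exe",
                      response="suspend_process", severity=3),
        DetectionRule("lsass_access",
                      lambda e: e["target"] == "lsass.exe",
                      response="run_playbook", playbook="collect_memory_context", severity=5),
    ]
    cloud = CloudStub(playbooks={"collect_memory_context": "<constructed package bytes>"})
    agent = Agent(rules, cloud)
    agent.observe({"pid": 101, "parent": "winword.exe", "image": "cmd.exe", "target": ""})
    agent.observe({"pid": 202, "parent": "svchost.exe", "image": "unknown.exe", "target": "lsass.exe"})
    agent.observe({"pid": 303, "parent": "explorer.exe", "image": "notepad.exe", "target": ""})
    agent.flush()
    return agent, cloud


if __name__ == "__main__":
    a, c = demo()
    print("responses:", a.actions)
    print("stored order:", [r["rule"] for r in c.stored_events])
    print("playbooks fetched:", c.playbook_requests)
```

Running `demo()` shows the two behaviours the flow distinguishes: the first rule's response runs immediately because the agent already has everything it needs, while the second rule's response first round-trips to the cloud for its playbook package and then runs from the local cache on any later match. The upload order (severity 5 before severity 3) is the prioritization step 6 refers to.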