Skip Navigation

Key features of

You can use the management console to query the device data collected by the
agent to investigate security incidents and discover indicators of compromise. When
identifies a file as a potential threat, you can retrieve the file from the device for further analysis.
InstaQuery allows you to interrogate a set of devices about a specific type of forensic artifact, and allows you to determine whether an artifact exists on devices and how common that artifact is. Advanced query is an evolution of InstaQuery that provides more granular search capabilities using EQL syntax to enhance your ability to identify threats.
You can use the following visualization features to assist your forensic analysis:
  • The InstaQuery facet breakdown provides an interactive visual display of the different facets involved in a query so that you can identify and follow their relational paths.
  • Focus data allows you to visualize and analyze the chain of events, and the associated artifacts and facets of those events, that resulted in a piece of malware or another security threat on a device.
Detect and respond to events
uses the Context Analysis Engine (CAE) to analyze and correlate events as they occur on devices in near-real time. You can configure
to take automated response actions when the CAE identifies certain artifacts of interest (for example, display a notification or log off the current user), providing an additional layer of threat detection and prevention to complement the capabilities of
CylancePROTECT Desktop
You can customize the detection capabilities of
to suit your organization's needs. You can create detection rule sets with your desired configuration of rules and responses, you can clone and modify existing detection rules or create your own custom rules, and you can create detection exceptions to exclude specific artifacts from detection.
Deploy packages to collect data
You can use the package deploy feature to remotely and securely run a process (for example, a
script) on
devices to collect and store desired data in a specified location for further analysis. For example, you can run a process to collect browser data. You can use the
data collection packages that are available in the management console or you can create your own.
Lock devices to isolate threats
You can lock an infected or potentially infected device, disabling its LAN and
network capabilities to stop command and control activity, the exfiltration of data, or the lateral movement of malware. Various lockdown options are available to suit your organization's needs.
Send actions to devices
You can use the remote response feature to securely execute scripts and run commands on any
-enabled device directly from the management console, using a familiar command line interface.