Key features of CylanceOPTICS
You can use the management console to query the device data collected by the CylanceOPTICS agent to investigate security incidents and discover indicators of compromise. When CylanceOPTICS identifies a file as a potential threat, you can retrieve the file from the device for further analysis.
InstaQuery allows you to interrogate a set of devices about a specific type of forensic artifact, so you can determine whether an artifact exists on those devices and how common it is. Advanced query is an evolution of InstaQuery that provides more granular search capabilities using EQL syntax to enhance your ability to identify threats.
You can use the following visualization features to assist your forensic analysis:
Detect and respond to events
CylanceOPTICS uses the Context Analysis Engine (CAE) to analyze and correlate events as they occur on devices in near-real time. You can configure CylanceOPTICS to take automated response actions when the CAE identifies certain artifacts of interest (for example, display a notification or log off the current user), providing an additional layer of threat detection and prevention to complement the capabilities of
You can customize the detection capabilities of CylanceOPTICS to suit your organization's needs. You can create detection rule sets with your desired configuration of rules and responses, you can clone and modify existing detection rules or create your own custom rules, and you can create detection exceptions to exclude specific artifacts from detection.
Deploy packages to collect data
You can use the package deploy feature to remotely and securely run a process (for example, a
CylanceOPTICS devices to collect and store desired data in a specified location for further analysis. For example, you can run a process to collect browser data. You can use the CylanceOPTICS data collection packages that are available in the management console or you can create your own.
Lock devices to isolate threats
You can lock an infected or potentially infected device, disabling its LAN and Wi-Fi network capabilities to stop command and control activity, the exfiltration of data, or the lateral movement of malware. Various lockdown options are available to suit your organization's needs.
Send actions to devices
You can use the remote response feature to securely execute scripts and run commands on any CylanceOPTICS-enabled device directly from the management console, using a familiar command line interface.