Create an InstaQuery
- In the management console, on the menu bar, click Focus > InstaQuery.
- Do one of the following:
  - Create a new InstaQuery:
    - If you want to clone a previous query, expand the Previous Queries section, find the query, and click Clone Query.
    - In the Search Term field, type a value that you want to search for (for example, a file name, hash, process, registry value, and so on). If you want to search for an exact match, select the Exact Matching check box.
    - In the Artifact drop-down list, click an artifact type.
    - In the Facet drop-down list, click the appropriate facet.
    - In the Zone drop-down list, select one or more zones.
    - Type a name and description for the query.
    - Click Submit Query.
    - The current status of the query is displayed in the Previous Queries section. When the query is complete, click View Results.
  - View a previous InstaQuery:
    - Expand the Previous Queries section.
    - For the query that you want to view, click View Results.
- In the InstaQuery Results section, you can expand the Actions menu to access the available actions for each result. Depending on the type of result, this can include:
  - Request and view focus data.
  - Globally quarantine a file. The file is displayed in Settings > Global List > Global Quarantine, in Protection > Threats, and in the Threats section of the device details.
  - Request and download a file. If path information is available for files associated with other artifact types, you can also download those files. The file is compressed and password-protected to ensure that it is not accidentally executed. The password is “infected”.
    The size limit for file retrieval is 50 MB. Artifacts and files are retained by Aurora Focus for 30 days (this period can be increased based on your organization's licensing).
- To view the InstaQuery facet breakdown, in the InstaQuery Results section, click the facet breakdown icon.