In this article

Use this article to activate CyberSight, capturing browser activity and user behavior to provide deeper visibility across managed Windows devices.

CyberSight is included with Pro and Enterprise plans and stores activity data for up to one year.

CyberSight is an activity logging feature available with the Windows Roaming Client v3.2.0+. It provides visibility into end-user behavior for security investigations and operational analysis.

CyberSight tracks:

• Full URLs (supported browsers only)
• Usage:
  • Application usage
  • Website traffic
  • Streaming activity, which includes video conferencing, training videos, and streaming content
• Login and logout events
• Machine lock and unlock events
• Idle time, recorded after two minutes of inactivity, which is intelligently differentiated from active engagement in streaming activities like meetings or training videos

CyberSight does not capture network traffic. It only logs browser and device-level activity.

CyberSight installs a browser extension automatically with the Windows Roaming Client v3.2.0+.

Full support:

• Google Chrome
• Microsoft Edge

Other Windows-compatible browsers may load the extension but provide limited visibility. For example, Firefox does not support full URL visibility and may only report high-level usage, such as time spent in the application.

🚨 Important: Security tools that provide browser protection like ThreatLocker or CrowdStrike can block CyberSight from installing. Follow vendor documentation to allow the extension prior to deploying the Windows agent.

Once CyberSight is unblocked by the security tool, restart the device to trigger the installation.

Enable CyberSight at the Organization level after deploying the Windows Roaming Client v3.2.0 or higher.

✍️ Note: The CyberSight extension requires an up-to-date browser. Install any pending browser updates before activation.

1. From the Roaming Clients page, select Control Center
2. Select CyberSight
3. Toggle on CyberSight Analytics and Browser Extension URL
4. Save the changes

Activity begins populating in the dashboard within five minutes of successful activation. The extension appears in the browser’s extension list and end-user controls are managed by the Organization by default.

CyberSight and DNS analytics measure different activity:

• CyberSight logs user interactions with their device
• DNS Query Log and Insights record DNS requests

These tools operate independently and will not show the all same data.

Here are two example use cases:

When an endpoint detection and response (EDR) tool reports suspicious activity, Activity Logs can provide the surrounding context:

Filter Activity Logs to the alert timestamp

• Review which Applications were active
• Check recent Websites visited
• Confirm whether the device was Active, Idle, or Locked
• Review the Window Titles column to identify documents, meeting names, or content themes

This sequence helps determine what led to the alert. DNS query logs can then be used to validate whether any network connections occurred during the same window, building a full event timeline for triage.

When DNS filtering blocks a risky or suspicious domain, Activity Logs can identify the user action that triggered the block:

• Match the DNS block time with Activity Logs
• Identify which browser tab or application was active
• Determine whether the user clicked a link, opened a file, or retried the connection
• Assess whether the activity originated from user behavior or automated processes

This insight helps determine intent, identify phishing attempts or malware execution, and validate whether the block prevented a legitimate threat.