In this article

Use this article to understand what CyberSight captures and how it supports security, operational insight, and incident investigation.

CyberSight is a device activity logging tool included with the Windows Roaming Client v3.2.0+. It records time-stamped user behavior to help administrators understand what occurred around security events, DNS blocks, and operational issues.

CyberSight provides a behavioral timeline that complements DNS data and endpoint alerts.

CyberSight provides the “why” behind user activity by combining URL visibility, application usage, and device state changes into a single timeline. This context strengthens investigations, improves response workflows, and enables more informed decisions across security, compliance, and IT operations.

With CyberSight, IT admins can:

CyberSight helps identify the actions that led to an endpoint alert, suspicious executable, or risky download. This reduces investigation time and clarifies whether the event was user-driven or automated.

By matching a DNS block timestamp with device activity, CyberSight can reveal whether a user clicked a link, opened a file, or interacted with an application that triggered the request.

Unexpected activity—such as new applications opening while the device is idle or unfamiliar websites loading automatically—can help surface early signs of compromise.

CyberSight provides an objective record of browsing activity, app usage, and device state. This enables consistent evaluation without invasive monitoring.

CyberSight records full browser URLs even when a device uses its own proxy or alternate DNS resolver. This stops students from hiding activity by bypassing DNSFilter and ensures visibility into attempted circumvention and off-policy behavior.

Activity Logs can help identify what the device was doing during an outage, slowdown, or service interruption, making operational issues easier to diagnose.