User Behavioral Analytics - CyberSight Full URL User Activity Logs
now
Kate Trojanowski
Traditional DNS reporting shows which domains a device resolved, but not what the user actually did. DNS logs capture every background query, prefetch, and embedded resource, making it difficult to separate real activity from noise. For example, thousands of lookups to Facebook may reflect only a logo on a page, not active use.
CyberSight changes this by introducing Activity Logs within the Windows Agent that operate at the user level. These logs capture applications used, websites visited, and how long users engaged with them — with the added clarity of full URL visibility. Unlike DNS-only logs, this makes it possible to understand exactly what was clicked, when it happened, and for how long. Importantly, CyberSight also captures activity while devices are offline, syncing data once they reconnect, so visibility isn’t lost.
This richer log data makes investigations and incident response more effective. Security teams can filter out background noise, trace potential attack chains, and review user actions with greater accuracy — all within the product, without relying on third-party SIEMs. CyberSight Activity Logs also establish the foundation for dashboards, reporting, and behavior-based intelligence in future phases.