Frequently Asked Questions

How long is my data retained?

Endpoints will be visible on the Endpoints page for 90 days since they were last seen. Endpoints that reconnect after the 90 day period has passed may receive a new Orbital endpoint identifier, but will otherwise function normally and appear on the Endpoints page again.

Result content is retained for up to 48 hours, including:

  • osquery result data

Result metadata is retained for 90 days, including:

  • Result row count

  • Result creation time

  • Endpoint that produced the result

Query metadata is retained for six (6) months and includes:

  • Query SQL statements

  • Query creator

  • Query creation timestamp

In order to retrieve and store query results for a longer period of time than listed above, Orbital offers several options. You can:

  • use the Results API to collect the results, as long as you collect the results within the 48 hour retention window.

  • download the results in both the CSV and JSON formats for query results and the CSV format for script results.

  • configure an external Remote Data Store that Orbital can deliver results to.

How many nodes can I query?

Orbital is designed to support querying all of your endpoints. You can view query results using the Results page. This allows you to download your query results in either CSV or JSON format, or your script results in CSV format. The Orbital API can also be used to view results using the Results API.

Why do some of my Orbital nodes have a badge in the Orbital user interface with a Cloned from indicator?

The Orbital engine is installed by the Secure Endpoint Connector and Orbital nodes share an identity with Secure Endpoint Connectors. In the case where a deployable endpoint golden image is created after the Secure Endpoint Connector has already registered and installed Orbital it can lead to duplicated identities inside Orbital.

Orbital provides visibility into multiple endpoints configured with identical Secure Endpoint Computer GUIDs. These nodes will be identified on the UI as clones As of Orbital Node version 1.10 cloned nodes are automatically given new and unique internal identifiers (Orbital Node ID) and the Secure Endpoint Computer GUID remains the same.

The original node identifier seen by Orbital is referenced for visibility but has been replaced and is inactive.

For installation options that allow provisioning and deploying a golden image with the Secure Endpoint Connector refer to the Windows Connector Installer Command Line Switches section in the Secure Endpoint User Guide.

How do I know when the nodes are ready for use with Script?

Once Orbital's Script feature has been enabled and the endpoint's node is ready for use, a line containing the string python is enabled will be added to the Operating System's logs. The following three sections discuss viewing the logs in Windows, macOS, and Linux.

Viewing Logs in Windows

In Windows Event Viewer, the path to access the log entry is:

Event Viewer->Windows Logs->Application

The value for the Event Viewer's Source column will be CiscoOrbital.

The event log listing will have the string python is enabled displayed in the message field of the General tab.

Viewing Logs in macOS

To view the appropriate log entry to check to see if Python is activated on the endpoint's node, type the following command into a Terminal window:

log show --predicate 'subsystem == "com.cisco.endpoint.orbital"' | grep python

The resulting output will look similar to the output below:

1923-09-11 21:02:48.101010-0600 0x10a8 Default 0x0 540 0 orbitalhelper: [can.cisco.endpoint.orbital:service] {"level": "info", "time": "1923-09-11T09:02:48Z"," message": "python is enabled"}

Viewing Logs in Linux

To view the appropriate log entry to check to see if Python is activated on the endpoint's node, type the following command into a terminal:

grep python /var/log/messages

The output should list the string python is enabled.