Orbital Release Notes 2020
Orbital releases can be:
- Service Release - Maintenance, upgrades, and updates to the Orbital service or console.
- Node Release - Maintenance, upgrades, and updates to the Orbital node that runs on endpoints.
Orbital 1.10, 2020-10-30
Orbital now supports sending results through a Remote Data Store to Splunk and Amazon S3, with a choice of payload formats.
Orbital 1.10 also provides a number of bug fixes and internal improvements, and several user-facing features:
- Orbital will provide announcements via the UI.
- Results sent to the Private Intelligence Data Store can be searched by Job ID.
- Endpoints can be searched by any identifier prefix.
- Orbital provides visibility into multiple endpoints configured with identical Secure Endpoint Computer GUIDs by automatically giving those endpoints new, unique internal identifiers. These nodes are identified in the UI as clones. Endpoints in this situation that have not updated to Orbital endpoint (node) version 1.10 will remain connected but unable to process queries until they update. For more details see the FAQ.
Orbital 1.9, 2020-09-08
Orbital 1.9 provides a number of bug fixes and internal performance and infrastructure improvements.
Beginning with Orbital 1.9, scheduling a Job with a Remote Data Store first contacts the data store to verify that it exists and that the supplied credentials authenticate; the job is only accepted if that check succeeds. This prevents avoidable result delivery failures. Because the check runs at scheduling time, credentials or permissions that change after the job is scheduled can still cause delivery failures.
This release also begins detecting when multiple endpoints are configured with identical Secure Endpoint Computer GUIDs, so that each of those nodes can be uniquely identified. In 1.9, nodes in that situation are not allowed to run queries.
Orbital 1.8, 2020-07-10
Orbital 1.8 provides a number of bug fixes and internal improvements.
The Query API allows specifying a random set of nodes as targets for a query.
Orbital 1.7, 2020-06-10
Orbital 1.7 moves our installers from S3 to our own update servers, so Orbital can be installed on hosts under Secure Endpoint host isolation. This lets you investigate a host while it is isolated without having previously enabled Orbital. This change also makes it possible to add Orbital's installation servers to firewall policies by IP address. (See Required Server Addresses for Proper Secure Endpoint & Secure Malware Analytics Operations for more information.)
This update also exposes WMI data through osquery tables. That lets us disable Orbital's osquery event subscriptions, which were causing performance problems on hosts with unusually high volumes of Windows events.
The following tables are available in Orbital 1.7 on Windows, in addition to those in osquery, and are backed by WMI classes. (The table names are taken directly from their associated WMI classes.)
- AntiVirusProduct -- Installed Windows antivirus products.
- FirewallProduct -- Information about installed firewall products.
- Malware -- Malware sightings reported to SecurityCenter by antivirus products.
- Win32_DeviceGuard -- Status of Windows Device Guard on Windows 10 Professional and Server endpoints.
- Win32_NtEventLogFile -- Information about Windows Event Log files.
- Win32_NtLogEvent -- Windows log events.
- Win32_OptionalFeature -- Status of installed Windows features.
- Win32_OSRecoveryConfiguration -- Windows recovery configuration.
- Win32_Printer -- Installed printers.
- Win32_Registry -- Information about Windows registry files.
- Win32_ShortcutFile -- Information about Windows shortcuts.
- Win32_Tpm -- Whether a Trusted Platform Module is present, enabled and activated.
- Win32_UserAccount -- User accounts registered with Windows.
- Win32_WinSat -- Windows System Assessment scores.
In addition, we have added the following table:
- dns_cache -- Access to the Windows DNS resolver cache, for identifying recent domain name lookups.
We have also had to remove the following table, which depended on the osquery eventing framework and performed poorly on hosts with high volumes of Windows log events:
- powershell_events -- Use orbital_powershell_events instead; it reads the same data source but through WMI rather than the eventing framework.
We regret this change, since it may disrupt existing queries: queries taken from the osquery community must have powershell_events changed to orbital_powershell_events.
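The following osquery SQL is an added illustration of how these WMI-backed tables can be used in Orbital queries; it is not from Orbital's stock catalog. It assumes that column names mirror the properties of the corresponding WMI classes (as the table names do), that WMI booleans appear as 0/1, that dns_cache exposes name and type columns, and that orbital_powershell_events keeps the script_text column of the powershell_events table it replaces. Confirm each of these against the Orbital table schema before relying on it.

```sql
-- Added example queries against Orbital 1.7's WMI-backed tables (not stock queries).
-- Column names are assumed to match the WMI class properties; booleans assumed 0/1.

-- Enabled local accounts that Windows does not require a password for.
SELECT Name, Domain, SID, Lockout
FROM Win32_UserAccount
WHERE LocalAccount = 1 AND Disabled = 0 AND PasswordRequired = 0;

-- TPM readiness: all three should be 1 before relying on BitLocker or attestation.
SELECT IsEnabled_InitialValue, IsActivated_InitialValue, IsOwned_InitialValue
FROM Win32_Tpm;

-- Is virtualization-based security actually running, not merely configured?
-- SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI.
SELECT VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
FROM Win32_DeviceGuard;

-- Registered antivirus and firewall products. productState is a bit field
-- that encodes enabled and up-to-date status; decode it before alerting on it.
SELECT 'av' AS kind, displayName, productState FROM AntiVirusProduct
UNION ALL
SELECT 'fw' AS kind, displayName, productState FROM FirewallProduct;

-- Legacy features that should not be enabled on a hardened host. InstallState 1 = enabled.
SELECT Name, InstallState
FROM Win32_OptionalFeature
WHERE Name IN ('SMB1Protocol', 'TelnetClient', 'TFTP') AND InstallState = 1;

-- Recent Security-log events worth hunting: 1102 (audit log cleared),
-- 4720 (account created), 4732 (member added to a local group).
-- Always constrain Logfile; an unfiltered Win32_NtLogEvent query walks every log.
SELECT Logfile, EventCode, TimeGenerated, SourceName, Message
FROM Win32_NtLogEvent
WHERE Logfile = 'Security' AND EventCode IN (1102, 4720, 4732)
ORDER BY TimeGenerated DESC
LIMIT 50;

-- Recent name lookups from the resolver cache (assumed columns: name, type).
SELECT name, type FROM dns_cache;

-- A community powershell_events hunt rewritten for the renamed table.
SELECT script_text
FROM orbital_powershell_events
WHERE script_text LIKE '%FromBase64String%';
```

The Win32_NtLogEvent query is the one to be careful with: the underlying WMI class enumerates every event log unless the query constrains Logfile, and that is exactly the high-volume-host problem that motivated moving off the eventing framework, so keep the filter and the LIMIT when adapting it.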
Orbital 1.6, 2020-05-04
Orbital 1.6 makes some subtle changes in how we identify the type of observable values in query results. Previously, we used a set of regular expressions to make an educated guess about whether a value was a SHA-256 hash, domain name or network address, so that Cisco Threat Response (CTR) could provide context and actions. Orbital 1.6 instead looks at the column name and infers the type from a few simple rules, applied in this order:
- Is the column name the same as one of the CTR observable types, such as domain, sha256 or ip? If so, that is the type.
- Otherwise, does the column name start with one of the observable types, like domain_1? If so, use that.
- Otherwise, does the column name end with one of the observable types, like dst_ip? If so, use that.
This change does not affect our catalog of stock queries, which already carry metadata specifying the observable type for each column. With this change, you can now send the results of your custom queries to your CTR Private Intelligence repository. (Previously, only the results of stock queries could be sent, because only they carried metadata identifying the observable types.)
Frequently Used Observable Types
CTR and the Cisco Threat Intelligence Model (CTIM) define a large number of observable types. A few that are frequently used:
- sha256 -- The SHA-256 hash of a file or other entity, in hexadecimal encoding. (See also md5 and sha1 for other hashes.)
- ip -- An IPv4 network address. (See ipv6 for IPv6 addresses.)
- domain -- A DNS domain name.
- hostname -- A computer host name.
For an exhaustive list, see Observables in CTIM Sightings.
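As an added example (not a stock Orbital query), the custom query below names its columns so that the Orbital 1.6 rules type each observable for CTR. It uses the standard osquery tables processes, process_open_sockets, hash and system_info; only the column aliases are specific to Orbital's inference.

```sql
-- Added example: alias columns so Orbital 1.6 recognizes each CTR observable.
-- Rule 1 (exact name) wins over rule 2 (prefix), which wins over rule 3 (suffix).
SELECT
  si.hostname        AS hostname,      -- exact match: typed as hostname
  p.pid,
  p.name             AS process_name,  -- matches no rule: deliberately untyped
  h.sha256           AS sha256,        -- exact match: typed as sha256
  s.remote_address   AS dst_ip,        -- suffix match: typed as ip
  s.remote_port,                       -- matches no rule: stays a plain number
  s.local_address    AS ip_local       -- prefix match: typed as ip
FROM process_open_sockets s
JOIN processes p ON p.pid = s.pid
JOIN hash h ON h.path = p.path
CROSS JOIN system_info si
WHERE s.family = 2                     -- AF_INET only, so the ip columns never carry IPv6
  AND s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1')
  AND s.remote_port != 0;
```

Two consequences of the rules are worth keeping in mind when naming columns. First, the rules are positive-only: a column that merely contains an address but is called remote_address is never typed, while a column called ip_version is typed as ip by the prefix rule even though it holds no address, so avoid observable-type prefixes and suffixes on columns that are not observables. Second, ip means IPv4; the family filter above keeps IPv6 sockets out of the dst_ip column. To send IPv6 addresses, run a second query that selects AF_INET6 sockets (family 23 on Windows, 10 on Linux) and aliases the address column to dst_ipv6, which the exact-match rule types as ipv6 rather than ip.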
Orbital 1.5, 2020-04-07
Orbital 1.5 lets customer administrators authorize other users to use Orbital and introduces support for Windows Server 2016 and later. We have also started aggregating metrics for Cisco SecureX components and APIs. There are a lot of changes below the waterline this release that we are eager to share when SecureX is ready for beta.
- Orbital for Non-Administrators. Administrators can manage access to Orbital for other users in their organization.
- Windows Server Support. We now support Windows Server 2016 and later.
Orbital 1.4, 2020-03-11
Orbital 1.4 builds on last month's release by adding Cisco Threat Response (CTR) pivot menus to common observables, and by supporting automatic delivery of results to private intelligence stores. This advanced feature lets you configure periodic queries tied to current threats and send their results to CTR, so you can monitor for affected hosts.
We have also exposed the Orbital API v0 which lets customers build applications that can run queries and collect results. This feature is important to our objective of exposing information about your endpoints to your security applications.
- API Documentation. Without documentation, it would be very difficult to discover and learn how to use Orbital APIs. We are working on a Python reference module as well.
- Theme support. You can switch Orbital to high contrast, white on black or low contrast greys on blues.
- Orbital Pivot Menus. Orbital can present actions from your CTR modules next to observable types, such as domain names, file hashes and network addresses.
Orbital 1.3, 2020-02-14
Orbital 1.3 adds Cisco Threat Response (CTR) to our user interface. While you view results, common observables are sent to CTR to identify values that your team and intelligence providers have marked as malicious or innocuous. This release also adds support for Casebook, so you can quickly send observables from your query results to CTR for later investigation.
- Documentation. As Orbital adds more features, it is even more important to show you how they work and inform you about changes.
- Guided UI for new users. Orbital's live query user interface is unique to our product, and we find it necessary to coach new users on how to specify nodes, use the catalog and schedule queries.
Orbital 1.2, 2020-01-31
Orbital 1.2 introduces independent clouds for EU and APJC customers. We consider your information to be most sensitive, and we want to be sure you can choose the regulatory region that you and your organization can trust. We are growing our operations team to ensure we have coverage around the world in case there are any support issues.
- Secure Malware Analytics integration. The Secure Malware Analytics expert system will suggest Orbital queries, based on sample analysis, to search your environment for hosts that may be at risk.