Orbital Release Notes 2021

Orbital releases can be:

  • Service Release - Maintenance, upgrades, and updates to the Orbital service or console.

  • Node Release - Maintenance, upgrades, and updates to the Orbital node that runs on endpoints.


Orbital Linux Node 1.17, 2021-12-01

  • Orbital node support for Linux, shipping with osquery version 4.8.0. See the Supported Platforms page for details on specific distributions and versions.

  • The new machine: prefix can be used for endpoint selection on the Query page and endpoint search on the Endpoints page to identify the Linux endpoint with the given machine ID.

  • The new anyconnectudid: prefix can be used for endpoint selection on the Query page and endpoint search on the Endpoints page to identify the Linux endpoint with the given AnyConnect UDID.

Orbital 1.17, 2021-11-29

  • Added a Save Empty Results toggle to the Schedule Orbital Job form on the Query page. Turning the toggle off sends only results that contain rows to the remote data store. In the Query API the related field is RequireRows, which defaults to false, preserving the legacy behavior of sending all results, including empty ones, to the Remote Data Store.

  • Added the ability to rename scheduled queries from the context menu on the Jobs page. Clicking the vertical ellipsis menu displays the Jobs context menu, from which you can select the new Rename command.

  • Added the Run Once radio button to the Schedule Orbital Job form on the Query page. Selecting it has the same effect as specifying a zero (0) value for the scheduled query's interval parameter. Refer to the Scheduled Query's Run Once section for more information.

  • Added the ability to type an existing query's name (or its name and queryId, if more than one query has the same name) as the value of the link: parameter. The link: parameter is typed into the Endpoints field on the Query page.

Orbital 1.16, 2021-10-19

  • Linked Queries are new to Orbital in release 1.16. They allow you to use the node list from one or more existing queries as the node list or lists for a new query, provided that the existing query or queries return results that are not empty. For more information, refer to Linked Queries.

  • The ellipsis menu and the related Random Endpoints menu on the Query page have been replaced with individual icons. The new icons are:

  • Clear Endpoints - Clicking this icon removes any endpoints listed in the Endpoints field.

  • Copy Endpoints - Clicking this icon copies all of the endpoints listed in the Endpoints field.

  • Linked Queries - Clicking this icon displays a list of existing queries that can be used by the Linked Queries feature.

  • Add Random Endpoints - Clicking this icon displays the Add Random Endpoints menu, from which you can specify how many randomly selected endpoints are added to the Endpoints field.

  • An Operating System Filter popup has been added to Orbital's Query page, below the left side of the Endpoints field. The popup narrows the endpoint list to a specific operating system and is related to the allowos prefix introduced in Release 1.15. It is opened by clicking the Operating System Filter icon.

Known Issues in 1.16

There is an issue in osquery version 4.8.0 and later that can cause an error to be returned when running queries against the windows_eventlog table. The error triggers only when certain log data is present in the Windows Event Log. Subsequent custom queries run against an affected node return results without issue. Subsequent Orbital catalog queries also return results, but with the error "bookkeeping osquery failed" shown alongside the query. This does not affect the returned results; however, the error persists until the Orbital node service is restarted on the endpoint.

If this issue is encountered, the WMI class table Win32_NtLogEvent can be used as a workaround for affected queries.

Orbital 1.15, 2021-08-25

  • Community Features:

  • Organizational Catalog (called Organization Queries in UI) - users may save custom queries

  • My Recent Queries

  • My Favorite Queries

  • Netmask prefix support in endpoint search

  • Added support for mac, macos, and darwin as values for the os prefix

  • Ability to select random macOS nodes

Orbital Node, 2021-08-26

Orbital node support for macOS version 10.15 or later.

Note: Customers must be running Secure Endpoint (formerly AMP for Endpoints) Connector version 1.16.0 and enable the Orbital policy. Customers are advised that this release should be considered an in-field Beta and should refer to the macOS Troubleshooting page for any issues.

  • Support for Forensic Snapshots initiated in Secure Endpoint

  • Support for 41 macOS-specific and 46 cross-platform queries

Apple's current beta of its next major release, macOS Monterey (version 12), is not supported at this time.

Orbital Node 1.14, 2021-07-26

Orbital now supports the use of proxy settings that users configure in their Secure Endpoint policy settings.

Note: Secure Endpoint Connector version 7.4.1 or later must be installed before you can use proxies. Refer to your Secure Endpoint User Guide for more information on configuring your Secure Endpoint connector policy settings.

osquery version 4.8.0 is included in the Orbital Node 1.14 update.

An Orbital node version policy has been implemented. This policy allows nodes to be identified by Orbital as Supported, Unsupported, or Rejected.

  • Supported nodes are those that are up to date or only one version behind the current node version. These nodes are identified in green and are allowed to connect to Orbital.

  • Unsupported nodes (the tier the Orbital 1.14 service release notes call Accepted) are those that are two or more versions behind the current version. These nodes are identified in yellow. They are still allowed to connect to Orbital and be queried, but should be updated.

  • Rejected nodes are those that are old enough that they are no longer supported by the Orbital service. These nodes are identified in red and are not allowed to connect to the Orbital service.

Refer to the Support Policy for Orbital Node Versions section in the Nodes topic for more information on the node version policy.

Orbital 1.14, 2021-06-29

Orbital 1.14 provides a number of bug fixes, internal improvements, and user-facing features:

  • Assets page renamed to Endpoints.

  • Ability to add labels to custom SQL stanzas to better identify results.

  • Display human readable hostnames when random nodes are selected for a query.

  • Historical data is now easier to visualize with mini line charts for organization metrics, and results line charts.

Endpoints can now be targeted in queries with a netmask prefix. Several prefixes now support wildcards in both query targeting and node search.

Previously, each time an S3 Remote Data Store (RDS) was created or associated with an Orbital Query, a small ping file was created in the user's bucket to verify connectivity and write access. Now, S3 RDS pings update a single file named orbital-rds-ping.json, which can be safely removed at any time.

Soon, Secure Endpoint users will have more control over when they upgrade their node. Orbital will categorize nodes into three states according to their version: supported, accepted, and rejected. A range of node versions is supported, meaning they contain the latest features. A further range is accepted, meaning that while they can still connect to the service with the functionality they have always had, they do not support the latest functionality. The final category is nodes that are refused connection to Orbital. Rejected nodes must upgrade in order to connect again.

  • A Node version status tile is provided on the dashboard to display a summary for the organization.

  • The current node version, as well as the minimum supported and accepted node versions are available in the /ok endpoint.

  • Node version and version status is displayed in the Endpoints table and Endpoint Details view.

  • Nodes that have not connected in 90 days will no longer be displayed on the Endpoints page.
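The node version policy described in the Orbital Node 1.14 and Orbital 1.14 notes above classifies each endpoint's node into one of three tiers from two thresholds (the minimum supported and minimum accepted versions, both exposed by the /ok endpoint). The following Python is an added example, not Orbital code: it assumes the two thresholds have already been read from /ok (the field names in that response are not given on this page, so they are passed in as plain strings) and shows the one detail an inventory script gets wrong most often, comparing "1.9" to "1.14" as strings. The hostnames and versions in the sample inventory are constructed.

```python
"""Classify Orbital node versions into supported / accepted / rejected.

Added example modelled on the three-tier policy in these release notes.
Assumption: the minimum supported and minimum accepted versions have
already been fetched from the /ok endpoint; their field names are not
documented here, so they are plain string parameters.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.14' or 'v1.14.2' into a tuple of ints for numeric comparison.

    Plain string comparison is the classic mistake here: '1.9' > '1.14'
    as strings, but (1, 9) < (1, 14) as tuples.
    """
    parts = version.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts)


def classify_node(node_version: str, min_supported: str, min_accepted: str) -> str:
    """Return 'supported', 'accepted' or 'rejected' for one node.

    supported: node >= min_supported            (current or one version behind)
    accepted:  min_accepted <= node < min_supported (connects, but should update)
    rejected:  node < min_accepted               (refused connection, must upgrade)
    """
    node = parse_version(node_version)
    if node >= parse_version(min_supported):
        return "supported"
    if node >= parse_version(min_accepted):
        return "accepted"
    return "rejected"


def summarize(nodes: dict[str, str], min_supported: str,
              min_accepted: str) -> dict[str, list[str]]:
    """Group hostnames by tier, like the Node version status dashboard tile."""
    summary: dict[str, list[str]] = {"supported": [], "accepted": [], "rejected": []}
    for host, version in nodes.items():
        summary[classify_node(version, min_supported, min_accepted)].append(host)
    return summary


# Constructed sample inventory: hostname -> reported node version (made up).
SAMPLE_NODES = {
    "ws-001": "1.14",
    "ws-002": "1.13",
    "srv-db-01": "1.12",
    "kiosk-7": "1.9",  # string comparison would wrongly rank this above 1.14
}

if __name__ == "__main__":
    # With current = 1.14, the notes imply min_supported = 1.13; 1.11 is an
    # assumed accepted floor for the example.
    for tier, hosts in summarize(SAMPLE_NODES, "1.13", "1.11").items():
        print(f"{tier:9s} {', '.join(hosts) or '-'}")
```

Run stand-alone it prints one line per tier; in practice you would feed it the version column exported from the Endpoints table and the two thresholds read from /ok, and alert on any host landing in the rejected tier, since those nodes can no longer be queried.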

Orbital 1.13, 2021-05-04

Orbital 1.13 provides a number of improvements and bug fixes.

  • Prefix-based targeting of endpoints in a query, and prefix-based search for endpoints on the Endpoints page. Note that endpoints that have not connected to the Orbital service for many months may lack the metadata needed to be matched by the nodeversion and osqueryversion prefixes.

  • Query page displays featured queries and other queries to explore.

  • The Query Catalog has been expanded and updated.

Orbital 1.12, 2021-04-03

  • Orbital 1.12 provides a number of internal changes in preparation for supporting SecureX.

Orbital 1.11, 2021-01-06

Orbital 1.11 provides a number of bug fixes and improvements.

  • New Job Results page displays details for up to 25 endpoint responses per page; the first 500 endpoint responses can be downloaded. See Jobs for more information.

  • Orbital offers increased time ranges for metrics data: Last hour, Last 24 hours, Last 7 days, Last 30 days, Last 60 days, and Last 90 days.