Catalog Details
The Orbital Catalog Details page displays the specific information for a query or script. Each Catalog Details page includes a description of the query or script, the query's SQL statement or the script's Python statement, and, for stock queries and scripts, the associated MITRE ATT&CK tactics and techniques.
To open a query or script's Catalog Details page, click the desired query or script name link on the Catalog page.
Filters
The filters pane allows you to refine the displayed queries and scripts. Use filtering options to limit the results based on specific criteria.
Use the Search catalog field to search for specific queries or scripts.
You can also use filter categories:
- Organization
- Favorite
- New
- Deprecated
- Operating System
- Type
- Category
- ATT&CK tactic
- ATT&CK technique
- ATT&CK sub-technique
The Applied filters component appears as you add search terms and filters. It provides a dynamic summary of your active filters. To remove a filter criterion, select the Remove button (shown as an X icon) on the item you want to remove.
Filters are not exclusive. Queries and scripts that include categories beyond the one specified in the filter will also be included.
Click Clear filters to clear all filters from the Filters pane or search terms from the Search field.
Upload Queries
You can develop and manage queries outside Orbital. For this, create queries on your device and click Upload queries to upload them to your Orbital catalog. You can upload queries in JSON format only.
We recommend using a query template to ensure the file has the correct format and fields. Refer to the Download Query Template section for more details.
You cannot upload scripts to the Orbital catalog. For more information, refer to the Using Catalog topic.
Download
The Download option allows you to export queries and scripts from your Orbital catalog.
For more information, refer to the Using Catalog topic.
Catalog table
Name
This column displays the name of the catalog query or script. Click the query name to open a Catalog details window.
A warning icon next to the name advises you to be careful when running the query or script. The Catalog details window displays additional warning information.
Action Menu
Click the three-dot icon to open an action menu.
- Copy query/script: copies the highlighted query or script. You can modify and use it as a custom query or script.
- Copy URL: copies the URL of the highlighted query or script.
- Use query/script: copies the highlighted query or script and immediately loads it into the Orbital Builder. You can add new devices or other parameters to create the new query or script.
- Favorite: marks the selected query or script as one of your favorite queries or scripts to run. When a query or script is marked as a favorite, it is displayed in the Favorites list on the Investigate page.
Deprecated queries or scripts will be automatically removed from your Favorites list.
- Edit (available for custom queries/scripts): allows you to edit a custom query or script and save it to the catalog. Refer to the Using Catalog topic for more information.
- Delete (available for custom queries/scripts): allows you to delete a custom query or script from the catalog.
Deleting a custom query from the Catalog is irreversible. You cannot recover a query once it is deleted.
OS
This column shows the operating systems used by devices that the query or script will be run against.
Category
This column lists the investigation category of the query or script:
- Containment - limiting an active infection.
- Eradication - removal of artifacts and objects.
- Forensics - acquisition of information for forensics and incident response purposes.
- Identification - identification of artifacts and objects such as file type, file hashes, associations, etc.
- Live Acquisition Of Volatile Data - retrieval of data that may be considered volatile, for forensics or incident response purposes.
- Posture Assessment - these queries assess the security posture of the host. They can uncover weaknesses, configuration discrepancies, or anomalous startup items, or provide visibility into specific aspects of a host's current status.
- Recovery - recovery of lost artifacts and objects.
- Threat Hunting - queries that determine the presence of unusual, anomalous, suspicious, or outright malicious attributes on hosts.
- Vulnerability Mitigation - mitigation of vulnerabilities and threats.
The investigation categories can only be assigned to the queries and scripts created by the Talos team.
MITRE | ATT&CK
This column identifies which MITRE ATT&CK tactics and techniques the query involves. It is available only for stock queries and scripts.
Click the MITRE | ATT&CK Tactics indicator to display the Tactics Detail window.
Refer to the MITRE ATT&CK Indicator topic for more information.
Updated by
This column displays the user who updated the query or script.
Updated
This column displays the date when the query or script was last updated.
ID
This column displays the unique ID that Orbital assigns to each query. The IDs assigned to stock queries differ from those assigned to custom queries: custom query IDs have an org: prefix.
The settings for the Catalog table will be retained during each login session.