Using the Catalog

You can use the Filters and Search catalog functions to locate the query or script you need.

For more information on the Filters and Search catalog functions, refer to the Catalog Details page.

Edit a Custom Query or Script

  1. Go to the Catalog page.

  2. Navigate to the needed query or script.

  3. Click the three-dot menu icon to open the actions menu.

  4. Click Edit. The edit query/script window appears.

  5. Make the necessary changes:

    • Name: Rename the script or query. This field is mandatory and cannot be blank.

    • Description: Provide a description of the functionality.

    • OS: Select the operating systems the script or query executes on. This field is mandatory.

    • Custom SQL (available for query): This field is used to edit the SQL statement.

    • Custom SQL labels (available for query): Create a new label, or edit or delete an existing one. When you create a new custom query and save it to the Catalog, Orbital assigns a label to the Custom SQL statement; the label name is based on the primary SELECT statement. To add a Custom SQL label, enter the SQL and click Add. To edit a label, click the Edit label and SQL button and select Update changes.

    • Custom script (available for script): Edit the Python statement that was initially created or added to the script. This field is mandatory.

    • Parameters (available for script): Define parameters that the Python script will use. You can add custom parameters by entering their name, type, and value or click Get parameters from custom script to use the default script parameters.

  6. Click Save to save the changes.

Upload Queries

This function is only available for queries.

The Upload queries feature uses query packs to add new queries to the Orbital Query Catalog. Query packs can contain one or more queries that allow you to group similar queries together. This feature lets you create and test your queries on a local device without affecting your operating environment. Once uploaded, queries can be used by anyone in your organization.

Query packs are contained in a JSON file. The structure of the JSON file is outlined in the queryPackTemplate.json file. Refer to the Download Query Template section for more information on the file structure.

To upload queries:

  1. Go to the Catalog page.

  2. Click Download > Download query template.

    This step is optional, but the template helps to define the information and structure for the query packs.

  3. Open the downloaded template file.

  4. Rename the template file to describe the query or set of queries the file contains. Do not change the file extension.

  5. Edit the template file to include one or more queries you want to add to the Catalog. Refer to the Download Query Template section for more information.

  6. Note that the query name shown on the Query Catalog page is taken from the Query Name field in the query pack file.

  7. Save your changes.

  8. Return to the Catalog page.

  9. Click Upload queries. A file navigation window opens.

  10. Select your query pack file.

  11. Click Open to upload your query pack file to Orbital. Once the query pack has been uploaded and stored in the Catalog, it is displayed in the Query Catalog List pane.
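Because an uploaded pack becomes available to everyone in the organization, it is worth linting the file locally before step 9. The following added example (not Orbital's own code) checks the mandatory fields the edit window enforces (Name, OS, SQL) and rejects anything that is not a single read-only SELECT. The JSON field names and the sample pack are constructed assumptions; the authoritative layout is the queryPackTemplate.json you download from the Catalog.

```python
import json
import re

# Constructed sample pack. Field names are an ASSUMPTION for illustration only;
# take the real structure from the downloaded queryPackTemplate.json.
SAMPLE_PACK = json.dumps({
    "version": "1",  # accepted but currently ignored by Orbital
    "queries": [
        {"name": "listening_ports", "description": "Processes bound to TCP/UDP ports",
         "os": ["windows", "linux", "darwin"],
         "sql": "SELECT p.name, l.port, l.protocol FROM listening_ports l JOIN processes p USING (pid);"},
        {"name": "", "description": "missing name", "os": ["linux"], "sql": "SELECT 1;"},
        {"name": "bad_write", "description": "not read-only", "os": ["linux"],
         "sql": "DELETE FROM users;"},
        {"name": "multi", "description": "two statements", "os": [], "sql": "SELECT 1; SELECT 2;"},
    ],
})

# A query must start with SELECT, optionally preceded by a WITH (CTE) clause.
SELECT_ONLY = re.compile(r"^\s*(WITH\b.*?\bSELECT|SELECT)\b", re.IGNORECASE | re.DOTALL)


def check_query(q):
    """Return the list of problems found in one query entry (empty list means OK)."""
    problems = []
    if not q.get("name", "").strip():
        problems.append("name is mandatory")
    if not q.get("os"):
        problems.append("at least one OS is required")
    sql = q.get("sql", "").strip()
    if not SELECT_ONLY.match(sql):
        problems.append("sql must be a read-only SELECT")
    # Any ';' left after trimming the trailing terminator means stacked statements.
    if ";" in sql.rstrip(";"):
        problems.append("sql must contain a single statement")
    return problems


def validate_pack(text):
    """Map each query name (or a placeholder) to its list of problems."""
    pack = json.loads(text)
    return {q.get("name") or f"<unnamed #{i}>": check_query(q)
            for i, q in enumerate(pack["queries"])}


if __name__ == "__main__":
    for name, problems in validate_pack(SAMPLE_PACK).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against your edited pack file before uploading; only entries reported as OK should go into the Catalog.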

Download Query Template

This function is only available for queries.

To save a query template, click the Download button and select Download query template. You can use the template to create an osquery Query Pack. This query pack can contain one or more queries that can be uploaded to the Orbital Catalog. Refer to the Upload Queries section for more details.

Orbital accepts a value in the Version field; however, Orbital currently ignores this value.

Download Organization Queries or Scripts

The downloaded file does not include stock scripts.

The Download organization queries/scripts option lets you download all the queries or scripts your organization has stored in the Orbital Catalog in JSON format.
