Investigate
Orbital detects and blocks attacks using queries for search and scripts for attack mitigation. Queries and scripts are created and executed on the Investigate page using the Orbital Builder.
The Investigate page initially defaults to queries. Once you have used the Builder, it defaults to the last activity you used (query or script).
By default, the Investigate page uses a vertical layout. Click the Layout button to switch to a horizontal view.
Query/Script Builder
The Query/Script Builder is where you define the code and parameters of the query or script.
Refer to the Builder topic for more details.
History
The History section lists the queries and scripts you executed recently and the devices they ran on.
Favorites
The Favorites section lists the queries and scripts that you saved for easy access.
To add a query or script to your favorites, go to the Catalog page, click the name of the query or script, and click the Star icon.
Explore
The Explore section lists a randomly selected set of queries and scripts from the Orbital Catalog and Talos Threat Advisories.
- Click Explore more to reload the set.
- Click View to see the Catalog entry for the script or query in the side drawer.
- Click Use to load the script or query in the Builder.
Results
The Results section lists the results of a query or script that was run immediately. It consists of:
- The list of devices that ran the query or script. Click a hostname to view that device on the Device Details page.
- The MITRE ATT&CK indicator associated with the query or script results, if any.
- A link to view the results on the Results page.
- A Download button to download the results in CSV or JSON format.