Builder
The Builder is where you can create queries and scripts to investigate malicious activities on devices in your organization and respond to any attacks found.
Create a Query
- Click Query at the top of the Builder.
- In the Devices field, add the devices you want to investigate. Add by:
  - Hostname
  - IP address
  - MAC address
  - Node ID
  - Connector GUID
- Optional: Click Filters to set the operating systems (OS).
- Optional: Click the Link queries icon to link another script or query to an existing query to run on your devices. Refer to the Linked Queries topic for more information. Select queries and click Add.
- Optional: Click the Add random devices icon to specify a number of devices and select their OS. It is useful to test a new query on a limited set of devices before running it against a wider sample. Only run queries that read information; do not run queries that make changes on random devices.
- Add a catalog query. Enter a query name to search for a query or click Browse catalog to open a drop-down list with the queries Catalog.
  - Click a query name to open the Catalog Details. Refer to the Catalog topic for more details.
  - Click Use query to add it to the Builder.
- Optional: Add a custom SQL query.
  - Click Save query to save it to the Catalog for your organization. Enter a name, description, and OS versions for the query.
  - Click Add to add your SQL to the current query.
- Click Run query to run it immediately on the specified devices.
- Click Schedule query to have the query run at a certain frequency. For more details, refer to the Scheduled Queries topic.
Data from completed queries can be viewed on Orbital Results.
Orbital will wait a maximum of 10 minutes for a query to complete before it times out.
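As an added example (not from the Orbital documentation), a read-only custom SQL query of the kind you can add in the Builder; it assumes Orbital accepts osquery SQL and the standard osquery tables listening_ports, processes and users. Because it only reads information, it is also a suitable candidate for the random-devices test described above.

```sql
-- Added example, not from the Orbital documentation.
-- Lists every running process that is listening on a non-loopback
-- network port, together with the user that owns it. Read-only, so it
-- is safe to run on random devices before a wider rollout.
-- Assumes the standard osquery tables listening_ports, processes, users.
SELECT
  p.pid,
  p.name,
  p.path,
  u.username,
  lp.address,
  lp.port,
  lp.protocol        -- 6 = TCP, 17 = UDP in osquery
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN users AS u ON p.uid = u.uid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port, p.pid;
```

Review the results for listeners you do not expect on that class of device (unfamiliar binaries, unusual paths, or services running as a privileged user), then save the query to the Catalog or schedule it once it behaves as intended.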
Create a Script
Creating a script flow is similar to creating a query. For detailed information, refer to the Create a Query guide.