Catalog

The Orbital Catalog contains hundreds of predefined queries and scripts. They can be used to investigate possible security breaches and incidents, and to explore, examine, and mitigate additional incidents found during investigation. Custom queries and scripts that you create can be saved in the Catalog.

The Catalog contains two types of query or script:

  • Stock - Queries and scripts created by the Orbital engineering team and TRE (Threat Research for Endpoint) to aid in threat hunting.

  • Custom - Queries and scripts that you create to investigate and respond to a specific threat or incident. Custom queries and scripts are not saved to the Catalog automatically.

Filters

The Catalog page includes a Filters pane that allows you to refine the displayed queries and scripts. Use these filtering options to limit the results based on specific criteria. Use the Search Catalog field to search for queries or scripts that contain specific words or phrases. The Search field will accept the following search parameters:

  • query/script's name

  • query/script's ID

  • endpoint's operating system

  • query/script's description

  • MITRE ATT&CK Tactics name

  • MITRE ATT&CK Techniques name

  • MITRE ATT&CK Sub-techniques name

  • A combination of any of the above parameters

You can further refine your search with the available filter categories: Organization, Favorite, New, Deprecated, Operating System, Type, Categories, ATT&CK® Tactics, ATT&CK® Techniques, and ATT&CK® Sub-Techniques.

The Applied filters component appears as soon as you enter search text or select a filter, and provides a dynamic summary of your active filters, including any search text and any selections made from categories such as Operating System or Type (Query or Script). You can also click the main Filters option to add further filters to your search. To remove a filter criterion, click the x next to the item you want to remove.

Note: Filters are not exclusive. A query or script that is tagged with additional categories besides the one you filter on is still included in the results.

Click Clear Filters to clear all filters from the Filters pane and all search terms from the Search field. Clearing the active filters refreshes the list to include all catalog queries and scripts.

Upload Queries

The Upload Queries option allows you to create queries on your local machine and then upload them directly to your Orbital catalog. This provides flexibility for developing and managing queries outside of the Orbital UI. It is only available for queries; you cannot upload scripts to the Orbital Catalog using this feature. For more information on Upload Queries, see Upload Queries in the Using Catalog topic.

Download

The Download menu provides options for exporting queries and scripts from your Orbital catalog.

Download Query Template

The Download query template option allows you to obtain a pre-formatted query template from Orbital. Use this template as a guide when creating your own queries on your local machine, especially if you are uncertain about the required Orbital query formatting and structure.

For more information on how to download a template from Orbital, see the Download Query Template section of the Using Catalog topic.

Download Organization Queries

The Download organization queries option enables you to download all the queries your organization has stored in the Orbital catalog. The queries are downloaded in JSON format.

For more information on how to download your organization's queries from Orbital, see the Download Organization Queries or Scripts section of the Using Catalog topic.

Download Organization Scripts

The Download organization scripts option allows you to download all the scripts your organization has stored in the Orbital catalog. The scripts are downloaded in JSON format.

For more information on how to download your organization's scripts from Orbital, see the Download Organization Queries or Scripts section of the Using Catalog topic.

Catalog table

Name

This column displays the name of the catalog query or script. Clicking the name opens the query or script's Catalog Details page, which displays details about that query or script.

A warning icon displayed beside the name of a query or script indicates that you should take care when running it. The same icon appears on the query or script's Catalog Details page.

Action Menu

This menu provides access to functions that can be performed on the selected query or script. There are two versions of this menu: one for stock queries and scripts, and one for custom queries and scripts, each offering a different set of functions.

The action menu for stock queries and scripts lists three menu commands:

Copy

This menu command copies the highlighted query or script so that it can be modified and used as a custom query or script.

Use query/script

This menu command copies the highlighted query or script and immediately loads it into the Orbital Builder. You can then select the endpoints to run it against and set any other parameters needed to create the new query or script.

Favorite

This menu command marks the selected query or script as one of your favorite queries or scripts to run. When a query or script is marked as a favorite, it is displayed in the Favorites list on the Investigate page.

The action menu for custom queries and scripts has these commands:

Edit

This menu command allows you to edit a custom query or script and save the edits back to the catalog. This function is covered in more detail in the Edit a Query or Script section below.

Delete

This menu command allows you to delete a custom query or script from the catalog.

Note: Deleting a custom query or script from the Catalog is permanent and irreversible. You cannot recover a query or script once it is deleted. If you may need it again, download your organization's queries or scripts (see Download above) before deleting.

OS

This column indicates the operating system or systems of the endpoints that the query or script is designed to run against.

Category

This column lists the category of investigation the query or script belongs to. The nine categories of investigation are:

  • Containment

  • Eradication

  • Forensics

  • Identification

  • Live Acquisition Of Volatile Data

  • Posture Assessment

  • Recovery

  • Threat Hunting

  • Vulnerability Mitigation

Clicking a category indicator in this column is the same as selecting that category in the Filters pane on the left side of the Catalog page. For example, clicking the Threat Hunting category indicator displays all queries and scripts assigned to the Threat Hunting category.

Note: Categories of investigation can be assigned only to catalog queries created by the Threat Research for Endpoints team; they cannot be assigned to custom queries or scripts.

MITRE ATT&CK

This display identifies which MITRE ATT&CK tactics and techniques the query or script involves.

Hover over the MITRE ATT&CK Tactics indicator to display the Applied Tactics.

Click on the MITRE ATT&CK Tactics indicator to display the Tactics Detail.

Note: The MITRE ATT&CK Tactics indicator is discussed in more detail in the MITRE ATT&CK Indicator section of the What is MITRE ATT&CK topic.

Updated

This column displays the date when the query or script was last updated.

ID

This column displays the unique ID that Orbital assigns to each query or script added to the catalog. Stock and custom IDs use different formats; custom IDs are generally prefixed with the string org:. Because the Search Catalog field accepts IDs, the ID can be used to locate a specific query or script directly.

Edit a Query or Script

Orbital allows you to edit the custom queries and scripts that you create and have stored in the Orbital Catalog. This function can be accessed from the Custom Action Menu, shown in the figure below. To access the Custom Action Menu, click the menu button to the right of the query or script's name.

The Edit Query/Script function can also be accessed from the query or script's Catalog Details page.

Clicking on either the action menu's Edit command or the Catalog Details page's Edit icon will open the Edit Query/Script dialog.

Edit Query Popup

The Edit Query popup consists of the following user interface elements:

Name

This field is used to rename the query or script. Entry into this field is mandatory.

Description

This field describes what the query or script is meant to do. Update it so that the description matches the current function of the query or script. Entry into this field is optional.

OS

These checkboxes are used to identify the operating system or systems that the query or script operates on. This element is used to add or remove operating systems that the query or script will be run against. Entry into this field is mandatory.

Custom SQL

This field is used to edit the SQL statements of the query, whether they were part of the first draft or added later. The number of SQL statements saved in the custom query is displayed in the top-right corner of the field. Entry into this field is mandatory.

Custom SQL Labels

The label at the bottom of the Edit Query popup, as shown in the figure below, identifies each of the SQL statements contained in the saved query. These labels exist only for queries. When you create a new custom query and save it to the Catalog, Orbital assigns a label to the Custom SQL statement. The label name is based on the primary select statement.

If you add a new SQL statement using the Add SQL button, Orbital adds a new label to the query that reflects the new select statement.

Clicking the pencil icon allows you to edit the name of the label.
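The JSON export described under Download Organization Queries and the per-statement count shown in this Custom SQL field both become more useful when you can inspect a catalog offline. The following is an added Python example, not Cisco's or Orbital's code and not part of the original page. The page does not document the export schema, so the script assumes only that the export parses as JSON and that each query's osquery SQL appears somewhere in it as a string value; the sample export and its field names ("id", "name", "os", "sql") are constructed for illustration. It splits each query into individual statements (the count this field displays) and tallies which osquery tables the organization's queries read from, which is a quick way to review custom queries before they are run at scale.

```python
"""Offline inventory of an Orbital organization-query export.

Added example, not Cisco's or Orbital's code. The page says the export is
JSON but does not document its schema, so this makes two assumptions, both
labelled here: the export parses as JSON, and each query's osquery SQL is
present somewhere in it as a string value. No field names are relied on;
every string in the document is scanned.
"""
import json
import re
from collections import Counter

# Constructed sample standing in for a downloaded export. The field names
# ("id", "name", "os", "sql") are illustrative, not Orbital's schema.
SAMPLE_EXPORT = json.dumps([
    {
        "id": "org:example-1",
        "name": "Listening ports with owning process",
        "os": ["windows", "linux"],
        "sql": "SELECT p.pid, p.name, l.port FROM listening_ports l "
               "JOIN processes p USING (pid) WHERE l.port != 0;",
    },
    {
        "id": "org:example-2",
        "name": "Scheduled tasks and auto-start services",
        "os": ["windows"],
        "sql": "SELECT name, path FROM scheduled_tasks; "
               "SELECT name, path FROM services WHERE start_type = 'AUTO_START'",
    },
])

# Table names following FROM or JOIN (osquery table names are snake_case).
TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def iter_strings(node):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def split_statements(sql):
    """Split SQL on ';' outside single-quoted literals; drop empty pieces."""
    statements, buf, in_quote = [], [], False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote        # '' inside a literal toggles twice
        if ch == ";" and not in_quote:
            statements.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    statements.append("".join(buf).strip())
    return [s for s in statements if s]


def referenced_tables(statement):
    """Return the set of table names a single statement reads from."""
    return {m.group(1).lower() for m in TABLE_REF.finditer(statement)}


def inventory(export_text):
    """Count SQL statements and osquery table references across an export."""
    tables = Counter()
    statement_count = 0
    for text in iter_strings(json.loads(export_text)):
        if not text.lstrip().upper().startswith("SELECT"):
            continue                       # names, IDs, OS tags: not SQL
        for statement in split_statements(text):
            statement_count += 1
            tables.update(referenced_tables(statement))
    return {"statements": statement_count, "tables": tables}


if __name__ == "__main__":
    result = inventory(SAMPLE_EXPORT)
    print(f"{result['statements']} SQL statements found")
    for table, count in result["tables"].most_common():
        print(f"{count:3d}  {table}")
```

Replace SAMPLE_EXPORT with the contents of a real download to get the same inventory for your organization; because the walk is schema-agnostic, it keeps working if the export nests queries differently from the constructed sample. The table tally is a starting point for review, for example spotting custom queries that touch tables you consider expensive or sensitive on production endpoints.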

Cancel/Save Buttons

These buttons are used to either abort the changes you have made to the query or script, or to save the changes to the catalog. Clicking Cancel will abort the changes, clicking Save will save the changes to the catalog.

Edit Script Popup

The Edit Script popup consists of the following user interface elements:

Name

This field is used to rename the script. Entry into this field is mandatory.

Description

This field describes what the script is meant to do. Update it so that the description matches the current function of the script. Entry into this field is optional.

OS

These checkboxes identify the operating system or systems that the script operates on. Use them to add or remove operating systems that the script will be run against. Entry into this field is mandatory.

Custom Script

This field is used to edit the Python script, whether it was part of the first draft or added later. Entry into this field is mandatory.

Parameters

The Parameters area of the popup is where you define the parameters that the Python script will use.

Name

This field accepts the name of the parameter whose value must be defined. For more information on the syntax requirements for this field, refer to Creating Python Scripts in the Orbital Builder topic.

Value

This field accepts the value you wish to assign to the parameter.

Each Name/Value row is a single parameter definition. To add another parameter definition, click Add parameter (described below). To remove a parameter definition, click the X to the right of its Value field.

Get parameters from custom script

This feature makes Orbital scan the script in the editor and populate the parameter definition rows with any parameter names and values defined in the script. Review the populated rows before saving.

Add parameter

This feature adds another parameter definition row to the Parameters area.

Cancel/Save Buttons

These buttons are used to either abort the changes you have made to the script, or to save the changes to the catalog. Clicking Cancel will abort the changes, clicking Save will save the changes to the catalog.
