What Are Orbital Nodes?

Orbital nodes are software services that are installed on devices to aid in the collection of system information used when searching for system and network threats.

Support Policy for Orbital Node Versions

To detect the latest system threats, Orbital nodes must be updated on a regular basis. To accommodate this need, Cisco has enabled a scheduled, automated update system that will install the latest version of the node when it becomes available.

However, this may conflict with an organization's own schedule, so customers have some control over when Orbital will install the latest node. This allows customers to define an update window, which may lead to running unsupported nodes. Such nodes will not have the latest features or support for the tables necessary to provide the full scope of information.

Cisco has adopted a node version support policy where the current and one previous minor version is supported. Cisco version numbering uses the format: {major}.{minor}.{patch}.

Patch releases are not considered to be a new node version and are not taken into consideration by this node version support policy.

This node version support policy has been implemented in Orbital through the definition of three version categories: Supported, Unsupported, and Rejected. The Devices page displays the node version status in an information card.

  • Supported: up-to-date or one version behind the current node version. These nodes are allowed to connect to the Orbital service and are identified by a blue icon with a checkmark.

  • Unsupported: two or more versions behind the current version (older than both the current version and the one immediately before it). These nodes are still allowed to connect to the Orbital service and can be queried or have scripts run by Orbital. However, they should be updated as soon as possible. These nodes are identified by a yellow icon with an exclamation mark.

  • Rejected: no longer supported by the Orbital service. These nodes are not allowed to connect to the Orbital service and are identified by a red icon with an x.

Impact on Network and Device Infrastructure

The tables that Orbital uses can impact device performance. Tables that collect information such as running processes and logged-in users have minimal impact on device processes. Tables that gather information on resources, such as file systems, require more resources to perform their tasks. If the performance of one or more devices is a concern for a given period of time, it is recommended that only simple queries or scripts be run during that period.

Query or script complexity will also affect the performance of the network the device is attached to. If a query must return a large amount of data to Orbital, it will consume more network bandwidth and can therefore slow down the network.

The node activity is serialized: only one query or script is run on a device's node at any given time, no matter how many queries or scripts are queued to run on that node.

Orbital, through osquery, can subscribe to operating system events, which allows the node to return current information. However, it can also overload the device's CPU, so tables that record events have been disabled for Windows and macOS.

Orbital Node Version Releases

Nodes for the different operating systems will have staggered releases and will not necessarily have the same version numbers upon release. This means, for example, that the Linux node may have a version number of 1.17, whereas both the Windows and macOS nodes may have the version number 1.14.

The node version numbers are reflected in the Node version status tile located on the Devices page.

The Supported [version number] field in the figure above shows a value of 1.14+. This listing shows the oldest node version supported, which in our example is 1.14. The plus (+) symbol tells you that nodes with version numbers greater than the oldest supported node version are also supported. For example, versions 1.15, 1.16, 1.17, etc., are supported by Orbital.
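As an added example (not Cisco's or Orbital's own code), the support policy described above and the "1.14+" tile value expressed in Python: versions are compared on major.minor only so patch releases are ignored, each OS is checked against its own current release because releases are staggered, and the Rejected cut-off, which the page does not define numerically, is an assumed caller-supplied parameter.

```python
"""Classify Orbital node versions under the 'current plus one previous minor' policy."""
from typing import NamedTuple, Optional

class NodeVersion(NamedTuple):
    major: int
    minor: int
    patch: int

def parse_version(text: str) -> NodeVersion:
    """Parse '{major}.{minor}' or '{major}.{minor}.{patch}'; a missing patch is 0."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a {{major}}.{{minor}}[.{{patch}}] version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return NodeVersion(*nums)

def classify(node: NodeVersion, current: NodeVersion,
             minimum_accepted: Optional[NodeVersion] = None) -> str:
    """Return 'Supported', 'Unsupported' or 'Rejected' for one node.

    Patch numbers are ignored throughout, as the policy requires. Assumptions not
    stated on the page: the 'Rejected' cut-off is supplied by the caller, and a node
    on an older major line is never Supported.
    """
    if minimum_accepted and (node.major, node.minor) < minimum_accepted[:2]:
        return "Rejected"
    if node.major > current.major:
        return "Supported"            # newer than the release the tile shows
    if node.major < current.major:
        return "Unsupported"          # assumption: older major line
    return "Supported" if node.minor >= current.minor - 1 else "Unsupported"

def support_tile(current: NodeVersion) -> str:
    """Render the Devices-page 'Supported' value, e.g. '1.14+' when current is 1.15.x."""
    return f"{current.major}.{max(current.minor - 1, 0)}+"

# Constructed sample data: current release per OS (staggered, so the numbers differ)
# and a few device records as they might appear on the Devices page.
CURRENT_BY_OS = {"linux": "1.17.0", "windows": "1.14.0", "macos": "1.14.2"}
SAMPLE_DEVICES = [("web-01", "linux", "1.17.3"), ("web-02", "linux", "1.16.0"),
                  ("build-07", "linux", "1.15.1"), ("hr-laptop-3", "windows", "1.13.0"),
                  ("design-mac-2", "macos", "1.12.0")]

def audit(devices, current_by_os, minimum_accepted: Optional[str] = None) -> dict:
    """Map each device name to its status against its own OS's current release."""
    cutoff = parse_version(minimum_accepted) if minimum_accepted else None
    return {name: classify(parse_version(ver), parse_version(current_by_os[os_name]), cutoff)
            for name, os_name, ver in devices}
```

Running `audit(SAMPLE_DEVICES, CURRENT_BY_OS, "1.13")` flags build-07 as Unsupported and design-mac-2 as Rejected while hr-laptop-3, one minor behind its Windows current release, stays Supported.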

Orbital Nodes Targeting

Nodes that were deployed via Secure Client can now be targeted by their Secure Client UID using the following methods:

  • For live queries or scripts running directly from the Investigate page

  • For scheduled queries or scripts configured in the Orbital console

  • For any query or script operations executed via Orbital APIs
