Result Details

To access Result Details, go to the Results page and click the query or script name.

  • Results link - Returns you to the Results page.

  • Query/Script Name - Displays the name of the query or script that was run. The action menu contains commands that you can use on the query or script.

  • MITRE ATT&CK Indicator - Identifies the MITRE ATT&CK tactics and techniques that the query or script maps to. Refer to the MITRE ATT&CK topic for more information.

    The MITRE ATT&CK Indicator is displayed only for stock queries. Refer to the Catalog topic for more information on stock queries.

General Information

  • Name - The name assigned to the query or script.

  • Status - Current status of the query or script. If it is still in progress, a progress indicator is displayed. If the query or script has finished executing, the completion date and time are shown.

  • Created - The date and time when the custom/stock query or script was created and started.

  • Creator - The username of the person who created or ran the query or script.

  • Catalog - The name of the query or script as it is listed in the Catalog. If the query or script was created by the user, the value for this field will be Custom.

  • Type - Whether the item is a query or a script.

  • Devices - The number of devices that have returned query or script results.

  • Errors - The number of query or script results that contain errors.

  • Results - The total number of times that Orbital has received a response from all the devices targeted by the query or script.

  • Result Rows - Total number of result rows that have been returned for the query or script.

  • Frequency - Displays whether the query or script is scheduled or non-scheduled.

  • Interval - Displays a value for the scheduled query or script. For more details, refer to the Orbital Builder topic.

  • Remote Data Store - Name of the remote data store that the query has sent its results to. This field only displays a value if a remote data store has been set.

  • Source - The name of the Cisco service where the query or script originated, such as Threat Response or Secure Endpoint.

    If the query originates from Orbital, the Source field is blank.

Details

Latest results

This drop-down menu is used to filter the displayed results:

  • Latest results - displays the latest result received from each device.

  • Custom - used to define the date range of the results that will be displayed on the Results Details page.

Show empty rows

The Show empty rows toggle is located in the Result Detail Controls area and applies to the results of the specific query or script being viewed.

Refresh

Click Refresh to display any new results that were collected from devices that were non-responsive during the previous run. Any changes are displayed immediately, assuming the data is still available.

Download

Click Download to download the results in JSON or CSV format.

The Query/Script Used

This pane displays the query or Python script with its parameters.

Query/Script Result Details

This listing is identical to the Results area on the Investigate page. Refer to the Investigate topic for more details.
