Result Details
This page provides detailed information on a single query or script's results. This page can be accessed by clicking the query or script's Name link from the Results page.
This page consists of two major areas, the Query/Script Details area and the Query/Script Result Details area. The Query/Script Details area displays the same type of information regardless of whether the results are from a query or a script. The Query/Script Result Details area has a different information layout depending on whether the results are from a query or a script.
Query/Script Details
This area of the Result Details page is composed of Result Detail Controls and General Information.
Result Detail Controls
The Result Detail Controls are used to control the information displayed on the Result Details page.
The Show empty rows toggle switch is only displayed in the Result Detail Controls sub-area that is controlling results for a specific query. This element is not displayed for the results of a script.
The Result Detail Controls displays:
- Results link - This link will return you to the Orbital Results page.
- Query/Script Name - This displays the name of the query or script that was run. The action menu contains commands that you can use on the query or script.
- MITRE ATT&CK Indicator - This display identifies which MITRE ATT&CK tactics and techniques the query or script adheres to. Refer to the What is MITRE Att&ck? topic for more information on MITRE ATT&CK.
The MITRE ATT&CK Indicator will only be displayed if the query was a stock query. Refer to the Orbital Catalog topic for more information on Stock Queries.
Latest results
This dropdown is used to filter the displayed results:
- Latest results - displays the last result received from each endpoint.
- Custom - used to define the date range of the results that will be displayed on the Results Details page.
Show empty rows
This toggle is displayed if the listed results are for a query. It allows you to include or exclude rows that returned no queried information in the query results. The default setting is off.
Refreshed
Click Refreshed to display any new results that were collected from endpoints that were non-responsive during the query's previous run. Any changes are displayed immediately, assuming the data is still available.
Download
Click the Download icon to display the File Type Selector. Select the file format, either JSON or CSV, in which to download the host information.
General Information
The General Information displays information specific to the query or script being displayed.
- Name - The name assigned to the query or script.
- Status - Current status of the query or the script. If the query or script is in progress, a progress indicator will be displayed. If the query or script has finished execution, the date and time that the query or script finished executing is displayed.
- Catalog - The name of the query or script as it is listed in the Catalog. If the query or script has been created by the user, the value for this field will be Custom.
- Endpoints - The number of endpoints that have returned query or script results.
- Results - The total number of times that Orbital has received a response from all of the endpoints targeted by the query or script, over the duration of the query or script.
- Result Rows - Total number of rows of results that have been returned for the query or script.
- Frequency - Displays whether the query or script is a scheduled or non-scheduled query or script.
- Source - The name of the Cisco service where the query or script originated, such as Threat Response or Secure Endpoint.
If the query originates from Orbital itself, the Source field will be left blank.
- Errors - The number of query or script results that are returned containing errors.
- Created - The date and time that the query or script was started. This can be the date and time that the user created and ran a custom query or script, or the date and time that the user started running a stock query or script.
- Creator - The name of the user that created and/or ran the query or script.
- Interval - Only displays a value if the query or script is scheduled. If it is scheduled, this field displays the schedule's frequency value. This value is discussed in greater detail in the Schedule Query/Script Dialog section of the Orbital Builder topic.
- Remote Data Store - Name of the remote data store that the query has sent the results to. This field will only display a value if the remote data store has been set.
The Query/Script Result Details Area
The Query/Script Result Details area of the Result Details page is composed of two panes. The information displayed in these panes will change, depending on whether you are viewing the results for a query or a script.
If you are viewing query results, the left-side pane will list the endpoints that have responded to the query and the right-side pane will display the results of the query, for that specific endpoint.
If you are viewing script results, the left-side pane will display the Python script that has been run, along with the script's parameters. The right-side pane will display the results of the script.
Query Result Details
When you are viewing the result details for a query, you will see the Result Details area.
The left-side pane is the endpoint list and is where Orbital lists all of the endpoints that have responded to the query.
This listing of endpoints is identical to the Endpoint List of the Results area of the Investigation page. Refer to the Endpoint List entry in the Investigation topic for more information on endpoint listing.
The right-side pane is the endpoint detailed results pane. This pane lists the detailed results for the query that is highlighted in the endpoint list. The information displayed in this pane will change depending on the tables being queried, the parameters of those queries, and the results being returned by the endpoint.
Script Result Details
When you are viewing the result details for a script, you will see the Result Details area.
The left-side pane displays the script that was run and any parameters that the script required.
The right-side pane is the endpoint detailed results pane. This pane lists the detailed results for the script that is highlighted in the endpoint list. The information displayed in this pane will change depending on the script being run.