Script
Script is a companion to the Orbital Query feature. A query lets you search for malicious attacks and potential misuse of your devices. Script can counteract any threats found using Query.
Script lets you create or select a Python script from the Catalog, send it to one or more devices, execute the script, and get the results. Scripts may return information that osquery does not report, extending the Orbital Query feature.
For more information, refer to the Python topic.
Guidelines for using Orbital Script
- Devices will only run one script at a time. You cannot run multiple scripts on a node at the same time.
- If you send an ad hoc script to a node while it is busy, it will return a node busy message and ignore the script. If the script is scheduled, the node will put it in a queue and run it in its turn.
- If a user is deactivated while a scheduled script is running, the script will continue to run until it is finished.
- If a script is running and the administrator disables scripting, the running script will complete, and no more scripts will be allowed to run.
- No new scripts can be run after the Script feature has been disabled. This function is immediate.
- If your organization does not have the Script feature enabled, you will not see any scripts listed in the Explore More area on the right side of the Investigate page. You will only see queries. For more information, refer to the Investigation topic.
Device tasks that you can perform with Script:
- Start and stop services and processes.
- Delete files.
- Shut down or reboot the endpoint.
- Apply patches.
- Perform deeper forensic investigations.
Disabling Script
To learn how to disable the Script feature, refer to the Organizations topic.
If you disable the Orbital Script feature, certain functions will stop:
- The Script option will no longer be available in the Orbital Builder.
- All Type filters will be removed from the Catalog page.
- Stock and organizational scripts stored in the Orbital Catalog will be removed from use.
- Any currently executing scripts will be allowed to complete.
- Any scheduled scripts that have not yet run will be canceled, preventing future executions.
- All Python libraries on Windows and Linux systems will be disabled.
Linking Scripts
Orbital lets you link a script to an existing query. Linking allows the script to use the device list from the queries you have linked. The linked script only acts on devices that meet the query criteria.
Linking scripts to queries follows the same process as linking queries to other queries. However, instead of linking from a query to a query, you link from a script to an existing query.