Orbital APIs
Orbital offers a simple interface for applications that lets them schedule queries and collect the results. All Orbital APIs expect and return information formatted as JSON, and require basic authentication using a client ID and secret generated by an Orbital user.
POST /v0/oauth2/token– Exchanges your client ID and secret for an access token.GET /v0/ok– Confirms that credentials work and gets information about the client.POST /v0/query– Schedules a query to be performed one or more times, returns a job object.GET /v0/jobs/{jobid}/results– Retrieves the results of your queries.POST /v0/webhooks– Create a remote data store as a result destination for scheduled queries.GET /v0/webhooks– Get all remote data stores for the user’s organization.GET /v0/webhooks/{webhookid}– Get a specific remote data store by ID.GET /v0/stock– Orbital maintains a large catalog of prepared osquery queries for common problems such as threat hunting, posture assessment, host monitoring, or simply searching for entities. The user can retrieve this query catalog using thev0/stockAPI. When called, it will return a list of all catalog queries and associated metadata, contained in a ZIP archive.
Examples
All of our API examples use HTTPie and JQ, and the following environment variables:
$service– Your Orbital Service Address.$client– Your Orbital Client ID, see Orbital API Authentication.$secret– Your Orbital Client Secret, see Orbital API Authentication.$token– Your Orbital API Access Token, see Orbital API Authentication.
Orbital Service Addresses
The following DNS names are the addresses of the Orbital service. (All APIs are available on TCP port 443 via HTTPS).
orbital.amp.cisco.comfor North American customers.orbital.eu.amp.cisco.comfor European customers.orbital.apjc.amp.cisco.comfor Asian and Pacific customers.
Request ID
Note that every API calls returns a response header that can be used to troubleshoot the request.
X-Orbital-Request-Id: 0def5acd-2336-8d85-c7e6-471b7dd67519