The Orbital Query Catalog is a library of queries that can be used to investigate possible security breaches and incidents. The Query Catalog:
- Implements common, useful queries
- Demonstrates how Orbital can be used for specific tasks
- Can be integrated into other products
- Includes queries written to solve a specific problem
- Helps you learn the SQL syntax osquery uses so that you can write queries of your own
The Orbital Query Catalog contains two types of query:
- Stock queries. Pre-defined queries created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started with Orbital and osquery for threat hunting.
- Custom queries. Queries created by end users to investigate a specific threat or incident. These are also referred to as organizational queries.
The Query Catalog page lists all the queries stored in the catalog.
The page consists of the following user interface elements and columns:
| Element | Description |
|---|---|
| Filters | Use the options in the Filters pane, on the left side of the Catalog page, to limit the listed queries to those tagged with the selected filters, such as Mitre ATT&CK Tactics, Mitre ATT&CK Techniques and Mitre ATT&CK Sub-techniques. Note: Filters are inclusive, not exclusive. A query that carries additional tactics or techniques besides the selected one is still listed. |
| Reset | Click Reset to clear all filters from the Filters pane and any search terms from the Search field. The list refreshes to show all catalog queries. |
| Search Catalog | Use the Search Catalog field to find queries that contain specific words or phrases. The search matches against the query's name, the query's ID, the endpoint's operating system, the query's description, Mitre Att&ck Tactic names, Mitre Att&ck Technique names, Mitre Att&ck Sub-technique names, or any combination of these. Note: The search is applied within the currently filtered list, so a query excluded by a filter is not returned by the search. |
| Upload Queries | The Upload Queries feature allows you to create queries on your local machine and upload them to your Orbital catalog. Refer to the Upload Queries section of the Using the Catalog topic for more information on how to upload queries to your catalog. |
| Download Organization Queries | The Download Organization Queries feature allows you to download all of the queries that your organization has stored in the Orbital catalog, in either CSV or JSON format. Refer to the Download Organization Queries section of the Using the Catalog topic for more information on how to download your organization's queries from Orbital, and to the Setting the Download File Type section of the Orbital Settings My Account Tab topic for more information on choosing the file type for query downloads. |
| Download Query Template | The Download Query Template feature allows you to download a query template from Orbital to use as the starting point for your own queries, which can then be uploaded to Orbital. The template shows how Orbital requires uploaded queries to be formatted and structured. Refer to the Download Query Template section of the Using the Catalog topic for more information on how to download a template from Orbital. |
| Name | The name of the catalog query. Clicking the query name opens the Query Catalog Details page for that query. |
| Query Action Menu | This menu provides access to functions that can be performed on the selected query. There are two versions of the menu: one for stock queries and one for custom queries. The action menu for stock queries, shown in the figure below, lists three commands: Copy, which copies the highlighted query so that it can be modified and used as a custom query; Add to new query, which copies the highlighted query and immediately loads it into the Query page, where you can add endpoints or any other parameters needed to create a new query; and Favorite, which marks the selected query as one of your favorites so that it appears in the Favorites list on the Query page. The action menu for custom queries, shown in the figure below, lists five commands: Copy, Add to new query and Favorite, which operate in the same manner as for a stock query; Edit, which lets you edit a custom query and save the edits back to the catalog (covered in The Edit Query Function section below); and Delete, which removes a custom query from the catalog. Warning: A deleted custom query cannot be recovered. If you may need it again, download your organization's queries before deleting it. |
| OS | Indicates the operating system or systems the query targets, using one or more of the Windows, Linux and Macintosh icons. |
| Category | The category of investigation the query belongs to. The four categories of investigation are Live Acquisition Of Volatile Data, Posture Assessment, Threat Assessment and Threat Hunting. Clicking a category indicator in this column is the same as selecting that category in the Filters pane on the left side of the Catalog page; for example, clicking the Threat Hunting indicator lists all queries assigned to the Threat Hunting category. Note: Categories are assigned only to catalog queries created by the Threat Research for Endpoint team, so custom queries carry no category. |
| Mitre Att&ck | Identifies the Mitre Att&ck tactics and techniques the query is mapped to, using the Mitre Att&ck Tactics Indicator shown in the figure below. Hovering over the indicator displays the Applied Tactics popup, and clicking it displays the Tactics Detail popup, both shown in the figures below. Note: The Mitre Att&ck Tactics Indicator is discussed in more detail in The Mitre Att&ck Indicator section, below. |
| Updated | The date the catalog query was last updated. |
| ID | The unique ID Orbital assigns to each query added to the catalog. Stock queries and custom queries use different ID schemes; custom query IDs are generally prefixed with the string org:. |
The Edit Query Function
Orbital allows you to edit the custom queries that you create and store in the Orbital Query Catalog. This function can be accessed from the Custom Query Action Menu, as shown in the figure below.
The Edit Query function can also be accessed from the Query Catalog Details page, as shown in the figure below.
Clicking either the Action Menu's Edit Query command or the Query Catalog Details page's Edit Query icon opens the Edit Query dialog, shown in the figure below.
This dialog consists of five user interface elements:
| Element | Description |
|---|---|
| Name | Edit or rename the query. |
| Description | Describes what the query is meant to do. Update the description here so that it matches the current function of the query. |
| OS | Checkboxes identifying the operating system or systems the query runs on. Check or uncheck them to add or remove target operating systems; the query's SQL must only reference osquery tables that exist on every selected OS. |
| Custom SQL | Edit the SQL statement that was created for, or added to, the first draft of the query. |
| Cancel/Save Buttons | Cancel discards the changes you have made to the query; Save writes the changes to the catalog. |
Mitre Att&ck® Adherence
Orbital maps its queries to Mitre Att&ck. Mitre Att&ck is a knowledge base of the tactics, techniques, and sub-techniques adversaries use to attack an organization's infrastructure, built from real-world observations and investigations. It is useful for threat risk assessment, prioritizing security improvements, and verifying the effectiveness of defences.
The Att&ck knowledge base uses a hierarchical structure: tactics at the top, techniques beneath them, and sub-techniques beneath techniques. A tactic is the adversary's goal; a technique is a way of achieving it. Techniques are mapped to tactics using the tactic's ID, and a technique can apply to more than one tactic. Sub-techniques relate to techniques in the same manner that techniques relate to tactics: they are detailed descriptions of specific implementations of a technique, and not every technique has sub-techniques.
For more information on ATT&CK® TACTICS, refer to the MITRE ATT&CK® Tactics web page. Additionally, for more information on ATT&CK® TECHNIQUES, refer to the MITRE ATT&CK® Techniques web page.
The Mitre Att&ck Indicator
The Mitre Att&ck Indicator, shown in the figure below, indicates which Mitre Att&ck Tactics, Techniques, and Sub-techniques a given stock query is mapped to.
The Mitre Att&ck Indicator contains 14 dots, one for each Enterprise ATT&CK tactic. The dots follow the order of the tactics in the ATT&CK Enterprise matrix, which reflects the typical progression of an intrusion from reconnaissance on the left to impact on the right, as shown in the figure below. The position of a dot is not a severity ranking.
Starting on the left, each dot corresponds to a specific tactic, as defined below.
| Dot № | Corresponding Tactic |
|---|---|
| 1 | TA0043: Reconnaissance |
| 2 | TA0042: Resource Development |
| 3 | TA0001: Initial Access |
| 4 | TA0002: Execution |
| 5 | TA0003: Persistence |
| 6 | TA0004: Privilege Escalation |
| 7 | TA0005: Defense Evasion |
| 8 | TA0006: Credential Access |
| 9 | TA0007: Discovery |
| 10 | TA0008: Lateral Movement |
| 11 | TA0009: Collection |
| 12 | TA0011: Command and Control |
| 13 | TA0010: Exfiltration |
| 14 | TA0040: Impact |
Orbital shows which tactics a query is mapped to by drawing the corresponding dots darker than the others. If, for example, the third dot from the left is darker than the surrounding dots, the query is mapped to the TA0001: Initial Access Mitre Att&ck tactic; a query mapped to several tactics has several dark dots. If all of the dots in the Mitre Att&ck Indicator are grey, the query is not mapped to any Mitre tactic.
When you hover over the Mitre Att&ck Indicator, Orbital displays the Applied Tactics popup, shown in the figure below, which corresponds to the table above.
Clicking the Mitre Att&ck Indicator displays the Tactics Detail popup, shown in the figure below.
This popup lists only those tactics, techniques, and sub-techniques that the query is mapped to. In addition to their names, the Tactics Detail popup provides a description of each listed tactic, technique, and sub-technique and a link to the page on the Mitre Att&ck website that describes it.