Frequently Asked Questions
What is Orbital?
Orbital is a Cisco service that provides access to osquery on Secure Endpoint-enabled devices. Orbital can be used by Cisco products to query endpoints and by Cisco customers to use osquery wherever they have Secure Endpoint installed. See What is Orbital for more information.
How long is my data retained?
Endpoints will be visible on the Endpoints page for 90 days since they were last seen. Endpoints that reconnect after the 90 day period has passed may receive a new Orbital endpoint identifier, but will otherwise function normally and appear on the Endpoints page again.
Result content is retained for up to 48 hours, including:
- osquery result data
Result metadata is retained for 90 days, including:
- Result row count
- Result creation time
- Endpoint that produced the result
Query metadata is retained for six (6) months and includes:
- Query SQL statements
- Query creator
- Query creation timestamp
In order to retrieve and store query results for a longer period of time Orbital offers result collection within this 48 hour window via the Results API endpoint, downloading results in JSON format from the Orbital UI Results page as well as the ability to configure a Remote Data Store that Orbital can deliver results to.
How many nodes can I query?
Orbital is designed to support querying all of your endpoints. You can view query results using the Orbital UI Results page, which also allows you to download query results in JSON format. The Orbital API can also be used to view results using the Results API endpoint.
Why do some of my Orbital nodes have a badge in the Orbital user interface with a Cloned from indicator?
The Orbital engine is installed by the Secure Endpoint Connector and Orbital nodes share an identity with Secure Endpoint Connectors. In the case where a deployable endpoint golden image is created after the Secure Endpoint Connector has already registered and installed Orbital it can lead to duplicated identities inside Orbital.
Orbital provides visibility into multiple endpoints configured with identical Secure Endpoint Computer GUIDs. These nodes will be identified on the UI as clones. As of Orbital Node version 1.10 cloned nodes are automatically given new and unique internal identifiers (Orbital Node ID) and the Secure Endpoint Computer GUID remains the same.
Orbital UI indicating a duplicated/cloned endpoint
The original node identifier seen by Orbital is referenced for visibility but has been replaced and is inactive.
For installation options that allow provisioning and deploying a golden image with the Secure Endpoint Connector refer to the Windows Connector Installer Command Line Switches section in the Secure Endpoint User Guide.