Investigate

The script and query features complement each other and are used together in the investigation of threats against your organization’s endpoints. The Investigate page is where you will create and run those queries and scripts.

When you first access Orbital or open this page, you will be presented with the Investigate landing page, as shown in the figure below. This page defaults to using queries.

Investigate Landing Page

The Investigate page consists of four areas, shown in the figure below: the Builder area, the Favorites area, the My Recent History area, and the Explore More area. These areas are displayed whether you are using a query or a script.

Investigate Page Areas

Builder

The Builder area, shown in the figure below, is where you will build the queries and scripts you will use to investigate malicious activities on your organization’s endpoints and to respond to any attacks found.

The Orbital Builder area

Six elements comprise the Builder area. These elements are defined below.

Note: When you begin to use the Builder, Orbital will clear the right-side of the window so that the results of the query or script can be displayed.

Endpoints Selector

This element, shown in the figure below, is where you will define the organizations that you will run your queries or scripts on.

Endpoints Selector

The Endpoint Selector has three components: the Operating System Filter, the Linked Queries Selector, and the Add Random Endpoints Selector.

Operating System Filter

This component can be used to select the operating system or systems that are running on the selected endpoints. Clicking the OS Filter button will display the filter selector, shown in the figure below.

OS Filter Popup

Linked Queries Selector

This component can be used to link a script or another query to an existing query. Clicking the Linked Query button will display the Linked Query Selector, shown in the figure below.

Linked Query Popup

The Linked Query Selector is made up of three components:

Show Non-Scheduled Queries Toggle Switch

This component, shown in the figure below, is used to either list or hide non-scheduled queries in the linkable queries list.

Show Live Queries Toggle Switch

Available Linkable Queries List

This component, shown in the figure below, is used to select the existing queries that the current query or script will be linked to.

Linkable Query List

Add

This component, shown in the figure below, is used to accept the selected query or queries to link to.

Link Query Add Button

Add Random Endpoints Selector

This component can be used to add a specified number of random endpoints to the Endpoint Selector, based on the operating system running on the endpoint. Clicking the Add Random Endpoints button will display the popup shown in the figure below.

Add Random Endpoints Popup

The Add Random Endpoints Selector is made up of the following three components.

Number of Endpoints

This field, shown in the figure below, is used to define the number of random endpoints Orbital will run the query or script against. You can type a value into this field or use the spinner at the right end of the field to increase or decrease the value.

Number of Random Endpoints Field

OS Selector

This selector, shown in the figure below, allows you to select which operating system the endpoints are running.

OS Selector List

Add

This button, shown in the figure below, is used to accept the selected query or queries to link to.

The Endpoint Add Button

Query/Script Selector

This element, shown in the figure below, is where you will choose whether you want to create a query or a script.

Query/Script Selector

Catalog Search

This element, shown in the figure below, allows you to search through either the query catalog or the script catalog, depending on whether you are creating queries or scripts.

Search Catalog Field

The Search Catalog function searches the Orbital Catalog for queries or scripts that match the string you type into the Search Catalog field.

Catalog Browse

This component is used to browse or search for queries or scripts saved in the catalog. Clicking Browse will display the Browse/Search Catalog, shown in the figure below.

Search Catalog List

Search History

This component lists all of the queries or scripts that you have previously searched for. Clicking Search History (the Search History icon) will display the Search History List, shown in the figure below.

Search History List

Custom SQL/Script Editor

This element, shown in the figure below, is where you will create or edit the desired query or script. The Custom Query/Script Editor changes depending on whether you are creating a query or a script.

Custom Query/Script Editor

Creating SQL Queries

The Custom Query/Script Editor defaults to creating or editing queries. When you are using queries, the editor expects you to write your queries in SQL. The editor indicates that it is expecting SQL by displaying the field title Custom SQL (shown in the figure above) and provides a simple example beside the title.

The Custom SQL Editor can accept more than one SELECT statement. To add another statement, click the plus (+) located at the right end of the editor. This will copy the completed SQL statement below the editor, as shown in the figure below, and clear the editor.

Prepared Query

Clicking the pencil icon will allow you to rename the displayed query. Clicking the X at the top-right corner of the query will delete the completed query from Orbital.

Creating Python Scripts

To create Python scripts, you must select Script from the Query/Script Selector, discussed above. The editor will indicate that it is expecting Python by displaying the field title Custom Script.

Note: Orbital will wait a maximum of 10 minutes for a script to complete before it times out.

Once you start typing your script into the editor, Orbital will display the Parameters dialog, shown in the figure below.

Script Parameters

Note: The Parameters dialog will always be displayed, irrespective of the script that is in the Builder.

Clicking Get parameters from custom script will cause the Builder to review the script typed in the editor and populate the Parameters fields, shown in the figure below, with any parameters defined in the script.

Parameter Fields

The Name field accepts the name of the parameter whose value must be defined. When you are writing your Python script in the editor, you will use the syntax {{ .parameter }} to indicate where in the script the parameter’s value is to be placed. The parameter name that you have defined between the curly braces is the string you will type in the Name field, without the period and the curly braces.

The Value field is the value you wish to assign to the parameter.

Click + Add Parameter if you wish to add another parameter/value pair before you run the script.

Clicking the X at the right end of a parameter/value pair will delete that row of parameter values.

Run Query/Script

This element, shown in the figure below, is used to run the query or script that you have selected or created. Depending on whether you have selected queries or scripts, the Run button will display Run Query or Run Script.

Run Query Button or Run Script Button

Schedule Query/Script

This element is the Schedule popup. Depending on whether you are using queries or scripts, the Schedule function will display either Schedule Query or Schedule Script. Clicking the Schedule Query/Script button will display the Schedule dialog, shown in the figure below.

Schedule Script

For more information on the Schedule popup, refer to the Schedule Orbital Query Popup section of the Schedule Orbital Queries topic.
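The following Python block is an added illustration of the {{ .parameter }} placeholder syntax described under Creating Python Scripts: it finds the parameter names a script uses (the names that go in the Name field), reports any that have no Value assigned, and fills the placeholders in before the script would run. It is example code written for this page, not Orbital's own implementation, and it makes no claim about how the Builder performs these steps internally; the sample script, its parameter names (target_dir, max_size) and the placeholder regular expression are all constructed for the example.

```python
"""Added example: discovering and filling {{ .parameter }} placeholders in a
custom script. Not Orbital's implementation; the sample script and parameter
names below are constructed for illustration.
"""
import re

# Matches "{{ .name }}" with optional whitespace inside the braces. The leading
# period is part of the syntax; the captured group is the bare parameter name,
# i.e. the string that belongs in the Name field.
PLACEHOLDER = re.compile(r"\{\{\s*\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample script using two parameters (hypothetical content).
SAMPLE_SCRIPT = """\
import os, hashlib

TARGET_DIR = "{{ .target_dir }}"
MAX_SIZE = {{ .max_size }}

for name in os.listdir(TARGET_DIR):
    path = os.path.join(TARGET_DIR, name)
    if os.path.isfile(path) and os.path.getsize(path) <= MAX_SIZE:
        with open(path, "rb") as f:
            print(name, hashlib.sha256(f.read()).hexdigest())
"""


def get_parameters(script: str) -> list[str]:
    """Return the distinct parameter names used in the script, in order of
    first appearance (the names a 'Get parameters from custom script' step
    would populate). A name used twice is listed once."""
    seen: list[str] = []
    for match in PLACEHOLDER.finditer(script):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


def missing_parameters(script: str, values: dict[str, str]) -> list[str]:
    """Names used in the script that have no Value assigned."""
    return [n for n in get_parameters(script) if n not in values]


def render_script(script: str, values: dict[str, str]) -> str:
    """Replace every placeholder with its assigned value. Refuses to render if
    any parameter is unassigned, so a half-filled script is never produced."""
    missing = missing_parameters(script, values)
    if missing:
        raise KeyError(f"no value assigned for parameter(s): {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), script)


if __name__ == "__main__":
    print("parameters found:", get_parameters(SAMPLE_SCRIPT))
    print(render_script(SAMPLE_SCRIPT, {"target_dir": "/tmp", "max_size": "1048576"}))
```

Substitution is purely textual: the value replaces the placeholder exactly as typed, with no quoting or type checking, so a value is effectively part of the script's source. Keep that in mind when deciding who may set parameter values for a scheduled script and review values the same way you would review the script itself.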

Favorites

The Favorites area lists the queries and scripts that you have identified as ones you will use frequently. Clicking the name of a favorite query or script will load it into the Builder and require you to identify the endpoints you wish to run it against.

This area will list a maximum of six (6) favorite queries and scripts.

My Recent History

The My Recent History area lists the last six (6) queries and/or scripts that you have run. Clicking the name of a previously run query or script will load that query or script into the Builder, including the targeted endpoints.

Explore More

The Explore More area lists a randomly selected set of six (6) queries and scripts from the Orbital Catalog.

If the tile names a catalog query or script, clicking the name or the arrow beside the name will take you to the catalog listing for that query or script. If, however, the tile is associated with a Talos Threat Advisory, clicking the name or the arrow beside the name will take you to the associated Cisco Talos Threat Advisory page that the query or script is designed to address.

Clicking Use on the desired query or script listing will load the query or script into the Builder and require you to identify the endpoints you wish to run it against.

MITRE ATT&CK® Adherence

Orbital adheres to MITRE ATT&CK. MITRE ATT&CK is a knowledge base that contains listings and descriptions of the tactics, techniques, and sub-techniques used by adversaries to attack an organization’s infrastructure. This knowledge base is based on real-world observations and investigations. It is useful for threat risk assessment, security improvements, and verifying defence effectiveness.

The ATT&CK knowledge base employs a hierarchical structure, with tactics at the top, followed by techniques, and then sub-techniques. Techniques are mapped to tactics using the tactic’s ID, and a technique can apply to more than one tactic; however, not all tactics have techniques. Sub-techniques relate to techniques in the same manner that techniques relate back to tactics. Sub-techniques are detailed descriptions of specific implementations of a technique.

For more information on ATT&CK® TACTICS, refer to the MITRE ATT&CK® Tactics web page. Additionally, for more information on ATT&CK® TECHNIQUES, refer to the MITRE ATT&CK® Techniques web page.

Note: All predefined catalog queries and scripts have MITRE ATT&CK tactics and techniques assigned to them.

The MITRE ATT&CK Indicator

The MITRE ATT&CK Indicator, shown in the figure below, is used to indicate which MITRE ATT&CK Tactics, Techniques, and Sub-techniques a given stock query adheres to.

MITRE ATT&CK Tactics Identifier

The MITRE ATT&CK Indicator contains 14 dots; each dot corresponds to a different tactic. Starting on the left, the severity of the tactics increases with each dot as you move to the right, as shown in the figure below.

MITRE ATT&CK Indicator Severity

Starting on the left, each dot corresponds to a specific tactic, as defined below.

Dot №  Corresponding Tactic
1      TA0043: Reconnaissance
2      TA0042: Resource Development
3      TA0001: Initial Access
4      TA0002: Execution
5      TA0003: Persistence
6      TA0004: Privilege Escalation
7      TA0005: Defense Evasion
8      TA0006: Credential Access
9      TA0007: Discovery
10     TA0008: Lateral Movement
11     TA0009: Collection
12     TA0011: Command and Control
13     TA0010: Exfiltration
14     TA0040: Impact

Orbital identifies which tactic a particular query adheres to by displaying the corresponding dot darker than the others. If, for example, the third dot from the left is darker than the surrounding dots, the query adheres to the TA0001: Initial Access MITRE ATT&CK tactic. If all of the dots in the MITRE ATT&CK Indicator are grey, the query does not adhere to any MITRE tactics.

When you hover over the MITRE ATT&CK Indicator, Orbital will display the Applied Tactics popup, shown in the figure below, which corresponds to the table above.

MITRE ATT&CK Tactics Name Popup

Clicking the MITRE ATT&CK Indicator will display the Tactics Detail popup, shown in the figure below.

MITRE ATT&CK Tactics Description Popup

This popup lists only those tactics, techniques, and sub-techniques that the query adheres to. In addition to listing their names, the Tactics Detail popup provides a description of each related tactic, technique, and sub-technique and a link to the MITRE ATT&CK web page that describes it.
