Orbital Nodes

Orbital nodes are software services that are installed on endpoints (computer hardware) to aid in the collection of system information used when searching for system and network threats.

Support Policy for Orbital Node Versions

In order for Orbital to be able to detect the latest system threats, Orbital nodes must be updated on a regular basis. To accommodate this need, Cisco has enabled a scheduled, automated update system that will install the latest version of the node when it becomes available.

However, this may conflict with an organization’s own schedule, so customers have been given a certain level of control over when Orbital will install the latest node. This comes in the form of allowing the customer to define an update window.

Allowing the customer to choose when an update is installed introduces the possibility of running nodes that are out-of-date and, therefore, unsupported. Nodes that are out-of-date will most likely not have the latest features or support for the tables necessary to provide the full scope of information.

To let customers define when nodes can be updated, Cisco has adopted a node version support policy under which it supports the current version and one previous minor version. Cisco version numbering takes the format {major}.{minor}.{patch}.

Note: Patch releases are not considered to be a new node version and are not taken into consideration by this node version support policy.

This node version support policy has been implemented in Orbital through the definition of three version categories: Supported, Unsupported, and Rejected.

Supported nodes are those nodes that are up-to-date or are only one version behind the current node version. These nodes are allowed to connect to the Orbital service and are identified by a green icon, a circle with a checkmark in it (Supported Icon), and by green text.

Unsupported nodes are those nodes that are two or more versions behind the current version (that is, older than both the current version and the version one older than it). These nodes are still allowed to connect to the Orbital service and can be queried by Orbital; however, they should be updated as soon as possible. These nodes are identified by a yellow icon, a triangle with an exclamation mark in it (Unsupported Icon), and by yellow text.

Rejected nodes are those nodes that are old enough that they are no longer supported by the Orbital service. These nodes are not allowed to connect to the Orbital service and are identified by a red icon, an octagon with an “x” in it (Rejected Icon), and by red text.

Orbital’s Dashboard and Endpoints tabs display the node version status in an information card, similar to the one shown in the figure below.

Node Version Status Information Card

The Orbital Node’s Impact on Network and Endpoint Infrastructure

The impact that Orbital’s nodes have on the endpoints they are installed on and the networks they are connected to will depend on several factors.

The tables that Orbital uses can impact endpoint performance. Tables that collect information such as running processes, logged-in users, and so on, do not have much impact on endpoint processes. Tables that gather information on resources such as file systems require more resources to perform their tasks. If performance of one or more endpoints is a concern for a given period of time, it is recommended that simple queries be run.

Query complexity will also affect the performance of the network the endpoint is attached to. If a query must return a large amount of data to Orbital, it will consume more network bandwidth and, therefore, slow down the network.

It is important to understand that node activity is serialized. This means that only one query is run on an endpoint’s node at any given time, no matter how many queries are queued to run on that node.

Additionally, Orbital, through osquery, can subscribe to operating system events. This allows the node to return information that is current; however, it can also overload the endpoint’s CPU, so tables that record events have been disabled for Windows and macOS.

Orbital Node Version Releases

Nodes for the different operating systems will have staggered releases and will not necessarily have the same version numbers upon release. This means, for example, that the Linux node may have a version number of 1.17, whereas both the Windows and macOS nodes may have the version number 1.14.

The node version numbers are reflected in the Node Version Status tiles located on the Dashboard and Endpoints page, as shown below.

Node Version Status Tile

The Supported [version number] field in the figure above shows a value of 1.14+. This listing shows the oldest node version supported, which in our example is 1.14. The plus (+) symbol tells you that nodes that have version numbers greater than the oldest node version are also supported. For example, version 1.15, version 1.16, version 1.17, and so on, are supported by Orbital.
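The support policy and the staggered per-OS releases described above can be applied to a fleet inventory as follows. This is an added example, not Cisco's code: the function names, the sample inventory, the per-OS current versions, and the Rejected cut-off (which this page does not specify) are all assumptions.

```python
from collections import Counter

# Hypothetical cut-off: the page does not say how far behind a node must be
# before it is Rejected, so this value is an assumption for the example.
REJECT_AT_MINORS_BEHIND = 4

def major_minor(version):
    """Parse {major}.{minor}.{patch}; the patch part is ignored by the policy."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised node version: {version!r}")
    return int(parts[0]), int(parts[1])

def classify(node_version, current_version):
    """Return Supported, Unsupported or Rejected for one node."""
    major, minor = major_minor(node_version)
    cur_major, cur_minor = major_minor(current_version)
    if major != cur_major:
        # The page only describes minor-version distance; flag anything else.
        return "Unknown"
    behind = cur_minor - minor
    if behind <= 1:
        return "Supported"      # current version or one minor version behind
    if behind >= REJECT_AT_MINORS_BEHIND:
        return "Rejected"       # assumed cut-off, see above
    return "Unsupported"        # two or more minor versions behind

def audit(inventory, current_by_os):
    """Classify each (host, os, version) row against its own OS's current version."""
    results = {}
    for host, os_name, version in inventory:
        results[host] = classify(version, current_by_os[os_name])
    return results

# Constructed sample data: releases are staggered, so each OS has its own current version.
CURRENT_BY_OS = {"linux": "1.17.0", "windows": "1.14.0", "macos": "1.14.0"}
INVENTORY = [
    ("web-01", "linux", "1.17.3"),      # patch level is ignored
    ("web-02", "linux", "1.16.0"),
    ("db-01", "linux", "1.14.9"),       # current on Windows, three behind on Linux
    ("hr-laptop", "windows", "1.14.1"),
    ("kiosk-07", "windows", "1.12.0"),
    ("design-mac", "macos", "1.9.4"),
]

if __name__ == "__main__":
    results = audit(INVENTORY, CURRENT_BY_OS)
    for host, status in results.items():
        print(f"{host:12} {status}")
    print(Counter(results.values()))
```

The same version string can land in different categories depending on the operating system, which is why the comparison is made against each OS's own current version rather than a single fleet-wide value.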
