Query Catalog

The Orbital Query Catalog contains a rich collection of queries that are available for use in investigating possible security breaches and incidents. The Query Catalog is a robust library that:

In general, the Orbital Query Catalog contains two types of query: stock queries and custom queries (custom queries are the ones your organization creates and uploads; their IDs are prefixed with org:).

The Query Catalog page lists all the queries that are stored in the catalog.

Catalog page

This page consists of the following 12 user interface elements and columns:

Filters: Use the options in the Filters pane, on the left side of the Catalog page, to limit the listed queries to those that include the selected filters, such as:
• MITRE ATT&CK Tactics
• MITRE ATT&CK Techniques
• MITRE ATT&CK Sub-techniques
Note: Filters are not exclusive. Queries that contain additional categories besides the one in the filter are also included.
Reset: Click Reset to clear all filters from the Filters pane and any search terms from the Search field. The list refreshes to include all catalog queries.
Search Catalog: Use the Search Catalog field to find queries that contain specific words or phrases. The Search field accepts the following search parameters:
• query name
• query ID
• endpoint operating system
• query description
• MITRE ATT&CK Tactic name
• MITRE ATT&CK Technique name
• MITRE ATT&CK Sub-technique name
• any combination of the above parameters
Note: The search is limited to the queries that match the selected filter options.
Upload Queries: The Upload Queries feature allows you to create queries on your local machine and upload them to your Orbital catalog. Refer to the Upload Queries section in the Using the Catalog topic for more information on how to upload queries to your catalog.
Download: This feature allows you to download query templates or organization-specific queries. To download either, click Download, shown in the illustration below.
Catalog Download Menu
Download query template: The Download query template feature allows you to download a query template from Orbital to use as the basis for your own queries, which can then be uploaded to Orbital. This template is useful if you are uncertain how Orbital requires queries to be formatted and structured. Refer to the Download query template section of the Using the Catalog topic for more information on how to download a template from Orbital.
Download organization queries: The Download organization queries feature allows you to download all of the queries that your organization has stored in the Orbital catalog. The queries are downloaded in JSON format. Refer to the Download organization queries section in the Using the Catalog topic for more information on how to download your organization’s queries from Orbital.
Name: This column displays the name of the catalog query. Clicking the query name opens the Query Catalog’s Details page, which displays details about that query.
Query Action Menu: This menu provides access to functions that can be performed on the selected query. There are two versions of this menu: one that provides the functions available for stock queries and one that provides additional functions for custom queries.
The action menu for stock queries, shown in the figure below, lists three menu commands:
Stock Query Action Menu
Copy - This menu command copies the highlighted query so that it can be modified and used as a custom query.
Add to new query - This menu command copies the highlighted query and immediately loads it into the Query page. You can then add endpoints or any other parameters you need to create a new query.
Favorite - This menu command marks the selected query as one of your favorite queries to run. When a query is marked as a favorite, it is displayed in the Favorites list on the Query page.
The action menu for custom queries, shown in the figure below, lists five menu commands:
Custom Query Action Menu
Copy, Add to new query, and Favorite - These three commands operate in the same manner as the corresponding commands for a stock query.
Edit - This menu command allows you to edit a custom query and save the edits back to the catalog. This function is covered in more detail in The Edit Query Function section below.
Delete - This menu command allows you to delete a custom query from the catalog.
Warning: Be certain that you need to delete a custom query from the catalog before doing so, as a deleted query cannot be recovered.
OS: This column indicates which operating system or systems the query runs on, shown by one or more of the following icons: the Windows icon, the Linux icon, and the Macintosh icon.
Category: This column lists the category of investigation the query belongs to. The four categories of investigation are:
• Forensics
• Live Acquisition Of Volatile Data
• Posture Assessment
• Threat Assessment
Clicking one of the category indicators in this column is the same as selecting the corresponding filter in the Filters pane, on the left side of the Catalog page. For example, if you click the Threat Hunting category indicator, Orbital displays all of the queries that have been assigned to the Threat Hunting category.
Note: Categories of investigation are assigned only to those catalog queries that are created by the Threat Research for Endpoints team.
MITRE ATT&CK: This column identifies which MITRE ATT&CK tactics and techniques the query maps to. This mapping is displayed using the MITRE ATT&CK Tactics Indicator, shown in the figure below.
MITRE ATT&CK Tactics Identifier
Hovering over the MITRE ATT&CK Tactics indicator displays the Applied Tactics popup, shown in the figure below.
MITRE ATT&CK Tactics Name Popup
Clicking the MITRE ATT&CK Tactics indicator displays the Tactics Detail popup, shown in the figure below.
MITRE ATT&CK Tactics Description Popup
Note: The MITRE ATT&CK Tactics Indicator is discussed in more detail in The MITRE ATT&CK Indicator section, below.
Updated: This column displays the date when the catalog query was last updated.
ID: This column displays the unique ID that Orbital assigns to each query added to the catalog. The IDs assigned to stock queries differ from those of custom queries; custom query IDs are generally prefixed with the string org:.
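As an added illustration (not Orbital’s own code), the following Python models the behaviour the Filters, Search Catalog and ID rows describe: non-exclusive filters, a search across the listed fields that is limited to the filtered set, and the org: prefix that marks custom query IDs. The export field names, the form of the stock ID and the sample records are constructed assumptions, not Orbital’s actual export schema.

```python
import json

# Constructed sample of an organization-queries export. The field names and the
# form of the stock ID are assumptions, not Orbital's actual export schema.
SAMPLE_EXPORT = json.dumps([
    {"id": "org:0001", "name": "Recent scheduled tasks", "os": ["windows"],
     "description": "Scheduled tasks modified in the last day",
     "tactics": ["Persistence", "Execution"], "techniques": ["Scheduled Task/Job"]},
    {"id": "org:0002", "name": "Listening ports", "os": ["linux", "macos"],
     "description": "Processes with open listening sockets",
     "tactics": ["Command and Control"], "techniques": []},
    {"id": "stock-0003", "name": "Startup items", "os": ["windows", "macos"],
     "description": "Autostart entries for persistence review",
     "tactics": ["Persistence"], "techniques": ["Boot or Logon Autostart Execution"]},
])

def load_export(raw_export):
    """Parse the JSON produced by Download organization queries (schema assumed)."""
    return json.loads(raw_export)

def is_custom(query):
    """Custom (organization) queries carry IDs prefixed with 'org:' (see the ID column)."""
    return query["id"].startswith("org:")

def apply_filters(queries, tactics=(), techniques=()):
    """Filters are not exclusive: a query carrying a selected tactic or technique
    matches even if it also carries others. OR-ing several selected filters
    together is an assumption; the page does not say how they combine."""
    if not tactics and not techniques:
        return list(queries)
    return [q for q in queries
            if set(q["tactics"]) & set(tactics) or set(q["techniques"]) & set(techniques)]

def search_catalog(queries, term):
    """Case-insensitive substring match against name, ID, OS, description and
    the MITRE ATT&CK tactic and technique names, as the Search field does."""
    needle = term.lower()
    def searchable(q):
        parts = [q["name"], q["id"], q["description"], *q["os"], *q["tactics"], *q["techniques"]]
        return " ".join(parts).lower()
    return [q for q in queries if needle in searchable(q)]

def list_catalog(raw_export, tactics=(), techniques=(), term=""):
    """Search is limited to the filtered set, as the Catalog page describes.
    Returns matching query IDs in export order."""
    queries = apply_filters(load_export(raw_export), tactics, techniques)
    if term:
        queries = search_catalog(queries, term)
    return [q["id"] for q in queries]
```

Running list_catalog with a tactic filter and then a search term shows the search narrowing only the already-filtered queries, which is the interaction the two Notes in the table describe.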

The Edit Query Function

Orbital allows you to edit the custom queries that you create and store in the Orbital Query Catalog. This function can be accessed from the Custom Query Action Menu, as shown in the figure below.

Edit Query on Custom Query Action Menu

The Edit Query function can also be accessed from the Query Catalog Details page, as shown in the figure below.

Edit on Query Catalog Details

Clicking either the Action Menu’s Edit Query menu command or the Query Catalog Details page’s Edit Query icon opens the Edit Query dialog, shown in the figure below.

Edit Query Popup

This popup consists of five user interface elements:

Name: This field is used to edit or rename the query.
Description: This field describes what the query is meant to do. Use it to update or modify the query’s description so that it matches the function of the query.
OS: These checkboxes identify the operating system or systems that the query runs on. Change them to add or remove the affected operating systems.
Custom SQL: This field is used to edit the SQL statement that was created for or added to the first draft of the query.
Cancel/Save buttons: These buttons either abort the changes you have made to the query or save the changes to the catalog. Clicking Cancel abandons the changes; clicking Save writes the changes to the catalog.
