Query

Use the Orbital Query page to construct and execute live, ad hoc queries on endpoints in order to gather more information from them. Orbital uses osquery, which allows you to query your devices like a database using basic SQL commands.

There are several ways to access the Query page on the Orbital console:

• Go to Management -> Computers and locate your computer. Expand the pane and click Orbital Query. The Orbital console opens to the Query page, with the GUID of the computer you selected added to the Endpoints field.
• You can also access the Orbital console by going to Analysis -> Search and clicking the Search your endpoints with Orbital link.
• Open the Orbital console directly at https://orbital.amp.cisco.com/query.

If necessary, click Log in with Cisco SecureX to authenticate using your existing Secure Endpoint Console credentials. Refer to SecureX Sign-on for more information on signing in to your account using SecureX.

Endpoints - Choose the Query Target

In the Endpoints field, enter the ID of one or more endpoints in your organization that will be queried for information, as shown in the figure below.

To remove an endpoint from the field, click the X at the right end of the endpoint label.

Alternatively, you can add multiple random endpoints. Click at the right end of the field, as show in the figure below.

The Add Random Endpoints dialog opens:

The default Amount is 10 endpoints but you can also enter another number, or use the up and down arrows to choose another number.

• Click Add. The endpoints are added to the Endpoints field:

  

Prefixes for Endpoint Input

Use prefixes to add endpoints to your query in formats other than Node ID and Connector GUID.

SQL - Enter a Query

You can enter or paste a SELECT statement in the SQL field, or select one from the Query Catalog.

• Click Browse Query Catalog. The Query Catalog dialog opens:

  

  This catalog contains a rich collection of pre-defined queries that have been created by the Orbital engineering team and RET (Research and Efficacy Team) to help you get started. This information should help you quickly learn the power of Orbital and osquery for threat hunting.

  A Search field appears at the top of the dialog. The query list will automatically adjust to display only those catalog queries that contain the search term(s).

• Click on a query name to view detailed information:

  

• Choose a query from the list.

  

  The query detail dialog includes a detailed query description, plus the ID, OS, Categories, ATT&CK™ Techniques and Tactics, information and warning messages, and the SQL SELECT statement. You can copy the SQL by clicking the clipboard icon, or click the + icon to add the SQL statement to your query:

  

  Note: Some catalog queries will require additional parameters once they have been added. These queries will display one or more Parameters fields describing the required information after they’ve been added.

  

Note: The SQL statements of queries added from the Catalog will be hidden by default. To display the SQL, click on the name of the catalog query.

Other useful cataloged queries to start with include:

• Inventory System Information
• Process Mutex Search
• SHA-256 Hash of Running Processes
• Logged In Users

Live Query

• To send the query to the specified endpoints click Live Query. The results will be returned in the right pane:

  

Study the results and the SQL statement to learn how to edit catalog queries and write your own SQL to follow your investigation wherever it leads. You can edit the query and click Live Query again; the results will refresh.

Download all as [Format Type]

The Download all as [Format Type] function allows you to download the records of all the results of the active live query. The records retrieved using the Download all as [Format Type] can be either formatted in a Comma Separated Variable (CSV) file or a JavaScript Object Notation (JSON) file.

Refer to Setting the Download File Type for instructions on setting the download file type.

To download the active live query results:

1. Click Download all as [Format Type]. This will display the Preparing download… message, as shown below.

When the results file is ready to download, Orbital will display the download is ready message, as shown below.

2. Click [Date and Time] download is ready.

   This will download the active live query results in a ZIP file.

Schedule Orbital Query

You can save and run a query on a scheduled basis and have the results sent to an application or remote data store of your choice.

1. Click Schedule Query. The Schedule Orbital Query popup window opens:

   

   • Query Name - Enter a query name or keep the date/time default name.

   • Remote Data Store - Choose a remote data store from the dropdown list. The remote data store is the location where your saved query results will be sent. It is from a list of webhooks your organization has configured. (Click Add Remote Data Store if you need to add a new option to the dropdown list.)

       Refer to the Remote Data Store Errors section in the Remote Data Store topic for more information on Remote Data Store Errors.

   • Schedule - Choose the schedule Period and Interval from the dropdown lists. The Interval is how often the scheduled query will run, and the Period is the time frame for running the schedule.

     For example, if you want to run a query once an hour for the next 24 hours, select an Interval of 1 hour and a Period of 24 hours. If you want to run a query once every 10 minutes for the next hour, select an Interval of 10 minutes and a Period of 1 hour. Selecting the Interval will alter the Period options accordingly.

     The number of expected result sets per endpoint is displayed at the bottom of the Schedule section.

2. Click Schedule. The query is scheduled and listed on the Results page.

More Info

• What is osquery - Help topic on osquery
• About osquery - osquery website
• Query Basics