This first example illustrates how to run a live query on endpoints in an organization in order to gather information from them. The process is straightforward: first, enter or choose the endpoints you wish to query (you can also select a random sampling); next, construct the query - the question - to ask of the endpoints. Orbital includes a robust catalog of pre-existing queries that you can use, and then edit based on the results.
Step 1 - Select the Endpoint(s) to Query
Click the Query tab to open the Live Query page:
In the Endpoints field, enter the ID of one or more endpoints in your organization that will be queried for information:
To remove an endpoint from the field, click the grey
Alternatively, you can add multiple random endpoints. Click the button under the lower-right corner of the field:
The Add Random Endpoints dialog opens:
The default Number is 10 endpoints; you can enter another number, or use the up and down arrows to change it.
By default all three operating systems, Windows, Mac, and Linux, are selected.
Choose Windows from the dropdown if you wish to limit the query to that OS.
Click Add. The endpoints are added to the Endpoints field:
Step 2 - Enter a Query
You can enter or paste a SELECT statement in the SQL field, but for this quick start exercise we suggest that you start by selecting a query from the catalog, to begin familiarizing yourself with this powerful resource.
Click Browse Query Catalog. The Query Catalog popup window opens:
This catalog contains a collection of pre-defined queries created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started. It is also a useful way to learn quickly what Orbital and osquery can do for threat hunting.
A Search field is provided at the top; the query list will automatically adjust to only include the catalog queries that contain the search term(s).
Click on a query name to view detailed information:
Choose a query from the list.
The query detail popup includes a detailed query description, plus the ID, OS, Categories, ATT&CK™ Techniques and Tactics, information and warning messages, and the SQL SELECT statement. You can copy the SQL by clicking the clipboard icon, or click the + icon to add the SQL statement to your query:
Note that some catalog queries require additional parameters once they have been added. These queries display a Parameters field describing the required information after they have been added.
Other useful cataloged queries to start with include:
* Inventory System Information
* Process Mutex Search
* SHA-256 Hash of Running Processes
* Logged In Users
Step 3 - Run the Query and View the Results
Click Query to send the query to the specified endpoints. The results will be returned in the right pane:
Study the results and the SQL statement to learn how to edit catalog queries and write your own SQL to follow your investigation wherever it leads. You can edit the query and click Run again; the results will refresh.
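As an added illustration of what such catalog-style SELECT statements look like and how you might edit one to narrow an investigation, here are osquery queries written for this guide (they are not the Orbital catalog's own queries). They assume only osquery's standard processes, hash, and logged_in_users tables; the path filters in the second query are illustrative values, not a recommended rule.

```sql
-- SHA-256 of every running process that has an executable path.
-- osquery's hash table is computed on demand, so it must be joined on path.
SELECT p.pid, p.name, p.path, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- Edited version: keep only processes whose executable lives in a temporary
-- directory, a location legitimate software rarely runs from. Adjust the
-- LIKE patterns (constructed examples here) to fit your environment.
SELECT p.pid, p.name, p.path, p.cmdline, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path LIKE '/tmp/%'
   OR p.path LIKE '%\AppData\Local\Temp\%';

-- Logged In Users, with the login timestamp rendered as a readable date.
SELECT user, host, tty, datetime(time, 'unixepoch') AS login_time
FROM logged_in_users
WHERE type = 'user';
```

Each statement can be pasted into the SQL field on its own; comparing the hash column against a known-good inventory is a common next step.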
Step 4 - Schedule a Query
Queries can be run on the fly as live queries, or you can create a Scheduled Query to save and run on a scheduled basis, with the results sent to an application or data store of your choice.
If you are happy with the results you’re seeing in your live query and you’d like to save it and schedule it to run on a regular basis, click Schedule Query. The Schedule Query popup window opens: