Script Catalog
The Orbital Script Catalog contains a rich collection of scripts that are available for use in exploring, examining, and mitigating any possible security breaches and incidents. The Script Catalog is a robust library that:
- Implements common useful Python scripts
- Can be integrated into other products
- Includes scripts designed to solve specific problems
In general, the Orbital Script Catalog contains two types of script:
- Stock scripts. These are pre-defined scripts that have been created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started using Orbital for threat hunting.
- Custom scripts. These are scripts that have been created by the end user to deal with a specific threat or incident found using a query. These scripts can also be referred to as organizational scripts.
The Script Catalog page lists all the scripts that are stored in the catalog.
This page consists of the following 11 user interface elements and columns:
Element | Description |
---|---|
Filters | Use the options in the Filters pane, on the left side of the Catalog page, to limit the listed scripts to those that include the selected filters, such as:<br>• MITRE ATT&CK Tactics<br>• MITRE ATT&CK Techniques<br>• MITRE ATT&CK Sub-techniques<br>Note: Filters are not exclusive. Scripts that contain additional categories, besides the one in the filter, will also be included. |
Reset | Click Reset to clear all selected filters from the Filters pane or search terms from the Search field. Clearing the active filters will refresh the list to include all catalog queries. |
Search Catalog | Use the Search Catalog field to search for queries that contain specific words or phrases. The Search field accepts the following search parameters:<br>• script's name<br>• script's ID<br>• endpoint's operating system<br>• script's description<br>• MITRE ATT&CK Tactics name<br>• MITRE ATT&CK Techniques name<br>• MITRE ATT&CK Sub-techniques name<br>• a combination of any of the above parameters<br>Note: The search will be limited to the selected filter options. |
Download | This feature allows you to download organization-specific scripts. To download organization-specific scripts, click Download, shown in the illustration below.<br>Download organization scripts<br>The Download organization scripts feature allows you to download all of the scripts that your organization has stored in the Orbital catalog. The scripts are downloaded in JSON format. Refer to the Download organization scripts section in the Using the Script Catalog topic for more information on how to download your organization's scripts from Orbital. |
Name | This column displays the name of the catalog script. Clicking this script name opens the Script Catalog's Details page, which displays details about that script. |
Script Action Menu | This menu provides access to functions that can be performed on the selected script. There are two versions of this menu: one that provides additional functions for stock scripts and one that provides additional functions for custom scripts.<br>Stock Scripts<br>The action menu for stock scripts, shown in the figure below, lists three menu commands:<br>• Copy Script - Copies the highlighted script so that it can be modified and used as a custom script.<br>• Use script - Copies the highlighted script and immediately loads it into the Investigate page's Builder. You can then add new endpoints or any other parameters you may need to create a new script.<br>• Favorite - Marks the selected script as one of your favorite scripts to run. When a script is marked as a favorite, it is displayed in the Favorites list on the Investigate page.<br>Custom Scripts<br>The action menu for custom scripts, shown in the figure below, lists five menu commands:<br>• Copy script, Use script, and Favorite - These three commands operate in the same manner as the corresponding commands for a stock script.<br>• Edit - Allows you to edit a custom script and save the edits back to the catalog. This function is covered in more detail in The Edit Script Function section below.<br>• Delete - Allows you to delete a custom script from the catalog.<br>Warning: Make certain that you need to delete a custom script from the catalog, as the deleted script cannot be recovered. |
OS | This column indicates which operating system or systems the script runs on, shown by one or more of the following icons: Windows, Linux, Macintosh. |
Category | This column lists the category of investigation the script belongs to. The nine categories of investigation are:<br>• Containment<br>• Eradication<br>• Forensics<br>• Identification<br>• Live Acquisition Of Volatile Data<br>• Mitigation<br>• Posture Assessment<br>• Recovery<br>• Threat Assessment<br>Clicking on one of the category indicators in this display is the same as selecting the same filter in the Filter pane, on the left side of the Catalog page. For example, if you click on the Threat Hunting category indicator, Orbital displays all of the scripts that have been assigned to the Threat Hunting category. |
MITRE ATT&CK | This display identifies which MITRE ATT&CK tactics and techniques the script adheres to. This adherence is displayed using the MITRE ATT&CK Tactics Indicator, shown in the figure below.<br>Hovering over the MITRE ATT&CK Tactics indicator displays the Applied Tactics popup, shown in the figure below.<br>Clicking on the MITRE ATT&CK Tactics indicator displays the Tactics Detail popup, shown in the figure below.<br>Note: The MITRE ATT&CK Tactics Indicator is discussed in more detail in The MITRE ATT&CK Indicator section of the Investigate topic. |
Updated | This column displays the date when the catalog script was last updated. |
ID | This column displays the unique ID that Orbital assigns to each script added to the catalog. The IDs assigned to stock scripts are different from those assigned to custom scripts. Generally, custom IDs are prefixed with the string org:. |
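As an added example (not part of the Orbital documentation or product code), the following Python models the catalog behaviour described above: non-exclusive MITRE filters, a search that runs within the filtered set over name, ID, OS, description and MITRE names, and the `org:` prefix that marks custom scripts. The JSON field names and the sample entries are assumptions, since the page does not give the export schema.

```python
import json

# Constructed sample standing in for a downloaded catalog export; the field
# names are an assumption, the page only states that the export is JSON.
CATALOG_JSON = json.dumps([
    {"id": "stock:win-persist-01", "name": "Windows persistence survey",
     "os": ["windows"], "description": "Enumerate run keys and scheduled tasks",
     "mitre": {"tactics": ["Persistence"],
               "techniques": ["Boot or Logon Autostart Execution"],
               "sub_techniques": ["Registry Run Keys / Startup Folder"]}},
    {"id": "org:abc123", "name": "Linux cron review",
     "os": ["linux"], "description": "List cron entries for all users",
     "mitre": {"tactics": ["Persistence", "Execution"],
               "techniques": ["Scheduled Task/Job"], "sub_techniques": ["Cron"]}},
    {"id": "org:def456", "name": "Memory capture",
     "os": ["windows", "linux", "macos"],
     "description": "Collect a volatile memory image",
     "mitre": {"tactics": [], "techniques": [], "sub_techniques": []}},
])


def load_catalog(raw):
    return json.loads(raw)


def is_custom(entry):
    """Custom (organizational) script IDs are prefixed with 'org:'."""
    return entry["id"].startswith("org:")


def apply_filters(entries, tactics=(), techniques=(), sub_techniques=()):
    """Filters are not exclusive: a script is kept when it carries any selected
    tactic/technique/sub-technique, even if it also carries others.
    With nothing selected (the Reset state) every script is kept."""
    sel = {"tactics": set(tactics), "techniques": set(techniques),
           "sub_techniques": set(sub_techniques)}
    if not any(sel.values()):
        return list(entries)
    return [e for e in entries if any(sel[k] & set(e["mitre"][k]) for k in sel)]


def search(entries, text):
    """Case-insensitive search over name, ID, OS, description and MITRE names;
    every word of the search text must appear somewhere (an assumption)."""
    words = text.lower().split()
    hits = []
    for e in entries:
        hay = " ".join([e["name"], e["id"], *e["os"], e["description"],
                        *e["mitre"]["tactics"], *e["mitre"]["techniques"],
                        *e["mitre"]["sub_techniques"]]).lower()
        if all(w in hay for w in words):
            hits.append(e)
    return hits


def find_scripts(raw, text="", **filters):
    """Filter first, then search within the filtered set; returns script IDs."""
    return [e["id"] for e in search(apply_filters(load_catalog(raw), **filters), text)]
```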
The Edit Script Function
Orbital allows you to edit the custom scripts that you create and store in the Orbital Script Catalog. This function can be accessed from the Custom Script Action Menu, as shown in the figure below.
The Edit function can also be accessed from the Script Catalog Details page, as shown in the figure below.
Clicking on either the Action Menu's Edit Script menu command or the Script Catalog Details page's Edit icon will open the Edit Script dialog, shown in the figure below.
This popup consists of five user interface elements:
Element | Description |
---|---|
Name | This field is used to edit or rename the script. |
Description | This field describes what the script is meant to do. It allows you to update or modify the script's description so that it matches the function of the script. |
OS | These checkboxes identify the operating system or systems that the script operates on. This element can be changed to add or remove the affected operating systems. |
Custom SQL | This field is used to edit the Python statement that was initially created for or added to the first draft of the script. |
Cancel/Save Buttons | These buttons are used to either abort the changes you have made to the script or to save the changes to the catalog. Clicking Cancel aborts the changes; clicking Save saves the changes to the catalog. |