Orbital Scripts

Script is a companion to Orbital’s Query feature. Query allows you to search out malicious attacks and possible use of your networked assets. Script provides the ability to counteract any threats found using Query.

Script accomplishes this by providing you with the means to either create a Python script or select one from the Catalog, send it to one or more endpoints, execute the script on the endpoint or endpoints, and receive the results of the script’s execution. Additionally, it is possible that scripts can return information that osquery does not report which further extends Orbital’s Query feature.

For more information on Orbital’s use of Python, refer to the Python section in the Orbital Nodes topic. There are some important points you should be aware of while using Orbital’s Script. Some of these points of note are:

• Endpoints will only run one script at a time. You cannot run multiple scripts at the same time on a node.
• If you send an ad hoc script to the node and the node is busy, it will return a node busy message and ignore the script. If the script is scheduled, the node will put it in a queue and run it in its turn.
• If a user is deactivated while one of their scheduled scripts is running, the script will continue to run until it is finished.
• If a script is running and the administrator turns off scripting, any running scripts will complete and no more scripts will be run.
• No new scripts can be run after the Script feature has been turned off. This function is immediate.
• If your organization does not have the Script feature turned on, you will not see any scripts listed in the Explore More area on the right side of the Investigate page. You will only see queries. For more information on the Explore More area, refer to the Explore More section in the Investigate topic.

Some endpoint tasks that you can perform with Script are:

• start and stop services and processes
• deleting files
• end point shutdown or reboot
• applying patches
• perform deeper forensics investigations
• much more

Turning Off Script

If you decide to turn off Orbital’s Script feature, certain Orbital functions will be stopped. The functions that will stop or change are:

• The Script option will no longer available in the Orbital Builder.
• All Type filters are removed from Catalog page.
• All scripts stored in the Orbital Catalog, both stock and organizational, will be removed from use.
• Any currently executing scripts will be allowed to complete.
• Any scheduled scripts that have yet to run, will be cancelled, thereby preventing future executions.
• All Python libraries on Windows and Linux systems will be disabled.

Linkable Scripts

Orbital allows you to link a script to an existing query. Like queries, linking a script to an existing query will allow the script to use the endpoint list from the query linked to. This means that the linked script will only act on those endpoints that the query identifies as meeting its criteria.

Important Note: Scripts can only be linked to an existing query. They cannot be linked to another script nor can queries be linked to existing scripts. Additionally, the Link Query command will only be listed in action menus, located on the Results page, that are associated with queries. It will not be listed in the action menus for existing scripts.

Linking scripts to queries follows the same process as linking queries to other queries. As such, you can follow the instructions laid out in the Using Linked Queries topic; however, instead of linking from a query to a query, your action will be to link from a script to an existing query.

More Info

• Turning On the Script Feature
• Turning Off the Script Feature
• Schedule Orbital Scripts
• Using Orbital Scripts
• Script Results

Return to Table of Contents