Using Orbital Queries

Use the Orbital Query page to construct and execute live, ad hoc queries on endpoints in order to gather more information from them. Orbital uses osquery, which allows you to query your devices like a database using basic SQL commands.

Orbital’s Query page

There are several ways to access the Query page on the Orbital console:

If necessary, click Log in with Cisco SecureX to authenticate using your existing Secure Endpoint Console credentials. Refer to the SecureX Sign-On Quick Start Guide for more information on logging in through SecureX.

Endpoints - Choose the Query Target

In the Endpoints field, enter the ID (Node ID or Connector GUID) of one or more endpoints in your organization that will be queried for information, as shown in the figure below.

First endpoint

To remove an endpoint from the field, click the X at the right end of the endpoint label.

Alternatively, you can add multiple random endpoints. Click Random Endpoints at the right end of the field, as shown in the figure below.

Add Random Endpoints button

The Add Random Endpoints dialog opens:

Add Random Endpoints

The default Amount is 10 endpoints; enter another number, or use the up and down arrows, to change it.

Prefixes for Endpoint Input

Use prefixes to add endpoints to your query in formats other than Node ID and Connector GUID.

Using the Orbital SQL Query Catalog

The Orbital Query Catalog contains a rich collection of pre-defined SQL queries that have been created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started with using Orbital and osquery for threat hunting. The Orbital Catalog is a robust library that:

The Query Catalog page provides access to all of the queries that are stored in the catalog:

Catalog page

SQL - Enter a Query

You can enter or paste a SELECT statement in the SQL field, or select one from the Query Catalog.

  1. Click Browse Query Catalog. The Query Catalog dialog opens:

    Query Catalog

    This catalog contains a rich collection of pre-defined queries that have been created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started. This information should help you quickly learn the power of Orbital and osquery for threat hunting.

    A Search field appears at the top of the dialog. The query list will automatically adjust to display only those catalog queries that contain the search term(s).

  2. Click on a query name to view detailed information:

    Query Catalog

  3. Choose a query from the list.

    Query Catalog

    The query detail dialog includes a detailed query description, plus the ID, OS, Categories, ATT&CK™ Techniques and Tactics, information and warning messages, and the SQL SELECT statement. You can copy the SQL by clicking the clipboard icon, or click the + icon to add the SQL statement to your query:

    Query Catalog

    Note: Some catalog queries require additional parameters once they have been added. These queries display one or more Parameters fields describing the required information after they have been added.

    Query Catalog

Note: The SQL statements of queries added from the Catalog will be hidden by default. To display the SQL, click on the name of the catalog query.

Other useful cataloged queries to start with include:

Saving A Query To the Catalog

To save a custom query to the Orbital catalog:

  1. Navigate to Orbital’s Query page, as shown in the first figure of this topic.

  2. Place your cursor in the Custom SQL field, shown in the figure below.

    Custom SQL Field

  3. Type your SQL statement into the Custom SQL field. As you type your SQL statement, the Save Query button is displayed, as shown in the figure below.

    Save Query Button

    • If you need to type a multi-statement query, click the plus located at the right end of the Custom SQL field, shown in the figure below. Each statement is entered separately; the plus does not require a semicolon-separated script.

      Additional SQL Statements

      This will clear the Custom SQL field and place the previous SQL statement at the bottom of the page.

  4. Click Save Query. This will display the Save Query dialog, shown in the figure below.

    Save Query Dialog

  5. Type the name that the query will be saved under in the catalog in the Query Name field.

  6. Type a description of the query into the Description field.

  7. Select the operating system or operating systems that the query will be run against, using the OS checkboxes. This defaults to no operating systems selected. Once you have selected one or more operating systems, the Save button will be displayed.

  8. Click Save. This will remove the Save Query dialog from the screen and return to the Query page. The newly saved query is listed at the bottom of the page, as shown in the figure below.

    Query Is Saved
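As an added example of a multi-statement query worth saving to the catalog for Windows endpoints (this is not a catalog query), the two statements below cover two common persistence locations. The first reads the standard Run keys from the osquery registry table (the HKEY_LOCAL_MACHINE and HKEY_USERS Run paths are the well-known Windows autorun locations; the LIKE wildcard under HKEY_USERS expands to every loaded user hive). The second lists enabled scheduled tasks outside the built-in \Microsoft\ tree or marked hidden; that filter is an assumption made for illustration, since vendor software can legitimately register tasks there. Enter the first statement in the Custom SQL field, click the plus, and enter the second.

```sql
-- Added example, not an Orbital catalog query. Windows only.
-- Statement 1: autorun entries in the machine-wide and per-user Run keys.
SELECT
  key,
  name,
  data,                              -- command line that runs at logon
  datetime(mtime, 'unixepoch') AS modified_utc
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';

-- Statement 2 (entered after clicking the plus): scheduled tasks that are
-- enabled and either hidden or outside the built-in \Microsoft\ task tree.
-- The path filter is an assumption; tune it to your environment.
SELECT
  name,
  path,
  action,                            -- executable and arguments the task launches
  hidden,
  datetime(last_run_time, 'unixepoch') AS last_run_utc
FROM scheduled_tasks
WHERE enabled = 1
  AND (hidden = 1 OR path NOT LIKE '\Microsoft\%');
```

When you save this query, select only the Windows OS checkbox; the registry and scheduled_tasks tables do not exist on Linux or macOS endpoints, and a statement against a missing table fails on those hosts.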

Live Query

Click Live Query to run the statement against the selected endpoints. Study the results and the SQL statement to learn how to edit catalog queries and write your own SQL to follow your investigation wherever it leads. You can edit the query and click Live Query again; the results will refresh.

Download all as [Format Type]

The Download all as [Format Type] function downloads every record returned by the active live query. The records can be formatted either as a Comma Separated Value (CSV) file or as a JavaScript Object Notation (JSON) file.

Refer to Setting the Download File Type for instructions on setting the download file type.

To download the active live query results:

  1. Click Download all as [Format Type]. This will display the Preparing download… message, as shown below.

    Preparing download…

    When the results file is ready to download, Orbital will display the download is ready message, as shown below.

    download is ready

  2. Click [Date and Time] download is ready.

    This will download the active live query results in a ZIP file.
