Orbital is a service that uses osquery to provide you and your applications with information about your hosts. osquery exposes an entire operating system as a relational database that you can query with SQL to gather information about the host. Orbital can be used by both Cisco customers and their applications to query their computers wherever Orbital has been deployed.
Orbital operates in near real time, delivering queries and returning results in seconds. While Orbital provides hundreds of carefully researched and tested queries, you can also write your own queries using osquery or import them from osquery query packs.
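Because Orbital runs osquery, a custom query is ordinary osquery SQL (SQLite dialect) against osquery's schema tables. The query below is an added example, not one of Orbital's own library queries: it joins osquery's standard `listening_ports`, `processes` and `users` tables to list every process that is bound to a network port together with its binary path, command line and owning user, which is the kind of snapshot an investigator takes to spot an unexpected listener on a host under investigation.

```sql
-- Added example of an osquery query Orbital could run (not from Orbital's query library).
-- Uses osquery's standard tables: listening_ports (pid, port, protocol, address),
-- processes (pid, name, path, cmdline, uid) and users (uid, username).
-- Output: one row per listening socket, with the owning process and user,
-- so unexpected listeners (odd path, odd user, odd port) stand out at a glance.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  lp.address,
  lp.port,
  lp.protocol          -- IP protocol number: 6 = TCP, 17 = UDP
FROM listening_ports AS lp
JOIN processes AS p
  ON p.pid = lp.pid
LEFT JOIN users AS u     -- LEFT JOIN keeps processes whose uid has no users row
  ON u.uid = p.uid
WHERE lp.port != 0        -- drop placeholder sockets reported with port 0
ORDER BY lp.port, p.pid;
```

The same statement works unchanged in a local osqueryi shell, which is a convenient way to test a query before scheduling it through Orbital; the result columns are identical on Windows, macOS and Linux because the tables are part of osquery's cross-platform schema.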
Orbital is intended to be integrated with Cisco products and other applications, with simple-to-use APIs and easy deployment if you already have Secure Endpoint.
Orbital For Cisco Secure Endpoint Advantage Customers
Secure Endpoint Advantage customers can deploy Orbital on supported platforms with a simple configuration change in the Secure Endpoint console. Up to 30 minutes later, Orbital will be available and ready for queries.
Once deployed, Orbital can provide detailed forensic snapshots, run live queries and schedule periodic queries. Orbital works well in combination with Secure Endpoint host isolation to provide a means of quarantining a suspicious host while performing an investigation.
See How Do I Get Orbital? for a guide to installing Orbital on Secure Endpoint endpoints.
Using Orbital With Cisco Threat Response
Cisco Threat Response (CTR) provides a view of threats from diverse products and intelligence sources. CTR can use Orbital to query computers under investigation and search for computers that have observable suspicious entities, such as malicious processes, or are interacting with network addresses under investigation.
Orbital can also notify CTR threat intelligence services when it observes entities as part of an ongoing investigation.
Using Orbital From Cisco Threat Grid
Threat Grid customers can use Orbital to search for computers that show indications of compromise from a Threat Grid sample analysis. This enables quick transitions from analyzing a threat in Threat Grid to searching for at-risk hosts in your environment.
Running Queries Using Orbital APIs
Orbital provides simple APIs that enable running custom or predefined queries and collecting the results. Advanced users can also set up servers that Orbital will notify via webhooks when there are new results, so that you can integrate findings into your own applications.
Querying Windows endpoints with WMI using Orbital
Orbital provides the ability to query your endpoints using a custom extended set of tables that utilize Windows Management Instrumentation (WMI) queries. See Querying Windows endpoints with WMI using Orbital for more information.