Orbital
Orbital is a cloud-based attack research and response tool. It lets you gather system and security information from networked devices in your organization and respond to any threats found. Orbital also features native integrations with Cisco XDR and Cisco Secure Endpoint, with many of its functionalities available within the consoles of those products.
Orbital allows you to query devices through osquery with SQL, then use Python scripts to respond to any threats. Create and run Orbital queries and scripts on the Investigate page. Go to the Results page to view the results for the run queries and scripts. The Catalog provides researched and tested queries and scripts to use. You can also write custom SQL queries and Python scripts that can be saved in the Catalog.
For more information on Orbital, see Orbital Help.
To get started with Orbital:
- Go to Client Management > Deployments to create a deployment that includes the Orbital module. For more information, see the Create Deployment help topic.
- Download and install the deployment on your devices.
- Only users with an Administrator role can access the Orbital console and the Orbital app in the ribbon. To grant users with a non-Administrator role access to Orbital queries within your organization, you must change their access level to write on the Users page in Orbital. For details, see the Manage User Accounts help topic in Orbital Help.
- If applicable, configure exclusions for Orbital in your third-party endpoint detection and response products to prevent them from interfering with Orbital's functionality. For details, see the Orbital Exclusions help topic in Orbital Help.
- By default, the script feature is disabled in Orbital. If you are setting up Orbital for the first time, ensure that the script feature is enabled in Orbital. For details, see the Configure Your Organization help topic in Orbital Help.
You can perform the following tasks after you install the Orbital deployment on your devices:
- Investigations - Start a new investigation into any combination of a known Orbital IP, observable, or asset, and the results will include any records of them found in your Orbital. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Orbital has recent information. For details, see Investigate.
- Pivot Menu - Use the Pivot menu to access actions in Orbital. Available actions include investigating observables in Orbital.
- Assets - View devices as reported by Orbital. For more information, including how to filter the view to only the reports from Orbital, see Devices. Orbital contributes to the following device details: FQDN, Windows Security Center (if applicable), Associated Users, and Top vulnerabilities. For more information, see Device Overview.
- Ribbon - Access the Orbital app from the ribbon to query your network's devices using SQL, and then use Python scripts to respond to any threats found. For more information, see Ribbon and Orbital App.
- Automation:
  - Atomic Actions - The atomic actions for Orbital can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Workflows - The workflows for Orbital can be installed from the Automation Exchange. See Workflows and Exchange.
  - Target - The Orbital target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.