Orbital Integration

Cisco Orbital is an advanced capability in Cisco Secure Endpoint that is designed to make security investigation and threat hunting simple by providing an implementation of powerful Osquery technology on each of your Secure Endpoint-enabled endpoints. Orbital allows you to create custom queries to look across your network for anything of interest, but also comes with over a hundred pre-canned queries, allowing you to quickly run complex queries on any or all endpoints. This capability enables you to gain deeper visibility on what happened to any endpoint at any given time by taking a snapshot of its current state. Whether you are doing an investigation as part of incident response, threat hunting, IT operations, or vulnerability and compliance, we get you the answers you need about your endpoints fast. Orbital can enrich information presented in the relations graph by pivoting into Orbital to query and gather additional intelligence about your host, IP, IP4, IP6, MAC, and OS, etc. The Orbital app is available on the ribbon and it allows you to run a live query. You can view metrics and your recent queries in the right panel.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Orbital integration.

  3. Click Get Started. The Orbital integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Orbital integration in Cisco XDR.

You can perform the following tasks after you integrate Orbital with Cisco XDR:

  • Investigations - Start a new investigation into any combination of a known Orbital IP, observable, or asset and the results will include any records of them found in your Orbital. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Orbital has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in Orbital. Available actions include investigating observables in Orbital.

  • Assets - View devices as reported by Orbital. For more information, including how to filter the view to only the reports from Orbital, see Devices.

  • Cisco XDR Ribbon - Access the Orbital app from the ribbon to query your network's devices, using SQL, and then use Python scripts to respond to any found threats.  For more information, see Ribbon and Orbital App.

  • Automation:

    • Atomic Actions - The atomic actions for Orbital can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Orbital can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The Orbital target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.