Orbital App

Note: Only users with an Administrator role can access the Orbital console and Orbital app in ribbon. To grant users with non-Administrator role access to Orbital queries within your organization, you must change the access level to write on the Users page in Orbital. For details, see Manage User Accounts help topic in Orbital Help.

Cisco Orbital is a cloud-based, attack research and response tool. It allows users to gather system and security information from the client's networked devices and to respond to any threats found.

The Orbital app is available in ribbon and it allows you to query your network's devices, using SQL, and then use Python scripts to respond to any found threats. Orbital uses osquery to allow SQL queries to run against your organization's devices. You can view your recent queries in the right panel. For example, if My Results is selected, only queries created by the currently logged in user are displayed.

Cisco XDR Orbital investigation interface with query/script options, endpoint input, and pre-defined queries.

You can hover over the (Information) icon next to My Results in the right panel to view more information on the Get devices button and the recent query metric data in a tooltip.

Use the Query tab in the Orbital app to construct and execute live, ad-hoc queries on devices to gather more information from them. For more information about running queries in Orbital, see the Queries help topic in Orbital.

  1. Devices - The first step is to enter the ID of one or more devices in your organization that will be queried for information. There are several ways to do this:

    • Click Get devices to extract the observables on the page as devices to query. This will extract RFC1918 IPV4 addresses, and if a web page uses specific HTML attributes it will include hostnames, Connector GUIDs or Orbital IDs. Observables are extracted from raw unformatted text in the web page.

    • You can also enter the ID of one or more devices in your organization that will be queried for information. Separate each ID with a comma and a space.

    • Alternatively, click the (Add random devices) icon to add multiple random devices:

      • In the Add random devices popup, specify the number of devices in the Number field (default is 10) and check the check box of the operating system you want to limit the query in the OS area (for example, choose Windows to limit the query to that OS).
      • Click Add to insert the devices into the Devices field.

    • Click the (Operating system filter) icon to narrow the devices to a specific operating system.

    • Click the (Link queries) icon to use the node list from one or more existing queries as the node list or lists for a new query, provided that the existing query or queries return results that are not empty. For more information, see the Using Linked Queries help topic in Orbital.

    • Click the (Clear devices) icon to remove all the IDs from the Devices field or click the (Copy) icon to copy all the IDs in the Devices field to your clipboard.

  2. Search Query Catalog - Next, select an existing query from the catalog.

    • From the Catalog queries drop-down list, choose a catalog query. The Orbital query catalog contains a rich collection of pre-defined queries that have been created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started. The query catalog helps you quickly learn the power of Orbital and osquery for threat hunting. A Search field is provided at the top of the list; the query list will automatically adjust to only include the catalog queries that contain the search term(s).
    • Choose a query from the list. The name of the query and the SELECT statement are added to the bottom of the panel. Note that some catalog queries will require additional parameters once they have been added. These queries will display a Parameters field describing the required information.

  3. Custom SQL - If you are fluent in writing SQL queries, you can enter a custom SQL SELECT statement in this field instead of choosing a catalog query.

  4. Click Run query to send the query to the specified devices. The metrics in the right panel are updated.

    Cisco XDR Orbital query interface displaying endpoint selection, catalog queries, custom SQL, and run/schedule options.

  5. Click View to pivot into Orbital and see the results on the Results page for your query. For more information on the Results page, see the Orbital Results help topic in Orbital.

You can schedule your query to run on a regularly scheduled basis and have the results sent to an application or remote data store of your choice. For details, see the Using Scheduled Queries help topic in Orbital.

  1. Create your query following the steps in Run Query.

  2. Click Schedule Query. The Schedule Query dialog box opens.

    Schedule Query form. Query set to run every 24 hours for 24 hours. Remote Data Store is None.

    • Query Name - The default name is the date and time. Keep the default or edit as needed to be more meaningful.

    • Schedule - Choose the schedule from the drop-down lists, specifying the job interval and duration. First select the time interval (every) then the duration (for). For example, run the query every 24 hours, for 24 hours will result in 1 job being run in the next 24 hours.

      For example, if you want to run a query once an hour for the next 24 hours, select every 1 hour for 24 hours. If you want to run a query once every 10 minutes for the next hour, select every 10 minutes for 1 hour.

      The number of expected result sets per device is displayed to the right of the Schedule drop-down lists.

    • Run Once - Click the toggle button to tell Orbital to run the query being scheduled only once over the subsequent 24 hours.

    • Remote Data Store - Choose a remote data store from the drop-down list. The remote data store is the location where your saved query results will be sent.

  3. Click Schedule. The query is scheduled and listed on the Results page.

Use the Script tab in the Orbital app to create, send, and execute a Python script to one or more devices to gather more information from them. For more information on scripts, see the Scripts help topic in Orbital.

Note: Script is only available to users with an Administrator role and the Script feature must be enabled in Orbital. For details, see the Configure Your Organization help topic in Orbital.

  1. Devices - The first step is to enter the ID of one or more devices in your organization that will have the script run against them. There are several ways to do this:

    • Click Get devices to extract the observables on the page as devices to run the script against them. This will extract RFC1918 IPV4 addresses, and if a web page uses specific HTML attributes it will include hostnames, Connector GUIDs or Orbital IDs. Observables are extracted from raw unformatted text in the web page.

    • You can also enter the ID of one or more devices in your organization that will have the script run against them. Separate each ID with a comma and a space.

    • Alternatively, click the (Add random devices) icon to add multiple random devices:

      • In the Add random devices popup, specify the number of devices in the Number field (default is 10) and check the check box of the operating system you want to run the script against in the OS area (for example, choose Windows to limit the script to that OS).
      • Click Add to insert the devices into the Devices field.

    • Click the (Operating system filter) icon to narrow the devices to a specific operating system.

    • Click the (Link queries) icon to link a script to an existing query. Like queries, linking a script to an existing query will allow the script to use the device list from the query linked to. This means that the linked script will only act on those devices that the query identifies as meeting its criteria. For details, see the Linkable Scripts section in the Scripts help topic in Orbital.

    • Click the (Clear devices) icon to remove all the IDs from the Devices field or click the (Copy) icon to copy all the IDs in the Devices field to your clipboard.

  2. Search Scripts Catalog - Next, select an existing Python script from the catalog.

    • From the Catalog scripts drop-down list, choose a catalog script. The Orbital script catalog contains a rich collection of pre-defined scripts that have been created by the Orbital engineering team and TRE (Threat Research for Endpoint) to help you get started. The script catalog helps you quickly learn the power of Orbital for threat hunting. A Search field is provided at the top of the list; the query list will automatically adjust to only include the catalog queries that contain the search term(s).
    • Choose a script from the list. The script name and details are added to the bottom of the panel. Note that some catalog scripts will require additional parameters once they have been added. These scripts will display a Parameters field describing the required information.

  3. Custom script - If you are fluent in writing Python scripts, you can enter a custom Python script in this field instead of choosing a catalog script.

  4. Click Run script to run the script and view the results. The results will be returned in the right panel.

    Cisco XDR Orbital's Investigate section, featuring query input for endpoints, catalog queries, and script options.

  5. Click View to pivot into Orbital and see the results on the Results page for your script. For more information on the Results page, see the Orbital Results help topic in Orbital.

You can schedule your scripts to run on a regularly scheduled basis and have the results sent to an application or remote data store of your choice. For details, see the Using Scheduled Scripts help topic in Orbital.

  1. Create your script following the steps in Run Scripts.

  2. Click Schedule Script. The Schedule Script dialog box opens.

    Script scheduling dialog with fields for name, schedule frequency, duration, and remote data store selection.

    • Name - The default name is the date and time. Keep the default or edit as needed to be more meaningful.

    • Schedule - Choose the schedule from the drop-down lists, specifying the job interval and duration. First select the time interval (every) then the duration (for). For example, run the query every 24 hours, for 24 hours will result in 1 job being run in the next 24 hours.

      For example, if you want to run a script once an hour for the next 24 hours, select every 1 hour for 24 hours. If you want to run a script once every 10 minutes for the next hour, select every 10 minutes for 1 hour.

      The number of expected result sets per device is displayed to the right of the Schedule drop-down lists.

    • Run Once - Click the toggle button to tell Orbital to run the script being scheduled only once over the subsequent 24 hours.

    • Remote Data Store - Choose a remote data store from the drop-down list. The remote data store is the location where your saved script results will be sent.

  3. Click Schedule. The script is scheduled and listed on the Results page.