Catalog Details

The Orbital Catalog Details page displays a query or script's specific information. Each query or script catalog detail page includes a description of the query or script, the query's SQL statement, the script's Python statement and the query or script's associated MITRE tactics and techniques, if the query or script is stock.

To open a query or script's Details Catalog page, click the desired query or script name link on the Catalog page.

This page consists of:

Catalog

This element is a link back to the main Catalog page. Click this link to take you back to the main Catalog page.

query or script ID

This element lists the Orbital identification of the script or query. If the query or script is a stock query or script, this element will display the name assigned by the Threat Research for Endpoint team. If the query and script is an organizational query or script, the ID displayed will be the ID assigned by Orbital when you save the query or script.

Favorite (☆)

This element allows you to designate the current query or script as a favorite query or script. Clicking the star icon so that it is filled in will designate the query or script as a favorite. If you clear the star icon will unfavorite the query or script. After you designate the query or script as a favorite, it will appear in the Favorites area, as discussed in Favorites section of the Investigation topic.

Name

This element displays the name of the query or script being displayed on the Detailed Catalog page.

Created

This element displays the name of person who created the query or script and the date and time the query or script was created.

Description

This element displays the description that has been assigned to the query or script.

ID

This element displays the ID that has been assigned to the query or script either by the Threat Research for Endpoint team or by Orbital itself. The value displayed here is the same as the value displayed in the above mentioned query or script ID beside the Catalog link.

OS

This element displays the endpoint operating system or systems that the query or script will run against. The valid values displayed here are Windows, Linux, and macOS.

Type

This element displays if the type of script is either a query or script. Clicking on this element will display only queries or scripts on the Catalog page, depending on the query or script currently being displayed.

Categories

This element displays the category or categories assigned to the query or script by the Threat Research for Endpoint team. This element is only displayed if the query or script is a stock query or script.

Parameters

This element displays the values assigned to a script's parameters for both the parameter name and associated value. This element is only displayed for scripts.

SQL/Script Content

This element will display the SQL content or Python script that comprises the query or script.

Copy ()

This element allows you to copy the content of the query or script to use with a new query or script in the Orbital Builder. For more information on the Builder, refer to the Orbital Builder topic.

Use query/script

This element allows you to use the query or script in the Orbital Builder. Clicking this element will load the query or script into the Orbital Builder for use as a custom or organizational query or script.

Edit

This element allows you to edit the query or script. For more information on editing queries and scripts, refer to the Edit Query/Script Function section of the Orbital Catalog topic. This element is only active on those queries or scripts that are custom or organizational queries or scripts.

Delete

This element allows you to delete the displayed query or script. Clicking on this element will display the Confirm Delete Query/Script dialog. This element is only active on those queries or scripts that are custom or organizational queries or scripts.

MITRE ATT&CK®

This element displays the MITRE ATT&CK Tactics and Techniques associated with the query or script being displayed. This element is only displayed for stock queries and scripts.

More Info