Investigate

The primary activities of Orbital are to search for attacks on your organization's network and endpoints and take action to stop the attacks and secure the network infrastructure. These activities are performed using Query for searches and Script for attack mitigation. Both queries and scripts are created and executed on the Investigate page using the Orbital Builder.

Note: This page initially defaults to using queries. Once you have used the Builder, it will default to the last activity used, Query or Script.

Query/Script Builder

The Query/Script Builder is where you define the code and parameters of the query or script you need to run. It is also where you can schedule your query or script to run and where you can save a custom query or script to the Orbital catalog.

See Orbital Builder for more details.

Recent History

The Recent History area lists the last six queries or scripts you ran. Click the name of a previously run query or script to load it in the Builder.

Explore More

The Explore More area lists a randomly selected set of queries and scripts from the Orbital Catalog and Talos Threat Advisories. Click the Refresh button to load another random set in the pane.

  • Click View to see the Catalog entry for the script or query in the side drawer.

  • Click Use to load the script or query in the Builder.

Results

The Results area lists the results of a query or script that was run immediately rather than scheduled to run later.

The Results Area User Interface Elements

The Results area of the Investigate page consists of:

  • The list of endpoints that ran the query or script. Click on a Hostname to view it on the Endpoint Details page.

  • The MITRE ATT&CK Indicator associated with the query or script results if any.

  • A link to view the results on the Results Page.

  • Options to download the results in CSV or JSON format.

More Info