Catalog

The Orbital Catalog contains hundreds of predefined queries and scripts. They can be used to investigate possible security breaches and incidents, and to explore, examine, and mitigate additional incidents found during investigation. Custom queries and scripts that you create can be saved in the Catalog.

The Catalog contains two types of query or script:

  • Stock - Queries and scripts created by the Orbital engineering team and TRE (Threat Research for Endpoint) to aid in threat hunting.

  • Custom - Queries and scripts created by you to investigate and deal with a specific threat or incident. Custom queries and scripts are not saved to the catalog automatically.

The Catalog page consists of:

Filters

Use the options in the Filters pane to limit the listed queries and scripts to those queries and scripts that are included in the selected filters. The filters and filter categories are:

  • Filters

  • Reset

  • Organization

  • Favorites

  • New

  • Deprecated

  • Operating System

  • Type

  • Categories

  • ATT&CK® Tactics

  • ATT&CK® Techniques

  • ATT&CK® Sub-Techniques


Note: Filters are not exclusive. Queries and scripts that contain additional categories besides the one in the filter will also be included.


Reset

Click Reset to clear all filters from the Filters pane or search terms from the Search field. Clearing the active filters will refresh the list to include all catalog queries and scripts.

Search Catalog

Use the Search Catalog field to search for queries or scripts that contain specific words or phrases. The Search field will accept the following search parameters:

  • query/script's name

  • query/script's ID

  • endpoint's operating system

  • query/script's description

  • MITRE ATT&CK Tactics name

  • MITRE ATT&CK Techniques name

  • MITRE ATT&CK Sub-techniques name

  • a combination of any of the above parameters


Note: The search will be limited to the selected filter options.


Upload Queries

The Upload Queries feature allows you to create queries on your local machine and upload them to your Orbital catalog. Refer to the Upload Queries section in the Using Catalog topic for more information on how to upload queries to your catalog.

This user interface element is only available for use with queries. Scripts cannot be uploaded to the Orbital Catalog.

Download

Download query templates, organization-specific queries, or organization-specific scripts.


Download query template

The Download query template feature allows you to download a query template from Orbital to use to create your own queries, which can then be uploaded to Orbital. This template is useful if you are uncertain how Orbital requires the queries to be formatted and structured. Refer to the Download Query Template section of the Using Catalog topic for more information on how to download a template from Orbital.

Download organization queries

The Download organization queries feature allows you to download all of the queries that your organization has stored to the Orbital catalog. The queries can be downloaded in the JSON format. Refer to the Download Organization Queries or Scripts section in the Using Catalog topic for more information on how to download your organization's queries from Orbital.

Download organization scripts

The Download organization scripts feature allows you to download all of the scripts that your organization has stored to the Orbital catalog. The scripts can be downloaded in the JSON format. Refer to the Download Organization Queries or Scripts section in the Using Catalog topic for more information on how to download your organization's scripts from Orbital.

Name

This column displays the name of the catalog query or script. Clicking the name opens the query or script's Catalog Details page, which displays details about that query or script.

A warning icon displayed beside the name of the query or script indicates that you should take care when running that query or script. The icon also appears on the query or script's Catalog Details page.

Action Menu

This menu provides access to functions that can be performed on the selected query or script. There are two versions of this menu: one that provides additional functions for stock queries and scripts, and one that provides additional functions for custom queries and scripts.

The action menu for stock queries and scripts lists three menu commands:

Copy

This menu command copies the highlighted query or script so that it can be modified and used as a custom query or script.


Use query/script

This menu command copies the highlighted query or script and immediately loads it into the Orbital Builder. You can then add new endpoints or any other parameters you may need to create the new query or script.


Favorite

This menu command marks the selected query or script as one of your favorite queries or scripts to run. When a query or script is marked as a favorite, it is displayed in the Favorites list on the Investigate page.


The action menu for custom queries and scripts has these commands:

Edit

This menu command allows you to edit a custom query or script and save the edits back to the catalog. This function is covered in more detail in The Edit Query/Script Function section below.


Delete

This menu command allows you to delete a custom query or script from the catalog.


Warning: Make certain that you need to delete a custom query from the catalog before doing so, as a deleted query cannot be recovered.


OS

This column indicates which operating system or systems are used by the endpoints that the query or script will be run against.

Category

This column lists the category of investigation the query or script belongs to. The nine categories of investigation are:

  • Containment

  • Eradication

  • Forensics

  • Identification

  • Live Acquisition Of Volatile Data

  • Posture Assessment

  • Recovery

  • Threat Hunting

  • Vulnerability Mitigation

Clicking on one of the category indicators listed in this display is the same as selecting the same filter located in the Filter pane, on the left side of the Catalog page. For example, if you clicked on the Threat Hunting category indicator, Orbital will display all of the queries and scripts that have been assigned to the Threat Hunting category.


Note: The categories of investigation can only be assigned to those catalog queries that are created by the Threat Research for Endpoints team.


MITRE ATT&CK

This display identifies which MITRE ATT&CK tactics and techniques the query involves.

Hover over the MITRE ATT&CK Tactics indicator to display the Applied Tactics.

Click on the MITRE ATT&CK Tactics indicator to display the Tactics Detail.


Note: The MITRE ATT&CK Tactics indicator is discussed in more detail in the MITRE ATT&CK Indicator section of the What is MITRE ATT&CK topic.


Updated

This column displays the date when the query or script was last updated.

ID

This column displays the unique ID that Orbital assigns to each query that is added to the catalog. The IDs assigned to stock queries are different from those assigned to custom queries. Generally, custom IDs are prefixed with the string org:.

Edit a Query or Script

Orbital allows you to edit the custom queries and scripts that you create and have stored in the Orbital Catalog. This function can be accessed from the Custom Action Menu, shown in the figure below. To access the Custom Action Menu, click the menu button to the right of the query or script's name.

The Edit Query/Script function can also be accessed from the query or script's Catalog Details page.

Clicking on either the action menu's Edit command or the Catalog Details page's Edit icon will open the Edit Query/Script dialog.

Edit Query Popup

The Edit Query popup consists of the following five user interface elements:

Name

This field is used to edit or rename the query or script. Entry into this field is mandatory.

Description

This field is used to describe what that query or script is meant to do. This field allows you to update or modify the query or script's description so that it matches the function of the query or script. Entry into this field is optional.

OS

These checkboxes are used to identify the operating system or systems that the query or script operates on. This element is used to add or remove operating systems that the query or script will be run against. Entry into this field is mandatory.

Custom SQL

This field is used to edit the SQL statement that was initially created for, or added to the first draft of the query. The number of SQL statements saved in the custom query is displayed in the top-right corner of the field. Entry into this field is mandatory.

Custom SQL Labels

The label at the bottom of the Edit Query popup, as shown in the figure below, is used to identify each of the SQL statements that are contained in the saved query. These labels are only for queries. When you create a new custom query and save it to the Catalog, Orbital assigns a label to the Custom SQL statement. The label name is based on the primary select statement.

If you add a new SQL statement using the Add SQL button, a new label that reflects the new select statement is added to the query.

Clicking the pencil icon allows you to edit the name of the label.

Cancel/Save Buttons

These buttons are used to either abandon the changes you have made to the query or script, or to save the changes to the catalog. Clicking Cancel abandons the changes; clicking Save saves the changes to the catalog.

Edit Script Popup

The Edit Script popup consists of the following five user interface elements:

Name

This field is used to edit or rename the script. Entry into this field is mandatory.

Description

This field is used to describe what the script is meant to do. This field allows you to update or modify the script's description so that it matches the function of the script. Entry into this field is optional.

OS

These checkboxes are used to identify the operating system or systems that the script operates on. This element is used to add or remove operating systems that the script will be run against. Entry into this field is mandatory.

Custom Script

This field is used to edit the Python statement that was initially created for, or added to, the first draft of the script. Entry into this field is mandatory.

Parameters

The Parameters area of the popup is where you will define the parameters that the Python script will use.


Name

This field accepts the name of the parameter whose value must be defined. For more information on the syntax requirements for this field, refer to Creating Python Scripts in the Orbital Builder topic.


Value

This field accepts the value you wish to assign to the parameter.


Each Name/Value field row can be thought of as a single parameter definition. If you wish to add another parameter definition, use Add parameter, discussed below. If you wish to remove a parameter definition, click the X to the right of the Value field.


Get parameters from custom script

This feature forces Orbital to review the script typed in the editor and populate the parameter definition fields with any parameter names and values that have been defined in the script.


Add parameter

This feature will add another parameter definition row to the Parameters area.

Cancel/Save Buttons

These buttons are used to either abandon the changes you have made to the script, or to save the changes to the catalog. Clicking Cancel abandons the changes; clicking Save saves the changes to the catalog.

More Info