Builder

The Builder is where you create queries and scripts to investigate malicious activity on endpoints in your organization and respond to any attacks you find. Select Query or Script at the top of the page, then complete the rest of the information in the Builder.

Create a Query

  1. Click Query at the top of the Builder.

  2. Add the endpoints you want to investigate. Add by:

    • Hostname.

    • IP address.

    • MAC address.

    • Node ID.

    • Connector GUID.

  3. [Optional] Click Filters to limit the query to endpoints running certain operating systems.

  4. [Optional] Click the link queries button to link other scripts or queries to this query so they run together on your endpoints. See Linked Queries for more information. Select one or more scripts or queries and click Add.

  5. [Optional] Click the add random endpoints button to specify a number of randomly chosen endpoints to add to your query. This is useful for testing a new query on a limited set of endpoints before running it against a wider population. Only run queries that read information on random endpoints; never run queries that make changes, because you do not control which endpoints are selected.

  6. Add a catalog query. Type in the field to search for a specific query, or click Browse to open a drawer with the Catalog of queries sorted by category.

    • Click on a query name to open the Catalog Details. See Catalog for more details.

    • Click Use Query to add it to the Builder.

  7. Add any required parameters for the query. The parameters are defined in the Catalog entry for the query.

  8. [Optional] Add your own custom SQL queries.

    • Click Save Query to save it to the Catalog for your organization. Provide a name, description, and OS versions for the query.

    • Click Add to add your SQL to the current query.

  9. Click Run Query to run it immediately on the endpoints you specified in step 2.

  10. Click Schedule Query to have the query run at a certain frequency. You can specify these parameters:

    • The frequency at which the query runs, from every 5 minutes to every 30 days.

    • How long the schedule stays active, from 5 minutes to 2 years.

    • Run the query once at a specified time.

    • The Remote Data Store where the query results will be saved.

  11. Data from completed queries can be viewed on the Results page.

Note: Orbital will wait a maximum of 10 minutes for a query to complete before it times out.
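As an added example of a custom SQL query for step 8 (this is not a query from the Orbital Catalog or the Orbital documentation), the following osquery-style SQL lists every process that holds a listening TCP socket on a non-loopback address, together with the process command line, parent PID and the SHA-256 of its on-disk image. The table and column names (processes, listening_ports, hash) are the standard osquery schema, which Orbital queries are written against; the assumption here is only that those tables are available on the target OS. The query is read-only, so it is a safe candidate for the random-endpoint test in step 5, and it completes quickly enough to stay well inside the 10-minute timeout.

```sql
-- Added example, not part of the Orbital Catalog: processes with listening TCP
-- sockets reachable from the network, joined to the hash of their executable.
-- Read-only: it inspects state and changes nothing on the endpoint.
SELECT
  p.pid,
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  lp.address,
  lp.port,
  h.sha256
FROM listening_ports AS lp
JOIN processes AS p
  ON p.pid = lp.pid
LEFT JOIN hash AS h
  ON h.path = p.path                -- osquery hashes the file at this path on demand
WHERE lp.protocol = 6               -- 6 = TCP; 17 would be UDP
  AND lp.port != 0                  -- skip sockets not actually bound to a port
  AND lp.address NOT IN ('127.0.0.1', '::1')  -- ignore loopback-only listeners
ORDER BY lp.port, p.pid;
```

When reviewing the results, a listener whose path is under a user-writable or temporary directory, or whose sha256 is unknown to your intel sources, is the row to pivot on first; saving the query to the Catalog with the OS versions it was tested on lets the rest of the team reuse it without re-validating the schema.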

Create a Script

  1. Click Script at the top of the Builder.

  2. Add the endpoints you want to investigate. Add by:

    • Hostname.

    • IP address.

    • MAC address.

    • Node ID.

    • Connector GUID.

  3. [Optional] Click Filters to limit the script to endpoints running certain operating systems.

  4. [Optional] Click the link queries button to link other scripts or queries to this script so they run together on your endpoints. See Linked Queries for more information. Select one or more scripts or queries and click Add.

  5. [Optional] Click the add random endpoints button to specify a number of randomly chosen endpoints to add to your script. This is useful for testing a new script on a limited set of endpoints before running it against a wider population. Only run scripts that read information on random endpoints; never run scripts that make changes, because you do not control which endpoints are selected.

  6. Add a catalog script. Type in the field to search for a specific script, or click Browse to open a drawer with the Catalog of scripts sorted by category.

    • Click on a script name to open the Catalog Details. See Catalog for more details.

    • Click Use Script to add it to the Builder.

  7. Add any required parameters for the script. The parameters are defined in the Catalog entry for the script.

  8. [Optional] Add your own custom script.

    • Click Save Script to save it to the Catalog for your organization. Provide a name, description, and OS versions for the script.

  9. Click Run Script to run it immediately on the endpoints you specified in step 2.

  10. Click Schedule Script to have the script run at a certain frequency on the endpoints you specified in step 2. You can specify these parameters:

    • The frequency at which the script runs, from every 5 minutes to every 30 days.

    • How long the schedule stays active, from 5 minutes to 2 years.

    • Run the script once at a specified time.

    • The Remote Data Store where the script results will be saved.

  11. Data from completed scripts can be viewed on the Results page.

Note: Orbital will wait a maximum of 10 minutes for a script to complete before it times out.
