Orbital API

Query API

This reference page describes how to create scheduled queries and live queries with the Orbital API. Use scheduled queries when results may arrive over time and use live queries when you want an immediate response from nodes that are currently online. See the Results API for result retrieval and Authentication for bearer token setup.

Regional Base URLs

The canonical OpenAPI document defines these regional API servers:

North America: https://orbital.amp.cisco.com/v0
Asia Pacific, Japan, and China: https://apjc.orbital.amp.cisco.com/v0
Europe: https://eu.orbital.amp.cisco.com/v0

Examples on this page use the North America host. Replace it with the host for your region when needed.

Query Types

Scheduled Queries

Scheduled queries are created with POST /query. They can run once or on an interval, can include postbacks, and are intended for jobs whose results may arrive over time.

Live Queries

Live queries are created with POST /query/run. They run immediately against nodes that are currently connected. The canonical request model for live queries does not include postbacks, expiry, or interval.

Stock Queries

Both scheduled and live query requests can run a stock query by using stock and optional stockArgs.

Custom osquery Queries

Both scheduled and live query requests can run custom osquery statements by using osQuery.

stock and osQuery are alternative request styles. Do not combine them in the same request.

Endpoints

Purpose	Method and path	Canonical request model
Create a scheduled query	`POST /query`	`Query`
Create a live query	`POST /query/run`	`LiveQueryRequest`
Disable a scheduled query	`DELETE /query/{jobid}`	n/a

Common Request Fields

These fields are shared across scheduled and live query creation unless otherwise noted by the canonical schema.

Field	Type	Notes
`name`	string	Human-readable query name.
`nodes`	array	Node selectors such as `host:NAME`, `orb:ID`, `os:windows`, or `netmask:CIDR`.
`os`	array	Adds all hosts with the listed operating systems to the target set.
`allowOS`	array	Filters returned results to the listed operating systems without changing target selection.
`osQuery`	array	One or more custom osquery statements. Cannot be combined with `stock`.
`stock`	string	Stock catalog query identifier. Cannot be combined with `osQuery`.
`stockArgs`	object	Arguments passed to a stock query. Use only with `stock`.

Scheduled Query Fields

The canonical Query schema also includes these scheduled-query fields:

Field	Type	Notes
`expiry`	integer	Unix epoch time after which the query stops accepting new work.
`interval`	integer	Query interval in seconds. Use this field only with `POST /query`.
`context`	object	Opaque metadata stored with each result and forwarded to postbacks.
`postbacks`	array	One or more postback destinations for scheduled-query results.

This page treats interval consistently as a scheduled-query-only field. The canonical OpenAPI schema models it as an integer and does not publish additional minimum or maximum validation rules on this page.

Live Query Fields

The canonical LiveQueryRequest schema uses this live-query-specific field:

Field	Type	Notes
`expiryInMinutes`	string	Optional live-query expiry window. If omitted, the schema says the default is 10 minutes.

Live query requests do not use postbacks, expiry, or interval.

osQuery Objects

Use osQuery to send one or more custom osquery statements.

[
  {
    "label": "list_applications",
    "name": "List Applications",
    "sql": "SELECT * FROM applications;"
  }
]

Postback Objects

postbacks is an array of postback objects used only with scheduled queries. Each object can reference an existing webhook or define a destination inline.

Postback Fields

Field	Type	Notes
`webhookid`	string	ID of a saved webhook.
`url`	string	Destination URL, including any required query arguments.
`token`	string	Optional bearer token sent to the remote destination.
`fingerprint`	string	SHA256 fingerprint of the destination certificate when required.
`format`	string	Output format such as `compact` or `expanded`.
`bucket`	string	S3 bucket when using an S3 format.
`region`	string	S3 region when using an S3 format.
`accessKey`	string	S3 access key when using an S3 format.
`secretKey`	string	S3 secret key when using an S3 format.
`requirerows`	boolean	When `true`, send only results with non-zero rows.

Specifying Nodes

Orbital supports multiple selector prefixes in the nodes array. You can combine selectors to target explicit nodes, operating systems, versions, or network ranges.

Prefix	Example	Description
`allowOS`	`allowOS:darwin`	Result filter applied after target selection
`amp`	`amp:348301bf-2082-4d83-b340-e6ab2e58579c`	Secure Endpoint computer GUID
`ampuuid`	`ampuuid:348301bf-2082-4d83-b340-e6ab2e58579c`	Secure Endpoint computer GUID
`cm`	`cm:528601bf-2082-4d83-b340-e6ab2e58579c`	Secure Client computer GUID
`cmid`	`cmid:528601bf-2082-4d83-b340-e6ab2e58579c`	Secure Client computer GUID
`anyconnectudid`	`anyconnectudid:163F665789D42AA0EB883A023D67D8CE391DF362`	AnyConnect UDID
`host`	`host:DESKTOP-XYZ`	Host name
`hostname`	`hostname:WOPR`	Host name
`hwaddr`	`hwaddr:02:42:c8:1f:7d:fa`	MAC address
`orb`	`orb:oLPkT67m4nj-QpdGDPNCmQ`	Orbital ID
`orbital`	`orbital:oLPkT67m4nj-QpdGDPNCmQ`	Orbital ID
`ip`	`ip:10.0.0.1`	IPv4 or IPv6 address
`ip4`	`ip4:10.0.0.1`	IPv4 address
`ipv4`	`ipv4:10.0.0.1`	IPv4 address
`ip6`	`ip6:fe80::3926:f1ac:d0cf:d1d7`	IPv6 address
`ipv6`	`ipv6:fe80::3926:f1ac:d0cf:d1d7`	IPv6 address
`mac`	`mac:02:42:c8:1f:7d:fa`	MAC address
`machine`	`machine:48469d02bacd44eba481a1a3f0020ea1`	Unique machine identifier
`os`	`os:windows`	All nodes with the given operating system
`nodeversion`	`nodeversion:1.12.6`	Orbital node version
`osqueryversion`	`osqueryversion:4.4.0`	osquery version
`netmask`	`netmask:192.168.1.168/24`	IPv4 network range in CIDR notation
`random`	`random:5`	Random endpoints
`queryId`	`queryId:zfmCLhXjFO6aIvV3frhg_w`	Reuse an existing query definition

Wildcard matching is supported on some prefixes, for example ipv4:127.0.0.%.

Example 1: Scheduled Query With Custom osquery

curl --request POST \
  --url https://orbital.amp.cisco.com/v0/query \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJ...' \
  --header 'content-type: application/json' \
  --data '{
    "name": "Front desk process inventory",
    "nodes": ["host:FRONT-DESK-123"],
    "expiry": 1767225600,
    "interval": 0,
    "osQuery": [
      {
        "label": "processes",
        "name": "List Processes",
        "sql": "SELECT * FROM processes;"
      }
    ]
  }'

Example 2: Live Query With Custom osquery

curl --request POST \
  --url https://orbital.amp.cisco.com/v0/query/run \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJ...' \
  --header 'content-type: application/json' \
  --data '{
    "name": "Front desk live process check",
    "nodes": ["host:FRONT-DESK-123"],
    "expiryInMinutes": "10",
    "osQuery": [
      {
        "label": "processes",
        "name": "List Processes",
        "sql": "SELECT * FROM processes;"
      }
    ]
  }'

Example 3: Scheduled Stock Query

curl --request POST \
  --url https://orbital.amp.cisco.com/v0/query \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJ...' \
  --header 'content-type: application/json' \
  --data '{
    "name": "ARP cache inspection",
    "nodes": ["host:FRONT-DESK-123", "ip:1.2.3.4"],
    "expiry": 1767225600,
    "interval": 600,
    "stock": "arp_cache_inspection",
    "stockArgs": {
      "ip_to_mac_count": ["2"],
      "ip_address": ["%"],
      "mac_address": ["%"]
    },
    "os": ["windows"]
  }'

Example 4: Scheduled Query With a Saved Webhook Postback

curl --request POST \
  --url https://orbital.amp.cisco.com/v0/query \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJ...' \
  --header 'content-type: application/json' \
  --data '{
    "name": "Front desk process inventory with webhook",
    "nodes": ["host:FRONT-DESK-123"],
    "expiry": 1767225600,
    "interval": 600,
    "osQuery": [
      {
        "label": "processes",
        "name": "List Processes",
        "sql": "SELECT * FROM processes;"
      }
    ],
    "postbacks": [
      {
        "webhookid": "65CLM4Jnns8uXa9bbBKksA"
      }
    ],
    "context": {
      "description": ["front desk"]
    }
  }'

Example 5: Scheduled Query With an Inline Postback

curl --request POST \
  --url https://orbital.amp.cisco.com/v0/query \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJ...' \
  --header 'content-type: application/json' \
  --data '{
    "name": "Front desk process inventory with inline destination",
    "nodes": ["host:FRONT-DESK-123"],
    "expiry": 1767225600,
    "interval": 600,
    "osQuery": [
      {
        "label": "processes",
        "name": "List Processes",
        "sql": "SELECT * FROM processes;"
      }
    ],
    "postbacks": [
      {
        "url": "https://mywebserver.com",
        "format": "expanded",
        "fingerprint": "C728DF57BE22F0B2391DD3F7C402063F7E3241B50EB758755B96FBADAAA7A361"
      }
    ]
  }'

Live query requests do not support postbacks in the canonical schema, so this page does not provide a live-query postback example.