Orca

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name  | Log format | Collection method |
|----------------------|---------------------|-------------------|------------|--------|-------------|------------|-------------------|
| Orca Alerts          | ✅                  | ✅                |            |        | orca_alerts | NDJSON     | Webhook           |


Overview

Orca Security is a cloud-native security platform that provides visibility into and protection for cloud environments. It is an agentless solution that helps organizations secure their infrastructure by detecting vulnerabilities, misconfigurations, and threats across cloud platforms such as AWS, Azure, and Google Cloud. Orca's platform focuses on continuous security monitoring, risk management, and compliance by scanning workloads, storage, and network configurations in real time. It uses deep security analysis to identify critical risks, such as insecure APIs or unauthorized access, so that organizations can prevent data breaches and maintain a strong security posture.

Supported data types

Orca Alerts

Table name: orca_alerts

Orca Alerts are notifications generated by Orca Security's platform to inform security teams of potential threats, vulnerabilities, or misconfigurations within their cloud environment. These alerts are based on real-time analysis of cloud workloads, network configurations, and storage, helping organizations quickly identify critical security risks. Orca's alerts cover a range of issues, such as vulnerable containers, exposed sensitive data, misconfigured permissions, or suspicious activities. By providing actionable insights and prioritizing risks, Orca Alerts help teams respond quickly and mitigate potential security incidents before they escalate.

Send data to Hunters

Orca Alerts are consumed in Hunters through Orca's Webhook export option.

To connect Orca logs:

  1. Contact Hunters support to receive the URL and bearer token used to configure the webhook on Orca.

  2. Use this guide to configure a webhook on Orca.

    📘 More info

    When setting up your Orca webhook, enter the URL and bearer token received from Hunters Support in the relevant fields:

  3. Use this guide to create an automation on Orca.

📘 Recommended settings

Define the automation to catch all alerts by selecting every possible value of the Risk Level attribute, so that no alert is filtered out before it reaches Hunters.

Expected format

Logs are expected in JSON format, one alert object per line (NDJSON). A sample alert:

{
    "type": "String",
    "is_rule": true,
    "rule_query": "AwsIamRole with Policies with (RoleLastUsed + 90 days < now) or (not RoleLastUsed and CreateDate + 90 days < now)",
    "is_compliance": false,
    "rule_id": "96e98a23a345bd24595427a0",
    "subject_type": "AwsIamRole",
    "type_string": "Unused role with policy found",
    "type_key": "97789e9a5420bc097aa3790",
    "category": "IAM misconfigurations",
    "description": "Unused role with policy found",
    "details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
    "recommendation": "Unused roles should be disabled or removed",
    "alert_labels": [
        "mitre: initial access"
    ],
    "asset_category": "Users and Access",
    "cloud_provider": "aws",
    "account_name": "19875265424",
    "asset_name": "String",
    "asset_type": "AwsIamRole",
    "group_unique_id": "String",
    "asset_state": "enabled",
    "asset_tags_info_list": [
        "repo|String",
        "team|String",
        "unit|String",
        "group|String",
        "product|String",
        "baseline-version|v2"
    ],
    "tags_info_list": [
        "repo|String",
        "team|String",
        "unit|String",
        "group|String",
        "product|String",
        "baseline-version|v2"
    ],
    "configuration": {
        "user_score": 4
    },
    "state": {
        "alert_id": "orca-16452302456",
        "status": "open",
        "status_time": "2021-12-10T02:01:04+00:00",
        "score": 4,
        "severity": "informational",
        "created_at": "2021-12-10T02:01:04+00:00",
        "last_seen": "2021-12-10T02:01:04+00:00",
        "low_since": "2021-12-10T02:23:53+00:00",
        "high_since": null,
        "in_verification": false,
        "last_updated": "2021-12-10T02:01:04+00:00"
    },
    "source": "String",
    "organization_id": "String",
    "organization_name": "String",
    "context": "control",
    "asset_unique_id": "String",
    "asset_type_string": "AwsIamRole",
    "group_name": "String",
    "group_type": "AwsIamRole",
    "group_type_string": "NonGroup",
    "cluster_unique_id": "String",
    "cluster_type": "AwsIamRole",
    "cluster_name": "String",
    "level": 0,
    "group_val": "nongroup",
    "cloud_provider_id": "3784402816",
    "cloud_account_id": "String",
    "cloud_vendor_id": "3784402816",
    "asset_vendor_id": "String"
}
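An added example (not Hunters' or Orca's code) of parsing a batch of alerts in the format shown above: it flattens the fields a detection pipeline usually keys on (alert id, severity, score, asset, MITRE label, tags), splits the "key|value" tag strings, and drops malformed or incomplete lines instead of failing the whole batch. The sample batch and the tag values in it are constructed; the field names are those of the sample alert.

```python
import json
from typing import Dict, List, Optional, Tuple

REQUIRED = ("type_string", "category", "cloud_provider", "asset_type", "state")

def parse_tags(tags: List[str]) -> Dict[str, str]:
    # Tags arrive as "key|value"; split on the first "|" only so a value that
    # itself contains "|" survives, and skip entries with no separator.
    return {k: v for k, sep, v in (t.partition("|") for t in tags) if sep}

def normalize_alert(line: str) -> Optional[dict]:
    # One NDJSON line -> flat record. Returns None for malformed JSON or a
    # missing required key so a single bad line cannot stall the batch.
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(raw, dict) or any(k not in raw for k in REQUIRED):
        return None
    st = raw["state"]
    return {
        "alert_id": st.get("alert_id"),
        "title": raw["type_string"],
        "category": raw["category"],
        "severity": st.get("severity"),
        "score": st.get("score"),
        "cloud": raw["cloud_provider"],
        "asset": f'{raw["asset_type"]}:{raw.get("asset_name", "")}',
        # "mitre: initial access" -> "initial access"
        "mitre": [l.split(":", 1)[1].strip() for l in raw.get("alert_labels", []) if l.startswith("mitre:")],
        "tags": parse_tags(raw.get("asset_tags_info_list", [])),
    }

def ingest(ndjson: str) -> Tuple[List[dict], int]:
    # Returns (normalized records, number of dropped lines); blank lines are ignored.
    parsed = [normalize_alert(l) for l in ndjson.splitlines() if l.strip()]
    return [r for r in parsed if r], sum(r is None for r in parsed)

# Constructed batch (not real Orca output): a good alert, a truncated line, one missing "state".
SAMPLE_NDJSON = "\n".join([
    json.dumps({"type_string": "Unused role with policy found", "category": "IAM misconfigurations",
                "cloud_provider": "aws", "asset_type": "AwsIamRole", "asset_name": "ci-deploy",
                "alert_labels": ["mitre: initial access"],
                "asset_tags_info_list": ["team|platform", "baseline-version|v2"],
                "state": {"alert_id": "orca-16452302456", "score": 4, "severity": "informational"}}),
    '{"type_string": "truncated mid-delivery',
    json.dumps({"type_string": "no state", "category": "x", "cloud_provider": "aws",
                "asset_type": "AwsS3Bucket"}),
])
```

Calling `ingest(SAMPLE_NDJSON)` yields one normalized record and a dropped count of 2; the dropped count is worth alerting on, since a rising number usually means a webhook delivery or schema change upstream.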