Orca

Overview
Orca is an agentless cloud security and compliance tool that covers all your cloud assets across AWS, Azure, and GCP.
Hunters collects and ingests data from Orca, populates it in the Hunters portal, and correlates it with related threats detected from Orca, AWS, Azure, GCP and other sources.
Supported Data Types
Orca Alerts
Example alert:
{
  "type": "String",
  "is_rule": true,
  "rule_query": "AwsIamRole with Policies with (RoleLastUsed + 90 days < now) or (not RoleLastUsed and CreateDate + 90 days < now)",
  "is_compliance": false,
  "rule_id": "96e98a23a345bd24595427a0",
  "subject_type": "AwsIamRole",
  "type_string": "Unused role with policy found",
  "type_key": "97789e9a5420bc097aa3790",
  "category": "IAM misconfigurations",
  "description": "Unused role with policy found",
  "details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
  "recommendation": "Unused roles should be disabled or removed",
  "alert_labels": [
    "mitre: initial access"
  ],
  "asset_category": "Users and Access",
  "cloud_provider": "aws",
  "account_name": "19875265424",
  "asset_name": "String",
  "asset_type": "AwsIamRole",
  "group_unique_id": "String",
  "asset_state": "enabled",
  "asset_tags_info_list": [
    "repo|String",
    "team|String",
    "unit|String",
    "group|String",
    "product|String",
    "baseline-version|v2"
  ],
  "tags_info_list": [
    "repo|String",
    "team|String",
    "unit|String",
    "group|String",
    "product|String",
    "baseline-version|v2"
  ],
  "configuration": {
    "user_score": 4
  },
  "state": {
    "alert_id": "orca-16452302456",
    "status": "open",
    "status_time": "2021-12-10T02:01:04+00:00",
    "score": 4,
    "severity": "informational",
    "created_at": "2021-12-10T02:01:04+00:00",
    "last_seen": "2021-12-10T02:01:04+00:00",
    "low_since": "2021-12-10T02:23:53+00:00",
    "high_since": null,
    "in_verification": false,
    "last_updated": "2021-12-10T02:01:04+00:00"
  },
  "source": "String",
  "organization_id": "String",
  "organization_name": "String",
  "context": "control",
  "asset_unique_id": "String",
  "asset_type_string": "AwsIamRole",
  "group_name": "String",
  "group_type": "AwsIamRole",
  "group_type_string": "NonGroup",
  "cluster_unique_id": "String",
  "cluster_type": "AwsIamRole",
  "cluster_name": "String",
  "level": 0,
  "group_val": "nongroup",
  "cloud_provider_id": "3784402816",
  "cloud_vendor_id": "3784402816",
  "cloud_account_id": "String",
  "asset_vendor_id": "String"
}
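As an added example (not Hunters' or Orca's own code), the Python below normalizes an alert in the shape shown above into the fields a detection pipeline typically keys on: it splits Orca's "key|value" tag strings, extracts MITRE tactics from alert_labels, and lifts the state block. It also checks the custom header that Hunters provides for the webhook; the header name, token value and the trimmed sample alert are constructed assumptions.

```python
import hmac
import json

# Constructed sample, trimmed from the alert shape documented above (not a real alert).
SAMPLE_ALERT = json.loads("""{
  "rule_id": "96e98a23a345bd24595427a0",
  "type_string": "Unused role with policy found",
  "category": "IAM misconfigurations",
  "alert_labels": ["mitre: initial access"],
  "cloud_provider": "aws",
  "account_name": "19875265424",
  "asset_type": "AwsIamRole",
  "asset_tags_info_list": ["team|platform", "baseline-version|v2"],
  "state": {"alert_id": "orca-16452302456", "status": "open", "score": 4,
            "severity": "informational", "created_at": "2021-12-10T02:01:04+00:00"}
}""")

# Hypothetical header name; Hunters supplies the real header name and value.
AUTH_HEADER = "X-Hunters-Token"

def header_is_valid(headers: dict, expected_value: str) -> bool:
    """Accept a webhook post only if it carries the configured custom header.
    compare_digest keeps the comparison constant-time."""
    got = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(got.encode(), expected_value.encode())

def parse_tags(tags: list) -> dict:
    """Orca encodes tags as 'key|value'; split on the first '|' only,
    so values containing '|' survive and bare keys get an empty value."""
    out = {}
    for tag in tags:
        key, sep, val = tag.partition("|")
        out[key] = val if sep else ""
    return out

def parse_mitre_labels(labels: list) -> list:
    """'mitre: initial access' -> 'initial access'; other labels are ignored."""
    return [lab.split(":", 1)[1].strip()
            for lab in labels if lab.lower().startswith("mitre:")]

def normalize_orca_alert(alert: dict) -> dict:
    """Flatten the Orca alert into the fields used for correlation."""
    state = alert.get("state", {})
    return {
        "alert_id": state.get("alert_id"), "status": state.get("status"),
        "severity": state.get("severity"), "score": state.get("score"),
        "created_at": state.get("created_at"), "rule_id": alert.get("rule_id"),
        "title": alert.get("type_string"), "category": alert.get("category"),
        "cloud_provider": alert.get("cloud_provider"),
        "account": alert.get("account_name"), "asset_type": alert.get("asset_type"),
        "tags": parse_tags(alert.get("asset_tags_info_list", [])),
        "mitre_tactics": parse_mitre_labels(alert.get("alert_labels", [])),
    }
```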
Sending Data to Hunters
Configure a Webhook in Orca
Hunters will provide a URL and a custom header in order to configure a Webhook in Orca.
For more information regarding the required steps on the Orca side using Hunters' provided details, please read this page.
Configure a new Automation in Orca
After creating a Webhook, create an Automation that sends all Orca alerts to Hunters' Webhook. It is recommended to define the Automation so that it catches all Alerts, by selecting every possible value of the Risk Level attribute (see here).
For more information regarding the required steps on the Orca side, please read this page (see the section "Use your webhook in an automation").