Orca

Overview

Orca is an agentless cloud security and compliance tool combining all your cloud assets from AWS, Azure, and GCP.

Data from Orca is collected and ingested by Hunters, then populated in the Hunters portal and correlated to other related detected threats from Orca, AWS, Azure, GCP and other different sources.

Supported Data Types

Orca Alerts

Alert for example

{
    "type": "String",
    "is_rule": true,
    "rule_query": "AwsIamRole with Policies with (RoleLastUsed + 90 days < now) or (not RoleLastUsed and CreateDate + 90 days < now)",
    "is_compliance": false,
    "rule_id": "96e98a23a345bd24595427a0",
    "subject_type": "AwsIamRole",
    "type_string": "Unused role with policy found",
    "type_key": "97789e9a5420bc097aa3790",
    "category": "IAM misconfigurations",
    "description": "Unused role with policy found",
    "details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
    "recommendation": "Unused roles should be disabled or removed",
    "alert_labels": [
        "mitre: initial access"
],
    "asset_category": "Users and Access",
    "cloud_provider": "aws",
    "account_name": "19875265424",
    "asset_name": "String",
    "asset_type": "AwsIamRole",
    "group_unique_id": "String",
    "asset_state": "enabled",
    "asset_tags_info_list": [
        "repo|String",
        "team|String",
        "unit|String",
        "group|String",
        "product|String",
        "baseline-version|v2"
    ],
    "tags_info_list": [
        
        "repo|String",
        "team|String",
        "unit|String",
        "group|String",
        "product|String",
        "baseline-version|v2"
    ],
    "configuration": {
        "user_score": 4
    },
    "state": {
        "alert_id": "orca-16452302456",
        "status": "open",
        "status_time": "2021-12-10T02:01:04+00:00",
        "score": 4,
        "severity": "informational",
        "created_at": "2021-12-10T02:01:04+00:00",
        "last_seen": "2021-12-10T02:01:04+00:00",
        "low_since": "2021-12-10T02:23:53+00:00",
        "high_since": null,
        "in_verification": false,
        "last_updated": "2021-12-10T02:01:04+00:00"
    },
    "source": "String",
    "organization_id": "String",
    "organization_name": "String",
    "context": "control",
    "asset_unique_id": "String",
    "asset_type_string": "AwsIamRole",
    "group_name": "String",
    "group_type": "AwsIamRole",
    "group_type_string": "NonGroup",
    "cluster_unique_id": "String",
    "cluster_type": "AwsIamRole",
    "cluster_name": "String",
    "level": 0,
    "group_val": "nongroup",
    "cloud_provider_id": "3784402816",
    "cloud_account_id": "String",
    "cloud_vendor_id": "3784402816",
    "asset_vendor_id": "String"
}

CODE

Sending Data to Hunters

Configure a Webhook in Orca

Hunters will provide a URL and a custom header in order to configure a Webhook in Orca.

For more information regarding the required steps on the Orca side using Hunters' provided details, please read this page.

Configure a new Automation in Orca

After creating a Webhook, please create an Automation that will send all Orca alerts to Hunters' Webhook. It is recommended to define the Automation to catch all Alerts, using all possible values of Risk Level attribute (see here).

For more information regarding the required steps on the Orca side, please read this page (at the section “Use your webhook in an automation”).