Orca
Orca is a cloud security tool that enhances visibility across your cloud environments. You can bring cloud, container, database, function, package, storage, user, virtual machine, and security data from Orca into Brinqa to gain a unified view of your cloud-related attack surface, thus enhancing your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Orca and how to obtain that information from Orca. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Orca from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Orca with Brinqa:
- API URL: The Orca API Server URL. The default URL is https://api.orcasecurity.io.
  The API URL depends on the region of your Orca environment. The following table lists the Orca API URL for each region. Please refer to the Orca documentation for accuracy:
  Table 1: Orca API URLs
- API Token: The API token associated with the Orca account, which must have permissions to log in to the API server and return data.
Generate an Orca API token
For the Orca connector to use the Orca API, you must provide an API token. To generate an API token, follow these steps:
- Log in to your organization's Orca account as an administrator.
- Click Settings from the navigation menu.
- Navigate to Users & Permissions > API.
- Click API Tokens, and then click Add API Token. The Add API Token dialog displays.
  Provide the following information:
  - Name: Give your API token a name.
  - Description: (Optional) Provide a description of the API token.
  - Never Expire: (Optional) Select this option to mark the token as non-expiring. The Expiration field appears if you clear the checkbox. You can then select the token expiry date if desired.
  - Service Token: (Optional) Service tokens operate independently of individual user accounts, inheriting their permissions based on the creator's permissions. Service tokens remain valid even if the creator's account is deactivated or removed from the organization. If desired, select this option to enable the use of a service token.
  - Role: Define the permissions of the token. While the Administrator role can bring in all data, Brinqa recommends that you use the Viewer role, as this is considered to be the minimum role needed to read and retrieve data. Click the Role dropdown and select Viewer.
    For additional information on Orca roles and permissions, see Orca documentation.
  - Scope: Select the specific accounts or business units that the API token will be authorized to access. Leave this option unchecked if you do not want to limit the data retrieved by the Orca connector.
- Click Add.
  Your new API token displays. You can't view the token again after this. Copy and save it to a secure location.
- Click Continue.
If you do not have the permissions to create an API token, contact your Orca administrator. For additional information, see Orca documentation.
Additional settings
The Orca connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 10,000. It is not recommended to go over 10,000.
- Parallel requests: The maximum number of parallel API requests. The default setting is 2.
- Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Orca API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Orca connector can retrieve the following types of data from the Orca API:
Table 2: Data retrieved from Orca
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert | No | Alert |
| Alert Definition | No | Alert Definition |
| Cloud Account | Yes | Cloud Account |
| Container | Yes | Container |
| Container Image | Yes | Container Image |
| Database | No | Cloud Resource |
| Function | No | Cloud Resource |
| Installed Package | No | Installed Package |
| Package | No | Package |
| Storage | No | Cloud Resource |
| User | No | Cloud Resource |
| Virtual Machine | Yes | Host |
| Virtual Machine Image | Yes | Host Image |
| Vulnerability | No | Vulnerability |
| Vulnerability Definition | No | Vulnerability Definition |
| Vulnerable Package | No | Not mapped |
For detailed steps on how to view the data retrieved from Orca in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Operation options
The Orca connector supports the following operation options. See connector operation options for information about how to apply them.
Expand the sections below to view the supported operation options per connector object:
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Orca connector uses the Orca REST API. Expand the sections below to view the specific endpoints along with their associated payloads:
Versions 3.1.0 and later of the Orca connector use the Orca Serving Layer API. If your environment does not have Serving Layer API access, please contact Orca to enable it. Alternatively, you can contact Brinqa Support to downgrade to version 3.0.x of the connector if you don't want to enable the Serving Layer API.
Alert API
GET api/sonar/query
POST api/sonar/query
{
  "unique_list": "account_name",
  "unique_list_include_zero": true
}
Alert Definition API
GET api/sonar/query
POST api/sonar/query
{
  "unique_list": "account_name",
  "unique_list_include_zero": true
}
Cloud Account API
POST /api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 5000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "CloudAccount"
    ],
    "keys": [
      "CloudAccount"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  }
}
Container API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 0,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Container"
    ],
    "keys": [
      "Container"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "LastUpdateTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T11:24:05.276Z"
          ]
        }
      ]
    }
  }
}
Container Image API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 2000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "ContainerImage"
    ],
    "keys": [
      "ContainerImage"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "LastUpdateTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T11:31:53.458Z"
          ]
        }
      ]
    }
  }
}
Database API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 0,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Inventory"
    ],
    "keys": [
      "Inventory"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "NewSubCategory",
          "type": "str",
          "operator": "in",
          "values": [
            "Databases"
          ]
        }
      ]
    }
  }
}
Function API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 3000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Function",
      "AwsLambdaFunction",
      "AzureFunction",
      "GcpCloudFunction"
    ],
    "keys": [
      "Function",
      "AwsLambdaFunction",
      "AzureFunction",
      "GcpCloudFunction"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "LastUpdateTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T11:37:26.183Z"
          ]
        }
      ]
    }
  }
}
Installed Package API
POST api/sonar/query/
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 0,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "InstalledPackage"
    ],
    "keys": [
      "InstalledPackage"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "InstallDate",
          "type": "datetime",
          "operator": "in_past",
          "value_type": "days",
          "values": [
            4
          ]
        }
      ]
    }
  }
}
Package API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 4000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Package"
    ],
    "keys": [
      "Package"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  }
}
Storage API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 0,
  "additional_models[]": [
    "CloudAccount",
    "Content.Storage"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Inventory"
    ],
    "keys": [
      "Inventory"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "NewSubCategory",
          "type": "str",
          "operator": "in",
          "values": [
            "Buckets"
          ]
        },
        {
          "key": "UpdatedTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T12:47:23.166Z"
          ]
        }
      ]
    }
  }
}
User API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 6000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "User"
    ],
    "keys": [
      "User"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "CreationTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-02T20:05:22.735Z"
          ]
        }
      ]
    }
  }
}
Virtual Machine API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 1000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Vm"
    ],
    "keys": [
      "Vm"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "LastUpdateTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T14:31:16.335Z"
          ]
        }
      ]
    }
  }
}
Virtual Machine Image API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 4000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "VmImage"
    ],
    "keys": [
      "VmImage"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "LastUpdateTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T14:35:30.596Z"
          ]
        }
      ]
    }
  }
}
Vulnerability API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 4000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "VmImage"
    ],
    "keys": [
      "VmImage"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "LastUpdateTime",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-03T14:35:30.596Z"
          ]
        }
      ]
    }
  }
}
Vulnerability Definition API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 4000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Vulnerability"
    ],
    "keys": [
      "Vulnerability"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "FirstSeen",
          "type": "datetime",
          "operator": "date_gte",
          "value_type": "days",
          "values": [
            "2024-05-07T14:45:03.363Z"
          ]
        },
        {
          "type": "object_set",
          "operator": "has",
          "models": [
            "CVE"
          ],
          "keys": [
            "CVE"
          ],
          "with": {
            "type": "operation",
            "operator": "and",
            "values": []
          }
        },
        {
          "type": "object_set",
          "operator": "has",
          "models": [
            "Content"
          ],
          "keys": [
            "Content"
          ],
          "with": {
            "type": "operation",
            "operator": "and",
            "values": [
              {
                "key": "NewSubCategory",
                "type": "str",
                "operator": "in",
                "values": [
                  "Virtual Instances"
                ]
              }
            ]
          }
        },
        {
          "type": "object_set",
          "operator": "has",
          "models": [
            "CVEDescription"
          ],
          "keys": [
            "CVEVendorData"
          ],
          "with": {
            "type": "operation",
            "operator": "and",
            "values": []
          }
        }
      ]
    }
  }
}
Vulnerability Package API
POST api/sonar/query
{
  "ui": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 4000,
  "additional_models[]": [
    "CloudAccount"
  ],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "VulnerablePackage"
    ],
    "keys": [
      "VulnerablePackage"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  }
}
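The single-model payloads above share one shape: a page window (`limit`, `start_at_index`) plus an optional `date_gte` time filter for delta syncs. The following is an added example, not Brinqa's or Orca's code, that builds those request bodies and enforces the 10,000 page-size ceiling from Additional settings. The function names and the caller-supplied `total` are assumptions; the page does not show the response format.

```python
from datetime import datetime, timezone

MAX_PAGE_SIZE = 10_000  # the page advises against page sizes above 10,000


def orca_timestamp(dt):
    """Render an aware datetime as UTC with milliseconds, e.g. 2024-05-03T11:24:05.276Z."""
    if dt.tzinfo is None:
        # A naive value would silently shift the delta window by the host's UTC offset.
        raise ValueError("naive datetime: attach a timezone before building the filter")
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def build_query(model, limit=1000, start_at_index=0, since=None, time_key="LastUpdateTime"):
    """Build one request body for POST api/sonar/query in the shape shown on this page."""
    if not 1 <= limit <= MAX_PAGE_SIZE:
        raise ValueError(f"limit must be between 1 and {MAX_PAGE_SIZE}")
    if start_at_index < 0:
        raise ValueError("start_at_index must not be negative")
    filters = []
    if since is not None:  # delta sync: only records changed at or after `since`
        filters.append({
            "key": time_key,
            "type": "datetime",
            "operator": "date_gte",
            "value_type": "days",
            "values": [orca_timestamp(since)],
        })
    return {
        "ui": False,
        "enable_pagination": True,
        "limit": limit,
        "start_at_index": start_at_index,
        "additional_models[]": ["CloudAccount"],
        "query": {
            "type": "object_set",
            "operator": "has",
            "models": [model],
            "keys": [model],
            "with": {"type": "operation", "operator": "and", "values": filters},
        },
    }


def page_bodies(model, total, limit=1000, since=None):
    """Yield one request body per page needed to cover `total` records (assumed known)."""
    for offset in range(0, total, limit):
        yield build_query(model, limit, offset, since)
```

Calling `build_query("Container", since=...)` with the timestamp from the Container API section reproduces that section's payload; pass `time_key` for objects that filter on another field, such as `CreationTime` for User.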
Changelog
The Orca connector has undergone the following changes:
Table 23: Orca connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.1.9 | - Added two new operation options to filter the retrieved alerts by their asset_subcategory or asset_type. - Added RESULTS and RECOMMENDATION attributes to the Vulnerability object. | October 30th, 2025 |
| 3.1.8 | Updated the API endpoint used by test connection. | October 8th, 2025 |
| 3.1.7 | Code clean up and general maintenance. | September 25th, 2025 |
| 3.1.6 | - Updated the API endpoint used by the Alert and Alert Definition objects. The Alert and Alert Definition objects now use the api/sonar/query endpoint. - Fixed an issue where several connector object syncs were failing. - Replaced the SYS_ID attribute on all objects with UID. | September 25th, 2025 |
| 3.1.5 | - Improved the legibility of several timestamps by converting raw epoch values to ISO-8601 format. For example, the 1,733,424,289,000 timestamp on the UP_TIME attribute now displays as 2024-12-05T18:44:49Z. - Added the IMAGE_ASSET_UID attribute to the Virtual Machine object. | June 27th, 2025 |
| 3.1.4 | Fixed an issue where the Alert Definition object did not populate normalized status or severity information. | May 30th, 2025 |
| 3.1.3 | - Added the PACKAGE_PATH attribute to the Vulnerable Package object. - Added a new operation option to specify whether to exclude large fields in the retrieved alerts: exclude_large_fields. Starting June 1, 2025, the Orca Alert API endpoint excludes large fields by default. If you want the alerts to include these fields, set this option to 'false'. | May 19th, 2025 |
| 3.1.2 | - Added the RELATED_COMPLIANCES attribute to the Alert object. - Added a new operation option to filter the retrieved alerts by their related compliance frameworks: related_compliances. | April 24th, 2025 |
| 3.1.1 | Fixed an issue where the Vulnerability object sync was failing due to performance limitations with the default pagination settings. As a result, the default page size has been increased from 1,000 to 10,000, per Orca’s recommendation, to improve sync speed and reliability. | April 1st, 2025 |
| 3.1.0 | Added support for the Orca Serving Layer API. | November 1st, 2024 |
| 3.0.2 | Changed the DISTRIBUTION_VERSION attribute type on the Container, Function, and Virtual Machine objects from string to integer. | October 30th, 2024 |
| 3.0.1 | Removed the use of ImmutableSet. | March 24th, 2024 |
| 3.0.0 | Initial Integration+ release. | March 5th, 2024 |