Orca
Orca is a cloud security tool that enhances visibility across your cloud environments. You can bring cloud, container, database, function, package, storage, user, virtual machine, and security data from Orca into Brinqa to gain a unified view of your cloud-related attack surface, thus enhancing your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Orca and how to obtain that information from Orca. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Orca from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Orca with Brinqa:
-
API URL: The Orca API Server URL: The default URL is https://api.orcasecurity.io.
- The API URL depends on the region of your Orca environment. For additional information, see Orca documentation.
-
API Token: The API token associated with the Orca account, which must have permissions to log in to the API server and return data.
Generate an Orca API token
For the Orca connector to use the Orca API, you must provide an API token. To generate an API token, follow these steps:
-
Log in to your organization's Orca account as an administrator
-
Click Settings from the navigation menu.
-
Navigate to Users & Permissions > API.
-
Click API Tokens, and then click Add API Token. The Create API Token dialog displays.
Provide the following information:
-
Name: Give your API token a name.
-
Description: Provide a description of the API token.
-
Never Expire: Marked by default. The Expiration field appears if you clear the checkbox. You can then select the token expiry date if desired.
-
Service Token: Service tokens operate independently of individual user accounts, inheriting their permissions based on the creator's permissions. Service tokens remain valid even if the creator's account is deactivated or removed from the organization. If desired, select this option to enable the use of a service token.
-
Role: Define the permissions of the token. While the Administrator role can bring in all data, Brinqa recommends that you use the Viewer role, as this is considered to be the minimum role needed to read and retrieve data.
- For additional information on Orca roles and permissions, see Orca documentation.
-
Scope: Select the specific accounts or business units that the API token will be authorized to access. Leave this option unchecked if you do not want to limit the data retrieved by the Orca connector.
-
-
Click Add.
Your API Token displays. Save the token to a secure location. You can not view the token again.
-
Click Continue.
If you do not have the permissions to create an API token, contact your Orca administrator. For additional information, see Orca documentation.
Additional settings
The Orca connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 8.
-
Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Orca API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Orca connector can retrieve the following types of data from Orca:
Table 1: Data retrieved from Orca
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert | No | Alert |
| Alert Definition | No | Alert Definition |
| Cloud Account | Yes | Cloud Account |
| Container | Yes | Container |
| Container Image | Yes | Container Image |
| Database | No | Cloud Resource |
| Function | Yes | Cloud Resource |
| Installed Package | No | Installed Package |
| Package | No | Package |
| Storage | No | Cloud Resource |
| User | No | Cloud Resource |
| Virtual Machine | Yes | Host |
| Virtual Machine Image | Yes | Host Image |
| Vulnerability | No | Vulnerability |
| Vulnerability Definition | No | Vulnerability Definition |
| Vulnerability Package | No | Not mapped |
For detailed steps on how to view the data retrieved from Orca in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Alert
Table 2: Alert attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ALERT_LABELS | tags |
| ASSET_NAME | Local variable |
| ASSET_SYS_ID | Local variable |
| ASSET_TYPE | Local variable |
| CATEGORY | categories |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | cloudAccountName |
| CLOUD_ACCOUNT_TYPE | cloudAccountType |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | cloudProviderId |
| CLOUD_VENDOR_ID | cloudVendorId |
| CREATION_TIME | sourceCreatedDate |
| IN_VERIFICATION | Local variable |
| LAST_FOUND | lastFound |
| ORCA_SCORE | Local variable |
| RULE_ID | type |
| SCORE | Local variable |
| SOURCE | Local variable |
| STATUS | status(normalized), sourceStatus, statusCategory |
| STATUS_TIME | Local variable |
| SUBJECT_TYPE | Local variable |
| SYS_ID | uid |
| TARGETS | targets |
| UPDATED_TIME | sourceLastModified |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Alert Definition
Table 3: Alert Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ALERT_LABELS | tags |
| CATEGORY | categories |
| CREATED_AT | sourceCreatedDate |
| CVE_LIST | cveRecords |
| DETAILS | summary |
| IS_COMPLIANCE | Local variable |
| IS_RULE | Local variable |
| LAST_SEEN | lastFound |
| LAST_UPDATED | sourceLastModified |
| MITRE_CATEGORY | Local variable |
| MITRE_TECHNIQUE | Local variable |
| ORCA_SCORE | Local variable |
| RECOMMENDATIONS | recommendation |
| RISK_LEVEL | Local variable |
| RULE_QUERY | Local variable |
| RULE_SOURCE | Local variable |
| SCORE | Local variable |
| SEVERITY | severity |
| SEVERITY_CONTRIBUTING_FACTORS | Local variable |
| SEVERITY_REDUCING_FACTORS | Local variable |
| SEVERITY_SCORE | Local variable |
| SOURCE_SEVERITY | Local variable |
| STATUS | status, sourceStatus |
| SYS_ID | uid |
| TARGETS | targets |
| TYPE, TYPE_STRING | name |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Cloud Account
Table 4: Cloud Account attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ACCOUNT_TYPE | Local variable |
| AUTO_REMEDIATION_ENABLED | Local variable |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| NAME | name |
| SYS_ID | uid |
| TAGS | tags |
| VENDOR_ID | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Container
Table 5: Container attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| APPLICATIONS | Local variable |
| ASSET_TYPE | type |
| AUTO_UPDATES_STATUS | Local variable |
| AVAILABILITY_ZONES | Local variable |
| CATEGORY | categories |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| CPU_COUNT | Local variable |
| CPU_FREQUENCY | Local variable |
| CPU_TYPE | Local variable |
| CREATION_TIME | sourceCreatedDate |
| DESCRIPTION | description |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| DISTRIBUTION_CATEGORY | Local variable |
| DISTRIBUTION_MAJOR_VERSION | Local variable |
| DISTRIBUTION_NAME | Local variable |
| DISTRIBUTION_VERSION | Local variable |
| ESM_STATUS | Local variable |
| EXEC_NAME | Local variable |
| EXEC_PATH | Local variable |
| EXPOSURE | Local variable |
| HAS_PII | Local variable |
| HOST_NAME | hostnames |
| ID | Local variable |
| IMAGE_DIGEST | Local variable |
| IMAGE_ID | image |
| IMAGE_LAYERS_DIGEST | Local variable |
| IMAGE_NAME | Local variable |
| IMAGE_VERSION | Local variable |
| IS_INTERNET_FACING | Local variable |
| K8S_CONTAINER_NAME | Local variable |
| K8S_POD_NAMES | Local variable |
| K8S_POD_NAMESPACE | Local variable |
| LABELS | Local variable |
| MAC_ADDRESSES | macAddresses |
| MAINTAINER | Local variable |
| MEMORY_SIZE | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| OS_BIT_MODE | Local variable |
| OS_END_OF_SUPPORT | Local variable |
| OS_SUPPORT_INFO_SITE | Local variable |
| OWNER | owner |
| PII_TYPES | Local variable |
| PRIVATE_DNSS | privateDnsNames |
| PRIVATE_IPS | privateIpAddresses |
| PUBLIC_DNSS | publicDnsNames |
| PUBLIC_IPS | publicIpAddresses |
| REGIONS | Local variable |
| REGION_NAMES | Local variable |
| REGION | region |
| RELATED_COMPLIANCE | Local variable |
| RISK_LEVEL | Local variable |
| SCORE | Local variable |
| SECURITY_GROUPS | Local variable |
| SERVICE_NAME | Local variable |
| STATE | Local variable |
| STOP_DATE | Local variable |
| STORAGE_DRIVER | Local variable |
| SUBCATEGORY | Local variable |
| SUBNETS | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TOTAL_DISK_BYTES | Local variable |
| UP_TIME | Local variable |
| UP_TIME_HOURS | Local variable |
| USER | Local variable |
| VIRTUAL_CPU_COUNT | Local variable |
| VM_ID | host, Local variable |
| VM_SYS_ID | Local variable |
| VPCS | Local variable |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Container Image
Table 6: Container Image attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| APPLICATIONS | Local variable |
| ASSET_TYPE | type |
| AUTO_UPDATES_STATUS | Local variable |
| AVAILABILITY_ZONES | Local variable |
| CATEGORY | categories |
| CPU_COUNT | Local variable |
| CPU_FREQUENCY | Local variable |
| CPU_TYPE | Local variable |
| CREATION_TIME | sourceCreatedDate |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| DISTRIBUTION_CATEGORY | Local variable |
| DISTRIBUTION_MAJOR_VERSION | Local variable |
| DISTRIBUTION_NAME | Local variable |
| DISTRIBUTION_VERSION | Local variable |
| ESM_STATUS | Local variable |
| EXPOSURE | Local variable |
| HOST_NAME | hostname |
| IMAGE_DESCRIPTION | Local variable |
| IMAGE_DIGEST | digest |
| IMAGE_ID | image |
| IMAGE_LABELS | Local variable |
| IMAGE_LAYERS_DIGEST | Local variable |
| IMAGE_NAME | Local variable |
| IMAGE_PUSHED_AT | Local variable |
| IMAGE_SIZE | Local variable |
| IMAGE_TAGS | Local variable |
| MAC_ADDRESSES | macAddresses |
| MEMORY_SIZE | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| OWNER | owner |
| PRIVATE_DNSS | privateDnsNames |
| PRIVATE_IPS | privateIpAddresses |
| PUBLIC_DNSS | publicDnsNames |
| PUBLIC_IPS | publicIpAddresses |
| REGIONS | Local variable |
| REGION_NAMES | Local variable |
| REPOSITORY_NAME | repository |
| REPOSITORY_URI | Local variable |
| SECURITY_GROUPS | Local variable |
| STATE | Local variable |
| STOP_DATE | Local variable |
| SUBNETS | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TOTAL_DISK_BYTES | Local variable |
| UP_TIME | Local variable |
| UP_TIME_HOURS | Local variable |
| UPDATED_TIME | sourceLastModified |
| VIRTUAL_CPU_COUNT | Local variable |
| VPCS | Local variable |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Database
Table 7: Database attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ASSET_TYPE | type |
| CATEGORY | categories |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| CREATION_TIME | sourceCreatedDate |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| EXPOSURE | Local variable |
| IS_INTERNET_FACING | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| REGION | region |
| RELATED_COMPLIANCE | Local variable |
| RISK_LEVEL | Local variable |
| SCORE | Local variable |
| SUBCATEGORY | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| UPDATED_TIME | sourceLastModified |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Function
Table 8: Function attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| APPLICATIONS | Local variable |
| ASSET_TYPE | type |
| AUTO_UPDATES_STATUS | Local variable |
| AVAILABILITY_ZONES | Local variable |
| CATEGORY | categories |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| CPU_COUNT | Local variable |
| CPU_FREQUENCY | Local variable |
| CPU_TYPE | Local variable |
| CREATION_TIME | sourceCreatedDate |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| DISTRIBUTION_CATEGORY | Local variable |
| DISTRIBUTION_MAJOR_VERSION | Local variable |
| DISTRIBUTION_NAME | Local variable |
| DISTRIBUTION_VERSION | Local variable |
| ESM_STATUS | Local variable |
| EXPOSURE | Local variable |
| FUNCTION_ID | Local variable |
| FUNCTION_NAME | Local variable |
| HAS_PII | Local variable |
| HOST_NAME | hostname |
| IS_INTERNET_FACING | Local variable |
| MAC_ADDRESSES | macAddresses |
| MEMORY_SIZE | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| OS_BIT_MODE | Local variable |
| OS_END_OF_SUPPORT | Local variable |
| OS_SUPPORT_INFO_SITE | Local variable |
| OWNER | owner |
| PII_TYPES | Local variable |
| PRIVATE_DNSS | privateDnsNames |
| PRIVATE_IPS | privateIpAddresses |
| PUBLIC_DNSS | publicDnsNames |
| PUBLIC_IPS | publicIpAddresses |
| REGIONS | Local variable |
| REGION_NAMES | Local variable |
| REGION | region |
| RELATED_COMPLIANCE | Local variable |
| RISK_LEVEL | Local variable |
| SCORE | Local variable |
| SECURITY_GROUPS | Local variable |
| STATE | Local variable |
| STOP_DATE | Local variable |
| SUBCATEGORY | Local variable |
| SUBNETS | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TOTAL_DISK_BYTES | Local variable |
| UP_TIME | Local variable |
| UP_TIME_HOURS | Local variable |
| UPDATED_TIME | sourceLastModified |
| VIRTUAL_CPU_COUNT | Local variable |
| VPCS | Local variable |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Installed Package
Table 9: Installed Package attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| installedPackage.content.getAssetUniqueId | targets |
| installedPackage.id | uid |
| installedPackage.installDate | installedDate |
| installedPackage.isInstalledByPackageManager | Local variable |
| installedPackage.name | name |
| installedPackage.nonOsPackagePaths | Local variable |
| installedPackage.package | type |
| installedPackage,version | revision |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Package
Table 10: Package attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ARCHITECTURE | Local variable |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| DESCRIPTION | description |
| EDITION | Local variable |
| EOL_DATE | Local variable |
| IS_LATEST | Local variable |
| IS_OS_PACKAGE | Local variable |
| LATEST_AVAILABLE_VERSION | latestVersion |
| LINK | url |
| NAME | name |
| PUBLISHER | publisher |
| RELEASE_DATE | Local variable |
| SYS_ID | uid |
| VERSION | currentVersion |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Storage
Table 11: Storage attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ASSET_TYPE | type |
| CATEGORY | categories |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| CREATION_TIME | sourceCreatedDate |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| EXPOSURE | Local variable |
| HAS_PII | Local variable |
| IS_INTERNET_FACING | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| PII_TYPES | Local variable |
| REGION | region |
| RELATED_COMPLIANCE | Local variable |
| RISK_LEVEL | Local variable |
| SCORE | Local variable |
| SUBCATEGORY | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TOTAL_FILES_COUNT | Local variable |
| UPDATED_TIME | sourceLastModified |
| USED_STORAGE | Local variable |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
User
Table 12: User attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ASSET_TYPE | type |
| CATEGORY | categories |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| CREATION_TIME | sourceCreatedDate |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| EXPOSURE | Local variable |
| IS_INTERNET_FACING | Local variable |
| MFA_ACTIVE | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| PASSWORD_ENABLED | Local variable |
| PASSWORD_LAST_CHANGED | Local variable |
| PASSWORD_LAST_USED | Local variable |
| PASSWORD_NEXT_ROTATION | Local variable |
| REGION | region |
| RELATED_COMPLIANCE | Local variable |
| RISK_LEVEL | Local variable |
| SCORE | Local variable |
| SUBCATEGORY | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| UPDATED_TIME | sourceLastModified |
| USERNAME | userName |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Virtual Machine
Table 13: Virtual Machine attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| APPLICATIONS | Local variable |
| ASSET_TYPE | type |
| AUTO_UPDATES_STATUS | Local variable |
| AVAILABILITY_ZONES | Local variable |
| CATEGORY | categories |
| CPU_COUNT | Local variable |
| CPU_FREQUENCY | Local variable |
| CPU_TYPE | Local variable |
| CREATION_TIME | sourceCreatedDate |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| DISTRIBUTION_CATEGORY | Local variable |
| DISTRIBUTION_MAJOR_VERSION | Local variable |
| DISTRIBUTION_NAME | Local variable |
| DISTRIBUTION_VERSION | Local variable |
| ESM_STATUS | Local variable |
| EXPOSURE | Local variable |
| HAS_PII | Local variable |
| HOST_NAME | hostnames |
| IMAGE_ID | image |
| IMAGE_NAME | Local variable |
| IMAGE_OWNER_ID | Local variable |
| INSTANCE_TYPE | Local variable |
| IS_INTERNET_FACING | Local variable |
| MAC_ADDRESSES | macAddresses |
| MEMORY_SIZE | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OBSERVATIONS | Local variable |
| ORCA_SCORE | Local variable |
| ORCA_TAGS | Local variable |
| OWNER | owner |
| PII_TYPES | Local variable |
| PRIVATE_DNSS | privateDnsNames |
| PRIVATE_IPS | privateIpAddresses |
| PUBLIC_DNSS | publicDnsNames |
| PUBLIC_IPS | publicIpAddresses |
| PUBLIC_IMAGE | Local variable |
| REGIONS | Local variable |
| REGION_NAMES | Local variable |
| REGION | region |
| RELATED_COMPLIANCE | Local variable |
| RISK_LEVEL | Local variable |
| SCORE | Local variable |
| SECURITY_GROUPS | Local variable |
| STATE | Local variable |
| STOP_DATE | Local variable |
| SUBCATEGORY | Local variable |
| SUBNETS | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TOTAL_DISK_BYTES | Local variable |
| UP_TIME | Local variable |
| UP_TIME_HOURS | Local variable |
| UPDATED_TIME | sourceLastModified |
| VIRTUAL_CPU_COUNT | Local variable |
| VPCS | Local variable |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Virtual Machine Image
Table 14: Virtual Machine Image attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| APPLICATIONS | Local variable |
| ASSET_TYPE | type |
| AUTO_UPDATES_STATUS | Local variable |
| AVAILABILITY_ZONES | Local variable |
| CATEGORY | categories |
| CPU_COUNT | Local variable |
| CPU_FREQUENCY | Local variable |
| CPU_TYPE | Local variable |
| CREATION_TIME | sourceCreatedDate |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| DETECTED_CROWN_JEWEL_REASON | Local variable |
| DETECTED_CROWN_JEWEL_SCORE | Local variable |
| DISTRIBUTION_CATEGORY | Local variable |
| DISTRIBUTION_MAJOR_VERSION | Local variable |
| DISTRIBUTION_NAME | Local variable |
| DISTRIBUTION_VERSION | Local variable |
| ESM_STATUS | Local variable |
| EXPOSURE | Local variable |
| HOST_NAME | hostnames |
| IMAGE_DESCRIPTION | Local variable |
| IMAGE_ID | Local variable |
| IMAGE_NAME | Local variable |
| IMAGE_OWNER_ID | Local variable |
| IS_INTERNET_FACING | Local variable |
| MAC_ADDRESSES | macAddresses |
| MEMORY_SIZE | Local variable |
| MODEL_TAGS | Local variable |
| NAME | name |
| OS_BIT_MODE | Local variable |
| OS_END_OF_SUPPORT | Local variable |
| OS_SUPPORT_INFO_SITE | Local variable |
| OWNER | owner |
| PRIVATE_DNSS | privateDnsNames |
| PRIVATE_IPS | privateIpAddresses |
| PUBLIC_DNSS | publicDnsNames |
| PUBLIC_IPS | publicIpAddresses |
| REGIONS | Local variable |
| REGION_NAMES | Local variable |
| SECURITY_GROUPS | Local variable |
| STATE | Local variable |
| STOP_DATE | Local variable |
| SUBNETS | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TOTAL_DISK_BYTES | Local variable |
| UP_TIME | Local variable |
| UP_TIME_HOURS | Local variable |
| UPDATED_TIME | sourceLastModified |
| VIRTUAL_CPU_COUNT | Local variable |
| VPCS | Local variable |
| ZONES | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability
Table 15: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ASSET_NAME | Local variable |
| ASSET_SYS_ID | Local variable |
| ASSET_TYPE | Local variable |
| ASSET_UID | targets |
| CLOUD_ACCOUNT_ID | cloudAccountId |
| CLOUD_ACCOUNT_NAME | Local variable |
| CLOUD_ACCOUNT_TYPE | Local variable |
| CLOUD_PROVIDER | cloudProvider |
| CLOUD_PROVIDER_ID | Local variable |
| CLOUD_VENDOR_ID | Local variable |
| CVE_ID | type |
| FIRST_FOUND | firstFound |
| FIX_AVAILABLE | fixable |
| LAST_FOUND | lastFound |
| STATUS | status, sourceStatus |
| SYS_ID | uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability Definition
Table 16: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ATTACK_VECTOR | Local variable |
| CISA_KEV | Local variable |
| CVSS2_SCORE | cvssV2BaseScore |
| CVSS2_VECTOR | cvssV2Vector |
| CVSS3_SCORE | cvssV3BaseScore |
| CVSS3_VECTOR | cvssV3Vector |
| CWES | cweIds |
| DESCRIPTION | description |
| HAS_EXPLOIT | cisaExploited |
| LAST_MODIFIED_DATE | sourceLastModified |
| NAME | name |
| PUBLISHED | publishedDate |
| SOURCE_LINK | url |
| SYS_ID | uid |
| USER_INTERACTION | Local variable |
| VENDOR_LINK | references |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Orca connector supports the following operation options. See connector operation options for information about how to apply them.
Table 17: Orca connector operation options
| Connector Object | Option | All Possible values | Description | Example |
|---|---|---|---|---|
| Alert, Alert Definition | assetCategory | Any Orca asset category. | Retrieve alerts from the specified asset category. | Key: assetSubcategory Value: Data Storage. This key and value combination only retrieves alerts from your Orca data storages. |
| show_informational_alerts | false | Filters out informational alerts. By default, the Orca connector retrieves informational alerts. | Key: show_informational_alerts Value: false. This key and value combination filters out informational alerts when retrieving alerts. | |
| show_snoozed_alerts | false | Filter out snoozed alerts. By default, the Orca connector retrieves snoozed alerts. | Key: show_snoozed_alerts Value: false. This key and value combination filters out snoozed alerts when retrieving alerts. | |
| sla_violation_alerts | false | Filters out alerts that are in violation of their SLA. | Key: sla_violation False: false. This key and value combination filters out alerts that in violation of their SLA. | |
| Installed Package, Package | releaseDateInPastDays | Any numeric value in days | Retrieve packages released since the specified number of days. | Key: releaseDateInPastDays Value: 30. This key and value combination only retrieves packages released in the past 30 days. |
| Vulnerability, Vulnerability Definition | assetCategory | Any Orca asset category. | Retrieve vulnerabilities from the specified asset category. | Key: assetSubcategory Value: Compute Services. This key and value combination only retrieves vulnerabilities from your Orca compute services. |
| assetSubcategory | Any Orca asset subcategory. | Retrieve vulnerabilities from the specified asset subcategory. | Key: assetSubcategory Value: Buckets. This key and value combination only retrieves vulnerabilities from your Orca Buckets. | |
| cisaKev | true | Retrieve vulnerabilities that are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. | Key: cisaKev Value: true. This key and value combination only retrieves vulnerabilities listed in the CISA KEV catalog. | |
| cvss3Score | Any numeric value from 0.1-10.0 | Retrieve all vulnerabilities with a CVSS3 (Common Vulnerability Scoring System) score of the specified value or higher. | Key: cvss3Score Value: 7. This key and value combination only retrieves vulnerabilities with a CVSS3 score of 7 or higher. | |
| hasExploit | true | Retrieve vulnerabilities for which an exploit is known to be available. | Key: hasExploit Value: true. This key and value combination only retrieves vulnerabilities that have a known exploit available. | |
| isTrending | true | Retrieve trending vulnerabilities. | Key: isTrending Value: true. This key and value combination retrieves only trending vulnerabilities. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Orca connector uses the Orca REST API. Expand the sections below to view the specific endpoints along with their associated payloads:
Alert API
GET api/query/alerts
POST api/query/alerts
{
"unique_list": "account_name",
"unique_list_include_zero": true
}
Alert Definition API
GET api/query/alerts
POST api/query/alerts
{
"unique_list": "account_name",
"unique_list_include_zero": true
}
Cloud Account API
POST /api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 5000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"CloudAccount"
],
"keys": [
"CloudAccount"
],
"with": {
"type": "operation",
"operator": "and",
"values": []
}
}
}
Container API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Container"
],
"keys": [
"Container"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "LastUpdateTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T11:24:05.276Z"
]
}
]
}
}
}
Container Image API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 2000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"ContainerImage"
],
"keys": [
"ContainerImage"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "LastUpdateTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T11:31:53.458Z"
]
}
]
}
}
}
Database API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Inventory"
],
"keys": [
"Inventory"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "NewSubCategory",
"type": "str",
"operator": "in",
"values": [
"Databases"
]
}
]
}
}
}
Function API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 3000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Function",
"AwsLambdaFunction",
"AzureFunction",
"GcpCloudFunction"
],
"keys": [
"Function",
"AwsLambdaFunction",
"AzureFunction",
"GcpCloudFunction"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "LastUpdateTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T11:37:26.183Z"
]
}
]
}
}
}
Installed Package API
POST api/sonar/query/
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"InstalledPackage"
],
"keys": [
"InstalledPackage"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "InstallDate",
"type": "datetime",
"operator": "in_past",
"value_type": "days",
"values": [
4
]
}
]
}
}
}
Package API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 4000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Package"
],
"keys": [
"Package"
],
"with": {
"type": "operation",
"operator": "and",
"values": []
}
}
}
Storage API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [
"CloudAccount",
"Content.Storage"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Inventory"
],
"keys": [
"Inventory"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "NewSubCategory",
"type": "str",
"operator": "in",
"values": [
"Buckets"
]
},
{
"key": "UpdatedTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T12:47:23.166Z"
]
}
]
}
}
}
User API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 6000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"User"
],
"keys": [
"User"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "CreationTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-02T20:05:22.735Z"
]
}
]
}
}
}
Virtual Machine API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 1000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Vm"
],
"keys": [
"Vm"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "LastUpdateTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T14:31:16.335Z"
]
}
]
}
}
}
Virtual Machine Image API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 4000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"VmImage"
],
"keys": [
"VmImage"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "LastUpdateTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T14:35:30.596Z"
]
}
]
}
}
}
Vulnerability API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 4000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"VmImage"
],
"keys": [
"VmImage"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "LastUpdateTime",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-03T14:35:30.596Z"
]
}
]
}
}
}
Vulnerability Definition API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 4000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"Vulnerability"
],
"keys": [
"Vulnerability"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "FirstSeen",
"type": "datetime",
"operator": "date_gte",
"value_type": "days",
"values": [
"2024-05-07T14:45:03.363Z"
]
},
{
"type": "object_set",
"operator": "has",
"models": [
"CVE"
],
"keys": [
"CVE"
],
"with": {
"type": "operation",
"operator": "and",
"values": []
}
},
{
"type": "object_set",
"operator": "has",
"models": [
"Content"
],
"keys": [
"Content"
],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"key": "NewSubCategory",
"type": "str",
"operator": "in",
"values": [
"Virtual Instances"
]
}
]
}
},
{
"type": "object_set",
"operator": "has",
"models": [
"CVEDescription"
],
"keys": [
"CVEVendorData"
],
"with": {
"type": "operation",
"operator": "and",
"values": []
}
}
]
}
}
}
Vulnerability Package API
POST api/sonar/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 4000,
"additional_models[]": [
"CloudAccount"
],
"query": {
"type": "object_set",
"operator": "has",
"models": [
"VulnerablePackage"
],
"keys": [
"VulnerablePackage"
],
"with": {
"type": "operation",
"operator": "and",
"values": []
}
}
}
Changelog
The Orca connector has undergone the following changes:
3.0.1
- Removed the use of
Immutableset.
3.0.0
- Initial Integration+ release.