Orca
Orca is a cloud security tool that enhances visibility across your cloud environments. You can bring cloud, container, database, function, package, storage, user, virtual machine, and security data from Orca into Brinqa to gain a unified view of your cloud-related attack surface, thus enhancing your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Orca and how to obtain that information from Orca. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Orca from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Orca with Brinqa:
- API URL: The Orca API Server URL. The default URL is https://api.orcasecurity.io.
  The API URL depends on the region of your Orca environment. The following table lists the Orca API URL for each region. Please refer to the Orca documentation for accuracy:
  Table 1: Orca API URLs
- API Token: The API token associated with the Orca account, which must have permissions to log in to the API server and return data.
Generate an Orca API token
For the Orca connector to use the Orca API, you must provide an API token. To generate an API token, follow these steps:
- Log in to your organization's Orca account as an administrator.
- Click Settings from the navigation menu.
- Navigate to Users & Permissions > API.
- Click API Tokens, and then click Add API Token. The Add API Token dialog displays.
  Provide the following information:
  - Name: Give your API token a name.
  - Description: (Optional) Provide a description of the API token.
  - Never Expire: (Optional) Select this option to mark the token as non-expiring. The Expiration field appears if you clear the checkbox. You can then select the token expiry date if desired.
  - Service Token: (Optional) Service tokens operate independently of individual user accounts, inheriting their permissions based on the creator's permissions. Service tokens remain valid even if the creator's account is deactivated or removed from the organization. If desired, select this option to enable the use of a service token.
  - Role: Define the permissions of the token. While the Administrator role can bring in all data, Brinqa recommends that you use the Viewer role, as this is considered to be the minimum role needed to read and retrieve data. Click the Role dropdown and select Viewer.
    For additional information on Orca roles and permissions, see Orca documentation.
  - Scope: Select the specific accounts or business units that the API token will be authorized to access. Leave this option unchecked if you do not want to limit the data retrieved by the Orca connector.
- Click Add.
  Your new API key token displays. You can't view the token again after this. Copy and save it to a secure location.
- Click Continue.
If you do not have the permissions to create an API token, contact your Orca administrator. For additional information, see Orca documentation.
Additional settings
The Orca connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 10,000. It is not recommended to go over 10,000.
- Parallel requests: The maximum number of parallel API requests. The default setting is 2.
- Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Orca API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Orca connector can retrieve the following types of data from the Orca API:
Table 2: Data retrieved from Orca
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert | No | Alert |
| Alert Definition | No | Alert Definition |
| Cloud Account | Yes | Cloud Account |
| Container | Yes | Container |
| Container Image | Yes | Container Image |
| Database | No | Cloud Resource |
| Function | No | Cloud Resource |
| Installed Package | No | Installed Package |
| Package | No | Package |
| Secret | No | Cloud Resource |
| Storage | No | Cloud Resource |
| User | No | Person |
| Virtual Machine | Yes | Host |
| Virtual Machine Image | Yes | Host Image |
| Vulnerability | No | Vulnerability |
| Vulnerability Definition | No | Vulnerability Definition |
| Vulnerable Package | No | Not mapped |
For detailed steps on how to view the data retrieved from Orca in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Account
Table 3: Account attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| CloudAccount.autoRemediationEnabled | AUTO_REMEDIATION_ENABLED |
| CloudAccount.businessUnits | BUSINESS_UNITS |
| CloudAccount.cloudAccountType | ACCOUNT_TYPE |
| CloudAccount.cloudProvider | CLOUD_PROVIDER |
| CloudAccount.cloudProviderId | CLOUD_PROVIDER_ID |
| CloudAccount.id | CLOUD_ACCOUNT_ID |
| CloudAccount.id | UID |
| CloudAccount.name | NAME |
| CloudAccount.tags | TAGS |
| CloudAccount.vendorId | VENDOR_ID |
| Instant.now() | LAST_CAPTURED |
Alert
Table 4: Alert attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| AlertModel.alertId | UID |
| AlertModel.assetUniqueId + inventory | TARGETS |
| AlertModel.category | CATEGORIES |
| AlertModel.cloudAccount.data.cloudAccountType | CLOUD_ACCOUNT_TYPE |
| AlertModel.cloudAccount.data.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
| AlertModel.cloudAccount.data.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
| AlertModel.cloudAccount.data.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
| AlertModel.cloudAccount.id | CLOUD_ACCOUNT_ID |
| AlertModel.cloudAccount.name | CLOUD_ACCOUNT_NAME |
| AlertModel.createdAt | SOURCE_CREATED_DATE |
| AlertModel.customRemediation | CUSTOM_REMEDIATION |
| AlertModel.cveIds | CVE_IDS |
| AlertModel.description | DESCRIPTION |
| AlertModel.details | RESULTS |
| AlertModel.details | SUMMARY |
| AlertModel.inventory.id | ASSET_ID |
| AlertModel.inventory.name | ASSET_NAME |
| AlertModel.inventory.newCategory | ASSET_CATEGORY |
| AlertModel.inventory.newSubCategory | ASSET_SUBCATEGORY |
| AlertModel.inventory.region | ASSET_REGION |
| AlertModel.inventory.type | ASSET_TYPE |
| AlertModel.inventory.assetUniqueId | ASSET_UNIQUE_ID |
| AlertModel.labels | TAGS |
| AlertModel.lastSeen | LAST_FOUND |
| AlertModel.lastUpdated | SOURCE_LAST_MODIFIED |
| AlertModel.orcaScore | ORCA_SCORE |
| AlertModel.recommendation | RECOMMENDATION |
| AlertModel.remediationConsole | REMEDIATION_STEPS |
| AlertModel.riskFindings.value.type | RISK_TYPE |
| AlertModel.riskLevel → normalized | SEVERITY |
| AlertModel.riskLevel | SOURCE_SEVERITY |
| AlertModel.ruleId | TYPE |
| AlertModel.score | SCORE |
| AlertModel.source | SOURCE |
| AlertModel.status → normalized | STATUS |
| AlertModel.status | SOURCE_STATUS |
| AlertModel.statusTime | STATUS_TIME |
| AlertModel.title or alertType | NAME |
| AlertModel.relatedCompliances | RELATED_COMPLIANCES |
| Derived from normalized severity | SEVERITY_SCORE |
| Derived from normalized severity | SOURCE_SEVERITY_SCORE |
| Derived from normalized status | STATUS_CATEGORY |
| Instant.now() | LAST_CAPTURED |
Alert Definition
Table 5: Alert Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| AlertModel.category | CATEGORIES |
| AlertModel.createdAt | SOURCE_CREATED_DATE |
| AlertModel.customRemediation | CUSTOM_RECOMMENDATION |
| AlertModel.cveIds | CVE_IDS |
| AlertModel.description | DESCRIPTION |
| AlertModel.labels | TAGS |
| AlertModel.lastSeen | LAST_FOUND |
| AlertModel.lastUpdated | SOURCE_LAST_MODIFIED |
| AlertModel.mitreCategory | MITRE_CATEGORY |
| AlertModel.mitreTechniques | MITRE_TECHNIQUES |
| AlertModel.orcaScore | ORCA_SCORE |
| AlertModel.recommendation + remediationCli + remediationConsole | RECOMMENDATION |
| AlertModel.remediationConsole | REMEDIATION_STEPS |
| AlertModel.riskLevel → normalized | SEVERITY |
| AlertModel.riskLevel | RISK_LEVEL |
| AlertModel.riskLevel | SOURCE_SEVERITY |
| AlertModel.ruleId | UID |
| AlertModel.ruleQuery | RULE_QUERY |
| AlertModel.ruleSource | RULE_SOURCE |
| AlertModel.score | SCORE |
| AlertModel.status → normalized | STATUS |
| AlertModel.status | PROVIDER_STATUS |
| AlertModel.status | SOURCE_STATUS |
| AlertModel.statusTime | STATUS_TIME |
| AlertModel.title or alertType | NAME |
| Derived from normalized severity | SEVERITY_SCORE |
| Derived from normalized status | STATUS_CATEGORY |
Container
Table 6: Container attribute mappings
Inherits all shared inventory attributes and shared compute attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| Container.containerLabels | LABELS |
| Container.description | DESCRIPTION |
| Container.execName | EXEC_NAME |
| Container.execPath | EXEC_PATH |
| Container.id | CONTAINER_ID |
| Container.imageDigest | IMAGE_DIGEST |
| Container.imageId | IMAGE_ID |
| Container.imageLayersDigest | IMAGE_LAYERS_DIGEST |
| Container.imageName | IMAGE_NAME |
| Container.imageVersion | IMAGE_VERSION |
| Container.k8SContainerName | K8S_CONTAINER_NAME |
| Container.k8SPodNames | K8S_POD_NAMES |
| Container.k8SPodNamespace | K8S_POD_NAMESPACE |
| Container.lastUpdatedTime | SOURCE_LAST_MODIFIED |
| Container.maintainer | MAINTAINER |
| Container.serviceName | SERVICE_NAME |
| Container.storageDriver | STORAGE_DRIVER |
| Container.user | USER |
| Container.vm.assetUniqueId | HOST |
| Derived from imageName + imageVersion | IMAGE |
| Instant.now() | LAST_CAPTURED |
Container Image
Table 7: Container Image attribute mappings
Inherits all shared inventory attributes and shared compute attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| name or assetUniqueId or id | UID |
| ContainerImage.imageDigest | IMAGE_DIGEST |
| ContainerImage.imageId | IMAGE_ID |
| ContainerImage.imageLabels | IMAGE_LABELS |
| ContainerImage.imageLayersDigest | IMAGE_LAYERS_DIGEST |
| ContainerImage.imageName | IMAGE_NAME |
| ContainerImage.imagePushedAt | IMAGE_PUSHED_AT |
| ContainerImage.imageSize | IMAGE_SIZE |
| ContainerImage.imageTags | IMAGE_TAGS |
| ContainerImage.repositoryName | REPOSITORY |
| ContainerImage.repositoryUri | REPOSITORY_URI |
| Instant.now() | LAST_CAPTURED |
Database
Table 8: Database attribute mappings
Inherits all shared inventory attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| Instant.now() | LAST_CAPTURED |
Function
Table 9: Function attribute mappings
Inherits all shared inventory attributes and shared compute attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| Function.description | DESCRIPTION |
| Function.ephemeralStorage | EPHEMERAL_STORAGE |
| Function.functionArn | FUNCTION_ARN |
| Function.functionId | FUNCTION_ID |
| Function.functionName | FUNCTION_NAME |
| Function.handler | HANDLER |
| Function.packageType | PACKAGE_TYPE |
| Function.timeout | TIMEOUT |
| Function.tracingConfig | TRACING_CONFIG |
| Instant.now() | LAST_CAPTURED |
Installed Package
Table 10: Installed Package attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Dataset id | UID |
| CloudAccount.cloudAccountType | CLOUD_ACCOUNT_TYPE |
| CloudAccount.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
| CloudAccount.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
| CloudAccount.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
| Cloud account dataset ID | CLOUD_ACCOUNT_ID |
| Cloud account dataset name | CLOUD_ACCOUNT_NAME |
| InstalledPackage.cloudAccount → assetUniqueId, id | TARGETS |
| InstalledPackage.installDate | INSTALL_DATE |
| InstalledPackage.isInstalledByPackageManager | INSTALLED_BY_PACKAGE_MANAGER |
| InstalledPackage.name | NAME |
| InstalledPackage.nonOsPackagePaths | INSTALL_PATHS |
| InstalledPackage._package().id | PACKAGE_ID |
| InstalledPackage._package().id | TYPE |
| InstalledPackage.version | REVISION |
| Instant.now() | LAST_CAPTURED |
Package
Table 11: Package attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Dataset id | UID |
| Package.architecture | ARCHITECTURE |
| Package.author | PUBLISHER |
| Package.cpe | CPE |
| Package.description | DESCRIPTION |
| Package.edition | EDITION |
| Package.endOfLifeDate | EOL_DATE |
| Package.isLatest | LATEST |
| Package.isOsPackage | OS_PACKAGE |
| Package.latestAvailableVersion | LATEST_VERSION |
| Package.name | NAME |
| Package.releaseDate | RELEASE_DATE |
| Package.url | URL |
| Package.version | CURRENT_VERSION |
| Instant.now() | LAST_CAPTURED |
Secret
Table 12: Secret attribute mappings
Inherits all shared inventory attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| Secret.lastAccessedDate | LAST_ASSESSED |
| Secret.lastChangedDate | LAST_CHANGED |
| Secret.rotationEnabled | ROTATION_ENABLED |
| Instant.now() | LAST_CAPTURED |
Storage
Table 13: Storage attribute mappings
Inherits all shared inventory attributes and content attributes (HAS_PII, PII_TYPES). Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| Storage.isVersioningEnabled | VERSIONING_ENABLED |
| Storage.totalFilesCount | TOTAL_FILES_COUNT |
| Storage.usedStorage | USED_STORAGE |
| Instant.now() | LAST_CAPTURED |
User
Table 14: User attribute mappings
Inherits all shared inventory attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| User.mfaActive | MFA_ACTIVE |
| User.passwordEnabled | PASSWORD_ENABLED |
| User.passwordLastChanged | PASSWORD_LAST_CHANGED |
| User.passwordLastUsed | PASSWORD_LAST_USED |
| User.passwordNextRotation | PASSWORD_NEXT_ROTATION |
| User.userId | USERNAME |
| Instant.now() | LAST_CAPTURED |
Virtual Machine
Table 15: Virtual Machine attribute mappings
Inherits all shared inventory attributes and shared compute attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| Vm.image.assetUniqueId or Vm.imageId | IMAGE |
| Vm.imageId → looked up from VmImage map | IMAGE_ASSET_UID |
| Vm.imageName | IMAGE_NAME |
| Vm.imageOwnerId | IMAGE_OWNER_ID |
| Vm.imageIsPublic | PUBLIC_IMAGE |
| Vm.instanceType | INSTANCE_TYPE |
| Vm.uiUniqueField | INSTANCE_ID |
| Instant.now() | LAST_CAPTURED |
Virtual Machine Image
Table 16: Virtual Machine Image attribute mappings
Inherits all shared inventory attributes and shared compute attributes. Additionally:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| VmImage.imageId | IMAGE_ID |
| VmImage.imageOwnerId | IMAGE_OWNER_ID |
| Instant.now() | LAST_CAPTURED |
Vulnerability
Table 17: Vulnerability attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Dataset id | UID |
| Dataset name | NAME |
| CloudAccount.cloudAccountType | CLOUD_ACCOUNT_TYPE |
| CloudAccount.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
| CloudAccount.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
| CloudAccount.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
| CVE.lastModifiedDate or Instant.now() | LAST_FOUND |
| InstalledPackage.isInstalledByPackageManager | INSTALLED_BY_PACKAGE_MANAGER |
| InstalledPackage.isOsPackage | IS_OS_PACKAGE |
| InstalledPackage.nonOsPackagePaths | NON_OS_PACKAGE_PATHS |
| InstalledPackage.nonOsPackagePaths | RESULTS |
| InstalledPackage.version | PACKAGE_VERSION |
| Inventory id, assetUniqueId, name | TARGETS |
| VulnerabilityV2Resource.cloudAccount.id | CLOUD_ACCOUNT_ID |
| VulnerabilityV2Resource.cloudAccount.name | CLOUD_ACCOUNT_NAME |
| VulnerabilityV2Resource.cve.id | TYPE |
| VulnerabilityV2Resource.description | DESCRIPTION |
| VulnerabilityV2Resource.firstSeen | FIRST_FOUND |
| VulnerabilityV2Resource.installedPackage.id | PACKAGE_ID |
| VulnerabilityV2Resource.installedPackage.name | PACKAGE_NAME |
| VulnerabilityV2Resource.inventory.assetUniqueId | ASSET_UNIQUE_ID |
| VulnerabilityV2Resource.inventory.id | ASSET_ID |
| VulnerabilityV2Resource.inventory.name | ASSET_NAME |
| VulnerabilityV2Resource.inventory.type | ASSET_TYPE |
| VulnerabilityV2Resource.patchAvailable | FIXABLE |
| VulnerabilityV2Resource.patchAvailable | PATCHABLE |
| VulnerabilityV2Resource.patchedVersions → composed | RECOMMENDATION |
| Hardcoded "Active" → normalized | STATUS |
| Hardcoded "Active" | SOURCE_STATUS |
| Instant.now() | LAST_CAPTURED |
Vulnerability Definition
Table 18: Vulnerability Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| CVE Dataset id | UID |
| CVE Dataset name | NAME |
| Cve.cisaKev | CISA_EXPLOITED |
| Cve.cvss2Score | CVSS_V2_BASE_SCORE |
| Cve.cvss3Score | CVSS_V3_BASE_SCORE |
| Cve.cweTypes | CWE_IDS |
| Cve.epssPercentile | EPSS_PERCENTILE |
| Cve.epssProbability | EPSS_SCORE |
| Cve.hasExploit | HAS_EXPLOIT |
| Cve.isTrending | TRENDING |
| Cve.lastModifiedDate | SOURCE_LAST_MODIFIED |
| Cve.publishedDate | PUBLISHED_DATE |
| Cve.sourceLink | URL |
| Cve.userInteraction | USER_INTERACTION |
| VulnerabilityV2Resource.cvssVector → parsed | ATTACK_VECTOR |
| VulnerabilityV2Resource.description | DESCRIPTION |
| VulnerabilityV2Resource.patchAvailable | PATCHABLE |
| VulnerabilityV2Resource.patchedVersions | PATCHED_VERSIONS |
| VulnerabilityV2Resource.patchReleaseDate | PATCH_RELEASE_DATE |
| VulnerabilityV2Resource.threatImpact | THREAT_IMPACT |
Vulnerable Package
Table 19: Vulnerable Package attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Dataset id | UID |
| InstalledPackage.nonOsPackagePaths | PACKAGE_PATH |
| VulnerablePackage._package().id | PACKAGE_ID |
| VulnerablePackage.cve().id | VULNERABILITY_DEFINITION_ID |
| VulnerablePackage.fixed | FIXED |
| VulnerablePackage.patchedVersions | PATCHED_VERSIONS |
| Instant.now() | LAST_CAPTURED |
Shared Inventory Attributes
Table 20: Shared inventory attribute mappings
All models extending InventoryAsset (User, Storage, Database, Secret, and all Compute models) inherit these attributes:
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId or id | UID |
| CloudAccount.cloudAccountType | CLOUD_ACCOUNT_TYPE |
| CloudAccount.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
| CloudAccount.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
| CloudAccount.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
| Cloud account dataset ID | CLOUD_ACCOUNT_ID |
| Cloud account dataset name | CLOUD_ACCOUNT_NAME |
| Dataset id | ASSET_ID |
| Dataset name | NAME |
| Dataset type | TYPE |
| InventoryModel.assetUniqueId | ASSET_UNIQUE_ID |
| InventoryModel.clusterUniqueId | CLUSTER_UNIQUE_ID |
| InventoryModel.creationTime | SOURCE_CREATED_DATE |
| InventoryModel.detectedCrownJewelReason | DETECTED_CROWN_JEWEL_REASON |
| InventoryModel.detectedCrownJewelScore | DETECTED_CROWN_JEWEL_SCORE |
| InventoryModel.exposure | EXPOSURE |
| InventoryModel.firstSeen | FIRST_SEEN |
| InventoryModel.fullScanTime | FULL_SCAN_TIME |
| InventoryModel.groupUniqueId | GROUP_UNIQUE_ID |
| InventoryModel.isInternetFacing | IS_INTERNET_FACING |
| InventoryModel.lastSeen | LAST_SEEN |
| InventoryModel.modelTags | MODEL_TAGS |
| InventoryModel.newCategory | CATEGORIES |
| InventoryModel.newSubCategory | SUBCATEGORY |
| InventoryModel.observations | OBSERVATIONS |
| InventoryModel.orcaScore | ORCA_SCORE |
| InventoryModel.orcaTags | ORCA_TAGS |
| InventoryModel.region | REGION |
| InventoryModel.relatedCompliances | RELATED_COMPLIANCE |
| InventoryModel.riskLevel | RISK_LEVEL |
| InventoryModel.score | SCORE |
| InventoryModel.tags | TAGS |
| InventoryModel.uiUniqueField | UI_UNIQUE_FIELD |
| InventoryModel.updatedTime | SOURCE_LAST_MODIFIED |
| InventoryModel.zones | ZONES |
| <type> - <name> | DESCRIPTION |
Shared Compute Attributes
Table 21: Shared compute attribute mappings
All models extending ComputeAsset (Virtual Machine, Virtual Machine Image, Container Image, Container, Function) additionally inherit:
| Source Field Name | SDM Attribute |
|---|---|
| ComputeModel.autoUpdatesStatus | AUTO_UPDATES_STATUS |
| ComputeModel.availabilityZones | AVAILABILITY_ZONES |
| ComputeModel.cpuCount | CPU_COUNT |
| ComputeModel.cpuFrequency | CPU_FREQUENCY |
| ComputeModel.cpuType | CPU_TYPE |
| ComputeModel.distroCategory | DISTRIBUTION_CATEGORY |
| ComputeModel.distributionMajorVersion | DISTRIBUTION_MAJOR_VERSION |
| ComputeModel.distributionName | DISTRIBUTION_NAME |
| ComputeModel.distributionVersion | DISTRIBUTION_VERSION |
| ComputeModel.esmStatus | ESM_STATUS |
| ComputeModel.hostname | HOSTNAMES |
| ComputeModel.lastUpdateTime | SOURCE_LAST_MODIFIED |
| ComputeModel.macAddresses | MAC_ADDRESSES |
| ComputeModel.memory | MEMORY_SIZE |
| ComputeModel.osBitMode | OS_BIT_MODE |
| ComputeModel.osEndOfSupport | OS_END_OF_SUPPORT |
| ComputeModel.osSupportInfoSite | OS_SUPPORT_INFO_SITE |
| ComputeModel.owner | OWNER |
| ComputeModel.privateDnss | PRIVATE_DNS_NAMES |
| ComputeModel.privateIps | PRIVATE_IP_ADDRESSES |
| ComputeModel.publicDnss | PUBLIC_DNS_NAMES |
| ComputeModel.publicIps | PUBLIC_IP_ADDRESSES |
| ComputeModel.regionNames | REGION_NAMES |
| ComputeModel.regions | REGIONS |
| ComputeModel.securityGroups | SECURITY_GROUPS |
| ComputeModel.state | STATE |
| ComputeModel.stopDate | STOP_DATE |
| ComputeModel.totalDisksBytes | TOTAL_DISK_BYTES |
| ComputeModel.upTime | UP_TIME |
| ComputeModel.upTimeHours | UP_TIME_HOURS |
| ComputeModel.vCpuCount | VIRTUAL_CPU_COUNT |
| ContentModel.hasPii | HAS_PII |
| ContentModel.piiTypes | PII_TYPES |
Operation options
The Orca connector supports the following operation options. See connector operation options for information about how to apply them.
Expand the sections below to view the supported operation options per connector object:
The option keys and values are case-sensitive. Enter them exactly as they are shown in this documentation.
Alert / Alert Definition
Table 22: Alert / Alert Definition operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Alert, Alert Definition | asset_category | Any valid Orca asset category string | Filter alerts by asset category (NewCategory). | Key: asset_category Value: Virtual Instances. Retrieves only alerts associated with assets in the specified category. |
| Alert, Alert Definition | asset_subcategory | Any valid Orca asset sub-category string | Filter alerts by asset sub-category (NewSubCategory). | Key: asset_subcategory Value: Databases. Retrieves only alerts associated with assets in the specified sub-category. |
| Alert, Alert Definition | asset_type | Any valid Orca asset type string | Filter alerts by asset type. | Key: asset_type Value: AwsEc2Instance. Retrieves only alerts associated with the specified asset type. |
| Alert, Alert Definition | related_compliances | Any valid compliance framework string | Filter alerts by compliance associations. | Key: related_compliances Value: PCI DSS. Retrieves only alerts associated with the specified compliance framework. |
| Alert, Alert Definition | status | Any valid Orca alert status string | Filter alerts by status. | Key: status Value: open. Retrieves only alerts with the specified status. |
Installed Package
Table 23: Installed Package operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Installed Package | installDateInPastDays | Any positive integer | Filter installed packages by install date within the last N days. | Key: installDateInPastDays Value: 30. Retrieves only packages installed within the last 30 days. |
Package
Table 24: Package operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Package | releaseDateInPastDays | Any positive integer | Filter packages released within the last N days. | Key: releaseDateInPastDays Value: 90. Retrieves only packages released within the last 90 days. |
Vulnerability
Table 25: Vulnerability operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Vulnerability | assetCategory | Any valid Orca asset category string | Filter vulnerabilities by asset category. | Key: assetCategory Value: Virtual Instances. Retrieves only vulnerabilities for assets in the specified category. |
| Vulnerability | assetState | Any valid asset state string | Filter vulnerabilities by asset state. | Key: assetState Value: running. Retrieves only vulnerabilities for assets in the specified state. |
| Vulnerability | assetSubcategory | Any valid Orca asset sub-category string | Filter vulnerabilities by asset sub-category. | Key: assetSubcategory Value: Databases. Retrieves only vulnerabilities for assets in the specified sub-category. |
| Vulnerability | assetType | Any valid Orca asset type string | Filter vulnerabilities by asset type. | Key: assetType Value: AwsEc2Instance. Retrieves only vulnerabilities for the specified asset type. |
| Vulnerability | cisaKev | true, false | Filter vulnerabilities by CISA KEV status. | Key: cisaKev Value: true. Retrieves only vulnerabilities listed in the CISA KEV catalog. |
| Vulnerability | cveId | Any valid CVE ID(s), comma-separated | Filter vulnerabilities by CVE ID(s). | Key: cveId Value: CVE-2023-1234. Retrieves only vulnerabilities matching the specified CVE ID(s). |
| Vulnerability | cvss2Score | Any float value | Filter vulnerabilities by minimum NVD CVSS v2 score. | Key: cvss2Score Value: 7.0. Retrieves only vulnerabilities with a CVSS v2 score of 7.0 or higher. |
| Vulnerability | cvss2Severity | Any valid CVSS v2 severity string | Filter vulnerabilities by NVD CVSS v2 severity. | Key: cvss2Severity Value: HIGH. Retrieves only vulnerabilities with the specified CVSS v2 severity. |
| Vulnerability | cvss3Score | Any float value | Filter vulnerabilities by minimum NVD CVSS v3 score. | Key: cvss3Score Value: 9.0. Retrieves only vulnerabilities with a CVSS v3 score of 9.0 or higher. |
| Vulnerability | cvss3Severity | Any valid CVSS v3 severity string | Filter vulnerabilities by NVD CVSS v3 severity. | Key: cvss3Severity Value: CRITICAL. Retrieves only vulnerabilities with the specified CVSS v3 severity. |
| Vulnerability | cvss4Score | Any float value | Filter vulnerabilities by minimum NVD CVSS v4 score. | Key: cvss4Score Value: 8.0. Retrieves only vulnerabilities with a CVSS v4 score of 8.0 or higher. |
| Vulnerability | cvss4Severity | Any valid CVSS v4 severity string | Filter vulnerabilities by NVD CVSS v4 severity. | Key: cvss4Severity Value: HIGH. Retrieves only vulnerabilities with the specified CVSS v4 severity. |
| Vulnerability | hasExploit | true, false | Filter vulnerabilities by exploit availability. | Key: hasExploit Value: true. Retrieves only vulnerabilities that have a known exploit. |
| Vulnerability | isTrending | true, false | Filter vulnerabilities by trending status. | Key: isTrending Value: true. Retrieves only vulnerabilities that are currently trending. |
| Vulnerability | notInPackageSections | Any valid package section string | Exclude packages from specified sections. | Key: notInPackageSections Value: os. Excludes vulnerabilities from packages in the specified sections. |
APIs
The Orca connector uses the Orca REST API. Expand the sections below to view the specific endpoints along with their associated payloads:
Versions 3.1.0 and later of the Orca connector use the Orca Serving Layer API. If your environment does not have Serving Layer API access, please contact Orca to enable it. Alternatively, you can contact Brinqa Support to downgrade to version 3.0.x of the connector if you don't want to enable the Serving Layer API.
All connector objects use the single serving-layer query endpoint: POST {baseUrl}/api/serving-layer/query. Each object sends a QueryRequest containing a query (an ObjectSet specifying the Orca model types, keys, and conditions) along with optional additional_models[] for related data, and a full_graph_fetch flag. Pagination is handled automatically using limit (default page size 1,000) and start_at_index.
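The paging scheme described above (limit plus start_at_index against the single query endpoint), as an added example that is not Brinqa's connector code. The `send` callable, the record shape, the in-memory `FakeServingLayer`, and the rule of stopping at the first page shorter than `limit` are assumptions, since this page does not describe the response format or the authentication header; the request fields and the NewSubCategory condition follow the payloads shown on this page.

```python
import copy

QUERY_PATH = "/api/serving-layer/query"  # endpoint named on this page


def str_in(key, values):
    """Condition shaped like the Database payload's NewSubCategory filter."""
    return {"key": key, "type": "str", "operator": "in", "values": list(values)}


def build_query_request(models, keys=None, conditions=(), additional_models=(),
                        limit=1000, start_at_index=0):
    """Build a QueryRequest with the same fields as the payloads on this page."""
    query = {"type": "object_set", "operator": "has", "models": list(models)}
    if keys is not None:  # the multi-model payloads on this page omit "keys"
        query["keys"] = list(keys)
    query["with"] = {"type": "operation", "operator": "and",
                     "values": list(conditions)}
    return {
        "ui": False,
        "get_results_and_count": False,
        "order_by_pk": False,
        "enable_pagination": True,
        "limit": limit,
        "start_at_index": start_at_index,
        "additional_models[]": list(additional_models),
        "query": query,
        "full_graph_fetch": {"enabled": True, "limit_children": 0},
        "max_tier": 5,
        "select": [],
    }


def fetch_all(send, request, max_pages=1000):
    """Page through a query by advancing start_at_index by limit.

    send(path, payload) must return one page as a list (assumed interface).
    max_pages bounds the loop if the far end never returns a short page.
    """
    limit = request["limit"]
    if limit <= 0:
        raise ValueError("limit must be positive")
    records, start = [], request["start_at_index"]
    for _ in range(max_pages):
        payload = copy.deepcopy(request)  # never mutate the caller's request
        payload["start_at_index"] = start
        page = send(QUERY_PATH, payload)
        records.extend(page)
        if len(page) < limit:  # short (or empty) page: nothing left to fetch
            return records
        start += limit
    raise RuntimeError("max_pages reached before a short page was returned")


class FakeServingLayer:
    """Constructed in-memory stand-in for the API so the example runs offline."""

    def __init__(self, records):
        self.records = records
        self.starts = []  # start_at_index of every request received

    def __call__(self, path, payload):
        if path != QUERY_PATH:
            raise ValueError("unexpected path: " + path)
        self.starts.append(payload["start_at_index"])
        matched = self.records
        for cond in payload["query"]["with"]["values"]:
            if cond.get("operator") == "in":
                matched = [r for r in matched
                           if r.get(cond["key"]) in cond["values"]]
        first = payload["start_at_index"]
        return matched[first:first + payload["limit"]]


def demo():
    # Constructed sample data: 2,500 inventory records, 2,000 of them databases.
    inventory = [{"id": i,
                  "NewSubCategory": "Storage" if i % 5 == 0 else "Databases"}
                 for i in range(2500)]
    server = FakeServingLayer(inventory)
    request = build_query_request(
        ["Inventory"], keys=["Inventory"],
        conditions=[str_in("NewSubCategory", ["Databases"])],
        additional_models=["CloudAccount"])
    rows = fetch_all(server, request)
    return rows, server.starts


if __name__ == "__main__":
    rows, starts = demo()
    print(len(rows), starts)
```

When the result count is an exact multiple of `limit`, the loop issues one extra request that returns an empty page, which is why the sample run makes three requests for 2,000 records.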
Expand the sections below to view the query payloads for each connector object:
Account API
POST {baseUrl}/api/serving-layer/query
```json
{
  "ui": false,
  "get_results_and_count": false,
  "order_by_pk": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 1000,
  "additional_models[]": ["CloudAccount"],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": ["CloudAccount"],
    "keys": ["CloudAccount"],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  },
  "full_graph_fetch": {
    "enabled": true,
    "limit_children": 0
  },
  "max_tier": 5,
  "select": [
    "CloudProviderId",
    "BusinessUnits.Name",
    "CloudProvider",
    "VendorId",
    "AutoRemediationEnabled",
    "CloudAccountType",
    "Tags",
    "Name"
  ]
}
```
Alert API
POST {baseUrl}/api/serving-layer/query
Alert queries include nested ObjectSet conditions to join Inventory and CloudAccount data. The CreatedAt date-time condition is added as an incremental filter when syncing.
```json
{
  "ui": false,
  "get_results_and_count": false,
  "order_by_pk": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 0,
  "additional_models[]": [],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": ["Alert"],
    "keys": ["Alert"],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "type": "object",
          "operator": "has",
          "models": ["CloudAccount"],
          "keys": ["CloudAccount"]
        },
        {
          "type": "object_set",
          "operator": "has",
          "models": ["Inventory"],
          "keys": ["Inventory"]
        }
      ]
    }
  },
  "full_graph_fetch": {
    "enabled": true,
    "limit_children": 0
  },
  "max_tier": 5,
  "select": [
    "RuleSource",
    "OrcaScore",
    "Category",
    "CloudAccount.Name",
    "Description",
    "Inventory.NewCategory",
    "ScoreVector",
    "CreatedAt",
    "RuleId",
    "AssetData",
    "Inventory.Region",
    "LastSeen",
    "Source",
    "Inventory.NewSubCategory",
    "AlertType",
    "AutoRemediationActions",
    "Inventory.Name",
    "CustomRemediation",
    "CloudAccount.CloudAccountType",
    "CloudAccount.CloudProviderId",
    "LastUpdated",
    "RelatedCompliances",
    "Status",
    "CloudAccount.VendorId",
    "CveIds",
    "StatusTime",
    "Title",
    "RuleType",
    "Labels",
    "RemediationConsole",
    "AlertSource",
    "RiskFindings",
    "Recommendation",
    "Inventory.CiSource",
    "AlertId",
    "Score",
    "Details",
    "RiskLevel",
    "CloudAccount.CloudProvider"
  ]
}
```
Alert Definition API
POST {baseUrl}/api/serving-layer/query
Uses the same query as Alert. Alert definitions are derived from alert data and deduplicated by ruleId.
Container API
POST {baseUrl}/api/serving-layer/query
```json
{
  "ui": false,
  "get_results_and_count": false,
  "order_by_pk": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 0,
  "additional_models[]": ["CloudAccount", "Content.Compute.Vm"],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": ["Container", "Fargate", "CloudRun", "Aci"],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  },
  "full_graph_fetch": {
    "enabled": true,
    "limit_children": 0
  },
  "max_tier": 5,
  "select": []
}
```
Container Image API
POST {baseUrl}/api/serving-layer/query
```json
{
  "ui": false,
  "get_results_and_count": false,
  "order_by_pk": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 23000,
  "additional_models[]": ["CloudAccount"],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": ["ContainerImage"],
    "keys": ["ContainerImage"],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  },
  "full_graph_fetch": {
    "enabled": true,
    "limit_children": 0
  },
  "max_tier": 5,
  "select": []
}
```
Database API
POST {baseUrl}/api/serving-layer/query
```json
{
  "ui": false,
  "get_results_and_count": false,
  "order_by_pk": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 1000,
  "additional_models[]": ["CloudAccount"],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": ["Inventory"],
    "keys": ["Inventory"],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": [
        {
          "key": "NewSubCategory",
          "type": "str",
          "operator": "in",
          "values": ["Databases"]
        }
      ]
    }
  },
  "full_graph_fetch": {
    "enabled": true,
    "limit_children": 0
  },
  "max_tier": 5,
  "select": []
}
```
Function API
POST {baseUrl}/api/serving-layer/query
```json
{
  "ui": false,
  "get_results_and_count": false,
  "order_by_pk": false,
  "enable_pagination": true,
  "limit": 1000,
  "start_at_index": 1000,
  "additional_models[]": ["CloudAccount"],
  "query": {
    "type": "object_set",
    "operator": "has",
    "models": [
      "Function",
      "AwsLambdaFunction",
      "AzureFunctionApp",
      "AzureFunction",
      "AwsStepFunctionsStateMachine",
      "GcpCloudFunction"
    ],
    "with": {
      "type": "operation",
      "operator": "and",
      "values": []
    }
  },
  "full_graph_fetch": {
    "enabled": true,
    "limit_children": 0
  },
  "max_tier": 5,
  "select": []
}
```
Installed Package API
POST {baseUrl}/api/serving-layer/query
The InstallDate filter is applied when the installDateInPastDays operation option is configured.
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]":
[
"CloudAccount",
"Package"
],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"InstalledPackage"
],
"keys":
[
"InstalledPackage"
],
"with":
{
"type": "operation",
"operator": "and",
"values": []
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Package API
POST {baseUrl}/api/serving-layer/query
The ReleaseDate filter is applied when the releaseDateInPastDays operation option is configured.
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"Package"
],
"keys":
[
"Package"
],
"with":
{
"type": "operation",
"operator": "and",
"values": []
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Secret API
POST {baseUrl}/api/serving-layer/query
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]":
[
"CloudAccount"
],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"AzureKeyVaultSecret",
"GcpSecretManagerSecret",
"GcpSecretManagerSecretVersion",
"AwsSecretsManagerSecret",
"OciIamCustomerSecretKey"
],
"with":
{
"type": "operation",
"operator": "and",
"values": []
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Storage API
POST {baseUrl}/api/serving-layer/query
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]":
[
"CloudAccount",
"Content.Storage"
],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"Inventory"
],
"keys":
[
"Inventory"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"key": "NewSubCategory",
"type": "str",
"operator": "in",
"values":
[
"Buckets"
]
}
]
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
User API
POST {baseUrl}/api/serving-layer/query
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]":
[
"CloudAccount"
],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"User"
],
"keys":
[
"User"
],
"with":
{
"type": "operation",
"operator": "and",
"values": []
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Virtual Machine API
POST {baseUrl}/api/serving-layer/query
A pre-fetch query for VmImage records is made first (with no conditions) to build an imageId → assetUniqueId lookup map, then the main VM query is executed:
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"VulnerablePackage"
],
"keys":
[
"VulnerablePackage"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"type": "object_set",
"operator": "has",
"models":
[
"Package"
],
"keys":
[
"Package"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"type": "object_set",
"operator": "has",
"models":
[
"InstalledPackage"
],
"keys":
[
"InstalledPackages"
],
"with":
{
"type": "operation",
"operator": "and",
"values": []
}
}
]
}
}
]
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Virtual Machine Image API
POST {baseUrl}/api/serving-layer/query
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 1000,
"additional_models[]":
[
"CloudAccount"
],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"VmImage"
],
"keys":
[
"VmImage"
],
"with":
{
"type": "operation",
"operator": "and",
"values": []
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Vulnerability API
POST {baseUrl}/api/serving-layer/query
Vulnerability queries include nested ObjectSet conditions to join CVE, Inventory, and InstalledPackage data. Additional conditions from operation options (e.g. cisaKev, cvss3Score, assetCategory) are injected into the respective nested ObjectSet.
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"VulnerabilityV2"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"type": "object_set",
"operator": "has",
"models":
[
"InstalledPackage"
],
"keys":
[
"InstalledPackage"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"type": "object",
"operator": "has",
"models":
[
"CloudAccount"
],
"keys":
[
"CloudAccount"
]
},
{
"type": "object_set",
"operator": "has",
"models":
[
"Package"
],
"keys":
[
"Package"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"type": "object_set",
"operator": "has",
"models":
[
"VulnerablePackage"
],
"keys":
[
"VulnerablePackages"
]
}
]
}
}
]
}
},
{
"type": "object_set",
"operator": "has",
"models":
[
"Inventory"
],
"keys":
[
"Inventory"
]
},
{
"type": "object_set",
"operator": "has",
"models":
[
"CVE"
],
"keys":
[
"CVE"
]
}
]
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select":
[
"Name",
"Description",
"CvssSeverity",
"HasExploit",
"FirstSeen",
"PatchAvailable",
"PatchedVersions",
"CisaKev",
"CvssScore",
"EpssProbability",
"Inventory.Name",
"Inventory.AssetUniqueId",
"InstalledPackage.Name",
"InstalledPackage.Version",
"InstalledPackage.IsOsPackage",
"InstalledPackage.IsInstalledByPackageManager",
"InstalledPackage.NonOsPackagePaths",
"InstalledPackage.PackagePathProperties",
"InstalledPackage.ReachabilityStatus",
"CVE.Id",
"CVE.Name",
"CVE.LastModifiedDate",
"CloudAccount.Name",
"CloudAccount.CloudProvider",
"CloudAccount.CloudProviderId",
"CloudAccount.CloudAccountType",
"CloudAccount.VendorId"
]
}
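The injection step described for the Vulnerability API, shown as an added Python example (not the connector's own code). The helper names `node`, `vulnerability_query`, `find_object_set`, and `inject` are hypothetical. The sample filter reuses the `NewSubCategory` leaf shape from the Database API request; this page does not document which key each operation option maps to, so that pairing is an assumption.

```python
import copy

def node(model, key, children=None, kind="object_set"):
    """Build one "has" node in the shape used by the request bodies on this page."""
    n = {"type": kind, "operator": "has", "models": [model], "keys": [key]}
    if children is not None:
        n["with"] = {"type": "operation", "operator": "and", "values": children}
    return n

def vulnerability_query():
    """The nested "query" object of the Vulnerability request, rebuilt from the page."""
    package = node("Package", "Package",
                   [node("VulnerablePackage", "VulnerablePackages")])
    installed = node("InstalledPackage", "InstalledPackage",
                     [node("CloudAccount", "CloudAccount", kind="object"), package])
    root = node("VulnerabilityV2", "VulnerabilityV2",
                [installed, node("Inventory", "Inventory"), node("CVE", "CVE")])
    del root["keys"]  # the documented top-level node carries no "keys"
    return root

def find_object_set(tree, model):
    """Depth-first search for the object_set node whose models list is [model]."""
    if tree.get("type") == "object_set" and tree.get("models") == [model]:
        return tree
    for child in tree.get("with", {}).get("values", []):
        found = find_object_set(child, model)
        if found is not None:
            return found
    return None

def inject(query, model, condition):
    """Return a copy of query with condition and-ed into model's nested ObjectSet."""
    result = copy.deepcopy(query)
    target = find_object_set(result, model)
    if target is None:
        raise KeyError(f"no object_set for model {model!r} in query")
    # Nodes such as Inventory and CVE have no "with" clause yet, so create one.
    clause = target.setdefault(
        "with", {"type": "operation", "operator": "and", "values": []})
    clause["values"].append(copy.deepcopy(condition))
    return result

# Constructed filter (assumption): same leaf shape as the Database API condition.
SAMPLE_FILTER = {"key": "NewSubCategory", "type": "str",
                 "operator": "in", "values": ["Databases"]}
```

`inject(vulnerability_query(), "Inventory", SAMPLE_FILTER)` leaves the base query untouched and returns a copy whose Inventory node carries the filter. `CloudAccount` is typed `object` rather than `object_set`, so targeting it raises `KeyError`.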
Vulnerability Definition API
POST {baseUrl}/api/serving-layer/query
Queries VulnerabilityV2 records that have a related CVE object. Each unique CVE generates one vulnerability definition.
{
"ui": false,
"get_results_and_count": false,
"order_by_pk": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"additional_models[]": [],
"query":
{
"type": "object_set",
"operator": "has",
"models":
[
"VulnerabilityV2"
],
"keys":
[
"VulnerabilityV2"
],
"with":
{
"type": "operation",
"operator": "and",
"values":
[
{
"type": "object",
"operator": "has",
"models":
[
"CVE"
],
"keys":
[
"CVE"
]
}
]
}
},
"full_graph_fetch":
{
"enabled": true,
"limit_children": 0
},
"max_tier": 5,
"select": []
}
Vulnerable Package API
POST {baseUrl}/api/serving-layer/query
{
"ui": false,
"enable_pagination": true,
"limit": 1000,
"start_at_index": 0,
"query": {
"type": "object_set",
"operator": "has",
"models": ["VulnerablePackage"],
"keys": ["VulnerablePackage"],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"type": "object_set",
"operator": "has",
"models": ["Package"],
"keys": ["Package"],
"with": {
"type": "operation",
"operator": "and",
"values": [
{
"type": "object_set",
"operator": "has",
"models": ["InstalledPackage"],
"keys": ["InstalledPackages"],
"with": {
"type": "operation",
"operator": "and",
"values": []
}
}
]
}
}
]
}
},
"full_graph_fetch": { "enabled": true }
}
Changelog
The Orca connector has undergone the following changes:
Table 27: Orca connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.2.1 | - Added BUSINESS_UNITS attribute to the Account object. - Added ASSET_CATEGORY, ASSET_SUBCATEGORY, and ASSET_REGION attributes to the Alert object. - Optimized Account and Alert sync queries for improved performance. No migration required. | May 20th, 2026 |
| 3.2.0 | - Added broader inventory coverage through the serving-layer integration, including support for additional asset types such as Secrets, Packages, Installed Packages, and Vulnerable Packages. - Expanded Alert and Vulnerability data with richer security context, including cloud account metadata, related compliance, CVE identifiers, package details, remediation guidance, and risk scoring fields. - Improved cloud account handling and vulnerability definition enrichment with attack vector, exploitability, EPSS, patch availability, and other metadata. - Fixed alert and alert definition attribute mapping issues and sync/schema issues affecting account, vulnerability, and package-related models. Migration required: purge previously synced Orca data for VM Asset, Package, Installed Package, Vulnerability Definition, and related finding models and run a full re-sync after upgrading. | April 14th, 2026 |
| 3.1.9 | - Added two new operation options to filter the retrieved alerts by their asset_subcategory or asset_type. - Added RESULTS and RECOMMENDATION attributes to the Vulnerability object. | October 30th, 2025 |
| 3.1.8 | Updated the API endpoint used by test connection. | October 8th, 2025 |
| 3.1.7 | Code cleanup and general maintenance. | September 25th, 2025 |
| 3.1.6 | - Updated the API endpoint used by the Alert and Alert Definition objects. The Alert and Alert Definition objects now use the api/sonar/query endpoint. - Fixed an issue where several connector object syncs were failing. - Replaced the SYS_ID attribute on all objects with UID. | September 25th, 2025 |
| 3.1.5 | - Improved the legibility of several timestamps by converting raw epoch values to ISO-8601 format. For example, the 1,733,424,289,000 timestamp on the UP_TIME attribute now displays as 2024-12-05T18:44:49Z. - Added the IMAGE_ASSET_UID attribute to the Virtual Machine object. | June 27th, 2025 |
| 3.1.4 | Fixed an issue where the Alert Definition object did not populate normalized status or severity information. | May 30th, 2025 |
| 3.1.3 | - Added the PACKAGE_PATH attribute to the Vulnerable Package object. - Added a new operation option to specify whether to exclude large fields in the retrieved alerts: exclude_large_fields. Starting June 1, 2025, the Orca Alert API endpoint excludes large fields by default. If you want the alerts to include these fields, set this option to 'false'. | May 19th, 2025 |
| 3.1.2 | - Added the RELATED_COMPLIANCES attribute to the Alert object. - Added a new operation option to filter the retrieved alerts by their related compliance frameworks: related_compliances. | April 24th, 2025 |
| 3.1.1 | Fixed an issue where the Vulnerability object sync was failing due to performance limitations with the default pagination settings. As a result, the default page size has been increased from 1,000 to 10,000, per Orca’s recommendation, to improve sync speed and reliability. | April 1st, 2025 |
| 3.1.0 | Added support for the Orca Serving Layer API. | November 1st, 2024 |
| 3.0.2 | Changed the DISTRIBUTION_VERSION attribute type on the Container, Function, and Virtual Machine objects from string to integer. | October 30th, 2024 |
| 3.0.1 | Removed the use of ImmutableSet. | March 24th, 2024 |
| 3.0.0 | Initial Integration+ release. | March 5th, 2024 |