
Orca
Cloud Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Orca Connector fetches and synchronizes cloud security data from the Orca Security platform. It connects to the Orca serving-layer API and processes cloud resources, vulnerabilities, and alerts, mapping them to the Brinqa Data Model.
Data retrieved from Orca
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Account | Yes | Account |
| Alert | Yes | Alert |
| Alert Definition | Yes | Alert Definition |
| API Gateway | Yes | Cloud Resource |
| CDN | Yes | Cloud Resource |
| Certificate | Yes | Cloud Resource |
| Compute Group | Yes | Cloud Resource |
| Container | Yes | Container |
| Container Image | Yes | Container Image |
| Database | Yes | Cloud Resource |
| DNS | Yes | Cloud Resource |
| File System | Yes | Cloud Resource |
| Function | Yes | Cloud Resource |
| IAM Group | Yes | Cloud Resource |
| IAM Policy | Yes | Cloud Resource |
| IAM Role | Yes | Cloud Resource |
| Installed Package | Yes | Installed Package |
| Kubernetes Cluster | Yes | Cloud Resource |
| Load Balancer | Yes | Cloud Resource |
| Logging | Yes | Cloud Resource |
| Machine Learning | Yes | Cloud Resource |
| Messaging and Queue | Yes | Cloud Resource |
| Network Firewall | Yes | Cloud Resource |
| Package | Yes | Package |
| Secret | Yes | Cloud Resource |
| Security Group | Yes | Cloud Resource |
| Service | Yes | Cloud Resource |
| Storage | Yes | Cloud Resource |
| User | Yes | Person |
| Virtual Machine | Yes | Host |
| Virtual Machine Image | Yes | Host Image |
| VPC | Yes | Cloud Resource |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
| Vulnerable Package | Yes | Vulnerable Package |
Model relationships
For detailed steps on how to view the data retrieved from Orca in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Orca from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://api.orcasecurity.io | Orca Security API URL |
| API token | Yes | — | Orca Security API token |
| Page size | No | 10000 | The maximum number of records to get per API request |
| Request timeout (secs) | No | 120 | The maximum seconds allotted before a request will time out. Enter zero (0) to disable timeouts (not recommended). |
| Parallel requests | No | min(availableProcessors, 2) | The maximum number of parallel API requests |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
Authentication
The connector authenticates using an API token (API key) generated in the Orca Security platform.
The token is supplied through the apiToken configuration property and is sent on every request as a static Authorization request header using the scheme Token <apiToken>. There is no separate token-exchange or login call — the same header is attached to each serving-layer query request.
Endpoint
| Method | URL | Purpose |
|---|---|---|
POST | {baseUrl}/api/serving-layer/query | Primary query endpoint used by all models (and by the connection test). |
The default {baseUrl} is https://api.orcasecurity.io.
Request Headers
| Header | Value | Description |
|---|---|---|
Authorization | Token <apiToken> | Static API token used to authenticate requests. |
Content-Type | application/json | Request body is JSON. |
Request Body
Each model sends a QueryRequest specifying the Orca model type(s), optional conditions, related models to include, and pagination. Example body used by the connection test:
{
"query": {
"models": ["CloudAccount"],
"keys": ["CloudAccount"],
"with": { "values": [] }
},
"additionalModels": ["CloudAccount"],
"fullGraphFetch": { "enabled": true },
"limit": 1,
"startAtIndex": 0
}
Sample Response
{
"data": [
{
"models": {
"CloudAccount": {
"id": "cloudaccount_abc123",
"name": "production-account",
"data": {
"cloud_provider": "aws",
"cloud_provider_id": "123456789012",
"cloud_account_type": "AWS",
"vendor_id": "123456789012"
}
}
}
}
],
"error": null
}
Response Fields
| Field | Description |
|---|---|
data | Array of result datasets. Each entry contains the queried model(s) and any related models requested via additionalModels/fullGraphFetch. |
error | Error message string; null (or absent) on success. A non-blank value aborts the query as non-retryable. |
Using the Credential in Subsequent Requests
The API token never expires per-request and is not refreshed: the connector simply re-attaches the Authorization: Token <apiToken> header to every serving-layer query it issues. Authentication is validated up front by the connection test, which posts a single CloudAccount query (limit=1) and checks the response status.
How to obtain Orca credentials
Generate an Orca API token
For the Orca connector to use the Orca API, you must provide an API token. To generate an API token, follow these steps:
-
Log in to your organization's Orca account as an administrator
-
Click Settings from the navigation menu.
-
Navigate to Users & Permissions > API.
-
Click API Tokens, and then click Add API Token. The Add API Token dialog displays.

Provide the following information:
-
Name: Give your API token a name.
-
Description: (Optional) Provide a description of the API token.
-
Never Expire: (Optional) Select this option to mark the token as non-expiring. The Expiration field appears if you clear the checkbox. You can then select the token expiry date if desired.
-
Service Token: (Optional) Service tokens operate independently of individual user accounts, inheriting their permissions based on the creator's permissions. Service tokens remain valid even if the creator's account is deactivated or removed from the organization. If desired, select this option to enable the use of a service token.
-
Role: Define the permissions of the token. While the Administrator role can bring in all data, Brinqa recommends that you use the Viewer role, as this is considered to be the minimum role needed to read and retrieve data. Click the Role dropdown and select Viewer.
- For additional information on Orca roles and permissions, see Orca documentation.
-
Scope: Select the specific accounts or business units that the API token will be authorized to access. Leave this option unchecked if you do not want to limit the data retrieved by the Orca connector.

-
-
Click Add.
Your new API key token displays. You can't view the token again after this. Copy and save it to a secure location.
-
Click Continue.
Note: If you do not have the permissions to create an API token, contact your Orca administrator. For additional information, see Orca documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Account
| Source Field Name | SDM Attribute |
|---|---|
CloudAccount.autoRemediationEnabled | AUTO_REMEDIATION_ENABLED |
CloudAccount.businessUnits (list → names) | BUSINESS_UNITS |
CloudAccount.cloudAccountType | ACCOUNT_TYPE |
CloudAccount.cloudProvider | CLOUD_PROVIDER |
CloudAccount.cloudProviderId | CLOUD_PROVIDER_ID |
CloudAccount.id (Dataset ID) | UID |
CloudAccount.id (Dataset ID) | CLOUD_ACCOUNT_ID |
CloudAccount.name (Dataset Name) | NAME |
CloudAccount.tags (map → key:value strings) | TAGS |
CloudAccount.vendorId | VENDOR_ID |
Instant.now() at sync time | LAST_CAPTURED |
Alert
| Source Field Name | SDM Attribute |
|---|---|
AlertModel.alertId | UID |
AlertModel.assetUniqueId + inventory id, name, assetUniqueId | TARGETS |
AlertModel.category | CATEGORIES |
AlertModel.cloudAccount.data.cloudAccountType | CLOUD_ACCOUNT_TYPE |
AlertModel.cloudAccount.data.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
AlertModel.cloudAccount.data.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
AlertModel.cloudAccount.data.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
AlertModel.cloudAccount.id | CLOUD_ACCOUNT_ID |
AlertModel.cloudAccount.name | CLOUD_ACCOUNT_NAME |
AlertModel.createdAt | SOURCE_CREATED_DATE |
AlertModel.customRemediation | CUSTOM_REMEDIATION |
AlertModel.cveIds | CVE_IDS |
AlertModel.description | DESCRIPTION |
AlertModel.details | SUMMARY |
AlertModel.details | RESULTS |
AlertModel.inventory.assetUniqueId | ASSET_UNIQUE_ID |
AlertModel.inventory.id | ASSET_ID |
AlertModel.inventory.name | ASSET_NAME |
AlertModel.inventory.newCategory | ASSET_CATEGORY |
AlertModel.inventory.newSubCategory | ASSET_SUBCATEGORY |
AlertModel.inventory.region | ASSET_REGION |
AlertModel.inventory.type | ASSET_TYPE |
AlertModel.labels | TAGS |
AlertModel.lastSeen | LAST_FOUND |
AlertModel.lastUpdated | SOURCE_LAST_MODIFIED |
AlertModel.orcaScore | ORCA_SCORE |
AlertModel.recommendation | RECOMMENDATION |
AlertModel.relatedCompliances | RELATED_COMPLIANCES |
AlertModel.remediationConsole joined with \n | REMEDIATION_STEPS |
AlertModel.riskFindings.value.type | RISK_TYPE |
AlertModel.riskLevel (raw) | SOURCE_SEVERITY |
AlertModel.riskLevel → normalizeFindingSeverity() | SEVERITY |
AlertModel.ruleId | TYPE |
AlertModel.score | SCORE |
AlertModel.source | SOURCE |
AlertModel.status (raw) | SOURCE_STATUS |
AlertModel.status → normalizeFindingStatus() | STATUS |
AlertModel.statusTime | STATUS_TIME |
AlertModel.title or AlertModel.alertType | NAME |
Derived from normalized severity via getFindingSeverityScore() | SEVERITY_SCORE |
| Derived from normalized status | STATUS_CATEGORY |
Instant.now() at sync time | LAST_CAPTURED |
| Same as SEVERITY_SCORE | SOURCE_SEVERITY_SCORE |
Alert Definition
| Source Field Name | SDM Attribute |
|---|---|
(schema field; not set in buildConnectorObject for AlertDefinition) | TARGETS |
(schema reference; populated from CVE data) | CVE_RECORDS |
AlertModel.category | CATEGORIES |
AlertModel.createdAt | SOURCE_CREATED_DATE |
AlertModel.customRemediation | CUSTOM_RECOMMENDATION |
AlertModel.cveIds | CVE_IDS |
AlertModel.description | DESCRIPTION |
AlertModel.labels | TAGS |
AlertModel.lastSeen | LAST_FOUND |
AlertModel.lastUpdated | SOURCE_LAST_MODIFIED |
AlertModel.mitreCategory | MITRE_CATEGORY |
AlertModel.mitreTechniques | MITRE_TECHNIQUES |
AlertModel.orcaScore | ORCA_SCORE |
AlertModel.remediationConsole joined with \n | REMEDIATION_STEPS |
AlertModel.riskLevel (raw) | RISK_LEVEL |
AlertModel.riskLevel (raw) | SOURCE_SEVERITY |
AlertModel.riskLevel → normalizeFindingSeverity() | SEVERITY |
AlertModel.ruleId | UID |
AlertModel.ruleQuery | RULE_QUERY |
AlertModel.ruleSource | RULE_SOURCE |
AlertModel.score | SCORE |
AlertModel.status (raw) | SOURCE_STATUS |
AlertModel.status (raw) | PROVIDER_STATUS |
AlertModel.status → normalizeFindingStatus() | STATUS |
AlertModel.statusTime | STATUS_TIME |
AlertModel.title or AlertModel.alertType | NAME |
| Composed from recommendation, remediationCli, remediationConsole | RECOMMENDATION |
| Derived from normalized status | STATUS_CATEGORY |
Derived via getFindingSeverityScore() | SEVERITY_SCORE |
API Gateway
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
CDN
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Certificate
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Compute Group
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Group.GroupType | GROUP_TYPE |
Instant.now() at sync time | LAST_CAPTURED |
Container
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Container.containerLabels (map → key:value strings) | LABELS |
Container.description | DESCRIPTION |
Container.execName | EXEC_NAME |
Container.execPath | EXEC_PATH |
Container.id | CONTAINER_ID |
Container.imageDigest | IMAGE_DIGEST |
Container.imageId | IMAGE_ID |
Container.imageLayersDigest | IMAGE_LAYERS_DIGEST |
Container.imageName | IMAGE_NAME |
Container.imageVersion | IMAGE_VERSION |
Container.k8SContainerName | K8S_CONTAINER_NAME |
Container.k8SPodNames | K8S_POD_NAMES |
Container.k8SPodNamespace | K8S_POD_NAMESPACE |
Container.lastUpdatedTime | SOURCE_LAST_MODIFIED |
Container.maintainer | MAINTAINER |
Container.serviceName | SERVICE_NAME |
Container.storageDriver | STORAGE_DRIVER |
Container.user | USER |
Container.vm.assetUniqueId | HOST |
Derived from imageName + imageVersion (registry-aware parsing) | IMAGE |
Instant.now() at sync time | LAST_CAPTURED |
Container Image
| Source Field Name | SDM Attribute |
|---|---|
ContainerImage.imageDigest | IMAGE_DIGEST |
ContainerImage.imageId | IMAGE_ID |
ContainerImage.imageLabels (map → key:value strings) | IMAGE_LABELS |
ContainerImage.imageLayersDigest | IMAGE_LAYERS_DIGEST |
ContainerImage.imageName | IMAGE_NAME |
ContainerImage.imagePushedAt | IMAGE_PUSHED_AT |
ContainerImage.imageSize | IMAGE_SIZE |
ContainerImage.imageTags | IMAGE_TAGS |
ContainerImage.repositoryName | REPOSITORY |
ContainerImage.repositoryUri | REPOSITORY_URI |
Instant.now() at sync time | LAST_CAPTURED |
| name if non-blank, else assetUniqueId, else id | UID |
Database
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
DNS
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
File System
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Function
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Function.description | DESCRIPTION |
Function.ephemeralStorage | EPHEMERAL_STORAGE |
Function.functionArn | FUNCTION_ARN |
Function.functionId | FUNCTION_ID |
Function.functionName | FUNCTION_NAME |
Function.handler | HANDLER |
Function.packageType | PACKAGE_TYPE |
Function.timeout | TIMEOUT |
Function.tracingConfig | TRACING_CONFIG |
Instant.now() at sync time | LAST_CAPTURED |
IAM Group
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
IAM Policy
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
AwsIamPolicy.AllowsPrivilegeEscalation | ALLOWS_PRIVILEGE_ESCALATION |
AwsIamPolicy.PermissiveActions | PERMISSIVE_ACTIONS |
AwsIamPolicy.PolicyBody (JSON-serialized) | POLICY_BODY |
AwsIamPolicy.PolicyId | POLICY_ID |
Instant.now() at sync time | LAST_CAPTURED |
IAM Role
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
AwsIamRole.RoleLastUsed | ROLE_LAST_USED |
Instant.now() at sync time | LAST_CAPTURED |
Installed Package
| Source Field Name | SDM Attribute |
|---|---|
| Cloud account dataset ID | CLOUD_ACCOUNT_ID |
| Cloud account dataset name | CLOUD_ACCOUNT_NAME |
CloudAccount.cloudAccountType | CLOUD_ACCOUNT_TYPE |
CloudAccount.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
CloudAccount.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
CloudAccount.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
| Dataset id | UID |
InstalledPackage._package().id | TYPE |
InstalledPackage._package().id | PACKAGE_ID |
InstalledPackage.cloudAccount → [assetUniqueId, id] | TARGETS |
InstalledPackage.installDate | INSTALL_DATE |
InstalledPackage.isInstalledByPackageManager | INSTALLED_BY_PACKAGE_MANAGER |
InstalledPackage.name | NAME |
InstalledPackage.nonOsPackagePaths | INSTALL_PATHS |
InstalledPackage.version | REVISION |
Instant.now() at sync time | LAST_CAPTURED |
Kubernetes Cluster
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
AwsEksCluster.EndOfLifeDate | EOL_DATE |
AwsEksCluster.PublicAccessCidrs | PUBLIC_ACCESS_CIDRS |
AwsEksCluster.PubliclyAccessible | PUBLICLY_ACCESSIBLE |
AwsEksCluster.Version | CURRENT_VERSION |
Instant.now() at sync time | LAST_CAPTURED |
Load Balancer
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Logging
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Machine Learning
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Messaging and Queue
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Network Firewall
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Package
| Source Field Name | SDM Attribute |
|---|---|
Dataset id (packageId) | UID |
Instant.now() at sync time | LAST_CAPTURED |
Package.architecture | ARCHITECTURE |
Package.author | PUBLISHER |
Package.cpe | CPE |
Package.description | DESCRIPTION |
Package.edition | EDITION |
Package.endOfLifeDate | EOL_DATE |
Package.isLatest | LATEST |
Package.isOsPackage | OS_PACKAGE |
Package.latestAvailableVersion | LATEST_VERSION |
Package.name | NAME |
Package.releaseDate | RELEASE_DATE |
Package.url | URL |
Package.version | CURRENT_VERSION |
Secret
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Secret.lastAccessedDate | LAST_ASSESSED |
Secret.lastChangedDate | LAST_CHANGED |
Secret.rotationEnabled | ROTATION_ENABLED |
Security Group
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Service
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Storage
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Storage.isVersioningEnabled | VERSIONING_ENABLED |
Storage.totalFilesCount | TOTAL_FILES_COUNT |
Storage.usedStorage | USED_STORAGE |
User
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
User.mfaActive | MFA_ACTIVE |
User.passwordEnabled | PASSWORD_ENABLED |
User.passwordLastChanged | PASSWORD_LAST_CHANGED |
User.passwordLastUsed | PASSWORD_LAST_USED |
User.passwordNextRotation | PASSWORD_NEXT_ROTATION |
User.userId | USERNAME |
Virtual Machine
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
| Looked up from pre-fetched VmImage map using imageId | IMAGE_ASSET_UID |
Vm.imageId (raw) or Vm.image.assetUniqueId (preferred) | IMAGE |
Vm.imageIsPublic | PUBLIC_IMAGE |
Vm.imageName | IMAGE_NAME |
Vm.imageOwnerId | IMAGE_OWNER_ID |
Vm.instanceType | INSTANCE_TYPE |
Vm.uiUniqueField | INSTANCE_ID |
Virtual Machine Image
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
VmImage.imageId | IMAGE_ID |
VmImage.imageOwnerId | IMAGE_OWNER_ID |
VPC
| Source Field Name | SDM Attribute |
|---|---|
| assetUniqueId if non-blank, else id | UID |
Instant.now() at sync time | LAST_CAPTURED |
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
| "Vulnerable Package - <name> : Patched Version - <patchedVersions>" | RECOMMENDATION |
CloudAccount.cloudAccountType | CLOUD_ACCOUNT_TYPE |
CloudAccount.cloudProvider | CLOUD_ACCOUNT_PROVIDER |
CloudAccount.cloudProviderId | CLOUD_ACCOUNT_PROVIDER_ID |
CloudAccount.vendorId | CLOUD_ACCOUNT_VENDOR_ID |
CVE.lastModifiedDate or Instant.now() as default | LAST_FOUND |
| Dataset id | UID |
| Dataset name | NAME |
| Hardcoded "Active" | SOURCE_STATUS |
InstalledPackage.isInstalledByPackageManager | INSTALLED_BY_PACKAGE_MANAGER |
InstalledPackage.isOsPackage | IS_OS_PACKAGE |
InstalledPackage.nonOsPackagePaths | NON_OS_PACKAGE_PATHS |
InstalledPackage.nonOsPackagePaths | RESULTS |
InstalledPackage.version | PACKAGE_VERSION |
Instant.now() at sync time | LAST_CAPTURED |
Inventory [id, assetUniqueId, name] | TARGETS |
normalizeFindingStatus("Active") | STATUS |
VulnerabilityV2Resource.cloudAccount.id | CLOUD_ACCOUNT_ID |
VulnerabilityV2Resource.cloudAccount.name | CLOUD_ACCOUNT_NAME |
VulnerabilityV2Resource.cve.id | TYPE |
VulnerabilityV2Resource.description | DESCRIPTION |
VulnerabilityV2Resource.firstSeen | FIRST_FOUND |
VulnerabilityV2Resource.installedPackage.id | PACKAGE_ID |
VulnerabilityV2Resource.installedPackage.name | PACKAGE_NAME |
VulnerabilityV2Resource.inventory.assetUniqueId | ASSET_UNIQUE_ID |
VulnerabilityV2Resource.inventory.id | ASSET_ID |
VulnerabilityV2Resource.inventory.name | ASSET_NAME |
VulnerabilityV2Resource.inventory.type | ASSET_TYPE |
VulnerabilityV2Resource.patchAvailable | FIXABLE |
VulnerabilityV2Resource.patchAvailable | PATCHABLE |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
(schema field; populated via getCVSSMetrics) | REFERENCES |
| CVE Dataset id | UID |
| CVE Dataset name | NAME |
Cve.cisaKev | CISA_EXPLOITED |
Cve.cvss2Score | CVSS_V2_BASE_SCORE |
Cve.cvss3Score | CVSS_V3_BASE_SCORE |
Cve.cweTypes | CWE_IDS |
Cve.epssPercentile | EPSS_PERCENTILE |
Cve.epssProbability | EPSS_SCORE |
Cve.hasExploit | HAS_EXPLOIT |
Cve.isTrending | TRENDING |
Cve.lastModifiedDate | SOURCE_LAST_MODIFIED |
Cve.publishedDate | PUBLISHED_DATE |
Cve.sourceLink | URL |
Cve.userInteraction | USER_INTERACTION |
Parsed from VulnerabilityV2Resource.cvssVector (AV: field → Network/Adjacent/Local/Physical) | ATTACK_VECTOR |
VulnerabilityV2Resource.description | DESCRIPTION |
VulnerabilityV2Resource.patchAvailable | PATCHABLE |
VulnerabilityV2Resource.patchedVersions | PATCHED_VERSIONS |
VulnerabilityV2Resource.patchReleaseDate | PATCH_RELEASE_DATE |
VulnerabilityV2Resource.threatImpact | THREAT_IMPACT |
Vulnerable Package
| Source Field Name | SDM Attribute |
|---|---|
Collected from all linked InstalledPackage.nonOsPackagePaths | PACKAGE_PATH |
| Dataset id | UID |
Instant.now() at sync time | LAST_CAPTURED |
VulnerablePackage._package().id | PACKAGE_ID |
VulnerablePackage.cve().id | VULNERABILITY_DEFINITION_ID |
VulnerablePackage.fixed | FIXED |
VulnerablePackage.patchedVersions | PATCHED_VERSIONS |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Account
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query
Alert
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
CreatedAt >= since(whensinceis set)
Alert Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
CreatedAt >= since(whensinceis set)
API Gateway
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
CDN
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Certificate
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Compute Group
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Container
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Container Image
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Database
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
NewSubCategory = Databases
DNS
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
File System
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Function
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
IAM Group
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
IAM Policy
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
IAM Role
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Installed Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
InstallDate in_past <daysSince(since)> days(whensinceis set andinstallDateInPastDaysis not provided)
Kubernetes Cluster
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Load Balancer
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Logging
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Machine Learning
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Messaging and Queue
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Network Firewall
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
ReleaseDate in_past <releaseDateInPastDays> days(only when thereleaseDateInPastDaysoption is set)
Secret
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Security Group
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Service
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Storage
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
NewSubCategory = Buckets; plusLastSeen >= since(whensinceis set)
User
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Virtual Machine
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Virtual Machine Image
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
VPC
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
LastSeen >= since(whensinceis set)
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query - Default filters:
FirstSeen >= since(whensinceis set)
Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query
Vulnerable Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (JSON query DSL) · Endpoint:
POST {baseUrl}/api/serving-layer/query
Changelog
The Orca connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.2 | New Features - Added support for a new Messaging and Queue asset model that ingests AWS SNS topics (AwsSnsTopic) and SQS queues (AwsSqsQueue) from Orca, addressing orphaned alerts that previously had no matching asset to attach to. - Added support for a new Logging asset model that ingests AWS CloudTrail trails (AwsCloudTrail) and Config recorders (AwsConfigurationRecorder) from Orca, addressing orphaned alerts for the Security and Monitoring / Logging subcategory. - Added support for a new File System asset model that ingests AWS EFS file systems (AwsEfsFileSystem) from Orca, addressing orphaned alerts for the Data Storage / File System subcategory. - Added support for a new Certificate asset model that ingests AWS Certificate Manager certificates (AwsCertificate) from Orca, addressing orphaned alerts for the Encryption and Secrets / Certificates subcategory. - Added support for a new DNS asset model that ingests AWS Route 53 hosted zones (AwsRoute53HostedZone) from Orca, addressing orphaned alerts for the Network / DNS subcategory. - Added support for a new CDN asset model that ingests AWS CloudFront distributions (AwsCloudFront) from Orca, addressing orphaned alerts for the Network / CDN subcategory. - Added support for a new Load Balancer asset model that ingests AWS classic and v2 load balancers (AwsEc2Elb, AwsEc2Elbv2) from Orca, addressing orphaned alerts for the Network / Load Balancers subcategory. - Added support for a new Kubernetes Cluster asset model that ingests AWS EKS clusters (AwsEksCluster) from Orca with cluster-specific attributes (Kubernetes version, end-of-life date, public API access settings), addressing orphaned alerts for the Kubernetes / Kubernetes Clusters subcategory. - Added support for a new Machine Learning asset model that ingests AWS SageMaker notebook instances (AwsSagemakerNotebookInstance) from Orca, addressing orphaned alerts for the AI And Machine Learning / Machine Learning subcategory. - Added support for a new Service asset model that ingests AWS CodeBuild credentials (AwsCodebuildCredentials) from Orca, addressing orphaned alerts for the Compute Services / Services subcategory. - Added support for a new IAM Policy asset model that ingests AWS inline and managed IAM policies (AwsIamPolicy, AwsIamManagedPolicy) from Orca with policy-specific attributes (policy ID, policy body JSON, privilege-escalation flag, permissive actions), addressing orphaned alerts for the Identity and Access / Access & Entitlements subcategory. - Added support for a new IAM Role asset model that ingests AWS IAM roles (AwsIamRole) from Orca with role-specific attributes (last-used timestamp), addressing orphaned alerts for the Identity and Access / Cloud Non-Human Identities (NHI) subcategory. - Added support for a new IAM Group asset model that ingests AWS IAM groups (AwsIamGroup) from Orca, addressing orphaned alerts for the Identity and Access / Users & Groups subcategory. - Added support for a new Compute Group asset model that ingests Orca's logical compute groupings (Group, e.g. Kubernetes workload groups) from Orca with a GROUP_TYPE attribute, addressing orphaned alerts for the Compute Services / Groups subcategory. - Added support for a new VPC asset model that ingests AWS VPCs and subnets (AwsVpc, AwsSubnet) from Orca, addressing orphaned alerts for those types under the Network / Segregation/Transport subcategory. - Added support for a new Security Group asset model that ingests AWS EC2 security groups (AwsEc2SecurityGroup) from Orca, addressing orphaned alerts under the Network / Segregation/Transport subcategory. - Added support for a new Network Firewall asset model that ingests AWS Network Firewall rule groups and policies (AwsNetworkFirewallRuleGroup, AwsNetworkFirewallPolicy) from Orca, addressing orphaned alerts under the Network / Segregation/Transport subcategory. - Added support for a new API Gateway asset model that ingests AWS API Gateway endpoints (AwsApiGatewayEndpoint) from Orca, addressing orphaned alerts under the Network / Segregation/Transport subcategory. | N/A |
| 3.2.1 | New Features - Added Business Units attribute to the Account model, making it possible to see which Orca business units each cloud account belongs to. - Added Asset Category, Asset Subcategory, and Asset Region attributes to the Alert model, providing richer asset context directly on each alert for improved filtering and reporting. Improvements - Optimized Account and Alert sync queries to request only the specific fields the connector uses, reducing data transfer and improving sync performance. | N/A |
| 3.2.0 | New Features - Added broader Orca inventory coverage through the serving-layer integration, including support for additional asset types such as Secrets, Packages, Installed Packages, and Vulnerable Packages. - Expanded Alert and Vulnerability data with richer security context, including cloud account metadata, related compliances, CVE identifiers, package details, remediation guidance, and risk scoring fields. - Added new inventory and relationship details such as LAST_CAPTURED, package paths, image-to-asset linkage, and additional compute, function, storage, and account attributes to improve investigation and reporting in Brinqa. Improvements - Improved cloud account handling across inventory and findings so assets and findings carry more consistent account identifiers, provider metadata, and account relationships. - Updated the connector to use Orca's newer query and serving-layer models, which improves data collection coverage and aligns sync behavior across inventory, alerts, and vulnerabilities. - Improved vulnerability definition enrichment with attack vector, exploitability, EPSS, patch availability, patch release date, trending status, and other metadata useful for prioritization. Bug Fixes - Fixed alert and alert definition attribute mapping issues so remediation data, custom recommendations, and related fields are stored with the correct data types and values. - Fixed sync and schema issues affecting account, vulnerability, and package-related models, including safer handling of remediation content and improved object mapping for package and image relationships. | • VM Asset, Package, Installed Package, Vulnerability Definition, and related finding models: Existing identifiers and several attribute data types changed on this branch, including UID generation in some models and time/remediation fields in others. Action: purge previously synced Orca data for these models and run a full re-sync after upgrading. |