Orca Security
Integration version: 8.0
Configure Orca Security integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
UI Root | String | https://{ui instance} | Yes | UI root of the Orca Security instance. |
API Root | String | https://{api instance} | Yes | API root of the Orca Security instance. |
API Key | String | N/A | Yes | API Key of the Orca Security account. Provide either an API Key or an API Token; if both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used. |
API Token | String | N/A | Yes | API Token of the Orca Security account. Provide either an API Key or an API Token; if both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verify that the SSL certificate for the connection to the Orca Security server is valid. Keep it enabled outside of testing: without verification, anyone able to impersonate the API root can capture the API key or token. |
How to generate API key
- Go to Settings > Integrations > Orca API.
- Click Manage Keys, and then click Generate a new key.
- Copy and paste the generated key into Google Security Operations SOAR.
Use Cases
- Ingest alerts.
- Fetch information about assets or vulnerabilities.
- Triage alerts.
- Track compliance.
Actions
Ping
Description
Test connectivity to Orca Security with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
This action doesn't run on entities and has no mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: "Successfully connected to the Orca Security server with the provided connection parameters!" The action should fail and stop a playbook execution. If not successful: "Failed to connect to the Orca Security server! Error is {0}".format(exception.stacktrace) | General |
Update Alert
Description
Update an alert in Orca Security.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert that needs to be updated. |
Verify Alert | Checkbox | Unchecked | No | If enabled, the action initiates the verification process for the alert. |
Snooze State | DDL | Select One | No | Specify the snooze state for the alert. Set it to "Snooze" to snooze the alert for the number of days given in the "Snooze Days" parameter. |
Snooze Days | String | 1 | No | Specify the number of days the alert needs to be snoozed for. Used only when the "Snooze State" parameter is set to "Snooze"; the default value snoozes the alert for 1 day. |
Status | DDL | Select One | No | Specify the status to set for the alert. |
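The parameters above interact: at least one of "Status", "Verify Alert" or "Snooze State" must be set, and "Snooze Days" only matters when "Snooze State" is "Snooze" (defaulting to one day). The Python below is an added example, not the integration's own code, that validates those parameters and computes the resulting snooze end time the way the JSON result further down shows it (snooze_until exactly one day after the update time). The function names, the handling of the "Select One" placeholder, the pass-through of any non-"Snooze" snooze state, and the string form of `now` are assumptions; the request the action actually sends to Orca is not shown on this page.

```python
from datetime import datetime, timedelta, timezone

SELECT_ONE = "Select One"   # DDL placeholder: the parameter was left unset
DEFAULT_SNOOZE_DAYS = 1     # documented default of the "Snooze Days" parameter


def parse_snooze_days(value):
    """"Snooze Days" arrives as a string; empty means the documented 1-day default."""
    if value is None or str(value).strip() == "":
        return DEFAULT_SNOOZE_DAYS
    try:
        days = int(str(value).strip())
    except ValueError:
        days = 0
    if days < 1:
        raise ValueError('"Snooze Days" needs to be a positive whole number of days.')
    return days


def plan_alert_update(alert_id, verify_alert=False, snooze_state=SELECT_ONE,
                      snooze_days=None, status=SELECT_ONE, now=None):
    """Validate the Update Alert parameters and return the changes to apply.

    The result holds only the operations that were requested, for example
    {"alert_id": "orca-265", "snooze_until": "2022-04-05T13:50:31+00:00"}.
    ValueError carries the reason text the action documents. `now` may be a
    datetime or an ISO-8601 string (assumed helper for reproducible results).
    """
    if alert_id is None or not str(alert_id).strip():
        raise ValueError('"Alert ID" needs to be provided.')
    snooze_requested = snooze_state != SELECT_ONE
    status_requested = status != SELECT_ONE
    if not (verify_alert or snooze_requested or status_requested):
        raise ValueError('at least one of the following parameters needs to be '
                         'provided: "Status", "Verify Alert", "Snooze State".')

    plan = {"alert_id": str(alert_id).strip()}
    if verify_alert:
        plan["verify"] = True
    if snooze_requested:
        if snooze_state == "Snooze":
            days = parse_snooze_days(snooze_days)
            if now is None:
                now = datetime.now(timezone.utc)
            elif isinstance(now, str):
                now = datetime.fromisoformat(now)
            # The JSON result shows snooze_until exactly N days after the update time.
            plan["snooze_until"] = (now + timedelta(days=days)).isoformat()
        else:
            # Other snooze states are not named on this page; pass them through.
            plan["snooze_state"] = snooze_state
    if status_requested:
        plan["status"] = status
    return plan


def validation_error(**params):
    """Return the ValueError message for a parameter set, or None if it is valid."""
    try:
        plan_alert_update(**params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(plan_alert_update("orca-265", snooze_state="Snooze",
                            now="2022-04-04T13:50:31+00:00"))
    print(validation_error(alert_id="orca-265"))
```

Running the block with the update time taken from the JSON result (2022-04-04T13:50:31+00:00) reproduces the snooze_until value shown there, one day later; calling it with every parameter left at its placeholder reproduces the "at least one of the following parameters" error.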
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"group_val": "nongroup",
"asset_type_string": "AwsIamRole",
"data": {
"recommendation": "Unused roles should be disabled or removed",
"details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
"title": "Unused role with policy found"
},
"alert_labels": [
"mitre: initial access"
],
"configuration": {
"user_status": "snoozed",
"snooze_until": "2022-04-05T13:50:31.600118+00:00"
},
"is_compliance": false,
"group_type_string": "NonGroup",
"description": "Unused role with policy found",
"recommendation": "Unused roles should be disabled or removed",
"source": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"group_type": "AwsIamRole",
"cluster_type": "AwsIamRole",
"type": "aws_iam_old_role_with_policy",
"group_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
"cloud_account_id": "1b6a52d3-58ed-4879-af03-b99f252f532d",
"type_string": "Unused role with policy found",
"asset_name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"account_name": "alon-vendors",
"asset_type": "AwsIamRole",
"context": "control",
"details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
"model": {
"data": {
"Inventory": {
"Category": "Users and Access",
"UiUniqueField": "AROAYJTTMYDYKG3VCCXFF_arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"SubCategory": "Roles",
"Observations": [],
"Tags": "{}",
"Name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"AccessEndpoints": "[]"
},
"AwsIamRole": {
"Path": "/",
"AssumeRolePolicy": {
"model": {
"name": "arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb_AssumeRolePolicy",
"id": "e739eb76-39f6-8cf3-62fa-47d36ff25a90",
"type": "AwsIamAssumeRolePolicy"
}
},
"Policies": {
"models": [
{
"model": {
"data": {
"AwsIamPolicy": {
"PolicyBody": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"*\"], \"Effect\": \"Allow\", \"Resource\": [\"*\"]}]}",
"IsPermissive": true,
"PermissiveActions": [
"Administrative Privileges"
],
"ResourceType": "managed_policy",
"PolicyId": "arn:aws:iam::aws:policy/AdministratorAccess",
"Name": "AdministratorAccess"
},
"Inventory": {
"Category": "Users and Access",
"UiUniqueField": "arn:aws:iam::aws:policy/AdministratorAccess",
"SubCategory": "Policies",
"Observations": [],
"Name": "AdministratorAccess",
"AccessEndpoints": "[]"
}
},
"name": "AdministratorAccess",
"asset_unique_id": "AwsIamPolicy_570398916848_e739eb76-e4a6-930f-457b-ad93e60bfb4a",
"id": "e739eb76-3ee7-fe8e-92c7-029cefb490e5",
"type": "AwsIamPolicy"
}
}
],
"remaining": 0
},
"RoleLastUsed": "2021-04-18T14:49:54+00:00",
"AuthorizedServices": {
"models": [
{
"model": {
"name": "appstream",
"id": "e739eb76-3017-e620-9123-f8ee3cd7ef8d",
"type": "AwsEntityAuthorizedService"
}
}
],
"remaining": 180
},
"InstanceProfileArnList": [],
"RoleTags": [],
"Arn": "arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"PermissionUsage": 0.0,
"RoleId": "AROAYJTTMYDYKG3VCCXFF",
"CreateDate": "2020-12-08T12:07:12+00:00",
"Name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb"
}
},
"name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"asset_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
"id": "e739eb76-349c-82af-7e37-f1aa43e45a48",
"type": "AwsIamRole"
},
"state": {
"severity": "hazardous",
"last_updated": "2022-04-04T13:50:31+00:00",
"last_seen": "2022-04-03T21:00:05+00:00",
"in_verification": false,
"low_since": "2022-04-04T13:50:31+00:00",
"created_at": "2022-03-19T16:55:08+00:00",
"closed_time": null,
"verification_status": null,
"score": 3,
"alert_id": "orca-265",
"high_since": null,
"closed_reason": null,
"status_time": "2022-04-04T13:50:31+00:00",
"status": "snoozed"
},
"rule_query": "AwsIamRole with Policies with (RoleLastUsed + 90 days < now) or (not RoleLastUsed and CreateDate + 90 days < now)",
"cluster_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
"cluster_name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"subject_type": "AwsIamRole",
"group_name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"level": 0,
"is_rule": true,
"cloud_provider": "aws",
"organization_name": "Partners",
"type_key": "a1751923a9161ea6c84fe9a071efd3af",
"cloud_vendor_id": "570398916848",
"rule_id": "r01d84719d0",
"asset_category": "Users and Access",
"asset_state": "enabled",
"organization_id": "e739eb76-3d1a-4022-b5d0-360b10d44685",
"asset_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
"cloud_provider_id": "570398916848",
"category": "IAM misconfigurations",
"asset_vendor_id": "AROAYJTTMYDYKG3VCCXFF_arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
"frameworks": [
{
"display_name": "Orca Best Practices",
"id": "orca_best_practices",
"custom": false,
"description": "Orca Best Practices",
"active": false
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If the 200 status code is reported (is_success=true): "Successfully updated alert with ID "{id}" in Orca Security." If the "requested to set same configuration" error is reported (is_success=true): "Alert with ID "{id}" already has status "{status}" in Orca Security." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials or no connection to the server, is reported: "Error executing action "Update Alert". Reason: {0}".format(error.Stacktrace) If another error is reported: "Error executing action "Update Alert". Reason: {error}." If "Snooze" is selected for the "Snooze State" parameter and "Snooze Days" is not provided: "Error executing action "Update Alert". Reason: "Snooze Days" needs to be provided." If "Select One" is selected for both the "Snooze State" and "Status" parameters, and the "Verify Alert" parameter is not enabled: "Error executing action "Update Alert". Reason: at least one of the following parameters needs to be provided: "Status", "Verify Alert", "Snooze State". | General |
Add Comment To Alert
Description
Add a comment to alert in Orca Security.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Alert ID | String | N/A | Yes | Specify the ID of the alert to which the action needs to add a comment. |
Comment | String | N/A | Yes | Specify the comment that needs to be added to the alert. |
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"unique_id": 315478535,
"user_email": "tip.labops@siemplify.co",
"user_name": "John Doe",
"alert_id": "orca-264",
"asset_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
"create_time": "2022-03-28T14:06:10+00:00",
"type": "comment",
"details": {
"description": "Added comment",
"comment": "asd"
}
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If the 200 status code is reported (is_success=true): "Successfully added a comment to alert with ID "{id}" in Orca Security." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials or no connection to the server, is reported: "Error executing action "Add Comment To Alert". Reason: {0}".format(error.Stacktrace) If another error is reported: "Error executing action "Add Comment To Alert". Reason: {error}." | General |
Get Asset Details
Description
Retrieve information about assets from Orca Security.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Asset IDs | CSV | N/A | Yes | Specify a comma-separated list of asset ids for which you want to return details. |
Return Vulnerabilities Information | Checkbox | Checked | No | If enabled, the action returns vulnerabilities that are related to the asset. |
Lowest Severity For Vulnerabilities | DDL | Hazardous | No | The lowest severity that needs to be used to fetch vulnerabilities. |
Max Vulnerabilities To Fetch | Integer | 50 | No | Specify the number of vulnerabilities to return per asset. Maximum: 100 |
Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight for every enriched asset. |
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"group_val": "nongroup",
"asset_type_string": "AwsIamRole",
"configuration": {},
"group_type_string": "NonGroup",
"group_type": "AwsIamRole",
"cluster_type": "AwsIamRole",
"type": "AwsIamRole",
"group_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
"cloud_account_id": "1b6a52d3-58ed-4879-af03-b99f252f532d",
"asset_name": "AWSServiceRoleForElastiCache",
"account_name": "alon-vendors",
"context": "control",
"asset_type": "AwsIamRole",
"model": {
"data": {
"AwsIamRole": {
"AssumeRolePolicy": {
"model": {
"name": "arn:aws:iam::570398916848:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache_AssumeRolePolicy",
"id": "e739eb76-34d7-819c-77aa-b453455f9528",
"type": "AwsIamAssumeRolePolicy"
}
},
"Path": "/aws-service-role/elasticache.amazonaws.com/"
},
"Inventory": {
"DetectedCrownJewelScore": 0,
"DetectedCrownJewelReason": null
}
},
"name": "AWSServiceRoleForElastiCache",
"asset_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
"id": "e739eb76-3314-943e-66ba-053b4610b9c7",
"type": "AwsIamRole"
},
"state": {
"severity": "hazardous",
"score": 3,
"unsafe_since": "2022-03-19T17:06:36+00:00",
"safe_since": null,
"last_seen": "2022-03-28T13:36:42+00:00",
"created_at": "2022-03-19T17:06:36+00:00",
"status_time": "2022-03-19T17:06:36+00:00",
"status": "exists"
},
"cluster_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
"cluster_name": "AWSServiceRoleForElastiCache",
"group_name": "AWSServiceRoleForElastiCache",
"level": 0,
"cloud_provider": "aws",
"organization_name": "Partners",
"asset_subcategory": "Roles",
"cloud_vendor_id": "570398916848",
"asset_category": "Users and Access",
"asset_state": "enabled",
"organization_id": "e739eb76-3d1a-4022-b5d0-360b10d44685",
"cloud_provider_id": "570398916848",
"asset_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
"asset_vendor_id": "AROAYJTTMYDYCMTKRKRZ3_arn:aws:iam::570398916848:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache",
"vulnerabilities": [
{
"asset_auto_updates": "off",
"vm_asset_unique_id": "vm_570398916848_i-0c80a86a5c14d9d36",
"group_type_string": "VM",
"asset_regions_names": [
"N. Virginia"
],
"group_type": "k8s",
"cluster_type": "k8s",
"type": "cve",
"score": 4,
"vm_id": "i-0c80a86a5c14d9d36",
"asset_name": "Omikron",
"context": "data",
"nvd": {
"cvss2_severity": "MEDIUM",
"cvss2_score": 5.0,
"cvss3_severity": "HIGH",
"cvss3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cvss3_score": 7.5,
"cvss2_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
},
"asset_distribution_version": "2 (2022.01.05)",
"asset_first_public_ips": [
"34.207.193.180"
],
"cloud_provider_id": "570398916848",
"asset_num_public_ips": 1,
"asset_labels": [
"internet_facing",
"brute-force_attempts"
],
"asset_distribution_name": "Amazon",
"affected_packages": [
"/opt/cni/bin/host-local",
"/opt/cni/bin/macvlan",
"/opt/cni/bin/bridge",
"/opt/cni/bin/flannel",
"/opt/cni/bin/host-device"
],
"asset_role_names": [
"ssh"
],
"asset_ingress_ports": [
"32609",
"31030"
]
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one asset (is_success=true): "Successfully enriched the following assets using information from Orca Security: {asset id}" If data is not available for one asset (is_success=true): "Action wasn't able to enrich the following assets using information from Orca Security: {asset id}" If data is not available for all assets (is_success=false): "None of the provided assets were enriched." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials or no connection to the server, is reported: "Error executing action "Get Asset Details". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table | Table Name: Asset Details | General |
Get Compliance Info
Description
Get information about compliance based on selected frameworks in Orca Security.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Framework Names | CSV | N/A | No | Specify a comma-separated list of names of the frameworks for which you want to retrieve compliance details. If nothing is provided, the action returns information about all selected frameworks. |
Max Frameworks To Return | Integer | 50 | No | Specify the number of frameworks to return. |
Create Insight | Checkbox | Checked | Yes | If enabled, the action creates an insight containing information about compliance. |
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"frameworks": [
{
"display_name": "Orca Best Practices",
"id": "orca_best_practices",
"custom": false,
"description": "Orca Best Practices",
"active": true,
"avg_score_percent": 70,
"test_results": {
"FAIL": 121,
"PASS": 284
},
"categories": {
"total_count": 12,
"data": {
"Storage": {
"FAIL": 28,
"PASS": 35
},
"Database": {
"FAIL": 8,
"PASS": 94
},
"Monitoring": {
"FAIL": 20,
"PASS": 4
},
"Users and Access": {
"FAIL": 23,
"PASS": 11
},
"Network": {
"FAIL": 29,
"PASS": 96
},
"Messaging Service": {
"FAIL": 1,
"PASS": 11
},
"Serverless": {
"FAIL": 3,
"PASS": 13
},
"Vm": {
"FAIL": 6,
"PASS": 4
},
"Authentication": {
"FAIL": 4,
"PASS": 10
},
"Account": {
"PASS": 1
},
"ComputeServices": {
"FAIL": 1,
"PASS": 2
},
"Container": {
"PASS": 1
}
}
},
"top_accounts": [
{
"570398916848": {
"account_name": "alon-vendors",
"FAIL": 121,
"PASS": 284
}
}
]
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If the 200 status code is reported (is_success=true): "Successfully returned information about compliance in Orca Security." If one framework is not found (is_success=true): "Information from the following frameworks wasn't found in Orca Security. Please check the spelling." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials or no connection to the server, is reported: "Error executing action "Get Compliance Info". Reason: {0}".format(error.Stacktrace) If none of the frameworks are found (is_success=false): "Error executing action "Get Compliance Info". Reason: none of the provided frameworks were found in Orca Security. Please check the spelling." | General |
Case Wall Table | Table Name: Compliance Details | General |
Scan Assets
Description
Scan assets in Orca Security.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Asset IDs | CSV | N/A | Yes | Specify a comma-separated list of asset IDs that you want to scan. |
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"version": "0.1.0",
"scan_unique_id": "4f606aae-9e9b-4d01-aa29-797a06b6300e",
"asset_unique_ids": [
"i-080f6dfdeac0c7ffc"
],
"status": "done"
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one asset (is_success=true): "Successfully scanned the following assets in Orca Security: {asset name}" If data is not available for one asset or the asset is not found (is_success=true): "Action wasn't able to scan the following assets in Orca Security: {asset name}" If data is not available for all assets (is_success=false): "None of the provided assets were scanned." Async message: "Pending assets: {asset names}" The action should fail and stop a playbook execution. If a fatal error, like wrong credentials or no connection to the server, is reported: "Error executing action "Scan Assets". Reason: {0}".format(error.Stacktrace) If the action ran into a timeout: "Error executing action "Scan Assets". Reason: action ran into a timeout during execution. Pending assets: {assets that are still in progress}. Please increase the timeout in IDE." | General |
Get Vulnerability Details
Description
Retrieve information about vulnerabilities from Orca Security.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
CVE IDs | CSV | N/A | No | Specify a comma-separated list of CVEs that need to be enriched. |
Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight for every enriched vulnerability. Insight creation is not affected by the filtering that can be made with the "Fields To Return" parameter. |
Max Assets To Return | Integer | 50 | No | Specify how many assets related to the CVE to return. Maximum: 10000 |
Fields To Return | CSV | N/A | No | Specify a comma-separated list of fields that need to be returned. If a vulnerability doesn't have a requested field, that field's value is set to null. Note: This parameter is matched against the flattened JSON object. Example: "object": {"id": 123} -> object_id is the key. |
Output | DDL | JSON | No | Specify the type of the output for the action. Possible values: JSON, CSV. If "JSON" is selected, the action returns a regular JSON result. If "CSV" is selected, the action creates a file in the action execution folder and the JSON result contains a path to that file. |
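The "Fields To Return" note describes a flattening rule ("object": {"id": 123} becomes the key object_id) and says that fields a vulnerability doesn't have come back as null. The Python below is an added example, not the integration's code, that implements that flattening, the field selection, and the CSV rendering chosen by the "Output" parameter. It assumes nested dictionaries are joined with an underscore and that lists are kept as single values; the sample results are constructed from a trimmed subset of the JSON result further down.

```python
import csv
import io
import json

# Constructed sample: a trimmed subset of the Get Vulnerability Details result.
SAMPLE_RESULTS = [
    {
        "asset_name": "alon-test",
        "cve_id": "CVE-2019-16276",
        "fix_available": True,
        "nvd": {"cvss3_score": 7.5, "cvss3_severity": "HIGH"},
        "asset_regions": ["us-east-1"],
    },
    {
        # Second asset has no fix_available flag and no NVD severity.
        "asset_name": "Omikron",
        "cve_id": "CVE-2019-16276",
        "nvd": {"cvss3_score": 7.5},
        "asset_regions": ["us-east-1"],
    },
]


def flatten(obj, parent_key="", sep="_"):
    """Flatten nested dicts: {"object": {"id": 123}} -> {"object_id": 123}.

    Lists are kept as values rather than expanded (assumption; the page only
    documents dict nesting).
    """
    flat = {}
    for key, value in obj.items():
        full_key = f"{parent_key}{sep}{key}" if parent_key else key
        if isinstance(value, dict):
            flat.update(flatten(value, full_key, sep))
        else:
            flat[full_key] = value
    return flat


def parse_fields(fields_to_return):
    """Comma-separated "Fields To Return" -> list of flattened keys (empty = all)."""
    return [f.strip() for f in (fields_to_return or "").split(",") if f.strip()]


def select_fields(results, fields_to_return=""):
    """Apply "Fields To Return" to every result; absent fields come back as None."""
    wanted = parse_fields(fields_to_return)
    rows = []
    for item in results:
        flat = flatten(item)
        rows.append({f: flat.get(f) for f in wanted} if wanted else flat)
    return rows


def to_csv(rows):
    """Render rows as CSV text (the CSV output mode writes this to a file).

    The header is the union of keys in first-seen order, so rows with different
    keys still line up; list or dict values are JSON-encoded into one cell.
    """
    header = []
    for row in rows:
        for key in row:
            if key not in header:
                header.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: json.dumps(v) if isinstance(v, (list, dict)) else v
                         for k, v in row.items()})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(select_fields(SAMPLE_RESULTS,
                               "asset_name, nvd_cvss3_severity, fix_available")))
```

Requesting "asset_name, nvd_cvss3_severity, fix_available" yields a HIGH / True row for the first asset and empty cells for the second, which is the null behaviour the parameter note describes; with no field list every flattened key is returned.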
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"cve_id": "{cve_id}",
"results": [
{
"asset_auto_updates": "off",
"vm_asset_unique_id": "vm_570398916848_i-07cb1901406d7f7a2",
"group_type_string": "VM",
"asset_regions_names": [
"N. Virginia"
],
"group_type": "asg",
"cluster_type": "asg",
"type": "cve",
"score": 4,
"vm_id": "i-07cb1901406d7f7a2",
"asset_name": "alon-test",
"context": "data",
"nvd": {
"cvss2_severity": "MEDIUM",
"cvss2_score": 5.0,
"cvss3_severity": "HIGH",
"cvss3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cvss3_score": 7.5,
"cvss2_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
},
"asset_distribution_version": "2 (2022.01.05)",
"asset_first_public_ips": [
"54.234.117.173"
],
"asset_first_private_ips": [
"10.0.85.56"
],
"group_name": "alon-test",
"level": 1,
"fix_available_state": "Yes",
"organization_name": "Partners",
"published": "2019-09-30T19:15:00+00:00",
"packages": [
{
"installed_version": "1.12.13",
"package_name": "/opt/cni/bin/vlan",
"non_os_package_paths": [
"/opt/cni/bin/vlan"
],
"patched_version": "1.13.1"
},
{
"installed_version": "1.12.13",
"package_name": "/opt/cni/bin/ipvlan",
"non_os_package_paths": [
"/opt/cni/bin/ipvlan"
],
"patched_version": "1.13.1"
},
{
"installed_version": "1.12.13",
"package_name": "/opt/cni/bin/firewall",
"non_os_package_paths": [
"/opt/cni/bin/firewall"
],
"patched_version": "1.13.1"
},
{
"installed_version": "1.12.13",
"package_name": "/opt/cni/bin/tuning",
"non_os_package_paths": [
"/opt/cni/bin/tuning"
],
"patched_version": "1.13.1"
},
{
"installed_version": "1.12.13",
"package_name": "/opt/cni/bin/loopback",
"non_os_package_paths": [
"/opt/cni/bin/loopback"
],
"patched_version": "1.13.1"
}
],
"cloud_vendor_id": "570398916848",
"labels": [
"fix_available"
],
"asset_image_id": "ami-0d6c8b2a8562eba37",
"asset_num_public_dnss": 1,
"cve_id": "CVE-2019-16276",
"asset_state": "running",
"organization_id": "e739eb76-3d1a-4022-b5d0-360b10d44685",
"asset_availability_zones": [
"us-east-1b"
],
"asset_unique_id": "vm_570398916848_i-07cb1901406d7f7a2",
"asset_num_private_dnss": 1,
"asset_vendor_id": "i-07cb1901406d7f7a2",
"cvss3_score": 6.5,
"group_val": "nongroup",
"asset_type_string": "VM",
"asset_regions": [
"us-east-1"
],
"group_unique_id": "asg_570398916848_alon-test",
"cloud_account_id": "1b6a52d3-58ed-4879-af03-b99f252f532d",
"asset_num_private_ips": 1,
"account_name": "alon-vendors",
"asset_type": "vm",
"fix_available": true,
"cvss3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cluster_unique_id": "asg_570398916848_alon-test",
"summary": "Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.",
"severity": "informational",
"cluster_name": "alon-test",
"asset_first_public_dnss": [
"ec2-54-234-117-173.compute-1.amazonaws.com"
],
"tags_info_list": [
"aws:ec2launchtemplate:version|1",
"aws:autoscaling:groupName|alon-test",
"aws:ec2launchtemplate:id|lt-09b558a2361e6b988"
],
"asset_first_private_dnss": [
"ip-10-0-85-56.ec2.internal"
],
"cloud_provider": "aws",
"asset_vpcs": [
"vpc-07ef7f777429cfd82"
],
"source_link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16276",
"asset_category": "VM",
"asset_distribution_major_version": "2",
"asset_tags_info_list": [
"aws:ec2launchtemplate:version|1",
"aws:autoscaling:groupName|alon-test",
"aws:ec2launchtemplate:id|lt-09b558a2361e6b988"
],
"cloud_provider_id": "570398916848",
"asset_num_public_ips": 1,
"asset_labels": [
"brute-force_attempts"
],
"asset_distribution_name": "Amazon",
"affected_packages": [
"/opt/cni/bin/vlan",
"/opt/cni/bin/ipvlan",
"/opt/cni/bin/firewall",
"/opt/cni/bin/tuning",
"/opt/cni/bin/loopback"
],
"asset_role_names": [
"ssh"
]
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one vulnerability (is_success=true): "Successfully enriched the following vulnerabilities using information from Orca Security: {cve id}" If data is not available for one vulnerability (is_success=true): "Action wasn't able to enrich the following vulnerabilities using information from Orca Security: {cve id}" If data is not available for all vulnerabilities (is_success=false): "None of the provided vulnerabilities were enriched." The action should fail and stop a playbook execution. If a fatal error, like wrong credentials or no connection to the server, is reported: "Error executing action "Get Vulnerability Details". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table | Table Name: Vulnerability Details | General |
Connectors
Orca Security - Alerts Connector
Description
Pull information about alerts from Orca Security.
Configure Orca Security - Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | asset_type_string | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
API Root | String | https://{{IP}}:8501 | Yes | API root of the Orca Security instance. |
API Key | String | N/A | Yes | API Key of the Orca Security account. Provide either an API Key or an API Token; if both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used. |
API Token | String | N/A | Yes | API Token of the Orca Security account. Provide either an API Key or an API Token; if both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used. |
Category Filter | CSV | N/A | No | A comma-separated list of category names that should be used during ingestion of the alerts. Note: This parameter is case sensitive. |
Lowest Priority To Fetch | String | N/A | No | The lowest severity that needs to be used to fetch alerts. Possible values: Compromised, Imminent compromise, Hazardous, Informational. If nothing is specified, the connector ingests alerts with all severities. |
Max Hours Backwards | Integer | 1 | No | Number of hours from where to fetch alerts. |
Max Alerts To Fetch | Integer | 100 | No | Number of alerts to process per one connector iteration. |
Use dynamic list as a blacklist | Checkbox | Unchecked | Yes | If enabled, the dynamic list is used as a blacklist. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify that the SSL certificate for the connection to the Orca Security server is valid. Note that the connector default is unchecked, unlike the integration setting; enable it outside of testing, because without verification anyone able to impersonate the API root can capture the API key or token. |
Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Proxy Username | String | N/A | No | The proxy username to authenticate with. |
Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Alert Type Filter | CSV | N/A | No | A comma-separated list of alert types that need to be ingested. This filter matches the "type" field of the alert in the API response. Example: aws_s3_bucket_accessible_to_unmonitored_account |
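Several of the parameters above are filters applied to each alert as the API returns it (the JSON shape shown in the Update Alert result): Category Filter matches the category field case-sensitively, Alert Type Filter matches the type field, Lowest Priority To Fetch thresholds state.severity, Max Hours Backwards bounds state.created_at, and Environment Field Name together with Environment Regex Pattern derive the environment. The Python below is an added example of that filtering, not the connector's code. It assumes the severity list under "Lowest Priority To Fetch" is ordered from most to least severe, that severities in API responses are lowercase with underscores (as the sample alert's "hazardous" suggests), and that the dynamic list is applied separately and is not modelled here; the sample alerts are constructed, with the first one taken from the Update Alert result.

```python
import re
from datetime import datetime, timedelta, timezone

# Severity names as "Lowest Priority To Fetch" lists them, assumed most to least severe.
SEVERITY_ORDER = ["compromised", "imminent compromise", "hazardous", "informational"]
DEFAULT_ENVIRONMENT = "Default Environment"

# Constructed sample alerts; the field layout follows the Update Alert JSON result.
SAMPLE_ALERTS = [
    {"type": "aws_iam_old_role_with_policy", "category": "IAM misconfigurations",
     "asset_type_string": "AwsIamRole",
     "state": {"alert_id": "orca-265", "severity": "hazardous",
               "created_at": "2022-03-19T16:55:08+00:00"}},
    {"type": "aws_s3_bucket_accessible_to_unmonitored_account", "category": "Data at risk",
     "asset_type_string": "AwsS3Bucket",
     "state": {"alert_id": "orca-301", "severity": "imminent_compromise",
               "created_at": "2022-04-04T13:10:00+00:00"}},
    {"type": "aws_s3_bucket_accessible_to_unmonitored_account", "category": "Data at risk",
     "asset_type_string": "AwsS3Bucket",
     "state": {"alert_id": "orca-302", "severity": "informational",
               "created_at": "2022-04-04T13:40:00+00:00"}},
]


def normalize_severity(value):
    """API responses use lowercase with underscores; parameters use spaces and capitals."""
    return str(value).strip().lower().replace("_", " ")


def severity_rank(value):
    """0 is most severe; unknown severities rank after everything else."""
    try:
        return SEVERITY_ORDER.index(normalize_severity(value))
    except ValueError:
        return len(SEVERITY_ORDER)


def parse_csv_param(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def resolve_environment(alert, field_name, pattern, default=DEFAULT_ENVIRONMENT):
    """Environment Field Name + Environment Regex Pattern -> environment name.

    An empty field name or pattern, a missing field, or a non-matching regex
    all fall back to the default environment, as the parameter table states.
    """
    if not field_name or not pattern:
        return default
    value = alert.get(field_name)
    if value is None:
        return default
    match = re.search(pattern, str(value))
    return match.group(0) if match and match.group(0) else default


def select_alerts(alerts, category_filter="", lowest_priority="", alert_type_filter="",
                  max_hours_backwards=1, max_alerts=100, now=None):
    """Apply the connector's filter parameters to a batch of alerts.

    Returns the matching alerts oldest-first, capped at max_alerts. `now` may
    be a datetime or an ISO-8601 string (assumed helper for reproducible runs).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(hours=max_hours_backwards)
    categories = parse_csv_param(category_filter)     # case-sensitive, as documented
    types = parse_csv_param(alert_type_filter)
    if lowest_priority and severity_rank(lowest_priority) == len(SEVERITY_ORDER):
        raise ValueError(f"Unknown severity for Lowest Priority To Fetch: {lowest_priority!r}")
    max_rank = severity_rank(lowest_priority) if lowest_priority else len(SEVERITY_ORDER)

    selected = []
    for alert in alerts:
        state = alert["state"]
        if datetime.fromisoformat(state["created_at"]) < cutoff:
            continue
        if categories and alert.get("category") not in categories:
            continue
        if types and alert.get("type") not in types:
            continue
        if severity_rank(state["severity"]) > max_rank:
            continue
        selected.append(alert)
    selected.sort(key=lambda a: a["state"]["created_at"])
    return selected[:max_alerts]


def alert_ids(alerts):
    return [a["state"]["alert_id"] for a in alerts]


if __name__ == "__main__":
    now = "2022-04-04T14:00:00+00:00"
    print(alert_ids(select_alerts(SAMPLE_ALERTS, lowest_priority="Hazardous", now=now)))
```

With the default one-hour window the March alert is skipped regardless of its other fields, "Hazardous" admits the imminent-compromise alert but not the informational one, and a category filter written as "iam misconfigurations" matches nothing because the comparison is case-sensitive, which is the mistake the Category Filter note warns about.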
Connector rules
Proxy support
The connector supports a proxy server, configured with the "Proxy Server Address", "Proxy Username" and "Proxy Password" parameters.