Orca Security

Integration version: 8.0

Configure Orca Security integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
UI Root String https://{ui instance} Yes UI root of the Orca Security instance.
API Root String https://{api instance} Yes API root of the Orca Security instance.
API Key String N/A Yes

API Key of the Orca Security instance account.

If both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used.

API Token String N/A Yes

API Token of the Orca Security instance account.

If both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used.

Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Orca Security SIEM server is valid.

How to generate API key

  1. Go to Settings-> Integrations-> Orca API.
  2. Click Manage Keys, and then click Generate a new key.
  3. Copy and paste the generated key into Google Security Operations SOAR.

Use Cases

  1. Ingest alerts.
  2. Fetch information about assets or vulnerabilities.
  3. Triage alerts.
  4. Track compliance.

Actions

Ping

Description

Test connectivity to Orca Security with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
N/A
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Orca Security server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Orca Security server! Error is {0}".format(exception.stacktrace)

General

Update Alert

Description

Update an alert in Orca Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Alert ID String N/A Yes Specify the ID of the alert needs to be updated.
Verify Alert Checkbox Unchecked No If enabled, the action initiates the verification process for the alert.
Snooze State DDL

Select One

Possible Values:

  • Select One
  • Snooze
  • Unsnooze
No Specify the snooze state for the alert.
Snooze Days String 1 No

Specify the number of days alert needs to be snoozed.

This parameter is mandatory, if the "Snooze State" parameter is set to "Snooze".

If nothing is provided, the action snoozes the alert for 1 day.

Status DDL

Select One

Possible Values:

  • Select One
  • Open
  • In Progress
  • Close
  • Dismiss
No Specify the status to set for the alert.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
    "group_val": "nongroup",
    "asset_type_string": "AwsIamRole",
    "data": {
        "recommendation": "Unused roles should be disabled or removed",
        "details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
        "title": "Unused role with policy found"
    },
    "alert_labels": [
        "mitre: initial access"
    ],
    "configuration": {
        "user_status": "snoozed",
        "snooze_until": "2022-04-05T13:50:31.600118+00:00"
    },
    "is_compliance": false,
    "group_type_string": "NonGroup",
    "description": "Unused role with policy found",
    "recommendation": "Unused roles should be disabled or removed",
    "source": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
    "group_type": "AwsIamRole",
    "cluster_type": "AwsIamRole",
    "type": "aws_iam_old_role_with_policy",
    "group_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
    "cloud_account_id": "1b6a52d3-58ed-4879-af03-b99f252f532d",
    "type_string": "Unused role with policy found",
    "asset_name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
    "account_name": "alon-vendors",
    "asset_type": "AwsIamRole",
    "context": "control",
    "details": "AWS IAM roles can grant access to AWS resources or actions. It is recommended that all roles that have been unused in 90 or greater days be deactivated or removed.",
    "model": {
        "data": {
            "Inventory": {
                "Category": "Users and Access",
                "UiUniqueField": "AROAYJTTMYDYKG3VCCXFF_arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
                "SubCategory": "Roles",
                "Observations": [],
                "Tags": "{}",
                "Name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
                "AccessEndpoints": "[]"
            },
            "AwsIamRole": {
                "Path": "/",
                "AssumeRolePolicy": {
                    "model": {
                        "name": "arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb_AssumeRolePolicy",
                        "id": "e739eb76-39f6-8cf3-62fa-47d36ff25a90",
                        "type": "AwsIamAssumeRolePolicy"
                    }
                },
                "Policies": {
                    "models": [
                        {
                            "model": {
                                "data": {
                                    "AwsIamPolicy": {
                                        "PolicyBody": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": [\"*\"], \"Effect\": \"Allow\", \"Resource\": [\"*\"]}]}",
                                        "IsPermissive": true,
                                        "PermissiveActions": [
                                            "Administrative Privileges"
                                        ],
                                        "ResourceType": "managed_policy",
                                        "PolicyId": "arn:aws:iam::aws:policy/AdministratorAccess",
                                        "Name": "AdministratorAccess"
                                    },
                                    "Inventory": {
                                        "Category": "Users and Access",
                                        "UiUniqueField": "arn:aws:iam::aws:policy/AdministratorAccess",
                                        "SubCategory": "Policies",
                                        "Observations": [],
                                        "Name": "AdministratorAccess",
                                        "AccessEndpoints": "[]"
                                    }
                                },
                                "name": "AdministratorAccess",
                                "asset_unique_id": "AwsIamPolicy_570398916848_e739eb76-e4a6-930f-457b-ad93e60bfb4a",
                                "id": "e739eb76-3ee7-fe8e-92c7-029cefb490e5",
                                "type": "AwsIamPolicy"
                            }
                        }
                    ],
                    "remaining": 0
                },
                "RoleLastUsed": "2021-04-18T14:49:54+00:00",
                "AuthorizedServices": {
                    "models": [
                        {
                            "model": {
                                "name": "appstream",
                                "id": "e739eb76-3017-e620-9123-f8ee3cd7ef8d",
                                "type": "AwsEntityAuthorizedService"
                            }
                        }
                    ],
                    "remaining": 180
                },
                "InstanceProfileArnList": [],
                "RoleTags": [],
                "Arn": "arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
                "PermissionUsage": 0.0,
                "RoleId": "AROAYJTTMYDYKG3VCCXFF",
                "CreateDate": "2020-12-08T12:07:12+00:00",
                "Name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb"
            }
        },
        "name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
        "asset_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
        "id": "e739eb76-349c-82af-7e37-f1aa43e45a48",
        "type": "AwsIamRole"
    },
    "state": {
        "severity": "hazardous",
        "last_updated": "2022-04-04T13:50:31+00:00",
        "last_seen": "2022-04-03T21:00:05+00:00",
        "in_verification": false,
        "low_since": "2022-04-04T13:50:31+00:00",
        "created_at": "2022-03-19T16:55:08+00:00",
        "closed_time": null,
        "verification_status": null,
        "score": 3,
        "alert_id": "orca-265",
        "high_since": null,
        "closed_reason": null,
        "status_time": "2022-04-04T13:50:31+00:00",
        "status": "snoozed"
    },
    "rule_query": "AwsIamRole with Policies with (RoleLastUsed + 90 days < now) or (not RoleLastUsed and CreateDate + 90 days < now)",
    "cluster_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
    "cluster_name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
    "subject_type": "AwsIamRole",
    "group_name": "stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
    "level": 0,
    "is_rule": true,
    "cloud_provider": "aws",
    "organization_name": "Partners",
    "type_key": "a1751923a9161ea6c84fe9a071efd3af",
    "cloud_vendor_id": "570398916848",
    "rule_id": "r01d84719d0",
    "asset_category": "Users and Access",
    "asset_state": "enabled",
    "organization_id": "e739eb76-3d1a-4022-b5d0-360b10d44685",
    "asset_unique_id": "AwsIamRole_570398916848_e739eb76-0e49-364d-df0b-ae582594f284",
    "cloud_provider_id": "570398916848",
    "category": "IAM misconfigurations",
    "asset_vendor_id": "AROAYJTTMYDYKG3VCCXFF_arn:aws:iam::570398916848:role/stacksets-exec-1b5a03f42a0193612df2f9ad785df2eb",
    "frameworks": [
        {
            "display_name": "Orca Best Practices",
            "id": "orca_best_practices",
            "custom": false,
            "description": "Orca Best Practices",
            "active": false
        }
    ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully updated alert with ID "{id}" in Orca Security."

If the "requested to set same configuration" error is reported (is_success=true): "Alert with ID "{id}" already has status "{status}" in Orca Security."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Alert". Reason: {0}''.format(error.Stacktrace)"

If other error is reported: "Error executing action "Update Alert". Reason: {error}."

If "Select One" is selected for the "Snooze State" parameter: "Error executing action "Update Alert". Reason: "Snooze Day" needs to be provided."

If "Select One" is selected for the "Snooze State" or "Status" parameter, and the "Verify Alert" parameter is not enabled: "Error executing action "Update Alert". Reason: at least one of the following parameters needs to be provided: "Status", "Verify Alert", "Snooze Alert".

General

Add Comment To Alert

Description

Add a comment to alert in Orca Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Alert ID String N/A Yes Specify the ID of the alert to which action needs to add a comment.
Comment String N/A Yes Specify the comment that needs to be added to alert.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
  "unique_id": 315478535,
  "user_email": "tip.labops@siemplify.co",
  "user_name": "John Doe",
  "alert_id": "orca-264",
  "asset_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
  "create_time": "2022-03-28T14:06:10+00:00",
  "type": "comment",
  "details": {
      "description": "Added comment",
      "comment": "asd"
  }
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully added a comment to alert with ID "{id}" in Orca Security."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Comment To Alert". Reason: {0}''.format(error.Stacktrace)"

If an error is reported: "Error executing action "Add Comment To Alert". Reason: {error}."

General

Get Asset Details

Description

Retrieve information about assets from Orca Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Asset IDs CSV N/A Yes Specify a comma-separated list of asset ids for which you want to return details.
Return Vulnerabilities Information Checkbox Checked No If enabled, the action returns vulnerabilities that are related to the asset.
Lowest Severity For Vulnerabilities DDL

Hazardous

Possible Values:

  • Compromised
  • Imminent Compromise
  • Hazardous
  • Informational
No The lowest severity that needs to be used to fetch vulnerabilities.
Max Vulnerabilities To Fetch Integer 50 No

Specify the number of vulnerabilities to return per asset.

Maximum: 100

Create Insight Checkbox Checked No If enabled, the action creates an insight for every enriched asset.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
  "group_val": "nongroup",
  "asset_type_string": "AwsIamRole",
  "configuration": {},
  "group_type_string": "NonGroup",
  "group_type": "AwsIamRole",
  "cluster_type": "AwsIamRole",
  "type": "AwsIamRole",
  "group_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
  "cloud_account_id": "1b6a52d3-58ed-4879-af03-b99f252f532d",
  "asset_name": "AWSServiceRoleForElastiCache",
  "account_name": "alon-vendors",
  "context": "control",
  "asset_type": "AwsIamRole",
  "model": {
    "data": {
      "AwsIamRole": {
        "AssumeRolePolicy": {
          "model": {
            "name": "arn:aws:iam::570398916848:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache_AssumeRolePolicy",
            "id": "e739eb76-34d7-819c-77aa-b453455f9528",
            "type": "AwsIamAssumeRolePolicy"
          }
        },
        "Path": "/aws-service-role/elasticache.amazonaws.com/"
      },
      "Inventory": {
        "DetectedCrownJewelScore": 0,
        "DetectedCrownJewelReason": null
      }
    },
    "name": "AWSServiceRoleForElastiCache",
    "asset_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
    "id": "e739eb76-3314-943e-66ba-053b4610b9c7",
    "type": "AwsIamRole"
  },
  "state": {
    "severity": "hazardous",
    "score": 3,
    "unsafe_since": "2022-03-19T17:06:36+00:00",
    "safe_since": null,
    "last_seen": "2022-03-28T13:36:42+00:00",
    "created_at": "2022-03-19T17:06:36+00:00",
    "status_time": "2022-03-19T17:06:36+00:00",
    "status": "exists"
  },
  "cluster_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
  "cluster_name": "AWSServiceRoleForElastiCache",
  "group_name": "AWSServiceRoleForElastiCache",
  "level": 0,
  "cloud_provider": "aws",
  "organization_name": "Partners",
  "asset_subcategory": "Roles",
  "cloud_vendor_id": "570398916848",
  "asset_category": "Users and Access",
  "asset_state": "enabled",
  "organization_id": "e739eb76-3d1a-4022-b5d0-360b10d44685",
  "cloud_provider_id": "570398916848",
  "asset_unique_id": "AwsIamRole_570398916848_e739eb76-1d18-7e74-d3d4-42dc68c8ece4",
  "asset_vendor_id": "AROAYJTTMYDYCMTKRKRZ3_arn:aws:iam::570398916848:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache",
  "vulnerabilities": [
    {
      "asset_auto_updates": "off",
      "vm_asset_unique_id": "vm_570398916848_i-0c80a86a5c14d9d36",
      "group_type_string": "VM",
      "asset_regions_names": [
        "N. Virginia"
      ],
      "group_type": "k8s",
      "cluster_type": "k8s",
      "type": "cve",
      "score": 4,
      "vm_id": "i-0c80a86a5c14d9d36",
      "asset_name": "Omikron",
      "context": "data",
      "nvd": {
        "cvss2_severity": "MEDIUM",
        "cvss2_score": 5.0,
        "cvss3_severity": "HIGH",
        "cvss3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "cvss3_score": 7.5,
        "cvss2_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
      },
      "asset_distribution_version": "2 (2022.01.05)",
      "asset_first_public_ips": [
        "34.207.193.180"
      ],
      "cloud_provider_id": "570398916848",
      "asset_num_public_ips": 1,
      "asset_labels": [
        "internet_facing",
        "brute-force_attempts"
      ],
      "asset_distribution_name": "Amazon",
      "affected_packages": [
        "/opt/cni/bin/host-local",
        "/opt/cni/bin/macvlan",
        "/opt/cni/bin/bridge",
        "/opt/cni/bin/flannel",
        "/opt/cni/bin/host-device"
      ],
      "asset_role_names": [
        "ssh"
      ],
      "asset_ingress_ports": [
        "32609",
        "31030"
      ]
    }
  ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one asset (is_success=true): "Successfully enriched the following assets using information from Orca Security: {asset id}"

If data is not available for one asset (is_success=true): "Action wasn't able to enrich the following assets using information from Orca Security: {asset id}"

If data is not available for all assets (is_success=false): "None of the provided assets were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Asset Details". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: Asset Details Table Columns:

  • Name: {asset_name}
  • Type: {asset_type}
  • Account: {account_name}
  • Category: {asset_category}
  • Subcategory: {asset_subcategory}
  • State: {asset_state}
  • Severity: {state/severity}
  • First Seen: {state/created_at}
  • Last Seen: {state/last_seen}
General

Get Compliance Info

Description

Get information about compliance based on selected frameworks in Orca Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Framework Names CSV N/A No

Specify a comma-separated list of names of the frameworks for which you want to retrieve compliance details.

If nothing is provided, the action returns information about all selected frameworks.

Max Frameworks To Return Integer 50 No Specify the number of frameworks to return.
Create Insight Checkbox Checked Yes If enabled, the action creates an insight containing information about compliance.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
"frameworks": [
  {
    "display_name": "Orca Best Practices",
    "id": "orca_best_practices",
    "custom": false,
    "description": "Orca Best Practices",
    "active": true,
    "avg_score_percent": 70,
    "test_results": {
      "FAIL": 121,
      "PASS": 284
    },
    "categories": {
      "total_count": 12,
      "data": {
        "Storage": {
          "FAIL": 28,
          "PASS": 35
        },
        "Database": {
          "FAIL": 8,
          "PASS": 94
        },
        "Monitoring": {
          "FAIL": 20,
          "PASS": 4
        },
        "Users and Access": {
          "FAIL": 23,
          "PASS": 11
        },
        "Network": {
          "FAIL": 29,
          "PASS": 96
        },
        "Messaging Service": {
          "FAIL": 1,
          "PASS": 11
        },
        "Serverless": {
          "FAIL": 3,
          "PASS": 13
        },
        "Vm": {
          "FAIL": 6,
          "PASS": 4
        },
        "Authentication": {
          "FAIL": 4,
          "PASS": 10
        },
        "Account": {
          "PASS": 1
        },
        "ComputeServices": {
          "FAIL": 1,
          "PASS": 2
        },
        "Container": {
          "PASS": 1
        }
      }
    },
    "top_accounts": [
      {
        "570398916848": {
          "account_name": "alon-vendors",
          "FAIL": 121,
          "PASS": 284
        }
      }
    ]
  }
]
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully returned information about compliance in Orca Security."

If one framework is not found (is_success=true): "Information from the following frameworks wasn't found in Orca Security. Please check the spelling."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Compliance Info". Reason: {0}''.format(error.Stacktrace)"

If all frameworks are not found (is_success=false): "Error executing action "Get Compliance Info". Reason: none of the provided frameworks were found in Orca Security. Please check the spelling.

General
Case Wall Table

Table Name: Compliance Details

Table Columns:

  • Name: {display_name}
  • Description: {description}
  • Score: {avg_score_percent}
  • Failed: {test_results/FAIL}
  • Passed: {test_results/PASS}
  • Active: {active}
General

Scan Assets

Description

Scan assets in Orca Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Asset IDs String N/A Yes Specify a comma-separated list of asset ids for which you want to return details.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
  "version": "0.1.0",
  "scan_unique_id": "4f606aae-9e9b-4d01-aa29-797a06b6300e",
  "asset_unique_ids": [
      "i-080f6dfdeac0c7ffc"
  ],
  "status": "done"
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one asset (is_success=true): "Successfully scanned the following assets in Orca Security: {asset name}".

If data is not available for one asset or the asset is not found (is_success=true): "Action wasn't able to scan the following assets using in Orca Security: {asset name}"

If data is not available for all assets (is_success=false): "None of the provided assets were scanned."

Async message: "Pending assets: {asset names}"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Scan Assets". Reason: {0}''.format(error.Stacktrace)"

If ran into a timeout: "Error executing action "Scan Assets". Reason: action ran into a timeout during execution. Pending assets: {assets that are still in progress}. Please increase the timeout in IDE."

General

Get Vulnerability Details

Description

Retrieve information about vulnerabilities from Orca Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
CVE IDs CSV N/A No Specify a comma-separated list of CVEs that need to be enriched.
Create Insight Checkbox Checked No

If enabled, the action creates an insight for every enriched vulnerability.

Insight creation is not affected by the filtering that can be made with the "Fields To Return" parameter.

Max Assets To Return Integer 50 No

Specify how many assets related to the CVE to return.

Maximum: 10000

Fields To Return CSV N/A No

Specify a comma-separated list of fields that need to be returned.

If vulnerabilities don't have specific fields to return, such fields values are set to nulls.

Note: This parameter checks the JSON object, as it was flattened.

Example: "object": {"id": 123} -> object_id is the key.

Output DDL

JSON

Possible Values:

  • JSON
  • CSV
No

Specify the type of the output for the action.

If "JSON" is selected, the action returns a regular JSON Result.

If "CSV" is selected, the action creates a file in the action execution folder and JSON result contains a path to that file.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success=False
JSON Result
{
    "cve_id": "{cve_id}",
    "results": [
        {
            "asset_auto_updates": "off",
            "vm_asset_unique_id": "vm_570398916848_i-07cb1901406d7f7a2",
            "group_type_string": "VM",
            "asset_regions_names": [
                "N. Virginia"
            ],
            "group_type": "asg",
            "cluster_type": "asg",
            "type": "cve",
            "score": 4,
            "vm_id": "i-07cb1901406d7f7a2",
            "asset_name": "alon-test",
            "context": "data",
            "nvd": {
                "cvss2_severity": "MEDIUM",
                "cvss2_score": 5.0,
                "cvss3_severity": "HIGH",
                "cvss3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "cvss3_score": 7.5,
                "cvss2_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
            },
            "asset_distribution_version": "2 (2022.01.05)",
            "asset_first_public_ips": [
                "54.234.117.173"
            ],
            "asset_first_private_ips": [
                "10.0.85.56"
            ],
            "group_name": "alon-test",
            "level": 1,
            "fix_available_state": "Yes",
            "organization_name": "Partners",
            "published": "2019-09-30T19:15:00+00:00",
            "packages": [
                {
                    "installed_version": "1.12.13",
                    "package_name": "/opt/cni/bin/vlan",
                    "non_os_package_paths": [
                        "/opt/cni/bin/vlan"
                    ],
                    "patched_version": "1.13.1"
                },
                {
                    "installed_version": "1.12.13",
                    "package_name": "/opt/cni/bin/ipvlan",
                    "non_os_package_paths": [
                        "/opt/cni/bin/ipvlan"
                    ],
                    "patched_version": "1.13.1"
                },
                {
                    "installed_version": "1.12.13",
                    "package_name": "/opt/cni/bin/firewall",
                    "non_os_package_paths": [
                        "/opt/cni/bin/firewall"
                    ],
                    "patched_version": "1.13.1"
                },
                {
                    "installed_version": "1.12.13",
                    "package_name": "/opt/cni/bin/tuning",
                    "non_os_package_paths": [
                        "/opt/cni/bin/tuning"
                    ],
                    "patched_version": "1.13.1"
                },
                {
                    "installed_version": "1.12.13",
                    "package_name": "/opt/cni/bin/loopback",
                    "non_os_package_paths": [
                        "/opt/cni/bin/loopback"
                    ],
                    "patched_version": "1.13.1"
                }
            ],
            "cloud_vendor_id": "570398916848",
            "labels": [
                "fix_available"
            ],
            "asset_image_id": "ami-0d6c8b2a8562eba37",
            "asset_num_public_dnss": 1,
            "cve_id": "CVE-2019-16276",
            "asset_state": "running",
            "organization_id": "e739eb76-3d1a-4022-b5d0-360b10d44685",
            "asset_availability_zones": [
                "us-east-1b"
            ],
            "asset_unique_id": "vm_570398916848_i-07cb1901406d7f7a2",
            "asset_num_private_dnss": 1,
            "asset_vendor_id": "i-07cb1901406d7f7a2",
            "cvss3_score": 6.5,
            "group_val": "nongroup",
            "asset_type_string": "VM",
            "asset_regions": [
                "us-east-1"
            ],
            "group_unique_id": "asg_570398916848_alon-test",
            "cloud_account_id": "1b6a52d3-58ed-4879-af03-b99f252f532d",
            "asset_num_private_ips": 1,
            "account_name": "alon-vendors",
            "asset_type": "vm",
            "fix_available": true,
            "cvss3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "cluster_unique_id": "asg_570398916848_alon-test",
            "summary": "Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.",
            "severity": "informational",
            "cluster_name": "alon-test",
            "asset_first_public_dnss": [
                "ec2-54-234-117-173.compute-1.amazonaws.com"
            ],
            "tags_info_list": [
                "aws:ec2launchtemplate:version|1",
                "aws:autoscaling:groupName|alon-test",
                "aws:ec2launchtemplate:id|lt-09b558a2361e6b988"
            ],
            "asset_first_private_dnss": [
                "ip-10-0-85-56.ec2.internal"
            ],
            "cloud_provider": "aws",
            "asset_vpcs": [
                "vpc-07ef7f777429cfd82"
            ],
            "source_link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16276",
            "asset_category": "VM",
            "asset_distribution_major_version": "2",
            "asset_tags_info_list": [
                "aws:ec2launchtemplate:version|1",
                "aws:autoscaling:groupName|alon-test",
                "aws:ec2launchtemplate:id|lt-09b558a2361e6b988"
            ],
            "cloud_provider_id": "570398916848",
            "asset_num_public_ips": 1,
            "asset_labels": [
                "brute-force_attempts"
            ],
            "asset_distribution_name": "Amazon",
            "affected_packages": [
                "/opt/cni/bin/vlan",
                "/opt/cni/bin/ipvlan",
                "/opt/cni/bin/firewall",
                "/opt/cni/bin/tuning",
                "/opt/cni/bin/loopback"
            ],
            "asset_role_names": [
                "ssh"
            ]
        }
    ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one vulnerability (is_success=true): "Successfully enriched the following vulnerabilities using information from Orca Security: {cve id}"

If data is not available for one vulnerability (is_success=true): "Action wasn't able to enrich the following vulnerabilities using information from Orca Security: {cve id}"

If data is not available for all vulnerabilities (is_success=false): "None of the provided vulnerabilities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Vulnerability Details". Reason: {0}''.format(error.Stacktrace)"

General
Case Wall Table

Table Name: Vulnerability Details

Table Columns:

  • ID: {cve_id}
  • Description: {summary}
  • Fix Available: {fix_available}
  • Affected Assets Count: {group_size}
  • Labels: {csv of labels}
  • Publish Date: {published}
General

Connectors

Orca Security - Alerts Connector

Description

Pull information about alerts from Orca Security.

Configure Orca Security - Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String asset_type_string Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String https:/{{IP}}:8501 Yes API root of the Orca Security instance.
API Key String N/A Yes

API Key of the Orca Security instance account.

If both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used.

API Token String N/A Yes

API Token of the Orca Security instance account.

If both the "API Key" and "API Token" parameters are provided, the "API Token" parameter is used.

Category Filter CSV N/A No

A comma-separated list of category names that should be used during ingestion of the alerts.

Note: This parameter is case sensitive.

Lowest Priority To Fetch String N/A No

The lowest severity that needs to be used to fetch alerts.

Possible values: Compromised, Imminent compromise, Hazardous, Informational

If nothing is specified, the connector ingests alerts with all severities.

Max Hours Backwards Integer 1 No Number of hours from where to fetch alerts.
Max Alerts To Fetch Integer 100 No Number of alerts to process per one connector iteration.
Use dynamic list as a blacklist Checkbox Unchecked Yes If enabled, dynamic lists is used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify that the SSL certificate for the connection to the Orca Security server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
Alert Type Filter CSV N/A No Type of the alerts that need to be ingested. This filter works with the Type parameter in response. Example: aws_s3_bucket_accessible_to_unmonitored_account

Connector rules

Proxy support

The connector supports proxy.