Skip to main content

Orca Connector

Learn how to integrate Orca into the Vulcan Platform

The following steps guide you through configuring this connector for use with the Vulcan Cyber platform from start to finish.

Connector Details

Details

Description

Supported products

Orca Cloud Security Platform

Category

CSPM

CWPP

Ingested data

Assets and Findings

Ingested Assets

Device

Container

Resource

Integration type

UNI directional (data is transferred from the Connector to the Vulcan Cyber platform in one direction)

Supported version and type

SaaS (latest)

Prerequisites and User Permissions

Before you begin configuring the connector, make sure to:

  1. Create an Orca Security business unit.

  2. Generate an Orca Security API token.

Create an Orca Security Business Unit

  1. Log in to the Orca Security platform.

  2. Navigate to Select Unit > Configure Business Units.

  3. Click Create Business Unit.

  4. In the Unit Name box, type a descriptive name for the business unit.

  5. Select the data source from which you want to fetch data: Provider (AWS, Azure, GCP, etc.) or Accounts.

  6. Click Create.

Generate an Orca Security API Token

  1. Log in to the Orca Security platform.

  2. Navigate to Settings > Users & Permissions > API.

  3. Click Add API Token.

  4. In the Name box, type a descriptive name for the token.

  5. In the Expiration Date section, select an expiration date or select the Never Expire checkbox.

  6. Select the Service Token checkbox.

  7. From the Roles list, select Viewer.

  8. Select the Scope access to specific resources checkbox.

  9. Select Business units, and then select the business unit you created.

  10. Click Add.

  11. Copy the API Token to a safe location. You need it to configure the connector.

Add a Connector

Configure the Orca connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Orca icon.

  4. In the Server URL drop-down, select the region of your Orca server.

  5. In the API Token text box, paste the API key you generated earlier.

  6. In the Data pulling configuration section, you can configure dynamic settings specific to the connector.

    • In the Inventory Resources drop-down box, select the resources you want to ingest into the Vulcan Cyber platform.

    • In the Asset Retention text box, type the number of days after which you want assets to be removed from the Vulcan Cyber platform. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.

    • In the "Immediately remove assets when their status is:" section, select more statuses when the asset is detected it should be archived.

  7. In the Test connectivity section, click the Test Connectivity button to verify that the Vulcan Cyber platform can connect to your connector instance.

  8. Allow some time for the sync to complete. You can review the sync status under Log.

  9. In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.

  10. Click Create. The Vulcan Cyber platform begins syncing the connector. The sync can take some time to complete.

Data Mapping

The Vulcan Cyber platform integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Vulcan Cyber platform. The following tables outline how fields and their values are mapped from the connector to the Vulcan Cyber platform.

Device Mapping

Vulcan Field

Orca Field

Asset Name

data[].name

Asset Provider ID

External Identifier

data[].data.InstanceId/Arn/ VmId / AzureId/ asset_unique_id

Cloud Provider

data[].data.CloudAccount.data.CloudProvider.value

Cloud Resource Type

data[].data.NewSubCategory

Cloud Resource > Service

data[].data.type

Cloud Resource > Billing ID

data[].data.CloudAccount.name

Host Fully Qualified DNS

data[].data.PublicDnss.value[0]

Last Observed At

data[].data.LastSeen.value

First Observation Date

data[].data.FirstSeen.value

External Tags

data[].data.Tags.value

Operating Systems

data[].data.DistributionName.value

OS Version

data[].data.DistributionVersion.value

IPv4 Addresses

data[].data.PrivateIps.value

Device System Type

data[].data.Type.value

Container Mapping

Vulcan Field

Orca Field

Asset Name

data[].name

Asset Provider ID

External Identifier

data[].data.InstanceId/Arn/ VmId / AzureId/ asset_unique_id

Cloud Provider

data[].data.CloudAccount.data.CloudProvider.value

Cloud Resource Type

data[].data.NewSubCategory

Cloud Resource > Service

data[].data.type

Cloud Resource > Billing ID

data[].data.CloudAccount.name

Host Fully Qualified DNS

data[].data.PublicDnss.value[0]

Last Observed At

data[].data.LastSeen.value

First Observation Date

data[].data.FirstSeen.value

External Tags

data[].data.Tags.value

Operating Systems

DistributionName

OS Version

DistributionVersion

Container Image Tags

ImageTags.value (single value)

Image Digest

ImageLayersDigest.value (single value)

Resource Mapping

Vulcan Field

Orca Field

Asset Name

data[].name

Asset Provider ID

External Identifier

data[].data.InstanceId/Arn/ VmId / AzureId/ asset_unique_id

Cloud Provider

data[].data.CloudAccount.data.CloudProvider.value

Cloud Resource Type

data[].data.NewSubCategory

Cloud Resource > Service

data[].data.type

Cloud Resource > Billing ID

data[].data.CloudAccount.name

Region

data[].data.Region.value

Host Fully Qualified DNS

data[].data.PublicDnss.value[0]

Last Observed At

data[].data.LastSeen.value

First Observation Date

data[].data.FirstSeen.value

External Tags

data[].data.Tags.value

Finding Mapping

Vulcan Field

Orca Field

Finding Name

vulnerability_name

CVEs

data[].data.CveIds.value

CVSSv3 Base Score

MaxCvssScore

Severity

data[].data.RiskLevel.value

Severity

State

data[].data.Status.value

MITRE Category

data[].data.MitreCategory.value

Description

data.description

Solution

vulnerability_recommendations

Finding Custom Attributes

port

protocol

package

Package Version

First Seen

device_vulnerability_detection_date

Last seen (Observed)

vulnerability_last_updated

Finding Status Mapping

Vulcan Status

Orca Status

Active / Vulnerable

Open or In Progress

Fixed

Closed, Dismissed, Snoozed

Finding Severity Mapping

Vulcan Severity

Orca Score

Critical

CVSS: 9.0 - 10.0

Severity: Critical

High

CVSS: 7.0 - 8.9

Severity: High

Medium

CVSS: 4.0 - 6.9

Severity: Medium

Low

CVSS: 1-3.9

Severity: Low

None

CVSS: 0

Severtity: empty

Locating Orca vulnerabilities in the Vulcan Platform

As Orca discovers vulnerabilities, the Vulcan Platform connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:

  1. Open the Vulcan Platform dashboard and navigate to the Vulnerabilities. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  2. Locate Orca on the vulnerability source/Connector list and click to filter results.

  3. Click on any vulnerability to view further information.

Locating Orca assets (Hosts, Images, Cloud Resources) in the Vulcan Platform

To locate all retrieved Hosts, Images, and Cloud Resources assets from Orca:

  1. Open the Vulcan Cyber dashboard and navigate to Assets.

  2. Click one of the relevant tabs: Cloud Resources, Hosts, Images

  3. Click on the Search or filter websites input box and select Connector from the drop-down selection.

  4. Locate the Orca option to view all synced assets.

Automating actions on vulnerabilities detected by Orca

Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the Orca connector.

Here is an example of creating email automation (other automation types are also available):

  1. Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.

  2. First, give your automation playbook an indicative name.

  3. Select Orca for the source of vulnerabilities, and continue to set the vulnerability condition as Risk is Critical / High (for example), leaving the rest as defaults, or simply set the conditions as it suits your needs.

  4. Continue to the Remediation actions and select the take-action channel. In this example, we selected "Assign via email".

  5. Choose how the separation of tickets is handled. In this example, we selected the "up to 200 vulnerabilities are aggregated into a single email" option. Then add the recipient emails to be notified.

  6. Leave all other steps as default (or modify if needed) and click on Save and Run.

Related Articles
PrismaCloud Compute (CWPP) Connector
BitSight Connector
Aqua CWPP Connector
Lacework Connector
Microsoft Defender for Cloud Connector (new revision)
Did this answer your question?