Orca Security
  • 23 Nov 2022

Orca Security is a security platform that identifies and remediates cloud-security threats.

Use Orca to trigger Torq workflows

To ingest Orca events in Torq, you need to create an Orca trigger integration and use the generated webhook URL (Torq endpoint) to configure a Webhook integration in Orca.

Configure an Orca trigger integration in Torq

  1. Go to Integrations > Triggers.
  2. Locate Orca and click Add.
  3. Type a meaningful name for the integration instance and click Add.
    Create a new Orca integration in Torq.

Configure a Torq integration in Orca

  1. Sign in to your Orca account.
  2. Click the Settings icon and then Integrations.
  3. In the SIEM/SOAR section, locate the Torq integration and click Configure.
    Configure a Torq integration in Orca.
  4. Click Create new trigger, configure the trigger, and click Save.
    1. Name: a meaningful name for the trigger, such as Torq Events.
    2. Trigger URL: the Torq endpoint you created earlier.
    3. Custom headers: (optional) headers that provide an added layer of security for sending data via the webhook.


Create an automation in Orca

The automation defines which alerts will be sent to Torq.

  1. Sign in to your Orca account.
  2. Click the Settings icon and then Alerts & Automations.
  3. In the upper-right corner, click Create New > Create automation.
  4. Enter a meaningful name and description for the automation.
  5. In the Define Filter section, enter a query. The query is a combination of rules.
  6. In the Define Actions section, locate the SIEM/SOAR category and select the Send to Torq trigger checkbox. Select the Torq trigger you created earlier.
  7. Click Create Automation.
    For more information, see the Orca documentation.

Create a test workflow

For the test workflow, we'll define the Orca trigger and a single step.

  1. In Torq, go to Workflows and click Create Workflow.
  2. Type a meaningful name for the workflow, such as Orca Events Test.
  3. Click the trigger icon and select Orca.
    Select the Orca trigger for the workflow in Torq.
  4. Select the integration instance you configured.
  5. Add the step Print a message to stdout.

The workflow will trigger when it receives an alert from the webhook, which will be the next time Orca runs a scan of your Orca accounts.

Use Orca steps in a Torq workflow

To use Orca steps in Torq workflows, you have to create an Orca Security steps integration, which requires an Orca API token. All Orca steps require an access token as an input parameter, so your workflow also needs the step Create a user session, which generates that access token.

Create your Orca API token

  1. Sign in to your Orca account.
  2. Click the Settings icon and then Integrations.
  3. Locate the Torq integration and click Connect. The integration is under the category SIEM/SOAR.
    Create an API key to use for the Orca integration in Torq.
  4. Copy the API token so you can enter it when creating the Orca integration in Torq.

Create an Orca steps integration in Torq

  1. Go to Integrations > Steps.
  2. Locate Orca Security and click Add.
  3. Type a meaningful name for the integration instance.
  4. Enter the API key that you generated in your Orca tenant.
  5. Click Add.

Use Orca steps in a workflow

All Orca steps require that you pass an access token as an input parameter. To generate an access token, you need to execute the step Create a user session.

In this basic example, we create a workflow that creates a user session and gets a list of assets on the associated Orca account.

Orca step Get a list of assets in a Torq workflow.


Remediate an Orca alert using Torq

After you create a Torq integration and trigger, you can remediate an alert directly from the Orca platform. The Torq integration you select determines which Torq workflow the alert data is sent to.

  1. Go to the alert you want to remediate using Torq.
  2. Click Integrations > Remediate with Torq > {integration instance}.
    Remediate an alert in Orca using Torq.

Templates


