Installing the Orca Security App

Using the Orca Security App

The Orca Security App helps you to collect data from the Orca platform API. You can use the provided Resource Sets to work with alerts, authentication logs, and asset information.

What Type of Data does Orca Security provide?

The Orca Security App requires that you set up polling of the Orca Security API for each of the following event types.

  • Alerts - Orca Security Alerts including configuration and vulnerability notifications.

  • Logs - Authentication Log events such as failures, successes, and brute force attempts.

  • Assets - Records defining unique assets and instances scanned by Orca.

Setup

Creating the Orca Security API Token

  1. Log into your Orca Security instance.

  2. Click Settings on the left.

Figure 1 - Orca Menu - Settings

  3. Expand Users & Settings.

  4. Click API.

Figure 2 - Orca Menu - API

  5. Click the Create API Token button.

Figure 3 - Orca API Button

  6. Name the new API token, for example, Observe-Lambda-Token, and select an expiration date. When the token expires, you must update the integration with a new token.

  7. Select the Viewer role. This read-only role is all the collector needs; do not grant a role that can change Orca configuration.

  8. Record the generated API Token value in a secure location, such as a secrets manager. The collector reads it from the ORCA_TOKEN environment variable.

Figure 4 - Orca API Token

Installing the Orca Security App

Install the Orca App from the Apps section under Workspace Settings.

Changing the Datastream

The Orca App uses the Default datastream for polled data and resource set creation. To select another datastream, use the Configuration tab of the App Details page.

Creating an Observe Ingest Token

Create an Observe ingest token for the Orca Security data. This is the value used for OBSERVE_TOKEN below; it is separate from the Orca API token created earlier.

  1. Under the Connections section of the App Details page, select Create Orca Token and follow the prompts.

  2. Record the generated token value in a secure location.

  3. Use the generated test command to confirm that the token works.

Collecting Orca API Data into Observe

  1. Ask your sales engineer about configuring Orca data collection into Observe using AWS Lambda.

  2. Create one Lambda for each event type you want to collect (alerts, logs, assets).

  3. Configure the environment variables for each event collector.

Observe connector values:
    OBSERVE_URL = Required: URL of your Observe instance, built from your Customer ID (Example: https://154418444508.observeinc.com/)
    OBSERVE_TOKEN = Required: Observe datastream (ingest) token
    OBSERVE_LOGGING_LEVEL = Optional: Logging level for the Observe connector (Example: DEBUG)

Orca API values:
    ORCA_TOKEN = Required: Orca API token created above with the Viewer (read-only) role
    ORCA_QUERY_TYPE = Required: Orca query type, one of alerts, logs, or assets (Example: alerts)
    ORCA_TIME_LIMIT_HOURS = Optional: Integer number of hours; only events whose created_at time falls within this window are posted to Observe
    ORCA_LOGGING_LEVEL = Optional: Logging level for the Orca client (Example: DEBUG)

Note

Some Observe instances use a name instead of a Customer ID in the URL; if this is the case for your instance, contact your Observe Data Engineer to discuss implementation. A stem name works as is, but a DNS redirect name may require client configuration.

  4. For logs and alerts, set ORCA_TIME_LIMIT_HOURS to 24 and run the Lambda on an hourly cron schedule. Because of the way Orca processes data and makes it available in the API, an hourly poll over a 24-hour window ingests duplicate events; the Orca/Orca Alerts and Orca/Orca Logs datasets de-duplicate them.

  5. For assets, set ORCA_TIME_LIMIT_HOURS to 4 and run the Lambda on a cron schedule of every 4 hours.
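The collector settings above combine a time window (ORCA_TIME_LIMIT_HOURS) with a poll schedule that is deliberately shorter than the window, so the same event is read more than once and must be de-duplicated downstream. The following is an added example, not the Observe App's own Lambda code, showing in Python (the usual language for a Lambda collector) how a collector would validate these environment variables before making any API call, apply the created_at window, drop repeats, and log its configuration without leaking either token. The function names, the default window table, the sample alert records and the fixed NOW timestamp are constructed for illustration and are not Orca API output.

```python
import logging
from datetime import datetime, timedelta, timezone

# Added example; names below are assumptions, not the App's own code.
REQUIRED = ("OBSERVE_URL", "OBSERVE_TOKEN", "ORCA_TOKEN", "ORCA_QUERY_TYPE")
QUERY_TYPES = ("alerts", "logs", "assets")
# Recommended windows from the setup steps: 24h for alerts/logs, 4h for assets.
DEFAULT_WINDOW_HOURS = {"alerts": 24, "logs": 24, "assets": 4}


def _log_level(name):
    """Accept only real logging level names; a typo such as 'DEBUGG' fails fast."""
    level = logging.getLevelName(name.upper())
    if not isinstance(level, int):
        raise ValueError(f"unknown logging level {name!r}")
    return level


def load_config(env):
    """Validate the collector's environment variables and return a config dict.
    Raising here means a misconfigured Lambda fails on its first run, before any
    request is sent to Orca or Observe."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing required variables: " + ", ".join(missing))
    qtype = env["ORCA_QUERY_TYPE"]
    if qtype not in QUERY_TYPES:
        raise ValueError(f"ORCA_QUERY_TYPE must be one of {QUERY_TYPES}, got {qtype!r}")
    url = env["OBSERVE_URL"].rstrip("/")
    if not url.startswith("https://"):
        # The ingest token is a bearer credential; never send it over plain HTTP.
        raise ValueError("OBSERVE_URL must be an https:// URL")
    raw_hours = env.get("ORCA_TIME_LIMIT_HOURS")
    hours = int(raw_hours) if raw_hours else DEFAULT_WINDOW_HOURS[qtype]
    if hours <= 0:
        raise ValueError("ORCA_TIME_LIMIT_HOURS must be a positive integer")
    return {
        "observe_url": url,
        "observe_token": env["OBSERVE_TOKEN"],
        "orca_token": env["ORCA_TOKEN"],
        "query_type": qtype,
        "window_hours": hours,
        "observe_log_level": _log_level(env.get("OBSERVE_LOGGING_LEVEL", "INFO")),
        "orca_log_level": _log_level(env.get("ORCA_LOGGING_LEVEL", "INFO")),
    }


def redacted(cfg):
    """Copy of the config safe to write to CloudWatch at DEBUG level."""
    return {k: ("***" if k.endswith("_token") else v) for k, v in cfg.items()}


def in_window(record, now, hours):
    """True if the record's ISO-8601 created_at lies within the last `hours`."""
    created = datetime.fromisoformat(record["created_at"].replace("Z", "+00:00"))
    return created >= now - timedelta(hours=hours)


def select_records(records, now, hours, key="id"):
    """Keep records inside the window and drop repeats by `key`, first one wins.
    Polling hourly with a 24-hour window re-reads each event up to 24 times, so
    this de-duplication is what makes the overlapping schedule safe."""
    seen = set()
    kept = []
    for rec in records:
        if not in_window(rec, now, hours) or rec[key] in seen:
            continue
        seen.add(rec[key])
        kept.append(rec)
    return kept


# Constructed sample alerts (not real Orca output); the third entry is the
# first one being read again on the next hourly poll.
SAMPLE_ALERTS = [
    {"id": "A-1", "created_at": "2024-05-01T10:00:00Z", "type": "vulnerability"},
    {"id": "A-2", "created_at": "2024-05-01T20:30:00Z", "type": "configuration"},
    {"id": "A-1", "created_at": "2024-05-01T10:00:00Z", "type": "vulnerability"},
    {"id": "A-0", "created_at": "2024-04-29T09:00:00Z", "type": "configuration"},
]
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    cfg = load_config({
        "OBSERVE_URL": "https://154418444508.observeinc.com/",
        "OBSERVE_TOKEN": "observe-ingest-token",
        "ORCA_TOKEN": "orca-viewer-token",
        "ORCA_QUERY_TYPE": "alerts",
    })
    logging.basicConfig(level=cfg["observe_log_level"])
    logging.info("collector config: %s", redacted(cfg))
    for rec in select_records(SAMPLE_ALERTS, NOW, cfg["window_hours"]):
        print(rec["id"], rec["created_at"])
```

With the 24-hour window the run keeps A-1 and A-2 once each and drops the out-of-window A-0; the same records under the 4-hour assets window yield nothing, which is the expected behaviour for an event older than the window rather than an error.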

Data Review

  1. Review the Orca Resource Sets and Dashboards to confirm that the data was processed correctly.

  2. The Orca/Orca Data Ingest Status Dashboard helps you verify data collection. It shows raw ingested counts, not de-duplicated events, which gives a simple confirmation that data is arriving in Observe.

You have now configured the Orca Security app and are ready to use this data in Observe.