Installing the Orca Security App

Using the Orca Security App

The Orca Security App helps you to collect data from the Orca platform API. You can use the provided Resource Sets to work with alerts, authentication logs, and asset information.

What Type of Data does Orca Security provide?

The Orca Security App requires that you set up polling of the Orca Security API for each of the event types below.

  • Alerts - Orca Security Alerts including configuration and vulnerability notifications.

  • Logs - Authentication Log events such as failures, successes, and brute force attempts.

  • Assets - Records defining unique assets and instances scanned by Orca.

Setup

Creating the Orca Security API Token

  1. Log into your Orca Security Instance.

  2. Click Settings on the left.

Figure 1 - Orca Menu - Settings

  3. Expand Users & Settings.

  4. Click API.

Figure 2 - Orca Menu - API

  5. Click the Create API Token button.

Figure 3 - Orca API Button

  6. Name the new API token, for example, Observe-Lambda-Token, and select a desired expiration date. When a token expires, you must update the integration.

  7. Select the Viewer role.

  8. Record the generated API Token value in a secure location.

Figure 4 - Orca API Token

Installing the Orca Security App

Install the Orca App using the Apps section under Workspace Settings.

Changing the Datastream

The Orca App uses the Default datastream for polled data and resource set creation. To select another datastream, use the Configuration tab of the App Details page.

Creating an Observe Ingest Token

Create an Orca Security token to ingest your logs into Observe.

  1. Under the Connections section of the App Details page, select Create Orca Token and follow the prompts.

  2. Record the generated API Token value in a secure location.

  3. Use the generated test command to verify that the token works.

Collecting Orca API Data into Observe

  1. Ask your sales engineer about configuring Orca data collection into Observe using AWS Lambda.

  2. Create one Lambda for each event type to collect.

  3. Configure the environment variables for each event collector.

# Observe Connector Values:
    OBSERVE_URL = Required: Observe collection URL containing your Customer ID (Example: https://154418444508.observeinc.com/)
    OBSERVE_TOKEN = Required: Observe Datastream Token
    OBSERVE_LOGGING_LEVEL = Optional: Desired Logging Level (Example: DEBUG)

# Orca API Values:
    ORCA_TOKEN = Required: Orca Reader Level API Token
    ORCA_QUERY_TYPE = Required: Orca Query Type (Example: alerts)
    ORCA_TIME_LIMIT_HOURS = Optional: Integer number of hours; only records whose created_at falls within this window are posted to Observe
    ORCA_LOGGING_LEVEL = Optional: Desired Logging Level (Example: DEBUG)

  4. logs and alerts: set ORCA_TIME_LIMIT_HOURS to 24 and schedule the Lambda with an hourly cron, because of the way Orca processes data and makes it available in the API. Overlapping polls can ingest duplicate events; the Orca/Orca Alerts and Orca/Orca Logs datasets deduplicate them.

  5. assets: set ORCA_TIME_LIMIT_HOURS to 4 and schedule the Lambda with a cron of every 4 hours.
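The window filtering and deduplication behaviour behind steps 4 and 5 (a 24-hour window polled hourly re-delivers the same alert, and the datasets collapse the copies) is shown in this added Python example. It is not Observe's or Orca's collector code; the record shape, the function names and the validation defaults are assumptions, and the alert records are constructed so it runs offline.

```python
import os
from datetime import datetime, timedelta

# Window defaults mirror the page's recommendations: 24 h for logs/alerts, 4 h for assets.
DEFAULT_WINDOW_HOURS = {"alerts": 24, "logs": 24, "assets": 4}
# Constructed sample alert records (hypothetical shape, not real Orca API output).
SAMPLE_ALERTS = [
    {"id": "alert-1", "created_at": "2024-05-01T09:00:00Z", "state": "open"},
    {"id": "alert-2", "created_at": "2024-05-01T20:30:00Z", "state": "open"},
    {"id": "alert-3", "created_at": "2024-04-29T08:00:00Z", "state": "open"},
]

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp, accepting the trailing 'Z' form."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def load_config(env=None):
    """Read the collector's environment variables and fail fast on bad values."""
    env = os.environ if env is None else env
    required = ("OBSERVE_URL", "OBSERVE_TOKEN", "ORCA_TOKEN", "ORCA_QUERY_TYPE")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise ValueError(f"missing required environment variables: {missing}")
    qtype = env["ORCA_QUERY_TYPE"]
    if qtype not in DEFAULT_WINDOW_HOURS:
        raise ValueError(f"unsupported ORCA_QUERY_TYPE: {qtype}")
    hours = int(env.get("ORCA_TIME_LIMIT_HOURS") or DEFAULT_WINDOW_HOURS[qtype])
    if hours <= 0:
        raise ValueError("ORCA_TIME_LIMIT_HOURS must be a positive integer")
    return {"url": env["OBSERVE_URL"].rstrip("/"), "query_type": qtype, "window_hours": hours}

def in_window(records, window_hours, now):
    """Apply the ORCA_TIME_LIMIT_HOURS filter: keep records created within the window."""
    cutoff = now - timedelta(hours=window_hours)
    return [r for r in records if parse_ts(r["created_at"]) >= cutoff]

def dedupe(polls, key="id"):
    """Keep the latest copy per key, as the Orca/Orca Alerts and Logs datasets do downstream."""
    latest = {}
    for poll in polls:
        for r in poll:
            latest[r[key]] = r
    return list(latest.values())

def simulate_hourly_polls(start_iso, window_hours, runs=2, records=SAMPLE_ALERTS):
    """Run `runs` hourly polls from start_iso; return (raw_count, deduplicated_count)."""
    start = parse_ts(start_iso)
    polls = [in_window(records, window_hours, start + timedelta(hours=i)) for i in range(runs)]
    return sum(len(p) for p in polls), len(dedupe(polls))
```

The raw count is what the Orca/Orca Data Ingest Status Dashboard reports; the deduplicated count is what the Alerts and Logs datasets expose.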

Data Review

  1. Review the Orca Resource Sets and Dashboards to confirm the data processed correctly.

  2. The Orca/Orca Data Ingest Status Dashboard assists you with your data collection. It shows raw ingested counts, not deduplicated events, which gives a simple confirmation that data is being successfully ingested into Observe.

You have now configured the Orca Security App and are ready to use this data in Observe.