Orca Security Logs (Beta)
Connecting Orca Security logs in your Panther Console
Overview
Panther ingests Orca Security alerts by configuring a webhook to post events to a Panther HTTP URL.
How to onboard Orca Security logs to Panther
Step 1: Create an Orca Security source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Orca Security,” then click its tile.
On the slide-out panel, click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
For the Auth method, you will be required to use Bearer authentication. This is the only authentication method Orca Security supports.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has been completed.
After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.
Step 2: Create a new Panther integration in Orca Security
In the Orca Security console, navigate to Settings > Integrations.
In the search bar in the upper-right hand corner, search for "Panther," then, on the Panther tile, click Configure.
On the Panther pop-up modal, click Create.
Under Panther Integration, fill in the form fields:
Template Name: Enter a descriptive name, e.g.,
Panther SIEM integration.Trigger URL: Enter the HTTP URL you generated in Panther in Step 1.
API Key: Enter "Bearer" followed by a space, then enter the Bearer token you generated or entered in Panther in Step 1. The complete value should look like:
Bearer SomeTokenHere.(Optional) Under Your Panther template, customize the Body and Custom Header contents by dragging and dropping fields from the Orca Optional Fields section.
Click Next.
In the upper-right hand corner, click Create Template.
Step 3: Automate alert forwarding in Orca Security
From the left-hand navigation bar in the Orca console, select Automations.
From the Orca Suggested Template section, select Forward Alerts via Integrations.
On the Create Query page, update the default Query value as desired.
This query determines which alerts will be forwarded to Panther. You may enter asterisks, use more specific values, or add/remove conditions.
Click Next.
On the Automation Details page, enter an Automation Name.
Click Next.
On the Define Results page, under SIEM/SOAR:
Select Panther.
In the Select Panther Trigger dropdown field, select the Panther integration you created in Step 2.
Click Create.
Panther-managed detections
See Panther-managed rules for Orca Security in the panther-analysis GitHub repository.
Supported log types
Orca.Alert
schema: Orca.Alert
description: Alerts sent from Orca Security
referenceURL: https://orca.security/
fields:
- name: alert_labels
description: Labels or tags associated with the alert for categorization
type: array
element:
type: string
- name: alert_source
required: true
description: The source system or component that generated the alert
type: string
- name: asset_name
required: true
description: The name of the affected asset or resource
type: string
- name: asset_type_string
required: true
description: The type of asset in human-readable format (e.g., VM, container, database)
type: string
- name: asset_unique_id
required: true
description: Unique identifier for the affected asset
type: string
- name: category
required: true
description: The security category of the alert (e.g., vulnerability, misconfiguration)
type: string
- name: cloud_account_id
required: true
description: The cloud account identifier where the issue was detected
type: string
- name: cluster_unique_id
required: true
description: Unique identifier for the cluster if the asset is part of a cluster
type: string
- name: configuration
required: true
description: Configuration details and metadata about the alert
type: object
fields:
- name: comments_count
description: Number of comments added to the alert
type: bigint
- name: status_justification
description: Justification provided for the current status
type: string
- name: status_reason
description: Reason for the current status
type: string
- name: prev_user_status
description: Previous status set by a user
type: string
- name: jira
description: JIRA integration details for this alert
type: json
- name: jira_issue
description: Associated JIRA issue identifier
type: string
- name: jira_issue_link
description: URL link to the associated JIRA issue
type: string
- name: user_orca_score
description: User-defined Orca risk score
type: float
- name: user_score
description: User-defined risk score
type: bigint
- name: service_now_incidents
description: ServiceNow incident details related to this alert
type: json
- name: user_status
description: Status set by a user
type: string
- name: description
required: true
description: Detailed description of the alert
type: string
- name: details
required: true
description: Technical details about the alert
type: string
- name: extra_match_data
description: Additional matching data for pattern-based alerts
type: object
fields:
- name: evidences
description: Evidence supporting the alert detection
type: object
fields:
- name: event_ids
description: List of event IDs related to the evidence
type: array
element:
type: string
- name: pattern_detection_result
description: Results from pattern-based detection
type: object
fields:
- name: cloud_account_id
description: Cloud account ID where the pattern was detected
type: string
- name: detected_event_fingerprints
description: Fingerprints of detected events matching the pattern
type: array
element:
type: object
fields:
- name: common_field
description: Common field used for pattern matching
type: string
indicators:
- aws_arn
- name: epoch_timestamp
description: Timestamp when the event occurred
type: timestamp
timeFormats:
- unix
- name: eventID
description: Unique identifier for the event
type: string
- name: eventName
description: Name of the event that triggered the pattern match
type: string
- name: organization_id
description: Organization ID where the pattern was detected
type: string
- name: pattern
description: Pattern definition that triggered the alert
type: object
fields:
- name: common_field
description: Common field used across pattern detections
type: string
- name: detections
description: List of detection patterns
type: array
element:
type: string
- name: name
description: Name of the pattern
type: string
- name: window_size
description: Time window size for pattern detection
type: bigint
- name: trace_id
description: Trace identifier for tracking the detection process
type: string
- name: group_unique_id
required: true
description: Unique identifier for the group the asset belongs to
type: string
- name: is_compliance
required: true
description: Indicates if the alert is related to compliance
type: boolean
- name: level
required: true
description: Numeric severity level of the alert
type: bigint
- name: live
description: Indicates if the alert is currently active
type: boolean
- name: organization_id
required: true
description: Identifier for the organization
type: string
- name: recommendation
required: true
description: Recommended actions to remediate the issue
type: string
- name: rule_id
required: true
description: Identifier for the rule that triggered the alert
type: string
- name: source
description: Source of the alert data
type: string
- name: state
required: true
description: Current state information about the alert
type: object
fields:
- name: alert_id
description: Unique identifier for the alert
type: string
- name: created_at
description: Timestamp when the alert was created
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: last_seen
description: Timestamp when the issue was last observed
type: timestamp
timeFormats:
- rfc3339
- name: high_since
description: Timestamp since when the alert has been high severity
type: timestamp
timeFormats:
- rfc3339
- name: last_updated
description: Timestamp when the alert was last updated
type: timestamp
timeFormats:
- rfc3339
- name: orca_score
description: Orca security risk score
type: float
- name: risk_level
description: Risk level assessment (e.g., high, medium, low)
type: string
- name: score
description: Numeric risk score
type: float
- name: severity
description: Severity level of the alert
type: string
- name: status
description: Current status of the alert
type: string
- name: status_time
description: Timestamp when the status was last changed
type: timestamp
timeFormats:
- rfc3339
- name: verification_status
description: Status of the verification process
type: string
- name: is_new_score
description: Indicates if the score was recently updated
type: boolean
- name: closed_time
description: Timestamp when the alert was closed
type: timestamp
timeFormats:
- rfc3339
- name: closed_reason
description: Reason for closing the alert
type: string
- name: low_since
description: Timestamp since when the alert has been low severity
type: timestamp
timeFormats:
- rfc3339
- name: in_verification
description: Indicates if the alert is currently being verified
type: boolean
- name: rule_source
description: Source of the rule that triggered the alert
type: string
- name: subject_type
required: true
description: Type of the subject affected by the alert
type: string
- name: type
required: true
description: Type of the alert
type: string
- name: type_key
required: true
description: Key identifier for the alert type
type: string
- name: type_string
required: true
description: Human-readable alert type
type: string
- name: account_name
description: Name of the cloud account
type: string
- name: asset_auto_updates
description: Auto-update configuration for the asset
type: string
- name: asset_availability_zones
description: List of availability zones where the asset is deployed
type: array
element:
type: string
- name: asset_category
description: Category of the affected asset
type: string
- name: asset_distribution_major_version
description: Major version of the OS distribution
type: string
- name: asset_distribution_name
description: Name of the OS distribution
type: string
- name: asset_distribution_version
description: Full version of the OS distribution
type: string
- name: asset_first_private_dnss
description: List of private DNS names for the asset
type: array
element:
type: string
- name: asset_first_private_ips
description: List of private IP addresses for the asset
type: array
element:
type: string
indicators:
- ip
- name: asset_first_public_dnss
description: List of public DNS names for the asset
type: array
element:
type: string
- name: asset_first_public_ips
description: List of public IP addresses for the asset
type: array
element:
type: string
indicators:
- ip
- name: asset_hostname
description: Hostname of the affected asset
type: string
indicators:
- hostname
- name: asset_image_id
description: Image ID used by the asset
type: string
- name: asset_ingress_ports
description: List of ingress ports open on the asset
type: array
element:
type: string
- name: asset_labels
description: Labels or tags associated with the asset
type: array
element:
type: string
- name: asset_num_private_dnss
description: Number of private DNS names for the asset
type: bigint
- name: asset_num_private_ips
description: Number of private IP addresses for the asset
type: bigint
- name: asset_num_public_dnss
description: Number of public DNS names for the asset
type: bigint
- name: asset_num_public_ips
description: Number of public IP addresses for the asset
type: bigint
- name: asset_regions
description: List of cloud regions where the asset is deployed
type: array
element:
type: string
- name: asset_regions_names
description: Human-readable names of regions where the asset is deployed
type: array
element:
type: string
- name: asset_role_names
description: List of IAM role names associated with the asset
type: array
element:
type: string
- name: asset_state
description: Current state of the asset (e.g., running, stopped)
type: string
- name: asset_stopped
description: Indicates if the asset is currently stopped
type: boolean
- name: asset_tags_info_list
description: List of tags associated with the asset
type: array
element:
type: string
- name: asset_type
description: Type of the affected asset
type: string
- name: asset_vendor_id
description: Vendor-specific identifier for the asset
type: string
- name: asset_vpcs
description: List of VPCs the asset is associated with
type: array
element:
type: string
- name: cloud_account_type
description: Type of cloud account (e.g., AWS, Azure, GCP)
type: string
- name: cloud_provider
description: Name of the cloud provider
type: string
- name: cloud_provider_id
description: Identifier for the cloud provider
type: string
indicators:
- aws_account_id
- name: cloud_vendor_id
description: Vendor-specific cloud identifier
type: string
indicators:
- aws_account_id
- name: cluster_name
description: Name of the cluster the asset belongs to
type: string
- name: cluster_type
description: Type of cluster (e.g., Kubernetes, ECS)
type: string
- name: container_id
description: Identifier for the container
type: string
- name: container_image_digest
description: Digest hash of the container image
type: string
- name: container_image_name
description: Name of the container image
type: string
- name: container_image_version
description: Version of the container image
type: string
- name: container_k8s_pod_namespace
description: Kubernetes namespace for the pod
type: string
- name: container_service_name
description: Name of the container service
type: string
- name: context
description: Context information for the alert
type: string
- name: cve_list
description: List of CVE identifiers related to the alert
type: array
element:
type: string
- name: cve_resolved
description: List of resolved CVEs
type: array
element:
type: json
- name: data
description: Additional data related to the alert
type: json
- name: earliest_cve_detection
description: Timestamp of the earliest CVE detection
type: string
- name: findings
description: Detailed findings related to the alert
type: array
element:
type: json
- name: group_name
description: Name of the group the asset belongs to
type: string
- name: group_type
description: Type of the group
type: string
- name: group_type_string
description: Human-readable group type
type: string
- name: group_val
description: Value associated with the group
type: string
- name: is_rule
description: Indicates if the alert was triggered by a rule
type: boolean
- name: k8s_cluster_name
description: Name of the Kubernetes cluster
type: string
- name: max_cvss_score
description: Maximum CVSS score for vulnerabilities in the alert
type: float
- name: organization_name
description: Name of the organization
type: string
- name: related_compliances
description: List of compliance standards related to the alert
type: array
element:
type: string
- name: rule_query
description: Query used by the rule that triggered the alert
type: string
- name: severity_contributing_factors
description: Factors that contributed to the severity assessment
type: array
element:
type: string
- name: severity_reducing_factors
description: Factors that reduced the severity assessment
type: array
element:
type: string
- name: tags_info_list
description: List of tags associated with the alert
type: array
element:
type: string
- name: vm_asset_unique_id
description: Unique identifier for the VM asset
type: string
- name: vm_id
description: Identifier for the virtual machine
type: string
- name: vm_name
description: Name of the virtual machine
type: string
- name: container_image_tags
description: Tags associated with the container image
type: string
- name: image_manifest_annotations
description: Annotations from the image manifest
type: string
- name: image_repository_uri
description: URI of the container image repository
type: string
- name: repository_name
description: Name of the repository
type: string
- name: remediation_cli
description: Command-line instructions for remediation
type: array
element:
type: string
- name: resource_group_name
description: Name of the resource group
type: stringLast updated
Was this helpful?