Orca Security Logs

Connecting Orca Security logs in your Panther Console

Overview

Panther ingests Orca Security alerts by configuring a webhook to post events to a Panther HTTP URL.

How to onboard Orca Security logs to Panther

Step 1: Create an Orca Security source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Orca Security,” then click its tile.

  4. On the slide-out panel, click Start Setup.

    [Screenshot: an arrow points from the "Orca Security" tile in the background to the "Start Setup" button on the "Orca Security" panel in the foreground.]

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • For the Auth method, you will be required to use Bearer authentication. This is the only authentication method Orca Security supports.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has been completed.

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

Step 2: Create a new Panther integration in Orca Security

  1. In the Orca Security console, navigate to Settings > Integrations.

  2. In the search bar in the upper-right corner, search for "Panther," then, on the Panther tile, click Configure.

    [Screenshot: under an "Integrations" header is a Panther box with a "Configure" button.]

  3. On the Panther pop-up modal, click Create.

    [Screenshot: under a "Panther" header is an empty pop-up modal with a "Create" button at the bottom.]

  4. Under Panther Integration, fill in the form fields:

    • Template Name: Enter a descriptive name, e.g., Panther SIEM integration.

    • Trigger URL: Enter the HTTP URL you generated in Panther in Step 1.

    • API Key: Enter "Bearer" followed by a space, then enter the Bearer token you generated or entered in Panther in Step 1. The complete value should look like: Bearer SomeTokenHere.

    • (Optional) Under Your Panther template, customize the Body and Custom Header contents by dragging and dropping fields from the Orca Optional Fields section.

    [Screenshot: under a "Panther Integration" header are form fields including "Template Name" and "Trigger URL."]

  5. Click Next.

  6. In the upper-right corner, click Create Template.
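The value you enter in the API Key field in Step 2 must be exactly the word "Bearer", one space, and the token from Step 1, because the receiving HTTP source checks the Authorization header of every delivery before it parses the payload. The Python below is an added example, not Panther's or Orca's code: a minimal Bearer-authenticated webhook sink that shows why a bare token or a doubled "Bearer Bearer ..." prefix is rejected, and why the comparison should be constant-time. The token, the listen port, the `alert_id` field in the sample body, and the assumption that Orca sends the API Key value as the Authorization header are all constructed for this example; the payload rules Panther actually enforces are in its HTTP source documentation.

```python
# Added example (not Panther's or Orca's code): what a Bearer-authenticated
# webhook sink checks before accepting an event. Token, port and field
# names are constructed for the example.
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample token; stands in for the token entered in Panther in Step 1.
EXPECTED_TOKEN = "SomeTokenHere"


def parse_bearer(header_value):
    """Extract the token from an 'Authorization: Bearer <token>' value.

    Returns None when the header is absent, the scheme is not Bearer, or the
    value has too many parts (e.g. 'Bearer Bearer <token>' from pasting the
    prefix twice) or too few (the bare token with no 'Bearer ' prefix).
    """
    if header_value is None:
        return None
    parts = header_value.strip().split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def authorize(header_value, expected_token=EXPECTED_TOKEN):
    """True only when the header carries exactly the expected token.

    hmac.compare_digest compares in constant time, so the check does not leak
    how many leading characters of a guessed token were correct.
    """
    token = parse_bearer(header_value)
    if token is None:
        return False
    return hmac.compare_digest(token.encode("utf-8"), expected_token.encode("utf-8"))


def evaluate_request(auth_header, body):
    """Decide the response for one delivery: (status, parsed_event_or_None).

    401: bad or missing credentials (checked before the body is parsed).
    400: body is not a JSON object.
    200: accepted.
    """
    if not authorize(auth_header):
        return 401, None
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(event, dict):
        return 400, None
    return 200, event


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP sink wrapping evaluate_request for local testing."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, event = evaluate_request(self.headers.get("Authorization"), body)
        if event is not None:
            print("accepted event with fields:", sorted(event))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Listen locally; post constructed events to http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run the script, then post a constructed event to it with `curl -X POST -H 'Authorization: Bearer SomeTokenHere' -d '{"alert_id": "constructed-1"}' http://127.0.0.1:8080/` to see a 200; repeat with the header omitted or with `Bearer Bearer SomeTokenHere` to see the 401 that a mis-pasted API Key value produces.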

Step 3: Automate alert forwarding in Orca Security

  1. From the left-hand navigation bar in the Orca console, select Automations.

  2. From the Orca Suggested Template section, select Forward Alerts via Integrations.

  3. On the Create Query page, update the default Query value as desired.

    • This query determines which alerts are forwarded to Panther. The asterisks act as wildcards; keep them to forward everything, or replace them with specific values and add/remove conditions to narrow what is sent.

    [Screenshot: under a "Create New Automation From Suggested Template" header is a "Query" field with the value "When an alert Category is * and Provider is * and Orca Risk Level is * and Alert State is *".]

  4. Click Next.

  5. On the Automation Details page, enter an Automation Name.

    [Screenshot: under a "Create New Automation From Suggested Template" header are form fields such as "Scope," "Automation Name," and "Description," with Back and Next buttons in the bottom right corner.]

  6. Click Next.

  7. On the Define Results page, under SIEM/SOAR:

    1. Select Panther.

    2. In the Select Panther Trigger dropdown field, select the Panther integration you created in Step 2.

    [Screenshot: under a "New Automation" header are various checkboxes; the one labeled "Panther" is selected.]

  8. Click Create.

Panther-managed detections

See Panther-managed rules for Orca Security in the panther-analysis GitHub repository.

Supported log types

Orca.AlertEvent

Orca.Alert (Legacy)
