# Orca Security Logs ## Overview Panther ingests [Orca Security ](https://orca.security/)alerts by configuring a webhook to post events to a Panther HTTP URL. ## How to onboard Orca Security logs to Panther ### Step 1: Create an Orca Security source in Panther 1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**. 2. Click **Create New**. 3. Search for “Orca Security,” then click its tile. 4. On the slide-out panel, click **Start Setup**.

An arrow is drawn from an "Orca Security" tile in the background to a "Start Setup" button on an "Orca Security" panel in the foreground.

5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5. * For the **Auth method**, you will be required to use [Bearer authentication](https://docs.panther.com/data-transports/http#bearer). This is the only authentication method Orca Security supports. * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements). * Do not proceed to the next step until the creation of your HTTP endpoint has been completed. After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps. ### Step 2: Create a new Panther integration in Orca Security 1. In the Orca Security console, navigate to **Settings** > **Integrations**. 2. In the search bar in the upper-right hand corner, search for "Panther," then, on the **Panther** tile, click **Configure**.

Under an "Integrations" header is a Panther box. There is a "Configure" button.

3. On the **Panther** pop-up modal, click **Create**.

Under a "Panther" header is an empty pop-up modal. There is a "Create" button at the bottom.

4. Under **Panther Integration**, fill in the form fields: * **Template Name**: Enter a descriptive name, e.g., `Panther SIEM integration`. * **Trigger URL**: Enter the HTTP URL you generated in Panther in [Step 1](#step-1-create-an-orca-security-source-in-panther). * **API Key**: Enter "Bearer" followed by a space, then enter the Bearer token you generated or entered in Panther in [Step 1](#step-1-create-an-orca-security-source-in-panther). The complete value should look like: `Bearer SomeTokenHere`. * (Optional) Under **Your Panther template**, customize the **Body** and **Custom Header** contents by dragging and dropping fields from the **Orca Optional Fields** section.

Under a "Panther Integration" header, there are various form fields, including "Template Name" and "Trigger URL."

5. Click **Next**. 6. In the upper-right hand corner, click **Create Template**. ### Step 3: Automate alert forwarding in Orca Security 1. From the left-hand navigation bar in the Orca console, select **Automations**. 2. From the **Orca Suggested Template** section, select **Forward Alerts via Integrations**. 3. On the **Create Query** page, update the default **Query** value as desired. * This query determines which alerts will be forwarded to Panther. You may enter asterisks, use more specific values, or add/remove conditions.

Under a "Create New Automation From Suggested Template" is a "Query" field. Its value is, "When an alert Category is * and Provider is * and Orca Risk Level is * and Alert State is *"

4. Click **Next**. 5. On the **Automation Details** page, enter an **Automation Name**.

Under a "Create New Automation From Suggested Template" header are various form fields, like "Scope," "Automation Name," and "Description." In the bottom right corner are two buttons: Back and Next.

6. Click **Next**. 7. On the **Define Results** page, under **SIEM/SOAR**: 1. Select **Panther**. 2. In the **Select Panther Trigger** dropdown field, select the Panther integration you created in Step 2.

Under a "New Automation" header, there are various checkboxes. One checkbox with the label "Panther" is selected.

8. Click **Create**. ## Panther-managed detections See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Orca Security in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/orca_rules). ## Supported log types {% hint style="warning" %} Starting January 1, 2026, Orca Security will be discontinuing support for their `Orca.Alert` schema, replacing it with `Orca.AlertEvent`. Please update your integration to use the new `Orca.AlertEvent` schema before January 2026. For details about the new format, see the [Orca Security documentation](https://docs.orcasecurity.io/docs/2025-10-29-changes-to-alert-fields-for-integrations-in-the-serving-layer). {% endhint %} ### Orca.AlertEvent ```yaml schema: Orca.AlertEvent description: Alerts sent from Orca Security (New Format) referenceURL: https://orca.security/ fields: - name: version required: true description: Version of the alert data format type: string - name: data required: true description: Alert data payload type: object fields: - name: account_id description: The cloud account identifier where the issue was detected type: string indicators: - aws_account_id - name: account_name description: Name of the cloud account type: string - name: cloud_provider description: Name of the cloud provider (e.g., aws, azure, gcp) type: string - name: cloud_provider_id description: Identifier for the cloud provider type: string - name: alert_id description: Unique identifier for the alert type: string - name: alert_labels description: Labels or tags associated with the alert for categorization type: array element: type: string - name: alert_category required: true description: The security category of the alert (e.g., Vulnerabilities, Misconfigurations) type: string - name: created_at required: true description: Timestamp when the alert was created type: timestamp timeFormats: - rfc3339 - '%Y-%m-%dT%H:%M:%S' isEventTime: true - name: remediation_cli description: Command-line instructions for remediation type: array element: type: string - name: remediation_console description: Console-based remediation instructions type: array element: type: string - name: description required: true description: Detailed description of the alert type: string - name: details required: true description: Technical details about the alert type: string - name: orca_score description: Orca security risk score type: float - name: recommendation required: true description: Recommended actions to remediate the issue type: string - name: risk_level description: Risk level assessment (e.g., high, medium, low, critical) type: string - name: source description: Source of the alert data (e.g., software package name) type: string - name: status description: Current status of the alert (e.g., open, closed, resolved) type: string - name: type required: true description: Type of the alert (e.g., Vulnerable Software, Misconfiguration) type: string - name: last_seen description: Timestamp when the issue was last observed type: timestamp timeFormats: - rfc3339 - '%Y-%m-%dT%H:%M:%S' - name: last_updated description: Timestamp when the alert was last updated type: timestamp timeFormats: - rfc3339 - '%Y-%m-%dT%H:%M:%S' - name: max_cvss_score description: Maximum CVSS score for vulnerabilities in the alert type: float - name: rule_type description: Type of rule that triggered the alert type: string - name: auto_remediation_actions description: Automated remediation actions available for this alert type: array element: type: string - name: asset_hostname description: Hostname of the affected asset type: string indicators: - hostname - name: asset_name required: true description: The name of the affected asset or resource type: string - name: asset_state description: Current state of the asset (e.g., running, stopped) type: string - name: asset_tags description: Tags associated with the asset as key-value pairs type: json - name: asset_type required: true description: Type of the affected asset (e.g., vm, container, database) type: string - name: asset_unique_id required: true description: Unique identifier for the affected asset type: string - name: asset_vpcs description: List of VPCs the asset is associated with type: array element: type: string - name: cluster_name description: Name of the cluster the asset belongs to type: string - name: cluster_type description: Type of cluster (e.g., Kubernetes, ECS) type: string - name: custom_tags description: Custom tags associated with the alert type: json - name: vm_id description: Identifier for the virtual machine type: string - name: asset_category description: Category of the affected asset (e.g., VM, Container) type: string - name: asset_labels description: Labels or tags associated with the asset type: array element: type: string - name: resource_group_name description: Name of the resource group type: string - name: asset_regions description: List of cloud regions where the asset is deployed type: array element: type: string - name: cve_list description: List of CVE identifiers related to the alert type: array element: type: string indicators: - cve - name: related_compliances description: List of compliance standards related to the alert type: array element: type: string - name: findings description: Detailed findings related to the alert type: json - name: alert_ui_link description: URL link to view the alert in the Orca Security UI type: string indicators: - url ``` ### Orca.Alert (Legacy) {% hint style="warning" %} Starting January 1, 2026, Orca Security will be discontinuing support for their `Orca.Alert` schema, replacing it with `Orca.AlertEvent`. Please update your integration to use the new `Orca.AlertEvent` schema before January 2026. For details about the new format, see the [Orca Security documentation](https://docs.orcasecurity.io/docs/2025-10-29-changes-to-alert-fields-for-integrations-in-the-serving-layer). {% endhint %} ```yaml schema: Orca.Alert description: Alerts sent from Orca Security referenceURL: https://orca.security/ fields: - name: alert_labels description: Labels or tags associated with the alert for categorization type: array element: type: string - name: alert_source required: true description: The source system or component that generated the alert type: string - name: asset_name required: true description: The name of the affected asset or resource type: string - name: asset_type_string required: true description: The type of asset in human-readable format (e.g., VM, container, database) type: string - name: asset_unique_id required: true description: Unique identifier for the affected asset type: string - name: category required: true description: The security category of the alert (e.g., vulnerability, misconfiguration) type: string - name: cloud_account_id required: true description: The cloud account identifier where the issue was detected type: string - name: cluster_unique_id required: true description: Unique identifier for the cluster if the asset is part of a cluster type: string - name: configuration required: true description: Configuration details and metadata about the alert type: object fields: - name: comments_count description: Number of comments added to the alert type: bigint - name: status_justification description: Justification provided for the current status type: string - name: status_reason description: Reason for the current status type: string - name: prev_user_status description: Previous status set by a user type: string - name: jira description: JIRA integration details for this alert type: json - name: jira_issue description: Associated JIRA issue identifier type: string - name: jira_issue_link description: URL link to the associated JIRA issue type: string - name: user_orca_score description: User-defined Orca risk score type: float - name: user_score description: User-defined risk score type: bigint - name: service_now_incidents description: ServiceNow incident details related to this alert type: json - name: user_status description: Status set by a user type: string - name: description required: true description: Detailed description of the alert type: string - name: details required: true description: Technical details about the alert type: string - name: extra_match_data description: Additional matching data for pattern-based alerts type: object fields: - name: evidences description: Evidence supporting the alert detection type: object fields: - name: event_ids description: List of event IDs related to the evidence type: array element: type: string - name: pattern_detection_result description: Results from pattern-based detection type: object fields: - name: cloud_account_id description: Cloud account ID where the pattern was detected type: string - name: detected_event_fingerprints description: Fingerprints of detected events matching the pattern type: array element: type: object fields: - name: common_field description: Common field used for pattern matching type: string indicators: - aws_arn - name: epoch_timestamp description: Timestamp when the event occurred type: timestamp timeFormats: - unix - name: eventID description: Unique identifier for the event type: string - name: eventName description: Name of the event that triggered the pattern match type: string - name: organization_id description: Organization ID where the pattern was detected type: string - name: pattern description: Pattern definition that triggered the alert type: object fields: - name: common_field description: Common field used across pattern detections type: string - name: detections description: List of detection patterns type: array element: type: string - name: name description: Name of the pattern type: string - name: window_size description: Time window size for pattern detection type: bigint - name: trace_id description: Trace identifier for tracking the detection process type: string - name: group_unique_id required: true description: Unique identifier for the group the asset belongs to type: string - name: is_compliance required: true description: Indicates if the alert is related to compliance type: boolean - name: level required: true description: Numeric severity level of the alert type: bigint - name: live description: Indicates if the alert is currently active type: boolean - name: organization_id required: true description: Identifier for the organization type: string - name: recommendation required: true description: Recommended actions to remediate the issue type: string - name: rule_id required: true description: Identifier for the rule that triggered the alert type: string - name: source description: Source of the alert data type: string - name: state required: true description: Current state information about the alert type: object fields: - name: alert_id description: Unique identifier for the alert type: string - name: created_at description: Timestamp when the alert was created type: timestamp timeFormats: - rfc3339 isEventTime: true - name: last_seen description: Timestamp when the issue was last observed type: timestamp timeFormats: - rfc3339 - name: high_since description: Timestamp since when the alert has been high severity type: timestamp timeFormats: - rfc3339 - name: last_updated description: Timestamp when the alert was last updated type: timestamp timeFormats: - rfc3339 - name: orca_score description: Orca security risk score type: float - name: risk_level description: Risk level assessment (e.g., high, medium, low) type: string - name: score description: Numeric risk score type: float - name: severity description: Severity level of the alert type: string - name: status description: Current status of the alert type: string - name: status_time description: Timestamp when the status was last changed type: timestamp timeFormats: - rfc3339 - name: verification_status description: Status of the verification process type: string - name: is_new_score description: Indicates if the score was recently updated type: boolean - name: closed_time description: Timestamp when the alert was closed type: timestamp timeFormats: - rfc3339 - name: closed_reason description: Reason for closing the alert type: string - name: low_since description: Timestamp since when the alert has been low severity type: timestamp timeFormats: - rfc3339 - name: in_verification description: Indicates if the alert is currently being verified type: boolean - name: rule_source description: Source of the rule that triggered the alert type: string - name: subject_type required: true description: Type of the subject affected by the alert type: string - name: type required: true description: Type of the alert type: string - name: type_key required: true description: Key identifier for the alert type type: string - name: type_string required: true description: Human-readable alert type type: string - name: account_name description: Name of the cloud account type: string - name: asset_auto_updates description: Auto-update configuration for the asset type: string - name: asset_availability_zones description: List of availability zones where the asset is deployed type: array element: type: string - name: asset_category description: Category of the affected asset type: string - name: asset_distribution_major_version description: Major version of the OS distribution type: string - name: asset_distribution_name description: Name of the OS distribution type: string - name: asset_distribution_version description: Full version of the OS distribution type: string - name: asset_first_private_dnss description: List of private DNS names for the asset type: array element: type: string - name: asset_first_private_ips description: List of private IP addresses for the asset type: array element: type: string indicators: - ip - name: asset_first_public_dnss description: List of public DNS names for the asset type: array element: type: string - name: asset_first_public_ips description: List of public IP addresses for the asset type: array element: type: string indicators: - ip - name: asset_hostname description: Hostname of the affected asset type: string indicators: - hostname - name: asset_image_id description: Image ID used by the asset type: string - name: asset_ingress_ports description: List of ingress ports open on the asset type: array element: type: string - name: asset_labels description: Labels or tags associated with the asset type: array element: type: string - name: asset_num_private_dnss description: Number of private DNS names for the asset type: bigint - name: asset_num_private_ips description: Number of private IP addresses for the asset type: bigint - name: asset_num_public_dnss description: Number of public DNS names for the asset type: bigint - name: asset_num_public_ips description: Number of public IP addresses for the asset type: bigint - name: asset_regions description: List of cloud regions where the asset is deployed type: array element: type: string - name: asset_regions_names description: Human-readable names of regions where the asset is deployed type: array element: type: string - name: asset_role_names description: List of IAM role names associated with the asset type: array element: type: string - name: asset_state description: Current state of the asset (e.g., running, stopped) type: string - name: asset_stopped description: Indicates if the asset is currently stopped type: boolean - name: asset_tags_info_list description: List of tags associated with the asset type: array element: type: string - name: asset_type description: Type of the affected asset type: string - name: asset_vendor_id description: Vendor-specific identifier for the asset type: string - name: asset_vpcs description: List of VPCs the asset is associated with type: array element: type: string - name: cloud_account_type description: Type of cloud account (e.g., AWS, Azure, GCP) type: string - name: cloud_provider description: Name of the cloud provider type: string - name: cloud_provider_id description: Identifier for the cloud provider type: string indicators: - aws_account_id - name: cloud_vendor_id description: Vendor-specific cloud identifier type: string indicators: - aws_account_id - name: cluster_name description: Name of the cluster the asset belongs to type: string - name: cluster_type description: Type of cluster (e.g., Kubernetes, ECS) type: string - name: container_id description: Identifier for the container type: string - name: container_image_digest description: Digest hash of the container image type: string - name: container_image_name description: Name of the container image type: string - name: container_image_version description: Version of the container image type: string - name: container_k8s_pod_namespace description: Kubernetes namespace for the pod type: string - name: container_service_name description: Name of the container service type: string - name: context description: Context information for the alert type: string - name: cve_list description: List of CVE identifiers related to the alert type: array element: type: string - name: cve_resolved description: List of resolved CVEs type: array element: type: json - name: data description: Additional data related to the alert type: json - name: earliest_cve_detection description: Timestamp of the earliest CVE detection type: string - name: findings description: Detailed findings related to the alert type: array element: type: json - name: group_name description: Name of the group the asset belongs to type: string - name: group_type description: Type of the group type: string - name: group_type_string description: Human-readable group type type: string - name: group_val description: Value associated with the group type: string - name: is_rule description: Indicates if the alert was triggered by a rule type: boolean - name: k8s_cluster_name description: Name of the Kubernetes cluster type: string - name: max_cvss_score description: Maximum CVSS score for vulnerabilities in the alert type: float - name: organization_name description: Name of the organization type: string - name: related_compliances description: List of compliance standards related to the alert type: array element: type: string - name: rule_query description: Query used by the rule that triggered the alert type: string - name: severity_contributing_factors description: Factors that contributed to the severity assessment type: array element: type: string - name: severity_reducing_factors description: Factors that reduced the severity assessment type: array element: type: string - name: tags_info_list description: List of tags associated with the alert type: array element: type: string - name: vm_asset_unique_id description: Unique identifier for the VM asset type: string - name: vm_id description: Identifier for the virtual machine type: string - name: vm_name description: Name of the virtual machine type: string - name: container_image_tags description: Tags associated with the container image type: string - name: image_manifest_annotations description: Annotations from the image manifest type: string - name: image_repository_uri description: URI of the container image repository type: string - name: repository_name description: Name of the repository type: string - name: remediation_cli description: Command-line instructions for remediation type: array element: type: string - name: resource_group_name description: Name of the resource group type: string ```