Orca Security

About

The Orca platform enables security teams to fully support digital transformation initiatives with security purpose-built for the cloud. The agentless design deploys across your cloud estate in minutes, automatically discovers new assets as your environment expands, and has zero impact on your workloads.

Product Details

Vendor URL: Orca Security: Complete Cloud Infrastructure Security

Product Type: CASB

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Orca SIEM Integration

Log Guide: View Reports and Export Data From Orca

Parser Details

Log Format: JSON

Expected Normalization Rate: 75%

Data Label: ORCA

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                  UDM Field
account_name                                    principal.hostname
alert_labels                                    security_result.category_details
asset_availability_zones                        principal.cloud.availability_zone
asset_distribution_name                         principal.asset.software.name
asset_distribution_version                      principal.asset.software.version
asset_first_private_ips                         principal.ip
asset_name                                      principal.hostname
asset_regions                                   principal.asset.location.country_or_region
asset_unique_id                                 principal.asset.product_object_id
category                                        security_result.summary
cloud_provider                                  principal.cloud.environment
description                                     security_result.description
details                                         metadata.description
findings.cve.0.cve_id                           extensions.vulns.vulnerabilities.cve_id
findings.cve.0.cvss3_score                      extensions.vulns.vulnerabilities.cvss_base_score
findings.cve.0.cvss3_vector                     extensions.vulns.vulnerabilities.cvss_vector
findings.cve.0.exploits.0.description           extensions.vulns.vulnerabilities.cve_description
findings.cve.0.source_link                      security_result.about.url
model.data.Compute.OsSupportInfoSite            security_result.about.url
model.data.GcpIamServiceAccount.DisplayName     principal.user.userid
model.data.GcpIamServiceAccount.Email           principal.user.email_addresses
rule_id                                         security_result.rule_id
state.created_at                                extensions.vulns.vulnerabilities.first_found
state.last_seen                                 extensions.vulns.vulnerabilities.last_found
state.severity                                  security_result.severity
state.status_time                               metadata.event_timestamp
Statically Defined                              security_result.alert_state
Statically Defined                              security_result.confidence
Statically Defined                              security_result.priority
type                                            metadata.product_event_type

Note that only the first CVE of an alert (findings.cve.0) and its first exploit entry (exploits.0) are mapped; further entries in those arrays are not carried into the UDM event.

Product Event Types

type,subtype        severity    UDM Event Classification    alerting enabled
Orca Category                   SCAN_HOST                   YES
Default                         GENERIC_EVENT               YES

Log Sample

{"account_name":"principal_hostname","alert_labels":["denial_of_service","easy_exploitation","fix_available","mitre: impact"],"asset_availability_zones":["cloud_zone"],"asset_category":"Container","asset_distribution_major_version":"3.15","asset_distribution_name":"software_name","asset_distribution_version":"3.15.0","asset_first_private_ips":["10.0.0.34"],"asset_labels":["internet_facing"],"asset_name":"asset_name1234","asset_num_private_ips":1,"asset_regions":["principal_location"],"asset_regions_names":["region_name"],"asset_role_names":["role_name"],"asset_state":"running","asset_type":"container","asset_type_string":"Container","asset_unique_id":"product_id_1234567890","asset_vpcs":["principal_hostname/global/networks/company_name","principal_hostname/regions/principal_location/subnetworks/primary-principal_location"],"category":"Vulnerabilities","cloud_account_id":"cloudid1234567890","cloud_provider":"gcp","cloud_provider_id":"principal_hostname","cloud_vendor_id":"principal_hostname","cluster_name":"cluster_name","cluster_type":"gke","cluster_unique_id":"gke_principal_hostname_1234567890","configuration":{},"container_image_name":"domain.name/principal_hostname/user-management-frontend","container_k8s_pod_namespace":"dev","container_service_name":"role_name","context":"data","cve_list":["CVE-2022-0778"],"description":"A newly disclosed security flaw in OpenSSL could lead to a denial-of-service (DoS) condition when parsing certificates.\nIt is highly recommended to patch.","details":"We have found that the system is vulnerable to a recently disclosed / high profile vulnerability in OpenSSL","findings":{"cve":[{"affected_packages":["libretls"],"cve_id":"CVE-2022-0778","cvss3_score":7.5,"cvss3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","exploits":[{"description":"Proof of concept for CVE-2022-0778, which triggers an infinite loop in parsing X.509 certificates due to a bug in BN_mod_sqrt","url":"https://github.com/drago-96/CVE-2022-0778"}],"fix_available":true,"fix_available_state":"Yes","labels":["denial_of_service","easy_exploitation","fix_available"],"nvd":{},"packages":[{"installed_version":"3.3.4-r2","package_name":"libretls","patched_version":"3.3.4-r3"}],"published":"2022-03-15T17:15:00+00:00","score":4,"severity":"informational","source_link":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778","summary":"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.\nThus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).","type":"cve","vendor_source_link":""}],"cve_description":[{"description":"A newly disclosed security flaw in OpenSSL versions 1.0.2, 1.1.1 and 3.0 could lead to a denial-of-service (DoS) condition when parsing certificates.\nIt is highly recommended to patch.","references":["https://thehackernews.com/2022/03/new-infinite-loop-bug-in-openssl-could.html","https://nvd.nist.gov/vuln/detail/CVE-2022-0778"],"type":"cve_description"}]},"frameworks":[],"group_name":"asset_name1234","group_type":"container","group_type_string":"Container","group_unique_id":"product_id_1234567890","group_val":"group","is_compliance":false,"level":0,"organization_id":"a99240ce-ea43-43d4-bfe1-ed98ce12877b","organization_name":"company_name","recommendation":"Patch the system or apply immediate mitigations","rule_id":"rid1234567890","severity_contributing_factors":["The resource is publicly ecompany_namesed to the internet"],"source":"OpenSSL Infinite Loop Bug","state":{"alert_id":"orca-2169296","created_at":"2022-03-21T19:03:03+00:00","high_since":"2022-03-21T19:34:10+00:00","in_verification":false,"last_seen":"2022-03-21T19:03:03+00:00","last_updated":"2022-03-21T19:03:03+00:00","low_since":null,"score":3,"severity":"hazardous","status":"open","status_time":"2022-03-21T19:03:03+00:00","verification_status":null},"subject_type":"vmcontainer_principal_hostname_1234567890123456789_123456789012","type":"trending_cve","type_key":"trending_cve_2022_0778","type_string":"High Profile / Trending Vulnerability"}

Sample Parsing

metadata.event_timestamp = "2022-03-21T19:03:03Z"
metadata.event_type = "SCAN_HOST"
metadata.vendor_name = "Orca"
metadata.product_event_type = "trending_cve"
metadata.description = "We have found that the system is vulnerable to a recently disclosed / high profile vulnerability in OpenSSL"
principal.hostname = "principal_hostname"
principal.ip = "10.0.0.34"
principal.cloud.environment = "GOOGLE_CLOUD_PLATFORM"
principal.cloud.availability_zone = "cloud_zone"
principal.asset.product_object_id = "product_id_1234567890"
principal.asset.hostname = "asset_hostname"
principal.asset.ip = "10.0.0.34"
principal.asset.location.country_or_region = "principal_location"
principal.asset.software.name = "software_name"
principal.asset.software.version = "3.15.0"
security_result.about.url = "https://nvd.nist.gov/vuln/detail/CVE-2022-0778"
security_result.category_details = "denial_of_service"
security_result.category_details = "easy_exploitation"
security_result.category_details = "fix_available"
security_result.category_details = "mitre: impact"
security_result.summary = "Vulnerabilities"
security_result.description = "A newly disclosed security flaw in OpenSSL could lead to a denial-of-service (DoS) condition when parsing certificates. It is highly recommended to patch."
security_result.severity = "LOW"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.rule_id = "rid1234567890"
security_result.alert_state = "ALERTING"
extensions.vulns.vulnerabilities.cvss_base_score = "7.5"
extensions.vulns.vulnerabilities.cvss_vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
extensions.vulns.vulnerabilities.cve_id = "CVE-2022-0778"
extensions.vulns.vulnerabilities.cve_description = "Proof of concept for CVE-2022-0778, which triggers an infinite loop in parsing X.509 certificates due to a bug in BN_mod_sqrt"
extensions.vulns.vulnerabilities.first_found = "2022-03-21T19:03:03Z"
extensions.vulns.vulnerabilities.last_found = "2022-03-21T19:03:03Z"

Parser Alerting

Parser-based alerting is enabled for events whose state.severity is hazardous; such events are emitted with security_result.alert_state = ALERTING.
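The following is an added example, not the page's, Orca's or Chronicle's own parser code. It applies the field mapping from the UDM Fields table and the Parser Alerting rule to one Orca JSON alert line and produces the flat field/value pairs shown under Sample Parsing. The input record is a constructed, trimmed copy of the page's log sample. The only enumeration values used are the ones the page shows (gcp maps to GOOGLE_CLOUD_PLATFORM, hazardous maps to LOW); the fallbacks for other providers and severities are assumptions based on the UDM default enum members, and where both account_name and asset_name map to principal.hostname the example keeps account_name, which is what Sample Parsing shows.

```python
import json
from datetime import datetime, timezone

# Constructed input: a trimmed copy of the page's Orca log sample (one JSON line).
SAMPLE_ALERT = json.dumps({
    "account_name": "principal_hostname",
    "alert_labels": ["denial_of_service", "easy_exploitation", "fix_available", "mitre: impact"],
    "asset_availability_zones": ["cloud_zone"],
    "asset_distribution_name": "software_name",
    "asset_distribution_version": "3.15.0",
    "asset_first_private_ips": ["10.0.0.34"],
    "asset_name": "asset_name1234",
    "asset_regions": ["principal_location"],
    "asset_unique_id": "product_id_1234567890",
    "category": "Vulnerabilities",
    "cloud_provider": "gcp",
    "description": "A newly disclosed security flaw in OpenSSL could lead to a "
                   "denial-of-service (DoS) condition when parsing certificates.\n"
                   "It is highly recommended to patch.",
    "details": "We have found that the system is vulnerable to a recently disclosed / "
               "high profile vulnerability in OpenSSL",
    "findings": {"cve": [{
        "cve_id": "CVE-2022-0778", "cvss3_score": 7.5,
        "cvss3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "exploits": [{"description": "Proof of concept for CVE-2022-0778, which triggers an "
                                     "infinite loop in parsing X.509 certificates due to a bug in BN_mod_sqrt"}],
        "source_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778"}]},
    "rule_id": "rid1234567890",
    "state": {"created_at": "2022-03-21T19:03:03+00:00", "last_seen": "2022-03-21T19:03:03+00:00",
              "severity": "hazardous", "status_time": "2022-03-21T19:03:03+00:00"},
    "type": "trending_cve",
})

# (log field path, UDM field) pairs copied from the page's mapping table. Only
# findings.cve.0 / exploits.0 are mapped, exactly as the table lists them.
FIELD_MAP = [
    ("account_name", "principal.hostname"),
    ("alert_labels", "security_result.category_details"),
    ("asset_availability_zones.0", "principal.cloud.availability_zone"),
    ("asset_distribution_name", "principal.asset.software.name"),
    ("asset_distribution_version", "principal.asset.software.version"),
    ("asset_first_private_ips", "principal.ip"),
    ("asset_regions.0", "principal.asset.location.country_or_region"),
    ("asset_unique_id", "principal.asset.product_object_id"),
    ("category", "security_result.summary"),
    ("details", "metadata.description"),
    ("findings.cve.0.cve_id", "extensions.vulns.vulnerabilities.cve_id"),
    ("findings.cve.0.cvss3_vector", "extensions.vulns.vulnerabilities.cvss_vector"),
    ("findings.cve.0.exploits.0.description", "extensions.vulns.vulnerabilities.cve_description"),
    ("findings.cve.0.source_link", "security_result.about.url"),
    ("rule_id", "security_result.rule_id"),
    ("type", "metadata.product_event_type"),
]
# Enum values shown in the page's Sample Parsing; the fallbacks below are assumptions.
CLOUD_ENV = {"gcp": "GOOGLE_CLOUD_PLATFORM"}
SEVERITY = {"hazardous": "LOW"}

def lookup(rec, path):
    """Resolve a dotted path such as findings.cve.0.cve_id; None if any step is missing."""
    cur = rec
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur

def udm_timestamp(ts):
    """Orca emits RFC 3339 with a +00:00 offset; the UDM output uses the Z form."""
    if not ts:
        return None
    return datetime.fromisoformat(ts).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def normalize(raw_line):
    """Turn one Orca JSON alert line into a flat dict of UDM field -> value."""
    rec = json.loads(raw_line)
    udm = {"metadata.vendor_name": "Orca",
           # Product Event Types table: a record with an Orca category is SCAN_HOST, else GENERIC_EVENT.
           "metadata.event_type": "SCAN_HOST" if rec.get("category") else "GENERIC_EVENT",
           # Statically defined fields from the mapping table.
           "security_result.alert_state": "ALERTING",
           "security_result.confidence": "HIGH_CONFIDENCE",
           "security_result.priority": "HIGH_PRIORITY"}
    for src, dst in FIELD_MAP:
        val = lookup(rec, src)
        if val not in (None, "", []):
            udm[dst] = val
    # description carries an embedded newline; Sample Parsing shows it collapsed to one line.
    if rec.get("description"):
        udm["security_result.description"] = " ".join(rec["description"].split())
    score = lookup(rec, "findings.cve.0.cvss3_score")
    if score is not None:
        udm["extensions.vulns.vulnerabilities.cvss_base_score"] = str(score)
    if rec.get("cloud_provider"):
        udm["principal.cloud.environment"] = CLOUD_ENV.get(rec["cloud_provider"], "UNSPECIFIED_CLOUD_ENVIRONMENT")
    if lookup(rec, "state.severity"):
        udm["security_result.severity"] = SEVERITY.get(rec["state"]["severity"], "UNKNOWN_SEVERITY")
    for src, dst in (("state.status_time", "metadata.event_timestamp"),
                     ("state.created_at", "extensions.vulns.vulnerabilities.first_found"),
                     ("state.last_seen", "extensions.vulns.vulnerabilities.last_found")):
        ts = udm_timestamp(lookup(rec, src))
        if ts:
            udm[dst] = ts
    return udm

def should_alert(raw_line):
    """Parser Alerting rule from the page: alert only when state.severity is hazardous."""
    return lookup(json.loads(raw_line), "state.severity") == "hazardous"

if __name__ == "__main__":
    for field, value in normalize(SAMPLE_ALERT).items():
        print(f"{field} = {value!r}")
    print("alert:", should_alert(SAMPLE_ALERT))
```

Running the block prints the same field/value pairs as the Sample Parsing section for the trimmed record. Two points worth checking against your own Orca feed: an alert that carries several CVEs loses all but the first (the mapping table only lists findings.cve.0), and an alert whose state.severity is anything other than hazardous still produces a security_result but does not trip parser-based alerting.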