Orca Security¶
About¶
The Orca platform enables security teams to fully support digital transformation initiatives with security purpose-built for the cloud. The agentless design deploys across your cloud estate in minutes, automatically discovers new assets as your environment expands, and has zero impact on your workloads.
Product Details¶
Vendor URL: Orca Security: Complete Cloud Infrastructure Security
Product Type: CASB
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Orca SIEM Integration
Log Guide: View Reports and Export Data From Orca
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 75%
Data Label: ORCA
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| account_name | principal.hostname |
| alert_labels | security_result.category_details |
| asset_availability_zones | principal.cloud.availability_zone |
| asset_distribution_name | principal.asset.software.name |
| asset_distribution_version | principal.asset.software.version |
| asset_first_private_ips | principal.ip |
| asset_name | principal.hostname |
| asset_regions | principal.asset.location.country_or_region |
| asset_unique_id | principal.asset.product_object_id |
| category | security_result.summary |
| cloud_provider | principal.cloud.environment |
| description | security_result.description |
| details | metadata.description |
| findings.cve.0.cve_id | extensions.vulns.vulnerabilities.cve_id |
| findings.cve.0.cvss3_score | extensions.vulns.vulnerabilities.cvss_base_score |
| findings.cve.0.cvss3_vector | extensions.vulns.vulnerabilities.cvs_vector |
| findings.cve.0.exploits.0.description | extensions.vulns.vulnerabilities.cve_description |
| findings.cve.0.source_link | security_result.about.url |
| model.data.Compute.OsSupportInfoSite | security_result.about.url |
| model.data.GcpIamServiceAccount.DisplayName | principal.user.userid |
| model.data.GcpIamServiceAccount.Email | principal.user.email_addresses |
| rule_id | security_result.rule_id |
| state.created_at | extensions.vulns.vulnerabilities.first_found |
| state.last_seen | extensions.vulns.vulnerabilities.last_found |
| state.severity | security_result.severity |
| state.status_time | event.timestamp |
| Statically Defined | security_result.alert_state |
| Statically Defined | security_result.confidence |
| Statically Defined | security_result.priority |
| type | metadata.product_event_type |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Orca Category | SCAN_HOST | YES | |
| Default | GENERIC_EVENT | YES |
Log Sample¶
{"account_name":"principal_hostname","alert_labels":["denial_of_service","easy_exploitation","fix_available","mitre: impact"],"asset_availability_zones":["cloud_zone"],"asset_category":"Container","asset_distribution_major_version":"3.15","asset_distribution_name":"software_name","asset_distribution_version":"3.15.0","asset_first_private_ips":["10.0.0.34"],"asset_labels":["internet_facing"],"asset_name":"asset_name1234","asset_num_private_ips":1,"asset_regions":["principal_location"],"asset_regions_names":["region_name"],"asset_role_names":["role_name"],"asset_state":"running","asset_type":"container","asset_type_string":"Container","asset_unique_id":"product_id_1234567890","asset_vpcs":["principal_hostname/global/networks/company_name","principal_hostname/regions/principal_location/subnetworks/primary-principal_location"],"category":"Vulnerabilities","cloud_account_id":"cloudid1234567890","cloud_provider":"gcp","cloud_provider_id":"principal_hostname","cloud_vendor_id":"principal_hostname","cluster_name":"cluster_name","cluster_type":"gke","cluster_unique_id":"gke_principal_hostname_1234567890","configuration":{},"container_image_name":"domain.name/principal_hostname/user-management-frontend","container_k8s_pod_namespace":"dev","container_service_name":"role_name","context":"data","cve_list":["CVE-2022-0778"],"description":"A newly disclosed security flaw in OpenSSL could lead to a denial-of-service (DoS) condition when parsing certificates. It is highly recommended to patch.","details":"We have found that the system is vulnerable to a recently disclosed / high profile vulnerability in OpenSSL","findings":{"cve":[{"affected_packages":["libretls"],"cve_id":"CVE-2022-0778","cvss3_score":7.5,"cvss3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","exploits":[{"description":"Proof of concept for CVE-2022-0778, which triggers an infinite loop in parsing X.509 certificates due to a bug in BN_mod_sqrt","url":"https://github.com/drago-96/CVE-2022-0778"}],"fix_available":true,"fix_available_state":"Yes","labels":["denial_of_service","easy_exploitation","fix_available"],"nvd":{},"packages":[{"installed_version":"3.3.4-r2","package_name":"libretls","patched_version":"3.3.4-r3"}],"published":"2022-03-15T17:15:00+00:00","score":4,"severity":"informational","source_link":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778","summary":"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).","type":"cve","vendor_source_link":""}],"cve_description":[{"description":"A newly disclosed security flaw in OpenSSL versions 1.0.2, 1.1.1 and 3.0 could lead to a denial-of-service (DoS) condition when parsing certificates. It is highly recommended to patch.","references":["https://thehackernews.com/2022/03/new-infinite-loop-bug-in-openssl-could.html","https://nvd.nist.gov/vuln/detail/CVE-2022-0778"],"type":"cve_description"}]},"frameworks":[],"group_name":"asset_name1234","group_type":"container","group_type_string":"Container","group_unique_id":"product_id_1234567890","group_val":"group","is_compliance":false,"level":0,"organization_id":"a99240ce-ea43-43d4-bfe1-ed98ce12877b","organization_name":"company_name","recommendation":"Patch the system or apply immediate mitigations","rule_id":"rid1234567890","severity_contributing_factors":["The resource is publicly ecompany_namesed to the internet"],"source":"OpenSSL Infinite Loop Bug","state":{"alert_id":"orca-2169296","created_at":"2022-03-21T19:03:03+00:00","high_since":"2022-03-21T19:34:10+00:00","in_verification":false,"last_seen":"2022-03-21T19:03:03+00:00","last_updated":"2022-03-21T19:03:03+00:00","low_since":null,"score":3,"severity":"hazardous","status":"open","status_time":"2022-03-21T19:03:03+00:00","verification_status":null},"subject_type":"vmcontainer_principal_hostname_1234567890123456789_123456789012","type":"trending_cve","type_key":"trending_cve_2022_0778","type_string":"High Profile / Trending Vulnerability"}
Sample Parsing¶
metadata.event_timestamp = "2022-03-21T19:03:03Z"
metadata.event_type = "SCAN_HOST"
metadata.vendor_name = "Orca"
metadata.product_event_type = "trending_cve"
metadata.description = "We have found that the system is vulnerable to a recently disclosed / high profile vulnerability in OpenSSL"
principal.hostname = "principal_hostname"
principal.ip = "10.0.0.34"
principal.cloud.environment = "GOOGLE_CLOUD_PLATFORM"
principal.cloud.availability_zone = "cloud_zone"
principal.asset.product_object_id = "product_id_1234567890"
principal.asset.hostname = "asset_hostname"
principal.asset.ip = "10.0.0.34"
principal.asset.location.country_or_region = "principal_location"
principal.asset.software.name = "software_name"
principal.asset.software.version = "3.15.0"
security_result.about.url = "https://nvd.nist.gov/vuln/detail/CVE-2022-0778"
security_result.category_details = "denial_of_service"
security_result.category_details = "easy_exploitation"
security_result.category_details = "fix_available"
security_result.category_details = "mitre: impact"
security_result.summary = "Vulnerabilities"
security_result.description = "A newly disclosed security flaw in OpenSSL could lead to a denial-of-service (DoS) condition when parsing certificates. It is highly recommended to patch."
security_result.severity = "LOW"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.rule_id = "rid1234567890"
security_result.alert_state = "ALERTING"
extensions.vulns.vulnerabilities.cvss_base_score = "7.5"
extensions.vulns.vulnerabilities.cvss_vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
extensions.vulns.vulnerabilities.cve_id = "CVE-2022-0778"
extensions.vulns.vulnerabilities.cve_description = "Proof of concept for CVE-2022-0778, which triggers an infinite loop in parsing X.509 certificates due to a bug in BN_mod_sqrt"
extensions.vulns.vulnerabilities.first_found = "2022-03-21T19:03:03Z"
extensions.vulns.vulnerabilities.last_found = "2022-03-21T19:03:03Z"
Parser Alerting¶
Parser-based alerting enabled for events with a hazardous severity.
Rules¶
Coming Soon