Orca Security Pack

This Orca Security pack structures Orca Security events and adds event metadata to them.

Edge Delta Pipeline Pack for Orca Security

Overview

The Edge Delta Orca Security pack normalizes and enriches Orca Security alert messages so you can use their contents for downstream analysis, alerting, and SIEM correlation. The pipeline uses a multi-processor sequence to parse JSON, add standardized fields, and copy key attributes for better normalization and alert fidelity.

Pack Description

1. Data Ingestion

All log messages first enter via the Pack Source, which marks the logical entry point for data within this pack.

2. Parse, Add, and Copy Fields (via Multi-Processor Sequence)

Logs then move to the Parse JSON and Add Fields node, which is a Multi-Processor node. This node chains several processors, which are executed sequentially on every log:

- name: Parse JSON and Add Fields
  type: sequence
  user_description: Multi Processor
  processors:
    - type: ottl_transform
      metadata: '{"id":"hIxiqR_e9LJYEShdK5aeE","type":"parse-json","name":"Parse JSON"}'
      data_types:
      - log
      statements: |-
        merge_maps(body, ParseJSON(body), "upsert") where IsMap(body)
        set(body, ParseJSON(body)) where not IsMap(body)        
    - type: ottl_transform
      metadata: '{"id":"VdvT70lk2nFteq_PFhqBq","type":"add-field","name":"Add Field"}'
      data_types:
      - log
      statements: |-
        set(attributes["app"], "OrcaSecurity")
        set(attributes["type"], "Orca alert")
        set(attributes["sourcetype"], "orca:alert")        
    - type: ottl_transform
      metadata: '{"id":"VHYvfZQVcskPr4Fcyedzg","type":"copy-field","name":"Copy Field"}'
      data_types:
      - log
      statements: |-
        set(attributes["dest"], body["asset_name"])
        set(attributes["id"], body["state"]["alert_id"])
        set(attributes["severity"], body["state"]["risk_level"])
        set(attributes["description"], body["details"])
        set(attributes["dest_bunit"], body["account_name"])
        set(attributes["dest_category"], body["asset_category"])
        set(attributes["severity_id"], body["state"]["orca_score"])
        set(attributes["signature"], body["type"])
        set(attributes["vendor_account"], body["asset_vendor_id"])
        set(attributes["vendor_region"], body["asset_regions"])        

This Multi-Processor sequence consists of three steps:

2.1. Parse JSON

The Parse JSON processor attempts to parse the log message body as JSON. If body is already a map (parsed JSON), it merges the JSON fields into the body using upsert (update or insert). If body is not a map (i.e., is a string), it parses the raw string as JSON and replaces body with the parsed map.

2.2. Add Field

The Add Field processor adds standard fields to every processed log entry. It sets attributes["app"] to "OrcaSecurity", attributes["type"] to "Orca alert", and attributes["sourcetype"] to "orca:alert". These fields provide a standard way to identify Orca Security alert logs further downstream.

2.3. Copy Field

The Copy Field processor copies and maps key fields from the parsed JSON body into standardized attribute fields:

  • dest gets body["asset_name"]
  • id gets body["state"]["alert_id"]
  • severity gets body["state"]["risk_level"]
  • description gets body["details"]
  • dest_bunit gets body["account_name"]
  • dest_category gets body["asset_category"]
  • severity_id gets body["state"]["orca_score"]
  • signature gets body["type"]
  • vendor_account gets body["asset_vendor_id"]
  • vendor_region gets body["asset_regions"]

This provides canonical, top-level fields used by most monitoring and alerting tools.
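The three steps above, re-implemented in Python as an added worked example (not Edge Delta's or Orca's code) and run against a trimmed copy of the page's Sample Input. Two points are assumptions, not stated by the page: a Copy Field whose source path is missing is skipped rather than written as null, and an array body is treated as one log per element.

```python
import json

# Constructed sample: a trimmed copy of the page's Sample Input, one alert as the raw string body.
SAMPLE_ALERT = json.dumps({
    "type": "service_vulnerability", "details": "We have found vulnerabilities on service: ssh 7.6p1",
    "asset_name": "docker_acb_lvm2", "asset_category": "VM", "account_name": "272143717452",
    "asset_vendor_id": "i-092014fc2dd1c6c3c", "asset_regions": ["us-east-1"],
    "state": {"alert_id": "orca-11013", "risk_level": "high", "orca_score": 8.9},
})

# attribute name -> path into body, mirroring the pack's Copy Field statements
COPY_FIELDS = {
    "dest": ("asset_name",), "id": ("state", "alert_id"),
    "severity": ("state", "risk_level"), "description": ("details",),
    "dest_bunit": ("account_name",), "dest_category": ("asset_category",),
    "severity_id": ("state", "orca_score"), "signature": ("type",),
    "vendor_account": ("asset_vendor_id",), "vendor_region": ("asset_regions",),
}

def get_path(obj, path):
    # Walk a nested path; None if any hop is missing or not a map.
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def normalize(body, attributes=None):
    # Apply steps 2.1-2.3 to one log; returns (body, attributes).
    attributes = dict(attributes or {})
    # 2.1 Parse JSON: a string body is parsed; an already-parsed map is kept as-is.
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except json.JSONDecodeError:
            pass  # unparseable body stays a string; the later processors still run
    # 2.2 Add Field: constant identifiers, added regardless of parse success.
    attributes.update({"app": "OrcaSecurity", "type": "Orca alert", "sourcetype": "orca:alert"})
    # 2.3 Copy Field. Note body["type"] lands in "signature"; "type" was set in 2.2.
    # Assumption: a source path that is missing is skipped rather than written as null.
    for attr, path in COPY_FIELDS.items():
        value = get_path(body, path)
        if value is not None:
            attributes[attr] = value
    return body, attributes

def normalize_batch(raw):
    # The page's Sample Input is a JSON array; assumption: each element is one log.
    parsed = json.loads(raw)
    return [normalize(a) for a in (parsed if isinstance(parsed, list) else [parsed])]
```

Running normalize_batch over the full Sample Input yields one record whose attributes carry id "orca-11013", severity "high" and severity_id 8.9, while a non-JSON body still receives the three Add Field attributes and none of the copied ones.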

3. Pack Destination

All transformed (and now normalized) log entries are routed to Pack Destination.

- name: Pack Destination
  type: compound_output

Sample Input

[{"type":"service_vulnerability","is_compliance":false,"rule_id":"r55v32bffcb1","subject_type":"vm_347c032b173_i-092014fc2dd1c6c3c","type_string":"Service Vulnerability","type_key":"ssh","category":"Vulnerabilities","description":"The following vulnerabilities were found on service: ssh 7.6p1","details":"We have found vulnerabilities on service: ssh 7.6p1","recommendation":"Patch the listed packages","alert_labels":["denial_of_service","directory_traversal","easy_exploitation","fix_available","mitre: discovery","mitre: impact","mitre: initial access","remote_code_execution"],"severity_contributing_factors":["Most severe vulnerability score"],"asset_category":"VM","cloud_provider":"aws","cloud_account_id":"0c33a6f2-5b7a-32ec-ee1c-4f31c084d014","cloud_vendor_id":"272143717452","cloud_account_type":"Regular","account_name":"272143717452","asset_name":"docker_acb_lvm2","asset_type":"vm","asset_type_string":"VM","group_unique_id":"vm_347c032b173_i-092014fc2dd1c6c3c","asset_state":"running","asset_labels":["public_facing","brute-force_attempts"],"asset_distribution_name":"Ubuntu","asset_distribution_version":"18.04","asset_distribution_major_version":"18","asset_auto_updates":"off","asset_role_names":["ssh"],"asset_ingress_ports":["22"],"asset_availability_zones":["us-east-1d"],"asset_regions":["us-east-1"],"asset_regions_names":["N. Virginia"],"asset_vpcs":["vpc-017b032c120f310d3"],"asset_tags_info_list":["orca-skip-stop|True","Name|docker_acb_lvm2"],"tags_info_list":["orca-skip-stop|True","Name|docker_acb_lvm2"],"asset_num_public_ips":1,"asset_first_public_ips":["41.214.154.214"],"asset_num_private_ips":1,"asset_first_private_ips":["161.24.76.117"],"asset_num_public_dnss":1,"asset_first_public_dnss":["ec2-41-214-154-214.compute-1.amazonaws.com"],"asset_num_private_dnss":1,"asset_first_private_dnss":["ip-161-24-76-117.ec2.internal"],"asset_image_id":"ami-03416377cb2f1cab1","asset_hostname":"ip-161-24-76-117","cve_list":["CVE-2022-23219","CVE-2021-3712","CVE-2021-41617","CVE-2020-1968","CVE-2020-14155","CVE-2016-2781","CVE-2019-1563","CVE-2021-36085","CVE-2021-23840","CVE-2016-20013","CVE-2009-5155","CVE-2019-17594","CVE-2018-19591","CVE-2021-36087","CVE-2016-10228","CVE-2020-1751","CVE-2020-10029","CVE-2019-1551","CVE-2019-19126","CVE-2017-11164","CVE-2019-1547","CVE-2022-23218","CVE-2018-25032","CVE-2022-2068","CVE-2021-37750","CVE-2021-36084","CVE-2022-28321","CVE-2018-11237","CVE-2013-4235","CVE-2019-17595","CVE-2022-0778","CVE-2021-3999","CVE-2021-23841","CVE-2020-1752","CVE-2022-29458","CVE-2021-36222","CVE-2019-25013","CVE-2021-3326","CVE-2021-39537","CVE-2021-20193","CVE-2022-1664","CVE-2018-20482","CVE-2021-36086","CVE-2019-20838","CVE-2023-0286","CVE-2022-37434","CVE-2018-20217","CVE-2019-9923","CVE-2015-8985","CVE-2018-11236","CVE-2022-42898","CVE-2020-29562","CVE-2023-0215","CVE-2020-14145","CVE-2021-35942","CVE-2020-27618","CVE-2020-13844","CVE-2018-7169","CVE-2022-1292","CVE-2020-28196","CVE-2019-20367","CVE-2019-9169","CVE-2020-1971"],"configuration":{"user_status":"in_progress","prev_user_status":"open"},"state":{"alert_id":"orca-11013","status":"in_progress","status_time":"2023-03-06T07:38:11+00:00","created_at":"2023-02-20T11:56:52+00:00","last_seen":"2023-02-20T23:06:17+00:00","score":3,"orca_score":8.9,"severity":"hazardous","risk_level":"high","low_since":null,"high_since":"2023-02-20T12:22:37+00:00","in_verification":false,"verification_status":null,"closed_reason":null,"closed_time":null,"last_updated":"2023-03-06T07:38:11+00:00","is_new_score":true},"source":"ssh","organization_id":"cb0a112d-7e18-2329-c27f-9b74b741f9b2","organization_name":"Orca Security","context":"data","asset_unique_id":"vm_347c032b173_i-092014fc2dd1c6c3c","group_name":"docker_acb_lvm2","group_type":"vm","group_type_string":"NonGroup","cluster_unique_id":"vm_347c032b173_i-092014fc2dd1c6c3c","cluster_type":"vm","cluster_name":"docker_acb_lvm2","level":0,"group_val":"nongroup","cloud_provider_id":"272143717452","vm_id":"i-092014fc2dd1c6c3c","vm_asset_unique_id":"vm_347c032b173_i-092014fc2dd1c6c3c","asset_vendor_id":"i-092014fc2dd1c6c3c","priv":{"key":"241c321f84177b1c624173cf4caf572a","score":3,"cve_data":{"os_vu":63},"orca_score":8.9,"orig_score":3,"debug_state":{"cve_id":"CVE-2022-23219","is_old":true,"has_fix":true,"cvss3_score":7,"has_exploit":false,"cvss3_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H","impact_score":4,"info_version":"4","low_severity":false,"score_reason":"high_priority","service_type":"network","high_priority":true,"is_network_cve":true,"override_score":null,"service_enabled":false,"impact_score_level":"high","asset_internet_facing":true,"is_user_interaction_cve":false,"service_internet_facing":false},"is_new_score":true,"full_scan_time":"2023-02-20T23:06:17.945697+00:00","top_level_packages":["openssh-sftp-server","openssh-server","openssh-client"],"alert_id":"orca-11013"},"severity_reducing_factors":[],"orca_tags_info_list":[],"asset_orca_tags_info_list":[],"remediation_cli":[]}]