Introducing the new Orca Source Plugin

Alex Savanovich

Orca Security offers a comprehensive, agentless cloud security solution that provides in-depth security insights and protection across every layer of your cloud infrastructure. Our recently released Orca Source Plugin enables you to leverage Orca's security findings in numerous exciting ways, enhancing your overall cloud security strategy.

Why Orca + CloudQuery?

The integration allows you to perform advanced data filtering and grouping without relying on restrictive UI filters. The best part is that there's no need to learn Orca's proprietary Sonar Query Language. Instead, you can use familiar SQL queries to answer questions of any complexity level, making the process more intuitive and accessible.

Unlock Cloud Security Insights with SQL

Let's take a look at a couple of examples to help you get started with the Orca Source Plugin.
Prioritizing alerts can be challenging, especially when dealing with a high volume. A good starting point is to identify which assets in your cloud inventory need the most attention. The following SQL query will list the top five assets based on the number of alerts:
```sql
-- Top five assets by total number of alerts.
-- The alias avoids relying on the destination's implicit name for count(*)
-- (Postgres calls it "count", other databases do not).
select
    count(*) as alert_count,
    asset_unique_id
from orca_alerts
group by asset_unique_id
order by alert_count desc
limit 5;
```
Great! Now that we know which assets generate a lot of alerts, it's important to focus on the more severe alerts rather than the informational ones. Let's modify the query to filter out the informational alerts:
```sql
-- Same ranking, but informational alerts are excluded.
-- The severity lives inside the JSON "state" column, hence the ->> operator.
select
    count(*) as alert_count,
    asset_unique_id
from orca_alerts
where
    state->>'severity' != 'informational'
group by asset_unique_id
order by alert_count desc
limit 5;
```
We can also drill down into specific classes of vulnerability. For instance, to find the running assets that carry the most CVEs labelled as denial-of-service, and are therefore the most exposed to a DoS attack, we can use the following SQL query:
```sql
-- Running assets ranked by the number of CVEs carrying the denial_of_service label.
-- labels is an array column, so any() is used for the membership test.
select
    count(*) as dos_cve_count,
    asset_unique_id
from orca_cves
where
    asset_state = 'running'
    and 'denial_of_service' = any(labels)
group by asset_unique_id
order by dos_cve_count desc;
```
Alternatively, we could list the latest findings and address them in chronological order. The following SQL query will help you do just that:
```sql
-- The five most recently created attack paths that are still open.
select
    title,
    impact_score
from orca_attack_paths
where status = 'open'
order by created_at desc
limit 5;
```
This query will provide the most recent open findings, allowing you to prioritize and tackle new issues as they arise.
With the Orca CloudQuery plugin, you can play around with the data and fine-tune the queries in any format that's easiest for you. Once the sync is complete, you'll have all the data in a destination such as Postgres, MySQL, BigQuery, or any other supported destination. These destinations are specifically designed for efficient data exploration and querying, making them a great fit for handling data from Orca.
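Bringing the examples above together, here is an added triage view (not from the plugin documentation) that combines the per-asset severity breakdown from orca_alerts with the denial-of-service CVE count from orca_cves in one result. It assumes the Postgres destination used in the configuration below; severity values are taken as they appear in state->>'severity', with a null severity bucketed as 'unknown'.

```sql
-- One row per asset: total alerts, non-informational alerts, a JSON map of
-- alert counts per severity, and the number of DoS-labelled CVEs on running assets.
with severity_counts as (
    select
        asset_unique_id,
        coalesce(state->>'severity', 'unknown') as severity,  -- assumption: null -> 'unknown'
        count(*) as n
    from orca_alerts
    group by asset_unique_id, coalesce(state->>'severity', 'unknown')
),
alerts_by_asset as (
    select
        asset_unique_id,
        sum(n) as total_alerts,
        coalesce(sum(n) filter (where severity <> 'informational'), 0) as actionable_alerts,
        jsonb_object_agg(severity, n) as by_severity   -- e.g. {"high": 3, "informational": 12}
    from severity_counts
    group by asset_unique_id
),
dos_cves as (
    select
        asset_unique_id,
        count(*) as dos_cve_count
    from orca_cves
    where asset_state = 'running'
      and 'denial_of_service' = any(labels)
    group by asset_unique_id
)
select
    a.asset_unique_id,
    a.total_alerts,
    a.actionable_alerts,
    a.by_severity,
    coalesce(c.dos_cve_count, 0) as dos_cve_count
from alerts_by_asset a
left join dos_cves c using (asset_unique_id)   -- assets with no DoS CVEs are kept with a count of 0
order by a.actionable_alerts desc, dos_cve_count desc
limit 10;
```

Because the severity counts are aggregated into a JSON object, the query does not need to know the full list of severity names Orca uses.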

Maximize Performance and Efficiency with CloudQuery

We've dedicated significant time to ensuring that syncing is fast and resource-efficient at every level. The core of CloudQuery is meticulously engineered, with a focus on optimizing performance and minimizing resource usage. Thanks to our pluggable architecture that leverages Apache Arrow, an efficient language-independent columnar memory format, we have a core that enables CloudQuery to handle vast amounts of data.
But the optimization doesn't stop there. The Orca Source Plugin specifically implements incremental tables. The alerts and assets tables support syncing only the data that has changed since the last sync. This optimization ensures that tables with the largest volume of data are efficiently updated on subsequent syncs.
To take advantage of this feature, specify the backend_options configuration parameter. For example, to use this feature with a Postgres destination:
```yaml
kind: source
spec:
  name: 'orca'
  path: 'cloudquery/orca'
  registry: 'cloudquery'
  version: 'v2.0.1'
  destinations: ['postgresql']
  backend_options:
    table_name: 'cq_state_orca'
    connection: '@@plugins.postgresql.connection'
  tables: ['*']
  spec:
    api_token: '${ORCA_API_TOKEN}'
---
kind: destination
spec:
  name: 'postgresql'
  path: 'cloudquery/postgresql'
  registry: 'cloudquery'
  version: 'v8.1.1'
  write_mode: 'overwrite-delete-stale'
  spec:
    connection_string: '${POSTGRES_CONNECTION_STRING}'
```

Enrich Your Security Insights

The true power of the Orca CloudQuery integration lies in its ability to sync with any of our cloud infrastructure plugins, including AWS, GCP, Azure, and others. While Orca's platform provides a comprehensive view of your cloud inventory, data collected directly from the cloud provider offers unmatched depth and accuracy. By combining the insights from Orca with data gathered from cloud providers, you can ensure there are no blind spots in your infrastructure.
When you receive an alert from Orca, there's no need to go spelunking in the cloud provider console for missing information about a vulnerable asset. With our integrated approach, you can enrich Orca's data in the same query, providing you with a holistic view of your cloud environment.
For example, the following SQL query enriches Orca's data about S3 buckets with additional information such as creation date and tags:
```sql
-- Orca alerts on S3 buckets, enriched with the bucket's creation date and tags
-- from the CloudQuery AWS plugin. The join key is the bucket name, which Orca
-- stores in asset_vendor_id. The group by collapses repeated alerts on the same bucket.
select
    a.asset_vendor_id,
    s3.creation_date,
    s3.tags
from orca_alerts a
join
    aws_s3_buckets s3 on s3.name = a.asset_vendor_id
group by
    a.asset_vendor_id, s3.creation_date, s3.tags;
```
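The join above only returns buckets that have at least one Orca alert. The following added example (not the project's own query) turns the join around so that every bucket synced from AWS appears, making buckets with no Orca alerts at all visible alongside the ones with actionable alerts. It assumes the Postgres destination and, as the query above does, that Orca stores the bucket name in asset_vendor_id.

```sql
-- Every AWS S3 bucket known to CloudQuery, with its Orca alert counts.
-- Buckets with alert_count = 0 are either clean or outside Orca's inventory,
-- which is exactly the blind spot worth checking.
select
    s3.name,
    s3.creation_date,
    s3.tags,
    count(a.asset_unique_id) as alert_count,
    count(a.asset_unique_id)
        filter (where a.state->>'severity' <> 'informational') as actionable_alerts,
    count(a.asset_unique_id) = 0 as no_orca_alerts   -- true for buckets with no matching alert row
from aws_s3_buckets s3
left join orca_alerts a on a.asset_vendor_id = s3.name   -- left join keeps alert-free buckets
group by s3.name, s3.creation_date, s3.tags
order by no_orca_alerts desc, actionable_alerts desc, s3.creation_date asc;
```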

Get Started

We are excited about the possibilities this integration unlocks. The seamless combination of Orca's security insights with CloudQuery's powerful ELT capabilities opens up new avenues for enhancing cloud security visibility and management.
To get started, see the Orca Source Plugin documentation for instructions.
We can't wait for you to try out this integration and experience firsthand how it can streamline your security management processes, eliminate blind spots in your infrastructure, and empower you to make more informed decisions to fortify your cloud environments against emerging threats.
