Orca Security is a security platform that identifies and remediates cloud security threats. Torq enables quick and easy integration with Orca Security, so you can automate anything and everything within moments.
Use Orca to trigger workflows in Torq
To ingest Orca events in Torq, you must create an Orca trigger integration and use the generated webhook URL (Torq endpoint) to configure a Webhook integration in Orca.
Create an Orca trigger integration in Torq
Navigate to integration: Go to Build > Integrations > Triggers > Orca and click Add Instance.
Give the integration a unique and meaningful name and click Add.
Configure a Torq integration in Orca
Sign in to your Orca account.
Click the Settings icon and then Integrations.
In the SIEM/SOAR section, locate the Torq integration and click Configure.
Click Create new trigger, configure the trigger, and click Save.
Create an automation in Orca
The automation defines which alerts will be sent to Torq.
Sign in to your Orca account.
Click the Settings icon and then Alerts & Automations.
In the upper-right corner, click Create New > Create automation.
Enter a meaningful name and description for the automation.
In the Define Filter section, enter a query. The query is a combination of rules.
In the Define Actions section, locate the SIEM/SOAR category and select the Send to Torq trigger checkbox. Select the Torq trigger you created earlier.
Click Create Automation.
Create your Orca API token
Sign in to your Orca account.
Click the Settings icon and then Integrations.
Locate the Torq integration and click Connect. The integration is under the category SIEM/SOAR.
Copy the API token to enter it when creating the Orca integration in Torq.
Create an Orca steps integration in Torq
Go to Build > Integrations > Steps > Orca Security and click Add Instance.
Give the integration a unique and meaningful name.
Enter the API token that you generated in your Orca tenant.
Provide the base URL. If the base URL isn’t updated, the default region will be US.
Click Add.
Use Orca steps in a workflow
Open or create a workflow: In your workspace, open an existing workflow or create a new one to get started.
Add an Orca step to your workflow: From the Builderbox, select a required Orca step, and drag it onto the workflow Canvas.
Remediate an Orca alert using Torq
After you create a Torq integration and trigger it, you can remediate an alert directly from the Orca platform. You select the Torq integration, which determines which Torq workflow the alert data is sent to.
Go to the alert you want to remediate using Torq.
Click Integrations > Remediate with Torq > {integration instance}.
Orca Serving Layer
Orca Security has deprecated several RESTful API calls and migrated that functionality to a new endpoint called the Serving Layer, which now underpins Orca databases. This shift delivers major gains in API performance, stability, and reliability.
Torq has introduced a new step called Serving Layer Query, which accepts open JSON input so you can build whatever query a given scenario requires.
Orca Discovery tool
Orca also offers a powerful UI tool called Discovery. It lets users create the exact query they need through an intuitive query editor, and then use it directly with Torq’s Serving Layer Query step. Once the query is ready, the API Request operator in Orca can generate the request in cURL format, making it easy to copy, validate, and plug into Torq.
This cURL command includes the raw JSON you need for the Torq Serving Layer Query step’s Request Body. You can find it in the --data-raw parameter.
Some queries generated in Discovery will include a group_by key by default, often alongside an order_by key. Depending on the scenario, you may need only one of these keys.
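The following is an added example, not part of the original page or of Torq's or Orca's own tooling: it pulls the --data-raw JSON out of a copied cURL command, checks that it parses, and optionally drops a key such as group_by, so that only the query body (and none of the command's headers, which may carry credentials) is pasted into the Request Body. The cURL command, URL, token and the "group_by[]" spelling are constructed placeholders and assumptions.

```python
import json
import shlex

# Constructed sample of a copied cURL command; the URL, token and query are
# placeholders, and the "group_by[]" spelling is an assumption.
SAMPLE_CURL = r"""curl 'https://orca.example.invalid/placeholder' \
  -H 'Authorization: Token PLACEHOLDER' \
  -H 'Content-Type: application/json' \
  --data-raw '{"query":{"models":["Alert"],"type":"object_set"},"limit":100,"group_by[]":["AlertType"],"order_by[]":["-OrcaScore"]}'"""


def extract_request_body(curl_command, drop_keys=()):
    """Return the --data-raw JSON of a cURL command as a dict.

    Headers are ignored, so any token in the command never reaches the
    workflow definition. Each name in drop_keys is removed whether it is
    spelled "name" or "name[]".
    """
    # Join backslash-newline continuations before shell-style tokenizing.
    tokens = shlex.split(curl_command.replace("\\\n", " "))
    body = None
    for i, tok in enumerate(tokens):
        if tok == "--data-raw" and i + 1 < len(tokens):
            body = tokens[i + 1]
        elif tok.startswith("--data-raw="):
            body = tok.split("=", 1)[1]
    if body is None:
        raise ValueError("no --data-raw argument found")
    try:
        query = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"--data-raw is not valid JSON: {exc}") from exc
    if not isinstance(query, dict):
        raise ValueError("request body must be a JSON object")
    unwanted = {key for name in drop_keys for key in (name, name + "[]")}
    return {k: v for k, v in query.items() if k not in unwanted}


if __name__ == "__main__":
    cleaned = extract_request_body(SAMPLE_CURL, drop_keys=["group_by"])
    print(json.dumps(cleaned, indent=2))
```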
Sample Serving Layer queries
Get alert state
Replace the values as needed to retrieve the specific Orca alerts you want to query.
{
  "get_results_and_count": false,
  "limit": 100,
  "max_tier": 2,
  "order_by[]": [
    "-OrcaScore"
  ],
  "query": {
    "models": [
      "Alert"
    ],
    "type": "object_set",
    "with": {
      "key": "AlertId",
      "operator": "in",
      "type": "str",
      "values": [
        "orca-1234567"
      ]
    }
  },
  "start_at_index": 0
}
List alerts
Update the values under RiskLevel and Status to match your desired settings.
{
  "query": {
    "models": [
      "Alert"
    ],
    "type": "object_set",
    "with": {
      "operator": "and",
      "type": "operation",
      "values": [
        {
          "key": "RiskLevel",
          "values": [
            "critical",
            "high",
            "medium"
          ],
          "type": "str",
          "operator": "in"
        },
        {
          "key": "Status",
          "values": [
            "open",
            "in_progress"
          ],
          "type": "str",
          "operator": "in"
        }
      ]
    }
  },
  "limit": 100,
  "start_at_index": 0,
  "order_by[]": [
    "-OrcaScore"
  ],
  "select": [
    "AlertId",
    "AlertType",
    "OrcaScore",
    "RiskLevel",
    "RuleSource",
    "RuleType",
    "ScoreVector",
    "Title",
    "AssetData",
    "AutoRemediationActions",
    "Category",
    "Inventory.Name",
    "Inventory.CiSource",
    "CloudAccount.Name",
    "CloudAccount.CloudProvider",
    "Source",
    "Status",
    "CreatedAt",
    "LastSeen",
    "Labels",
    "Jira",
    "AzureDevops",
    "ServiceNowIncidents",
    "ServiceNowSiIncidents",
    "Monday",
    "Linear"
  ],
  "get_results_and_count": false,
  "full_graph_fetch": {
    "enabled": true
  },
  "max_tier": 2
}
List assets, AWS instances in a running state
Update the values under State to reflect the instance states you want to query.
{
  "query": {
    "models": [
      "Inventory"
    ],
    "type": "object_set",
    "with": {
      "operator": "and",
      "type": "operation",
      "values": [
        {
          "operator": "or",
          "type": "operation",
          "values": [
            {
              "key": "Type",
              "values": [
                "AwsEc2Instance"
              ],
              "type": "str",
              "operator": "in"
            },
            {
              "key": "State",
              "values": [
                "running"
              ],
              "type": "str",
              "operator": "in"
            }
          ]
        },
        {
          "operator": "or",
          "type": "operation",
          "values": [
            {
              "key": "Type",
              "values": [
                "CloudAccount"
              ],
              "type": "str",
              "operator": "not_in"
            },
            {
              "operator": "and",
              "type": "operation",
              "values": [
                {
                  "key": "Type",
                  "values": [
                    "CloudAccount"
                  ],
                  "type": "str",
                  "operator": "in"
                },
                {
                  "key": "CloudProvider",
                  "values": [
                    "shiftleft"
                  ],
                  "type": "str",
                  "operator": "not_in"
                }
              ]
            }
          ]
        }
      ]
    }
  },
  "limit": 100,
  "start_at_index": 0,
  "order_by[]": [
    "-OrcaScore"
  ],
  "select": [
    "Name",
    "CiSource",
    "CloudAccount.Name",
    "CloudAccount.CloudProvider",
    "OrcaScore",
    "RiskLevel",
    "group_unique_id",
    "UiUniqueField",
    "IsInternetFacing",
    "SensitiveData.Name",
    "SensitiveData.SensitiveData",
    "State",
    "Type",
    "CloudProvider",
    "Tags",
    "NewCategory",
    "NewSubCategory",
    "AssetUniqueId",
    "ConsoleUrlLink"
  ],
  "get_results_and_count": false,
  "full_graph_fetch": {
    "enabled": true
  },
  "max_tier": 2
}
Templates
Now that you've added your integrations, check out these specially crafted templates by Torq's security experts. Visit Torq's template library for more.









