New
Join our webinar! Building a customizable and extensible cloud asset inventory at scale
CloudQuery News

Introducing the new Orca Source Plugin

Alex Savanovich

Alex Savanovich

Orca Security offers a comprehensive, agentless cloud security solution that provides in-depth security insights and protection across every layer of your cloud infrastructure. Our recently released Orca Source Plugin enables you to leverage Orca's security findings in numerous exciting ways, enhancing your overall cloud security strategy.

Why Orca + CloudQuery? #

The integration allows you to perform advanced data filtering and grouping without relying on restrictive UI filters. The best part is that there's no need to learn Orca's proprietary Sonar Query Language. Instead, you can use familiar SQL queries to answer questions of any complexity level, making the process more intuitive and accessible.

Unlock Cloud Security Insights with SQL #

Let's take a look at a couple of examples to help you get started with the Orca Source Plugin.
Prioritizing alerts can be challenging, especially when dealing with a high volume. A good starting point is to identify which assets in your cloud inventory need the most attention. The following SQL query will list the top five assets based on the number of alerts:
select
 count(*),
 asset_unique_id
from orca_alerts
group by asset_unique_id
order by count desc
limit 5;
Great! Now that we know which assets generate a lot of alerts, it's important to focus on the more severe alerts rather than the informational ones. Let's modify the query to filter out the informational alerts:
select
    count(*),
    asset_unique_id
from orca_alerts
where
    state->>'severity' != 'informational'
group by asset_unique_id
order by count desc
limit 5;
We can also drill down into specific types of vulnerabilities. For instance, to identify assets with the highest probability of a DDoS attack, we can use the following SQL query:
select
    count(*),
    asset_unique_id
from orca_cves
where
    asset_state = 'running'
    and 'denial_of_service' = any(labels)
group by asset_unique_id;
Alternatively, we could list the latest findings and address them in chronological order. the following SQL query will help you do just that:
select
    title,
    impact_score
from orca_attack_paths
where status = 'open'
order by created_at desc
limit 5;
This query will provide the most recent open findings, allowing you to prioritize and tackle new issues as they arise.
With the Orca CloudQuery plugin, you can play around with the data and fine-tune the queries in any format that's easiest for you. Once the sync is complete, you'll have all the data in a destination such as Postgres, MySQL, BigQuery, or any other supported destination. These destinations are specifically designed for efficient data exploration and querying, making them a great fit for handling data from Orca.

Maximize Performance and Efficiency with CloudQuery #

We've dedicated significant time to ensuring that syncing is fast and resource-efficient at every level. The core of CloudQuery is meticulously engineered, with a focus on optimizing performance and minimizing resource usage. Thanks to our pluggable architecture that leverages Apache Arrow, an efficient language-independent columnar memory format, we have a core that enables CloudQuery to handle vast amounts of data.
The optimization doesn't stop there. The Orca Source Plugin specifically implements incremental tables. The alerts and assets tables support syncing only the data that has changed since the last sync. This optimization ensures that tables with the largest volume of data are efficiently updated on subsequent syncs.
To take advantage of this feature, specify the backend_options configuration parameter. For example, to use this feature with a Postgres destination:
kind: source
spec:
  name: 'orca'
  path: 'cloudquery/orca'
  registry: 'cloudquery'
  version: 'v2.0.1'
  destinations: ['postgresql']
  backend_options:
    table_name: 'cq_state_orca'
    connection: '@@plugins.postgresql.connection'
  tables: ['*']
  spec:
    api_token: '${ORCA_API_TOKEN}'
---
kind: destination
spec:
  name: 'postgresql'
  path: 'cloudquery/postgresql'
  registry: 'cloudquery'
  version: 'v8.1.1'
  write_mode: 'overwrite-delete-stale'
  spec:
    connection_string: '${POSTGRES_CONNECTION_STRING}'

Enrich Your Security Insights #

The true power of the Orca CloudQuery integration lies in its ability to sync with any of our cloud infrastructure plugins, including AWS, GCP, Azure, and others. While Orca's platform provides a comprehensive view of your cloud inventory, data collected directly from the cloud provider offers unmatched depth and accuracy. By combining the insights from Orca with data gathered from cloud providers, you can ensure there are no blind spots in your infrastructure.
When you receive an alert from Orca, there's no need to go spelunking in the cloud provider console for missing information about a vulnerable asset. With our integrated approach, you can enrich Orca's data in the same query, providing you with a holistic view of your cloud environment.
For example, the following SQL query enriches Orca's data about S3 buckets with additional information such as creation date and tags:
select
    a.asset_vendor_id,
    s3.creation_date,
    s3.tags
from orca_alerts a
join
 aws_s3_buckets s3 on s3.name = a.asset_vendor_id
group by
 a.asset_vendor_id, s3.creation_date, s3.tags;

Get Started #

We are excited about the possibilities this integration unlocks. The seamless combination of Orca's security insights with CloudQuery's powerful ELT capabilities opens up new avenues for enhancing cloud security visibility and management.
To get started, see the Orca Source Plugin documentation for instructions.
We can't wait for you to try out this integration and experience firsthand how it can streamline your security management processes, eliminate blind spots in your infrastructure, and empower you to make more informed decisions to fortify your cloud environments against emerging threats.

Ready to get started with CloudQuery? You can download and use CloudQuery and follow along Ready to get started with CloudQuery? You can try out CloudQuery locally with our quick start guide or explore the CloudQuery Platform (currently in beta) for a more scalable solution.
Want help getting started? Join the CloudQuery community to connect with other users and experts, or message our team directly here if you have any questions.
Alex Savanovich

Written by Alex Savanovich

Alex is a Senior Software Engineer at CloudQuery, specializing in cloud data infrastructure and application development, with a focus on building scalable solutions for multi-cloud environments.

Turn cloud chaos into clarity

Find out how CloudQuery can help you get clarity from a chaotic cloud environment with a personalized conversation and demo.

Join our mailing list

Subscribe to our newsletter to make sure you don't miss any updates.

Legal

© 2024 CloudQuery, Inc. All rights reserved.

We use tracking cookies to understand how you use the product and help us improve it. Please accept cookies to help us improve. You can always opt out later via the link in the footer.