[INTPLAT-462] DDS: Orca Security: integration V1.0.0 #19164
base: master
Thank you @surabhipatel-crest I've created an Editorial card for someone on our team to review this further |
Hi @bhargavnariyanicrest looks good just a few small suggestions.
orca_security/README.md (Outdated)

```markdown
## Overview

[Orca Security][1] a cloud security platform that identifies, prioritizes, and remediates security risks and compliance. It provides features like Real-time visibility, vulnerability management, workload protection, cloud security posture management, compliance management.
```
Suggested change:

```suggestion
[Orca Security][1] is a cloud security platform that identifies, prioritizes, and remediates security risks and compliance. It provides features like real-time visibility, vulnerability management, workload protection, cloud security posture management, and compliance management.
```
orca_security/README.md (Outdated)

```markdown
- Alert: Represents details such as the state of alert, account details, asset in which the alert was found, and more.

The Orca Security integration seamlessly ingests the data of alert logs using the in-built integration of Orca with Datadog. Before ingestion of the data, it normalizes and enriches the logs, ensuring a consistent data format and enhancing information content for downstream processing and analysis. The integration provides insights into alert logs through the out-of-the-box dashboards.
```
Suggested change:

```suggestion
The Orca Security integration seamlessly ingests the data of alert logs using the built-in integration of Orca with Datadog. Before ingestion of the data, it normalizes and enriches the logs, ensuring a consistent data format, and enhancing information content for downstream processing and analysis. The integration provides insights into alert logs through the out-of-the-box dashboards.
```
orca_security/README.md (Outdated)

```markdown
The Datadog Configuration window opens.
4. Specify the following settings:
   - **API Key** - Add API key of Datadog platform.
```
Suggested change:

```suggestion
   - **API Key** - Add the API key of your Datadog platform.
```
orca_security/README.md (Outdated)

```markdown
9. In the **Trigger Query** section, select all the values for alert state in the query. The query should look as below:

   ```When an alert Alert State is open,in_progress,snoozed,dismissed,closed```
10. In the **Define Results** section, please enable **Apply to Existing Alerts** if existing alerts in the Orca Security platform need to be forwarded to Datadog or disable it to forward newly generated/updated alerts. (**Note:** As per Datadog Log Ingestion behavior, alerts updated older than 18 hours cannot be ingested to Datadog.)
```
Suggested change:

```suggestion
10. In the **Define Results** section, please enable **Apply to Existing Alerts** if existing alerts in the Orca Security platform need to be forwarded to Datadog, or disable it to forward newly generated/updated alerts.
    **Note**: Alerts that were updated more than 18 hours ago cannot be ingested into Datadog.
```
orca_security/README.md (Outdated)

```markdown
   ```When an alert Alert State is open,in_progress,snoozed,dismissed,closed```
10. In the **Define Results** section, please enable **Apply to Existing Alerts** if existing alerts in the Orca Security platform need to be forwarded to Datadog or disable it to forward newly generated/updated alerts. (**Note:** As per Datadog Log Ingestion behavior, alerts updated older than 18 hours cannot be ingested to Datadog.)
11. In the **SEIM/SOAR** under the **Define Results** section, check the **Datadog** and select **Logs** as the datadog type.
```
Suggested change:

```suggestion
11. In the **SIEM/SOAR** section under the **Define Results** section, check **Datadog** and select **Logs** as the Datadog type.
```
@@ -0,0 +1,240 @@ | |||
id: "orca-security" |
The indentation for this file does not look correct. You have an example here. Could you try to make sure the message respects the same indentation? Custom should not be empty is done correctly.
For the log pipeline example, we usually receive the correct output with a custom tag from the validate-log action in the CI/CD pipeline, which we include in the results for all integrations. However, for Orca Security, the custom tag appears empty, and despite this, the CI/CD pipeline still passes. We attempted to manually add values to the custom tag and adjusted the indentation according to the given reference. Unfortunately, this led to an internal server error with the messages "An internal error occurred while assets were being validated." and "Contact Datadog to find out how to resolve the problem."
> the correct output with a custom tag

Indeed you should receive the correct response, but the sample needs to be properly formatted and I believe we struggle to make it work here. I believe the way you committed here should be the good way. Can you try again and I will follow up to help?
Thanks. We have updated its format and added output with custom tag.
Looks good now, thank you!
```
"rule_id" : "r4c1559f2e0",
"asset_category" : "Encryption and Secrets",
"asset_state" : "enabled",
"service" : "Orca Alerts",
```
Could we add a service remapper for this property?
https://docs.datadoghq.com/logs/log_configuration/processors/?tab=api#service-remapper
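As an added illustration (not taken from this PR's assets), the service remapper the reviewer asks for would sit in the integration's log pipeline definition as a processor like the one below; the pipeline name and filter query are assumed values, and the `service` source corresponds to the `"service" : "Orca Alerts"` attribute in the sample log above.

```yaml
# Added example, not part of the PR: a service-remapper processor in the
# Orca Security log pipeline asset. Pipeline name and filter are assumed.
id: "orca-security"
pipeline:
  type: pipeline
  name: Orca Security              # assumed
  enabled: true
  filter:
    query: source:orca-security    # assumed source tag
  processors:
    # Promote the "service" attribute ("Orca Alerts" in the sample log) to the
    # reserved service field so the logs are routed and faceted by service.
    - type: service-remapper
      name: Define `service` as the official service of the log
      enabled: true
      sources:
        - service
```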
We have added it.
What does this PR do?
This is an initial release PR of the Orca Security integration including all the required assets.
Additional Notes

Review checklist (to be filled by reviewers)

- Add the `qa/skip-qa` label if the PR doesn't need to be tested during QA.
- Add the `backport/<branch-name>` label to the PR and it will automatically open a backport PR once this one is merged.