diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index 1d154f593b765..e9058a2bf665e 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -407,6 +407,8 @@ integration/openstack_controller:
 - openstack_controller/**/*
 integration/oracle:
 - oracle/**/*
+integration/orca_security:
+- orca_security/**/*
 integration/ossec_security:
 - ossec_security/**/*
 integration/otel:
diff --git a/orca_security/CHANGELOG.md b/orca_security/CHANGELOG.md
new file mode 100644
index 0000000000000..56297b8aa11b4
--- /dev/null
+++ b/orca_security/CHANGELOG.md
@@ -0,0 +1,7 @@
+# CHANGELOG - orca_security
+
+## 1.0.0 / 2024-11-29
+
+***Added***:
+
+* Initial Release
\ No newline at end of file
diff --git a/orca_security/README.md b/orca_security/README.md
new file mode 100644
index 0000000000000..c65d396ae663d
--- /dev/null
+++ b/orca_security/README.md
@@ -0,0 +1,58 @@
+# Orca Security Integration For Datadog
+
+## Overview
+
+[Orca Security][1] is a cloud security platform that identifies, prioritizes, and remediates security risks and compliance. It provides features like real-time visibility, vulnerability management, workload protection, cloud security posture management, and compliance management.
+This integration ingests the following log:
+
+- Alert: Represents details such as the state of alert, account details, asset in which the alert was found, and more.
+
+The Orca Security integration seamlessly ingests the data of alert logs using the built-in integration of Orca with Datadog. Before ingestion of the data, it normalizes and enriches the logs, ensuring a consistent data format, and enhancing information content for downstream processing and analysis. The integration provides insights into alert logs through the out-of-the-box dashboards.
+
+## Setup
+
+### Configuration
+
+#### [Orca Security Configuration for Datadog][2]
+
+1. Login to the Orca Security Platform.
+2. Go to **Settings** > **Connections** > **Integrations**.
+3. In the **SIEM/SOAR** section, select **Datadog**, and then click **Connect**.
+
+ The Datadog Configuration window opens.
+4. Specify the following settings:
+ - **API Key** - Add the API key of your Datadog platform.
+ - **Region** - Select the region where your Datadog instance is located.
+5. Click **Save**.
+6. Click **Configure** on the Datadog Integration and enable the integration.
+7. Go to **Automations** and click **+ Create Automation**.
+8. In the **Automation Details** section, provide **Automation Name**.
+9. In the **Trigger Query** section, select all the values for alert state in the query. The query should look as below:
+
+ ```When an alert Alert State is open,in_progress,snoozed,dismissed,closed```
+10. In the **Define Results** section, please enable **Apply to Existing Alerts** if existing alerts in the Orca Security platform need to be forwarded to Datadog, or disable it to forward newly generated/updated alerts.
+**Note**: Alerts that were updated more than 18 hours ago cannot be ingested into Datadog.
+11. In the **SIEM/SOAR** section under the **Define Results** section, check **Datadog** and select **Logs** as the Datadog type.
+12. Click **Create**.
+
+## Data Collected
+
+### Logs
+
+The Orca integration collects and forwards Orca alert logs to Datadog.
+
+### Metrics
+
+The Orca integration does not include any metrics.
+
+### Events
+
+The Orca integration does not include any events.
+
+## Support
+
+For further assistance, contact [Datadog Support][3].
+
+[1]: https://docs.orcasecurity.io/docs
+[2]: https://docs.orcasecurity.io/docs/integrating-datadog
+[3]: https://docs.datadoghq.com/help/
diff --git a/orca_security/assets/dashboards/orca_security_alerts.json b/orca_security/assets/dashboards/orca_security_alerts.json
new file mode 100644
index 0000000000000..6fa71fba068ba
--- /dev/null
+++ b/orca_security/assets/dashboards/orca_security_alerts.json
@@ -0,0 +1,5254 @@ +{ + "title": "Orca Security - Alerts", + "description": "This dashboard provides information about alerts generated on Orca Security.", + "widgets": [ + { + "id": 924673740345456, + "definition": { + "title": "", + "banner_img": "https://orca.security/wp-content/uploads/2021/11/brand-logo.jpg", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2132492701246762, + "definition": { + "type": "note", + "content": "Orca Security is a cloud security platform that provides deep visibility, compliance, and risk assessment for cloud resources without the need for agents. Orca Security plays a pivotal role in helping organizations enhance their cloud security posture by offering comprehensive visibility, risk assessment, and compliance management capabilities across cloud infrastructure.\n\nThis dashboard provides information about Alert Logs generated on Orca Security.\n\nFor more information, see the [Orca Security Documentation](https://docs.datadoghq.com/integrations/orca_security/).\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 4947271745923234, + "definition": { + "title": "Orca Security Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4478312448339326, + "definition": { + "title": "Alert Logs over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ 
+ { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 1921770662846222, + "definition": { + "title": "Total Alert Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 4477472295632882, + "definition": { + "title": "Total Active Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.status:(open OR in_progress OR snoozed) $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 4, + "width": 3, + "height": 4 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 1406508136325992, + "definition": { + "title": "Total Open Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.status:open $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2370612785049036, + "definition": { + "title": "Total In-Progress Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.status:in_progress $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": 
true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2552433718881508, + "definition": { + "title": "Total Snoozed Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.status:snoozed $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fbffdb" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 3813963053234470, + "definition": { + "title": "Total Dismissed Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.status:dismissed $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5f6fb" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 983677664018060, + "definition": { + "title": "Total Closed Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + 
"response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.status:closed $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 8723075613790978, + "definition": { + "title": "Alert Status over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 4, + "width": 9, + "height": 4 + } + }, + { + "id": 5537676114769394, + "definition": { + "title": "Top Alert Titles", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { 
+ "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "message", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 7513527987911516, + "definition": { + "title": "Distribution by Risk Level", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.risk_level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 8744435701449654, + "definition": { + "title": "Total API Security Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": 
"scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @alert_labels:\"source: apisec\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 7507966882815450, + "definition": { + "title": "Total Suspicious Activity Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Suspicious activity\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 8637975943718946, + "definition": { + "title": "Total IAM Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"IAM misconfigurations\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + 
"group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fefce1" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 7799402283918886, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6819471697028016, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates Alert logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](https://app.datadoghq.com/security?query=source%3Aorca_security). ", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 1388392449505106, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:critical $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + 
"layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 8412416118355766, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:high $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 1113420710688240, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:critical $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + 
"height": 4 + } + }, + { + "id": 231136845047042, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:medium $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 2580107450912926, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:low $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 6168567190247518, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": 
"count" + }, + "group_by": [], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:info $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 7446957046386056, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:high $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 2700728251315808, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + 
"limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:medium $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 7830645749530260, + "definition": { + "title": "Low Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:low $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 7843368132929400, + "definition": { + "title": "Info Security Signals", + "title_size": "16", + "title_align": "left", + "type": 
"toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:orca_security service:\"Orca Alerts\" status:info $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 1 + } + }, + { + "id": 5121963513078638, + "definition": { + "title": "Alert Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7741410403648820, + "definition": { + "title": "Top Alert Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_string", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": 
[ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 699282245251860, + "definition": { + "title": "Top Data Security Alerts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_category:Storage $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.risk_level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 624849523761272, + "definition": { + "title": "Top Alert Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "host", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": 
"query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 8683401146682560, + "definition": { + "title": "Alert Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "message", + "width": "auto" + }, + { + "field": "state.alert_id", + "width": "auto" + }, + { + "field": "state.created_at", + "width": "auto" + }, + { + "field": "state.in_verification", + "width": "auto" + }, + { + "field": "state.last_seen", + "width": "auto" + }, + { + "field": "state.last_updated", + "width": "auto" + }, + { + "field": "state.low_since", + "width": "auto" + }, + { + "field": "state.orca_score", + "width": "auto" + }, + { + "field": "state.risk_level", + "width": "auto" + }, + { + "field": "state.rule_source", + "width": "auto" + }, + { + "field": "state.score", + "width": "auto" + }, + { + "field": "state.severity", + "width": "auto" + }, + { + "field": "state.status", + "width": "auto" + }, + { + "field": "state.status_time", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 4429831354604576, + "definition": { + "title": "Top Alert Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca 
Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@alert_source", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 8916176968622024, + "definition": { + "title": "Top MITRE ATT&CKS", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@data.mitre_category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 2960232968101194, + "definition": { + "title": "Top Alert Accounts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + 
"query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@account_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 1938142781600414, + "definition": { + "title": "Top Vulnerabilities - Critical and High Alerts by Source", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @source:* @state.risk_level:(critical OR high) @category:Vulnerabilities $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@source", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 5, + "height": 4 + } + }, + { + "id": 4241432596381156, + "definition": { + "title": "Vulnerabilities - Risk Prioritized 
Alerts", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:Vulnerabilities @state.risk_level:(critical OR high OR medium) $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.risk_level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 5, + "y": 12, + "width": 7, + "height": 4 + } + }, + { + "id": 1753705035588492, + "definition": { + "title": "Top Alert Labels", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "month", + "value": 1 + }, + "type": "toplist", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "a", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@alert_labels", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "a" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 5, + "height": 4 + } + }, + { + "id": 8942893925559138, + "definition": { + "title": "Distribution by Non-Vulnerable Risks", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" -@category:Vulnerabilities @state.risk_level:(critical OR high OR medium) $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.risk_level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 5, + "y": 16, + "width": 7, + "height": 4 + } + }, + { + "id": 8189275721303042, + "definition": { + "title": "Top Cloud Providers by Account", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@cloud_provider", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "@account_name" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count", + "metric": "@account_name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } 
+ ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 5, + "height": 4 + } + }, + { + "id": 5254865939065026, + "definition": { + "title": "Neglected Serverless Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_category:Serverless @category:\"Neglected assets\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "message", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@asset_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 5, + "y": 20, + "width": 7, + "height": 4 + } + }, + { + "id": 2950080584092148, + "definition": { + "title": "Cloud Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": 
"timestamp" + } + }, + "columns": [ + { + "field": "message", + "width": "auto" + }, + { + "field": "account_name", + "width": "auto" + }, + { + "field": "cloud_account_id", + "width": "auto" + }, + { + "field": "cloud_account_type", + "width": "auto" + }, + { + "field": "cloud_provider", + "width": "auto" + }, + { + "field": "cloud_provider_id", + "width": "auto" + }, + { + "field": "cloud_vendor_id", + "width": "auto" + }, + { + "field": "cluster_name", + "width": "auto" + }, + { + "field": "cluster_type", + "width": "auto" + }, + { + "field": "cluster_unique_id", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 4 + } + }, + { + "id": 4906981812375900, + "definition": { + "title": "Top Alerts by Group Type", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@group_type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 7208269917519950, + "definition": { + "title": "Group Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": 
"source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "message", + "width": "auto" + }, + { + "field": "group_name", + "width": "auto" + }, + { + "field": "group_type", + "width": "auto" + }, + { + "field": "group_type_string", + "width": "auto" + }, + { + "field": "group_unique_id", + "width": "auto" + }, + { + "field": "group_val", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 28, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 33, + "is_column_break": true + } + }, + { + "id": 6425855102852124, + "definition": { + "title": "Alert Category Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5764059718686724, + "definition": { + "title": "Top Alert Categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + 
"id": 7710341617235570, + "definition": { + "title": "Top Suspicious Activity by Type", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Suspicious activity\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_string", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3107848776418196, + "definition": { + "title": "Top Malicious Activity by Type", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Malicious activity\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_string", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + 
"type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 6536253324478998, + "definition": { + "title": "Total Vulnerabilities Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:Vulnerabilities $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 5786710683253084, + "definition": { + "title": "Vulnerabilities over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:Vulnerabilities $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 3 + } + }, + { + "id": 5537701599950778, + "definition": { + "title": "Total Data Protection Alerts", + "title_size": 
"16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Data protection\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffebeb" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 6776126391678614, + "definition": { + "title": "Data Protection Alerts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Data protection\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 3 + } + }, + { + "id": 8566337838933810, + "definition": { + "title": "Total Network Misconfiguration Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + 
"queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Network misconfigurations\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 10, + "width": 4, + "height": 3 + } + }, + { + "id": 8421085371799994, + "definition": { + "title": "Network Misconfiguration Alerts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Network misconfigurations\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 10, + "width": 8, + "height": 3 + } + }, + { + "id": 5036020458207494, + "definition": { + "title": "Total Data Risk Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Data at risk\" $Risk-Level $Alert-Status $Host $Source $Asset-State 
$Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 13, + "width": 4, + "height": 3 + } + }, + { + "id": 5375795056189494, + "definition": { + "title": "Data Risk Alerts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Data at risk\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 13, + "width": 8, + "height": 3 + } + }, + { + "id": 8257346006352384, + "definition": { + "title": "Total Authentication Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:Authentication $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffe0e0" 
+ } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 16, + "width": 4, + "height": 3 + } + }, + { + "id": 3096738400070790, + "definition": { + "title": "Authentication Alerts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:Authentication $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 16, + "width": 8, + "height": 3 + } + }, + { + "id": 5285146091532866, + "definition": { + "title": "Total Logging and Monitoring Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Logging and monitoring\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 19, + "width": 4, + "height": 3 + } + }, + { + "id": 4373363001620230, + "definition": { + 
"title": "Logging and Monitoring Alerts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Logging and monitoring\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 19, + "width": 8, + "height": 3 + } + }, + { + "id": 510905734689330, + "definition": { + "title": "Total Lateral Movement Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Lateral movement\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffeae0" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 22, + "width": 4, + "height": 3 + } + }, + { + "id": 919128107437272, + "definition": { + "title": "Lateral Movement Alerts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": 
false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:\"Lateral movement\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 22, + "width": 8, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 59, + "width": 12, + "height": 26 + } + }, + { + "id": 2641086880097668, + "definition": { + "title": "Asset Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5564489608580580, + "definition": { + "title": "Total Enabled Assets", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_state:enabled $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7020739309589100, + "definition": { + "title": "Total Running Assets", + "title_size": "16", + "title_align": "left", + "type": 
"query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_state:running $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7563755918060194, + "definition": { + "title": "Total Pending Deletion Assets", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_state:pending_deletion $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f8ffe0" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 8131942538808572, + "definition": { + "title": "Total Disabled Assets", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_state:disabled $Risk-Level $Alert-Status $Host $Source $Asset-State 
$Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#feddbe" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2058298632911828, + "definition": { + "title": "Total Stopped Assets", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_state:stopped $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 6729625914648454, + "definition": { + "title": "Distribution by Asset State", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_state", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 9, + "height": 4 + } + }, + { + "id": 2013549788995556, + "definition": { + "title": "Top Asset Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_type_string", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 2416100574612932, + "definition": { + "title": "Top Asset Categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_category", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 5318819323836612, + "definition": { + "title": "Top Serverless Assets with High Risk Score", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.risk_level:(critical OR high) @asset_category:Serverless $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 1939791328883106, + "definition": { + "title": "Top Assets with Sensitive Data", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_labels:sensitive_data $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_name", + "limit": 10, + 
"sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 1957323391871310, + "definition": { + "title": "Top Vulnerable Internet Facing Assets", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @category:Vulnerabilities @asset_labels:internet_facing $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "*" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count", + "metric": "*" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 3355324497921286, + "definition": { + "title": "Top Risky Neglected Assets by Type", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" 
@category:\"Neglected assets\" @state.risk_level:(critical OR high OR medium) $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_string", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 7569315094819404, + "definition": { + "title": "Serverless Assets by Risk Level", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @asset_category:Serverless $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.risk_level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 8, + "height": 4 + } + }, + { + "id": 6977485842623188, + "definition": { + "title": "Top Asset Labels", + "title_size": "16", + "title_align": "left", + "type": 
"toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_labels", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 5997635244488554, + "definition": { + "title": "Top Risky Assets", + "title_size": "16", + "title_align": "left", + "time": { + "type": "live", + "unit": "month", + "value": 1 + }, + "type": "toplist", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "a", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @state.risk_level:(critical OR high OR medium) $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "a" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 4, + "height": 4 + } 
+ }, + { + "id": 7933504032500054, + "definition": { + "title": "Top Asset Tags", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_tags_info_list", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 20, + "width": 4, + "height": 4 + } + }, + { + "id": 6460559290743636, + "definition": { + "title": "Top Asset Role Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_role_names", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 
8, + "y": 20, + "width": 4, + "height": 4 + } + }, + { + "id": 2125981499228204, + "definition": { + "title": "Lambda Functions Exposing Environment Variable Secrets in Serverless Assets", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @type_string:\"Lambda function environment variables expose Personally Identifiable Information (PII)\" @asset_category:Serverless $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "message", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@asset_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 24, + "width": 6, + "height": 4 + } + }, + { + "id": 3772467336444558, + "definition": { + "title": "Lambda Functions with Admin Privileges in Serverless Assets", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" @type_string:\"Lambda Function with Admin Privileges\" @asset_category:Serverless $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "message", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@asset_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 24, + "width": 6, + "height": 4 + } + }, + { + "id": 48023636716546, + "definition": { + "title": "Top Asset Regions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@asset_regions", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 3, + "height": 4 + } + }, + { + "id": 2268277715757440, + "definition": { + "title": "Asset Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": 
"source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "message", + "width": "auto" + }, + { + "field": "asset_name", + "width": "auto" + }, + { + "field": "asset_category", + "width": "auto" + }, + { + "field": "asset_regions", + "width": "auto" + }, + { + "field": "asset_state", + "width": "auto" + }, + { + "field": "asset_type_string", + "width": "auto" + }, + { + "field": "asset_unique_id", + "width": "auto" + }, + { + "field": "asset_vendor_id", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 3, + "y": 28, + "width": 9, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 85, + "width": 12, + "height": 33 + } + }, + { + "id": 6113071595393960, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:orca_security service:\"Orca Alerts\" $Risk-Level $Alert-Status $Host $Source $Asset-State $Asset-Regions", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "state.status", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + }, + { + "field": "state.risk_level", + "width": "auto" + }, + { + "field": "category", + "width": "auto" + }, + { + "field": "alert_labels", + "width": "auto" + }, + { + "field": "type_string", + "width": "auto" + }, + { + "field": "asset_category", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "state.alert_id", + "width": "auto" + }, + { + "field": "state.created_at", + "width": "auto" + }, + { + "field": "state.in_verification", + "width": "auto" + }, + { + "field": "state.last_seen", + "width": "auto" + }, + { + 
"field": "state.last_updated", + "width": "auto" + }, + { + "field": "state.low_since", + "width": "auto" + }, + { + "field": "state.orca_score", + "width": "auto" + }, + { + "field": "state.risk_level", + "width": "auto" + }, + { + "field": "state.rule_source", + "width": "auto" + }, + { + "field": "state.score", + "width": "auto" + }, + { + "field": "state.severity", + "width": "auto" + }, + { + "field": "state.status_time", + "width": "auto" + }, + { + "field": "alert_source", + "width": "auto" + }, + { + "field": "data.mitre_category", + "width": "auto" + }, + { + "field": "account_name", + "width": "auto" + }, + { + "field": "source", + "width": "auto" + }, + { + "field": "cloud_provider", + "width": "auto" + }, + { + "field": "asset_name", + "width": "auto" + }, + { + "field": "cloud_account_id", + "width": "auto" + }, + { + "field": "cloud_account_type", + "width": "auto" + }, + { + "field": "cloud_provider_id", + "width": "auto" + }, + { + "field": "cloud_vendor_id", + "width": "auto" + }, + { + "field": "cluster_name", + "width": "auto" + }, + { + "field": "cluster_type", + "width": "auto" + }, + { + "field": "cluster_unique_id", + "width": "auto" + }, + { + "field": "group_type", + "width": "auto" + }, + { + "field": "group_name", + "width": "auto" + }, + { + "field": "group_type_string", + "width": "auto" + }, + { + "field": "group_unique_id", + "width": "auto" + }, + { + "field": "group_val", + "width": "auto" + }, + { + "field": "asset_state", + "width": "auto" + }, + { + "field": "asset_type_string", + "width": "auto" + }, + { + "field": "asset_labels", + "width": "auto" + }, + { + "field": "asset_tags_info_list", + "width": "auto" + }, + { + "field": "asset_role_names", + "width": "auto" + }, + { + "field": "asset_regions", + "width": "auto" + }, + { + "field": "asset_unique_id", + "width": "auto" + }, + { + "field": "asset_vendor_id", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + 
"height": 4 + } + } + ], + "template_variables": [ + { + "name": "Risk-Level", + "prefix": "@state.risk_level", + "available_values": [], + "default": "*" + }, + { + "name": "Alert-Status", + "prefix": "@state.status", + "available_values": [], + "default": "*" + }, + { + "name": "Host", + "prefix": "host", + "available_values": [], + "default": "*" + }, + { + "name": "Source", + "prefix": "@alert_source", + "available_values": [], + "default": "*" + }, + { + "name": "Asset-State", + "prefix": "@asset_state", + "available_values": [], + "default": "*" + }, + { + "name": "Asset-Regions", + "prefix": "@asset_regions", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/orca_security/assets/logs/orca-security.yaml b/orca_security/assets/logs/orca-security.yaml new file mode 100644 index 0000000000000..1df51cb200a5f --- /dev/null +++ b/orca_security/assets/logs/orca-security.yaml 
@@ -0,0 +1,44 @@
+id: orca-security
+metric_id: orca-security
+backend_only: false
+installation_sources:
+ - orca_security
+facets: null
+pipeline:
+ type: pipeline
+ name: Orca Security
+ enabled: true
+ filter:
+ query: source:orca_security
+ processors:
+ - type: date-remapper
+ name: Define `state.last_updated` as the official date of the log
+ enabled: true
+ sources:
+ - state.last_updated
+ - type: service-remapper
+ name: Define `service` as the official service of the log
+ enabled: true
+ sources:
+ - service
+ - name: Lookup on `state.risk_level` to `status`
+ enabled: true
+ source: state.risk_level
+ target: status
+ lookupTable: |-
+ informational,info
+ low,info
+ medium,warning
+ high,critical
+ critical,critical
+ type: lookup-processor
+ - type: status-remapper
+ name: Define `status` as the official status of the log
+ enabled: true
+ sources:
+ - status
+ - type: message-remapper
+ name: Define `data.title` as the official message of the log
+ enabled: true
+ sources:
+ - data.title
diff --git a/orca_security/assets/logs/orca-security_tests.yaml b/orca_security/assets/logs/orca-security_tests.yaml
new file mode 100644
index 0000000000000..becb292fb458b
--- /dev/null
+++ b/orca_security/assets/logs/orca-security_tests.yaml
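Review bot: The `lookupTable` of the `Lookup on state.risk_level to status` processor maps both `high` and `critical` to `critical`, so the derived Datadog `status` — and any monitor or facet built on it — cannot tell the two Orca risk levels apart; `high,error` in place of `high,critical` would preserve the ordering the source already provides. The processor also has no `defaultLookup`, so an alert whose `state.risk_level` is outside the five listed values presumably leaves `status` unset and the status-remapper that follows has nothing to apply; an explicit `defaultLookup: info` makes that fallback deliberate rather than accidental. As a point of style, this processor lists `type: lookup-processor` as its last key while every other processor puts `type` first; moving it up keeps the list uniform.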
@@ -0,0 +1,198 @@ +id: "orca-security" +tests: + - + sample: |- + { + "group_val" : "nongroup", + "asset_type_string" : "AwsKmsKey", + "data" : { + "mitre_category" : "collection", + "recommendation" : "It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.", + "details" : "It was found that {AwsKmsKey} is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.", + "mitre_techniques" : [ "Data from Information Repositories (T1213)" ], + "title" : "KMS CMK schedule deletion", + "remediation_console" : [ ">1. Open the AWS KMS console at **[KMS console](https://console.aws.amazon.com/kms/)**.", ">2. Select the desired AWS Region by using the Region selector in the upper-right corner of the page.", ">3. In the left navigation pane, select **Customer managed keys**.", ">4. Select the desired KMS key that you want to recover.", ">5. Click Key actions drop down menu and then, select **Cancel key deletion**." 
], + "mitre_technique" : [ "Data from Information Repositories (T1213)" ] + }, + "alert_labels" : [ "mitre: collection" ], + "is_compliance" : "False", + "group_type_string" : "NonGroup", + "related_compliances" : [ "AWS Foundational Security Best Practices", "CCPA", "CJIS (Criminal Justice Information Services)", "CMMC (Cybersecurity Maturity Model Certification) Level 2", "COPPA (Children’s Online Privacy Protection)", "CPRA (California Privacy Rights Act)", "DORA (Digital Operational Resilience Act)", "FFIEC (Federal Financial Institutions Examination Council)", "FedRAMP", "HIPAA", "HITRUST Level 1", "HITRUST Level 2", "HITRUST Level 3", "ISM (Australian Government Information Security Manual) September 2022", "ISMS-P (Personal information & Information Security Management System)", "ISO 27001 2013", "ISO 27001 2022", "ISO 27002 2022", "LGPD (Brazilian General Data Protection)", "MITRE ATT&CK v12", "MITRE ATT&CK v13", "MPA (Motion Picture Association) v5", "NIS (Network and Information Security) v2", "NIST 800-171 (Rev 2)", "NIST 800-171 (Rev 3)", "NIST 800-172", "NIST 800-53 (Rev 5.1.1)", "NZISM", "Orca Best Practices", "PDPA (Personal Data Protection Act)", "PDPO (Personal Data Privacy Ordinance)", "PIPEDA (Personal Information Protection and Electronic Documents Act)", "RBI (Reserve Bank of India)", "SOC 2", "TISAX VDA", "UK Cyber Essentials" ], + "recommendation" : "It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.", + "description" : "KMS CMK schedule deletion", + "source" : "alias/JAY_ODS", + "group_type" : "AwsKmsKey", + "cluster_type" : "AwsKmsKey", + "type" : "aws_kms_cmk_pending_deletion", + "group_unique_id" : "AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91", + "cloud_account_id" : "f77d16af-0f52-44e8-9496-d1c9bd46d930", + "score" : "normal", + "hostname" : "alias/JAY_ODS", + "type_string" : "KMS CMK schedule deletion", + "asset_name" : "alias/JAY_ODS", + 
"account_name" : "cds-avataar", + "alert_source" : "Orca Scan", + "context" : "control", + "asset_type" : "AwsKmsKey", + "details" : "It was found that alias/JAY_ODS is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.", + "state" : { + "severity" : "informational", + "rule_source" : "Orca", + "last_updated" : "2024-11-20T16:17:40+00:00", + "last_seen" : "2024-11-19T15:28:57+00:00", + "low_since" : "2024-11-13T16:07:48+00:00", + "created_at" : "2024-11-13T15:21:12+00:00", + "closed_time" : "2024-11-20T16:17:40+00:00", + "score" : 4, + "risk_level" : "informational", + "orca_score" : 1.8, + "alert_id" : "orca-5903", + "closed_reason" : "asset deleted", + "status_time" : "2024-11-20T16:17:40+00:00", + "status" : "closed" + }, + "rule_query" : "AwsKmsKey with KeyState = 'PendingDeletion'", + "cluster_unique_id" : "AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91", + "cluster_name" : "alias/JAY_ODS", + "subject_type" : "AwsKmsKey", + "group_name" : "alias/JAY_ODS", + "level" : 0, + "tags_info_list" : [ "ODS|JAY" ], + "is_rule" : "True", + "cloud_provider" : "aws", + "organization_name" : "test", + "cloud_vendor_id" : "748335378900", + "type_key" : "ad59fd836bc225b159dcfbf413191c77", + "rule_id" : "r4c1559f2e0", + "asset_category" : "Encryption and Secrets", + "asset_state" : "enabled", + "service" : "Orca Alerts", + "asset_tags_info_list" : [ "ODS|JAY" ], + "asset_unique_id" : "AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91", + "cloud_provider_id" : "748335378900", + "category" : "Data protection", + "cloud_account_type" : "Regular", + "asset_vendor_id" : "arn:aws:kms:us-east-1:748335378900:key/afcaa647-4393-4a29-b869-0c97914a1773" + } + result: + custom: + account_name: "cds-avataar" + alert_labels: + - "mitre: collection" + alert_source: "Orca Scan" + asset_category: "Encryption and Secrets" + asset_name: "alias/JAY_ODS" + asset_state: "enabled" + asset_tags_info_list: + - "ODS|JAY" + asset_type: 
"AwsKmsKey" + asset_type_string: "AwsKmsKey" + asset_unique_id: "AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91" + asset_vendor_id: "arn:aws:kms:us-east-1:748335378900:key/afcaa647-4393-4a29-b869-0c97914a1773" + category: "Data protection" + cloud_account_id: "f77d16af-0f52-44e8-9496-d1c9bd46d930" + cloud_account_type: "Regular" + cloud_provider: "aws" + cloud_provider_id: "748335378900" + cloud_vendor_id: "748335378900" + cluster_name: "alias/JAY_ODS" + cluster_type: "AwsKmsKey" + cluster_unique_id: "AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91" + context: "control" + data: + details: "It was found that {AwsKmsKey} is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion." + mitre_category: "collection" + mitre_technique: + - "Data from Information Repositories (T1213)" + mitre_techniques: + - "Data from Information Repositories (T1213)" + recommendation: "It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys." + remediation_console: + - ">1. Open the AWS KMS console at **[KMS console](https://console.aws.amazon.com/kms/)**." + - ">2. Select the desired AWS Region by using the Region selector in the upper-right corner of the page." + - ">3. In the left navigation pane, select **Customer managed keys**." + - ">4. Select the desired KMS key that you want to recover." + - ">5. Click Key actions drop down menu and then, select **Cancel key deletion**." + description: "KMS CMK schedule deletion" + details: "It was found that alias/JAY_ODS is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion." 
+ group_name: "alias/JAY_ODS" + group_type: "AwsKmsKey" + group_type_string: "NonGroup" + group_unique_id: "AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91" + group_val: "nongroup" + hostname: "alias/JAY_ODS" + is_compliance: "False" + is_rule: "True" + level: 0 + organization_name: "test" + recommendation: "It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys." + related_compliances: + - "AWS Foundational Security Best Practices" + - "CCPA" + - "CJIS (Criminal Justice Information Services)" + - "CMMC (Cybersecurity Maturity Model Certification) Level 2" + - "COPPA (Children’s Online Privacy Protection)" + - "CPRA (California Privacy Rights Act)" + - "DORA (Digital Operational Resilience Act)" + - "FFIEC (Federal Financial Institutions Examination Council)" + - "FedRAMP" + - "HIPAA" + - "HITRUST Level 1" + - "HITRUST Level 2" + - "HITRUST Level 3" + - "ISM (Australian Government Information Security Manual) September 2022" + - "ISMS-P (Personal information & Information Security Management System)" + - "ISO 27001 2013" + - "ISO 27001 2022" + - "ISO 27002 2022" + - "LGPD (Brazilian General Data Protection)" + - "MITRE ATT&CK v12" + - "MITRE ATT&CK v13" + - "MPA (Motion Picture Association) v5" + - "NIS (Network and Information Security) v2" + - "NIST 800-171 (Rev 2)" + - "NIST 800-171 (Rev 3)" + - "NIST 800-172" + - "NIST 800-53 (Rev 5.1.1)" + - "NZISM" + - "Orca Best Practices" + - "PDPA (Personal Data Protection Act)" + - "PDPO (Personal Data Privacy Ordinance)" + - "PIPEDA (Personal Information Protection and Electronic Documents Act)" + - "RBI (Reserve Bank of India)" + - "SOC 2" + - "TISAX VDA" + - "UK Cyber Essentials" + rule_id: "r4c1559f2e0" + rule_query: "AwsKmsKey with KeyState = 'PendingDeletion'" + score: "normal" + service: "Orca Alerts" + source: "alias/JAY_ODS" + state: + alert_id: "orca-5903" + closed_reason: "asset deleted" + closed_time: 
"2024-11-20T16:17:40+00:00" + created_at: "2024-11-13T15:21:12+00:00" + last_seen: "2024-11-19T15:28:57+00:00" + last_updated: "2024-11-20T16:17:40+00:00" + low_since: "2024-11-13T16:07:48+00:00" + orca_score: 1.8 + risk_level: "informational" + rule_source: "Orca" + score: 4 + severity: "informational" + status: "closed" + status_time: "2024-11-20T16:17:40+00:00" + status: "info" + subject_type: "AwsKmsKey" + tags_info_list: + - "ODS|JAY" + type: "aws_kms_cmk_pending_deletion" + type_key: "ad59fd836bc225b159dcfbf413191c77" + type_string: "KMS CMK schedule deletion" + message: "KMS CMK schedule deletion" + service: "Orca Alerts" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1732119460000 \ No newline at end of file diff --git a/orca_security/assets/orca_security.svg b/orca_security/assets/orca_security.svg new file mode 100644 index 0000000000000..60599aa54c7c2 --- /dev/null +++ b/orca_security/assets/orca_security.svg @@ -0,0 +1,48 @@ + + + + + + + + + + + + + + + + + + + + + + diff --git a/orca_security/assets/service_checks.json b/orca_security/assets/service_checks.json new file mode 100644 index 0000000000000..fe51488c7066f --- /dev/null +++ b/orca_security/assets/service_checks.json @@ -0,0 +1 @@ +[] diff --git a/orca_security/images/orca_security_alerts.png b/orca_security/images/orca_security_alerts.png new file mode 100644 index 0000000000000..d3da88e24d848 Binary files /dev/null and b/orca_security/images/orca_security_alerts.png differ diff --git a/orca_security/manifest.json b/orca_security/manifest.json new file mode 100644 index 0000000000000..d234434e94b32 --- /dev/null +++ b/orca_security/manifest.json 
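Review bot: The fixture in this hunk embeds what look like live cloud identifiers — the account id `748335378900` in `cloud_vendor_id`/`cloud_provider_id`, the full KMS key ARN in `asset_vendor_id`, the `cds-avataar` account name and the `alias/JAY_ODS` alias — and repeats each of them in the expected `result` block. If these were captured from a real tenant rather than generated, replace them with clearly synthetic values (for example an illustrative account id such as `123456789012` and a placeholder alias) before merging, since the pipeline under test does not depend on their specific values and committed fixtures are hard to scrub afterwards. The expected `state.status: "closed"` beside the derived top-level `status: "info"` is consistent with the lookup table, so no change is needed there. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing for clean diffs.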
@@ -0,0 +1,52 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "c5503835-004d-4f4b-bf61-57845767f8e1",
+ "app_id": "orca-security",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into Orca Security alert logs.",
+ "title": "Orca Security",
+ "media": [
+ {
+ "media_type": "image",
+ "caption": "Orca Security - Alerts",
+ "image_url": "images/orca_security_alerts.png"
+ }
+ ],
+ "classifier_tags": [
+ "Category::Log Collection",
+ "Category::Security",
+ "Submitted Data Type::Logs",
+ "Offering::Integration"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": false,
+ "source_type_id": 32538198,
+ "source_type_name": "Orca Security",
+ "events": {
+ "creates_events": false
+ },
+ "service_checks": {
+ "metadata_path": "assets/service_checks.json"
+ }
+ },
+ "dashboards": {
+ "Orca Security - Alerts": "assets/dashboards/orca_security_alerts.json"
+ },
+ "logs": {
+ "source": "orca_security"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}