Data Source

Orca Security is a cloud security platform (CNAPP) that performs agentless scanning of cloud environments (AWS, GCP, Azure) to detect vulnerabilities, misconfigurations, lateral movement paths, and active threats. This connector ingests Orca alert data into the OrcaAlerts_CL custom table.

Alert fields available in OrcaAlerts_CL include: alert_id, alert_type, alert_labels, status, risk_level, orca_score, description, recommendation, source, account_name, cloud_provider_id, asset_unique_id, asset_name, asset_hostname, asset_type, asset_state, vm_id, cluster_name, cluster_type, cve_list, and findings.

Ingestion Mechanism

New connector (v3.0.0): Push CCF (kind: Push) using the Azure Monitor Logs Ingestion API via DCE/DCR. Orca pushes alerts to a Data Collection Endpoint; the DCR transforms the Custom-OrcaSecurityAlerts stream into OrcaAlerts_CL.

  • DCR stream: Custom-OrcaSecurityAlerts
  • Output table: OrcaAlerts_CL (custom table)
  • Authentication: Microsoft Entra ID application (client credentials); Monitoring Metrics Publisher role assigned on the DCR
  • DCR transformKql normalises the time field to TimeGenerated, coerces orca_score to real, resolves alert_type fallback from type, and maps asset_tags_info_list from asset_tags

Legacy connector (retained): HTTP Data Collector API with Shared Key authentication remains deployed for backward compatibility. Both connectors write to the same OrcaAlerts_CL table.

The DCR transformKql handles a reserved keyword conflict: the source stream column named time is referenced using bracket notation throughout the transform, and the column is projected away before output to avoid collisions with the system-managed TimeGenerated column.
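A transformKql body that applies the four adjustments described above, written here as an illustration and not copied from the OrcaSecurityAlerts_DCR.json shipped in this PR. It assumes the Custom-OrcaSecurityAlerts stream declares string columns named time, type, orca_score, alert_type and asset_tags; as in the description, only the reserved-name time column is projected away.

```kql
// Illustrative transformation for the Custom-OrcaSecurityAlerts stream (assumed column names).
// 'time' is a reserved word in the transformation language, so it is always referenced
// with bracket notation and removed before output; TimeGenerated is the system column.
source
// Normalise the alert timestamp into the system-managed TimeGenerated column.
| extend TimeGenerated = todatetime(['time'])
// Coerce the score to a numeric type so the OrcaAlerts_CL column is a real, not a string.
| extend orca_score = toreal(orca_score)
// Fall back to the legacy 'type' field when the newer 'alert_type' field is absent or empty.
| extend alert_type = iif(isempty(alert_type), type, alert_type)
// Map the tag payload onto the column name the OrcaAlerts_CL table expects.
| extend asset_tags_info_list = asset_tags
// Drop the reserved-name source column so it cannot collide with TimeGenerated.
| project-away ['time']
```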

Detection Surface Unlocked

This connector provides visibility into cloud security findings across multi-cloud environments. Key attacker activity categories surfaced via OrcaAlerts_CL:

  • Service vulnerabilities on running assets – exploitable CVEs on live compute (alert_type == service_vulnerability, asset_state == running)
  • Remote code execution paths – alerts labelled remote_code_execution in alert_labels
  • Lateral movement and privilege escalation – cloud IAM misconfigurations, exposed credentials, and east-west attack paths
  • Asset inventory visibility – VM IDs, cluster names/types, asset hostnames, and cloud account identifiers for correlation with other Sentinel data sources

No bundled Analytic Rules or Hunting Queries are included in this PR; existing queries against OrcaAlerts_CL continue to function unchanged.

Operational Notes

The new connector requires an Entra ID app registration with the Application Developer role (or higher) and Contributor + User Access Administrator on the Azure subscription to provision the DCE, DCR, and table. The connector UI supports both auto-provisioning of an Entra app and BYOA (bring-your-own-application) flows.

Environments already running the legacy Shared Key connector do not need to migrate immediately – both connectors are active and ingest to the same table.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/OrcaAlerts_CL.json
Logos/OrcaSecurity.svg
Logos/OrcaSecurityLogo.svg
Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/OrcaSecurityAlerts_ConnectorDefinition.json
Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/OrcaSecurityAlerts_DCR.json
Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/OrcaSecurityAlerts_PollerConfig.json
Solutions/Orca Security Alerts/Data Connectors/OrcaSecurityAlertsCCF/OrcaSecurityAlerts_Table.json
Solutions/Orca Security Alerts/Package/testParameters.json
Solutions/Orca Security Alerts/Workbooks/OrcaAlerts.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Orca Security Alerts.json, createUiDefinition.json, mainTemplate.json)