Orca automations allow you to define alert query filters (rules) which, when met, trigger system actions such as changing the severity of an alert, dismissing an alert, sending notifications, and opening a ticket. Automations can help your teams rapidly respond to cloud security issues using your existing remediation workflows. For example, when Orca detects an API call from a malicious IP address, you can use the PagerDuty integration to notify the corresponding team(s). Similarly, when Orca detects an S3 bucket file containing database credentials, you can send a Slack message to your security team.
- Getting started with automations
- Automations: settings overview
- Query syntax overview
- Manage saved automations
Getting started with automations
Follow these steps to view your existing automations or to create a new automation.
- Navigate to Settings from the main menu on the left.
- Select Alerts & Automations from the Settings submenu.
- Select the Automations tab to view existing automations.
- In the upper-right corner of the page, expand the Create New dropdown menu and choose Create automation.
Automations: settings overview
Automations settings are divided into two sections: “Define Filter” and “Define Actions”.
Define Filter (alert rules):
- Automation name and a short description.
- Select the Apply to existing alerts checkbox if you want alerts that already exist to trigger the automation action(s). This happens the next time Orca scans your cloud environment. If the checkbox is not selected, only alerts raised after the automation is saved trigger the selected action(s).
- The query rules that must be met for the automation to trigger the selected action(s).
- Use the Clear rule link to clear the query. Use the Test Now button to run a query test against the alert data currently in your Orca account.
- Query conditions that you can string together to specify exactly which alerts can trigger an automation. Clicking a condition adds it to the query. Conditions shown with lower opacity have already been added to the query.
- Query test results are displayed after you click the Test Now button.
Define Actions (triggered when query rules are met):
- Change alert severity automatically when Orca detects alerts that meet your query rules. Learn more about alert prioritization. The available options include:
- Imminent Compromise
- Increase Severity (by one level)
- Decrease Severity (by one level)
- Dismiss all alerts of this type when Orca detects alerts that meet your query criteria. Learn more about dismissing alerts.
- Choose one or more notification methods where alert information will be sent.
- Automatically open tickets using enabled ticketing integrations.
Query syntax overview
The automation query defines the search criteria for recognizing Orca alerts. A valid query consists of one subject and at least one condition. Since the subject of every automation query is an alert, the “When an alert” subject type is already set as the query prefix.
Query example - minimum requirements
Because “alert” is the default query subject, a single alert condition is enough to meet the minimum requirements of a valid query.
Example: When an alert (subject) Category is IAM misconfigurations (condition):
When testing this query, our Orca account returned 18 existing alerts.
Here are several helpful tips for building queries quickly:
- After inserting a condition, click into the empty underlined field and start typing. The query auto-complete will suggest matching values.
- To delete a previously inserted condition value (e.g., IAM misconfigurations), move your cursor over that value to reveal the remove (x) icon in the upper-right corner of the value name. You can then insert a different condition value.
- To delete a condition itself (e.g., Category), along with its value, move your cursor over that condition to reveal the remove (x) icon in the upper-right corner of the condition name.
- Use the Esc key on your keyboard to close the auto-complete dropdown menu.
Query example - more than one condition
Let’s expand on our first example by inserting one more condition for alert “Type”.
Example: When an alert (subject) Category is IAM misconfigurations (condition) and Type is Unused role with policy found (condition):
When you specify multiple query conditions, they are automatically linked with the AND operator. This means that all linked conditions must be met simultaneously for the automation action(s) to trigger. Our updated example query now returns 16 alerts when tested.
Query example - more than one condition value
The same condition cannot be inserted multiple times in the query. However, you can specify multiple condition values directly after the condition itself and they will be separated by commas.
Let’s look at an example where the query will trigger an action if alerts are detected in more than one cloud account.
Example: When an alert (subject) Account is dev-research, acme-production (condition):
When you specify multiple condition values, they are automatically linked with a comma, which serves as the OR operator. This means that either of the linked condition values must be met for the automation action(s) to trigger.
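The following Python model is an added illustration of the query and action semantics described in the “Query syntax overview” and “Define Actions” sections above; it is not Orca code and does not call the Orca API. It assumes a mapping from the builder’s condition names (Category, Type, Account) to alert fields, an ordered severity scale with Imminent Compromise at the top, and a small set of constructed sample alerts. Conditions are ANDed, the comma-separated values of one condition are ORed, a condition can be added only once, an empty query is rejected, and the “Apply to existing alerts” flag decides whether pre-existing alerts are selected.

```python
"""Model of how an Orca automation query selects alerts and applies a severity
action. Added illustration, not Orca code: the field mapping, severity scale and
sample alerts below are assumptions constructed for this example."""
from dataclasses import dataclass


@dataclass
class Alert:
    id: str
    category: str
    type: str
    account: str
    severity: str
    is_new: bool = True  # False = alert existed before the automation was saved


# Constructed sample alerts, not real Orca data.
ALERTS = [
    Alert("a1", "IAM misconfigurations", "Unused role with policy found", "dev-research", "Medium"),
    Alert("a2", "IAM misconfigurations", "Root account without MFA", "acme-production", "High", is_new=False),
    Alert("a3", "Data at risk", "Database credentials in S3 object", "acme-production", "High"),
    Alert("a4", "IAM misconfigurations", "Unused role with policy found", "staging", "Low", is_new=False),
]

# Assumed mapping from query-builder condition names to alert attributes.
FIELDS = {"Category": "category", "Type": "type", "Account": "account"}

# Assumed ordered severity scale; Imminent Compromise is the top rung here.
SEVERITY_SCALE = ["Informational", "Low", "Medium", "High", "Critical", "Imminent Compromise"]


def build_query(*conditions: tuple[str, list[str]]) -> dict[str, list[str]]:
    """Build a query as {condition: [values]}, enforcing the builder's rules:
    at least one condition, each condition at most once, each with a value."""
    if not conditions:
        raise ValueError("a valid query needs at least one condition")
    query: dict[str, list[str]] = {}
    for name, values in conditions:
        if name not in FIELDS:
            raise ValueError(f"unknown condition: {name}")
        if name in query:
            raise ValueError(f"condition {name!r} already in query; add values to it instead")
        if not values:
            raise ValueError(f"condition {name!r} needs at least one value")
        query[name] = list(values)
    return query


def matches(alert: Alert, query: dict[str, list[str]]) -> bool:
    """All conditions must hold (AND); within one condition any listed value suffices (OR)."""
    return all(getattr(alert, FIELDS[name]) in values for name, values in query.items())


def run_query(alerts, query, apply_to_existing=False):
    """Return the alerts the automation would act on. Without 'Apply to existing
    alerts', only alerts raised after the automation was saved are selected."""
    return [a for a in alerts if matches(a, query) and (a.is_new or apply_to_existing)]


def change_severity(current: str, action: str) -> str:
    """Apply one of the three severity actions; one-level moves clamp at the scale ends."""
    i = SEVERITY_SCALE.index(current)
    if action == "Imminent Compromise":
        return SEVERITY_SCALE[-1]
    if action == "Increase Severity":
        return SEVERITY_SCALE[min(i + 1, len(SEVERITY_SCALE) - 1)]
    if action == "Decrease Severity":
        return SEVERITY_SCALE[max(i - 1, 0)]
    raise ValueError(f"unknown action: {action}")


def run_automation(alerts, query, action, apply_to_existing=False):
    """Filter, then act: (alert id, old severity, new severity) for each selected alert."""
    return [(a.id, a.severity, change_severity(a.severity, action))
            for a in run_query(alerts, query, apply_to_existing)]


if __name__ == "__main__":
    q = build_query(("Category", ["IAM misconfigurations"]),
                    ("Type", ["Unused role with policy found"]))
    # Mirrors the second worked example above: both conditions must hold.
    print(run_automation(ALERTS, q, "Increase Severity", apply_to_existing=True))
```

Use Test Now in the console the same way `run_query` is used here: run the filter against existing alert data before saving, and check that the count and the selected alerts are what you intended, especially before pairing a broad query with Dismiss or Decrease Severity.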
Manage saved automations
Let’s explore the available options for managing your saved alert automations.
- Toggle switch to enable and disable an automation. Disabled automations are grayed out.
- Click the vertical ellipsis to reveal the following options:
- Edit - change the automation's settings.
- Duplicate - use an existing automation as a template to create a new automation.
- Disable - prevent the automation from triggering system actions until it is enabled again.
- Remove - permanently delete an automation.