
cnapp.orca

Introduction

The tags beginning with cnapp.orca identify events generated by Orca Security.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as cnapp.orca. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service    Tags                          Data tables
-----------------    ----------------------------  ----------------------------
Orca Security        cnapp.orca.security.alerts    cnapp.orca.security.alerts

For more information, read About Devo tags.

Table structure

These are the fields displayed in this table:

cnapp.orca.security.alerts

Field                              Type        Extra fields
---------------------------------  ----------  ------------
eventdate                          timestamp
hostname                           str
type                               str
is_compliance                      bool
rule_id                            str
subject_type                       str
type_string                        str
type_key                           str
category                           str
description                        str
details                            str
recommendation                     str
alert_labels                       str
asset_category                     str
cloud_provider                     str
cloud_account_id                   str
cloud_vendor_id                    str
cloud_account_type                 str
account_name                       str
asset_name                         str
asset_type                         str
asset_type_string                  str
group_unique_id                    str
vm_id                              str
asset_state                        str
asset_distribution_name            str
asset_distribution_version         str
asset_distribution_major_version   str
asset_auto_updates                 str
asset_availability_zones           str
asset_regions                      str
asset_regions_names                str
asset_vpcs                         str
asset_tags_info_list               str
tags_info_list                     str
asset_num_private_ips              int4
asset_first_private_ips            str
container_image_version            str
container_image_digest             str
container_image_name               str
container_k8s_pod_namespace        str
asset_hostname                     str
container_id                       str
vm_name                            str
cve_list                           str
max_cvss_score                     float8
alert_id                           str
status                             str
status_time                        str
score                              int4
orca_score                         int4
state_severity                     str
risk_level                         str
created_at                         str
last_seen                          str
low_since                          str
high_since                         str
in_verification                    str
last_updated                       str
rule_source                        str
is_new_score                       str
closed_time                        str
verification_status                str
closed_reason                      str
source                             str
organization_id                    str
organization_name                  str
context                            str
asset_unique_id                    str
group_name                         str
group_type                         str
group_type_string                  str
cluster_unique_id                  str
cluster_type                       str
cluster_name                       str
severity                           int4
group_val                          str
cloud_provider_id                  str
findings                           str
hostchain                          str         ✓
tag                                str         ✓
rawMessage                         str         ✓