Orca Security integration overview
You can integrate Orca Security with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Orca Security product overview
Orca Security is a cloud-native security platform that delivers full-stack visibility and protection for public cloud infrastructures. By tapping directly into the cloud environment, it identifies vulnerabilities, malware, misconfigurations, and lateral movement risks, ensuring that your cloud assets remain secure and compliant without the need for agents or network scanners.
Sophos documents
What we ingest
Sample alerts seen by Sophos:
"alertType": "aws_s3_risky_policy"
"alertType": "malware"
"alertType": "Expired ACM certificate"
"alertType": "The following vulnerabilities were found on Internet facing service: kernel VERSION"
"alertType": "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'VALUE' (Automated)"
"alertType": "The following vulnerabilities were found on service: amazon-ecs-volume-plugin VERSION"
"alertType": "The following vulnerabilities were found on software: golang.org/x/net-VERSION"
Filtering
We filter messages as follows:
- We filter only to confirm messages are in the correct format.
- We don't DROP any alerts.
Sample threat mappings
We define the alert type from the field description if it isn't empty. Otherwise, we use the field type_string.
Sample mappings:
{"alertType": "aws_iam_old_role_with_policy", "threatId": "T1098", "threatName": "Account Manipulation"}
{"alertType": "malware", "threatId": "T1587.001", "threatName": "Malware"}
{"alertType": "Unencrypted web endpoint exposing password input field", "threatId": "T1056", "threatName": "Input Capture"}
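The alert-type rule and the sample mappings above, worked through as an added example (not Sophos or Orca code): it assumes each alert arrives as one JSON object with top-level description and type_string fields, checks the format without discarding anything, and maps the derived alertType to the sample threat IDs on this page, leaving threatId empty when no mapping exists.

```python
import json

# Sample threat mappings copied from this page (the page shows only a sample).
THREAT_MAPPINGS = {
    "aws_iam_old_role_with_policy": ("T1098", "Account Manipulation"),
    "malware": ("T1587.001", "Malware"),
    "Unencrypted web endpoint exposing password input field": ("T1056", "Input Capture"),
}

# Assumption: both source fields sit at the top level of the alert object.
REQUIRED_FIELDS = ("description", "type_string")

# Constructed sample alerts (not real Orca output); the last line is deliberately not JSON.
SAMPLE_ALERT_LINES = [
    '{"description": "", "type_string": "malware"}',
    '{"description": "aws_iam_old_role_with_policy", "type_string": "aws_iam_old_role"}',
    '{"description": "Expired ACM certificate", "type_string": "acm_expired"}',
    'not-a-json-alert',
]


def is_well_formed(alert):
    """Format check only: a JSON object that carries both source fields."""
    return isinstance(alert, dict) and all(k in alert for k in REQUIRED_FIELDS)


def derive_alert_type(alert):
    """Page rule: use description when it is non-empty, otherwise type_string."""
    description = alert.get("description")
    if isinstance(description, str) and description.strip():
        return description
    return alert.get("type_string", "")


def map_alert(alert):
    """Attach the sample threat mapping; unmapped alerts are kept, not dropped."""
    alert_type = derive_alert_type(alert)
    threat_id, threat_name = THREAT_MAPPINGS.get(alert_type, (None, None))
    return {"alertType": alert_type, "threatId": threat_id, "threatName": threat_name}


def process_batch(raw_lines):
    """Return (mapped alerts, malformed lines); malformed lines are reported, not silently lost."""
    accepted, malformed = [], []
    for line in raw_lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            malformed.append(line)
            continue
        if not is_well_formed(alert):
            malformed.append(line)
            continue
        accepted.append(map_alert(alert))
    return accepted, malformed
```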