Orca Security is a cloud security platform that continuously scans AWS, Azure, and GCP for risks, misconfigurations, and threats — and then routes prioritized alerts to SIEMs, SOARs, and other tools.
Orca alert logs generally follow a JSON schema, but fields like hostname
, vulnerabilities
, and compliance
may appear inconsistently depending on factors like the asset type or detection method. Additionally, fields such as risk_level
and orca_score
can also vary in structure and may be deeply nested. These inconsistencies make it harder for security teams to parse, normalize, and enrich logs, which can slow monitoring and response at scale.
Edge Delta’s pre-built Orca Security Pack automatically collects, normalizes, and enriches Orca alert logs within our intelligent Security Data Pipelines. Once processed, these logs can then be routed to the appropriate destinations, such as SIEMs and cost-effective archival storage. By introducing a uniform structure and enrichments across Orca alert logs, the pack streamlines analysis and threat detection workflows while reducing manual overhead for security teams.
This post will walk through each processing step within the Orca Security Pack and demonstrate how to add it to an existing pipeline.
Parsing
Edge Delta’s Orca Security Pack performs a sequence of security data processing steps within a single multiprocessor node. Its default configuration is based on best practices for processing Orca alert logs, but all steps are optional.
First, Edge Delta’s Parse JSON processor checks if the log’s body is already in JSON format. If it is, the pack merges the log fields into the body. If the body is a raw string, the processor converts it into JSON and replaces the original body with the result.
Enrichment
Next, the Add Field processor applies standard tags to each log. Consistent tagging improves filtering, correlation, troubleshooting, and routing by making Orca Security alert logs easier to isolate:
- attributes[“app”] = “OrcaSecurity”
- attributes[“type”] = “Orca alert”
- attributes[“sourcetype”] = “orca:alert”
Transformation and Standardization
After the alert logs are tagged, they move into the Copy Field processor. Here, key values from the original JSON are mapped to standardized, top-level fields, which are easier to work with downstream.
Without these transformations, Orca Security alert data would stay buried in nested JSON, making it harder to access, filter, or route. Applying a consistent schema across all Orca alerts makes the data easier to integrate with downstream systems and tools, leading to higher-quality dashboards, alerts, and integrations. Here are some examples of the changes:
- dest = body[“asset_name”]
- id = body[“state”][“alert_id”]
- severity = body[“state”][“risk_level”]
- description = body[“details”]
- severity_id = body[“state”][“orca_score”]
For the full breakdown of these steps, check out the pack’s documentation.
See the Pack in Action
To use the Orca Security Pack, you’ll first need an active pipeline in Edge Delta. If you don’t have one yet, follow these setup steps.
When your pipeline is ready, navigate to the Pipelines menu, select Knowledge, and open the Packs section. Scroll down to find the Orca Security Pack and click Add Pack. This places the pack in your library, which you can access anytime from the Pipelines menu under Packs. There, you can easily enable or disable specific processing steps according to your preferences.
To install the Orca Security Pack, go back to your Pipelines dashboard, pick the pipeline where you want to add it, and enter Edit Mode. Click Add Processor, navigate to Packs, and select the Orca Security Pack. You can rename it from the default “Orca Security Pack” to any name you prefer. Afterward, click Save Changes.
Next, in the Pipeline Builder, connect your Orca Security source to the pack by dragging the initial connection line.
Finally, configure your output destinations. Edge Delta’s Security Data Pipelines allow you to route processed Orca Security alert logs to any downstream system, including Splunk, IBM QRadar, or CrowdStrike Falcon. You can also ship the logs to Edge Delta’s Observability Platform, which offers real-time anomaly detection and pattern visualization. And, as always, you can send a copy of your raw alert logs to cost-effective archival storage destinations like S3.
Get Started with the Orca Security Pack
The Orca Security Pack is just one of many pre-built pipeline packs within Edge Delta’s growing library, each designed to automate data processing and improve efficiency for security and observability teams.
If you’d like to explore how Edge Delta’s Security Data Pipelines and pre-built packs can improve your security workflows, try our free playground or schedule a demo with one of our experts.