AlertOps and Orca Security
Orca Security is a cloud security platform designed to help businesses detect and identify vulnerabilities, malware, misconfigurations, weak and leaked passwords, lateral movement risk, and high-risk data across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) environments.
AlertOps’ alert management system can be integrated with Orca Security to receive and respond to all (predefined status mappings) alerts through email, SMS, push notification or phone alerts. AlertOps would ensure that the alert/job status would reach the appropriate team by using proper workflows, escalation policies and schedules. Based on your ruleset, incidents can be automatically opened and closed, depending on whether Orca Security reports an error or a recovery.
The above scenario and scope for integration is due to the fact that AlertOps has a very flexible and simple API/Webhook configuration feature that can be leveraged with Orca Security's automation and integration capabilities.
AlertOps - Inbound Integration
We can define rulesets in AlertOps so that Orca Security can send out alert status changes to the AlertOps platform. AlertOps would ensure based on these notifications received, that it would always reach out and assign to the correct person/team by utilizing its escalation policies, schedules, and workflow features.
AlertOps provides Inbound Integrations to integrate with numerous monitoring, chat and ITSM tools. You can configure an inbound integration for Orca Security.
At a high level this is how the flow looks like, you define an API integration in the AlertOps platform by defining settings like Integration Name, Escalation rules, recipient users/groups. Once an integration is defined, a unique API URL is generated. This acts as webhook or the gateway through which notifications from Orca Security reach AlertOps and thus an incident/alert is created correspondingly. The API can be defined with various settings like URL mappings, filters, escalations etc. as required. Orca Security has to be configured with a webhook, and the webhook must be attached to an automation.
To configure an Inbound Integration in AlertOps to receive alerts from Orca Security,
Under 'Integrations' select 'Inbound Integrations', select the category 'API' and then select add 'Add API Integration'
There are numerous integration options available in AlertOps, select Orca Security
Once you select the integration, you can then specify basic settings like the integration name, escalation policy, names of the recipients/groups for which the alerts must be assigned to.
Once you click save, the API Integration will be created, and you will be given a unique URL which acts as the access point and needs to be configured at the source (in this case Orca Security), to send alerts. You can find the integration you just created, and you can give advanced settings and define various configurations for the alerts to be received and processed. For example, you can define when to open and close alerts based on the payload obtained from the API call, filters etc.
Make a note of the API URL, which will be used in Orca Security, so it calls a HTTP POST request to this URL with the body in JSON format containing the alert specific information. AlertOps automatically creates an alert when the status variable (state^status) contains 'open'. The incident will also be closed automatically when the status 'close' or 'closed' is received from Orca Security (and updated when 'in progress' is received).
The 'Advanced Mapping' section can help enforce a more specific level of control by pre-assigning either Recipient Users, Recipient Groups or by using templated Topics. This integration maps the recommendation and details value coming from the webhook JSON to the fields 'Steps to Resolve' and 'Root Cause' respectively. Similarly you can map values to custom fields as well. Click here to view advanced integration options (For customized mapping).
You can similarly define URL mappings as you want, owing to the flexibility provided by AlertOps’ OpenAPI/Plug-and-Play integrations. You can provide other filters and match with regex expressions as well. You can also test the generated URL with the sample data provided
Configuration of Orca Security for the Integration,
In the left navigation pane, select the 'Settings' gear icon. Select 'Integrations' under that.
Find the 'Webhook' integration and click 'Configure'. Select 'Create New Webhook'
Give the Webhook a name - you cannot change this once saved.
Under Webhook URL, paste the AlertOps Inbound Integration API URL.
Save. Make sure it is Enabled.
Now go to 'Alerts and Automations' under 'Settings'
Create a New Automation. Give the Automation a Name, Description and Query.
Under 'Define Actions', check the Send to Webhook URL checkbox, and choose the webhook you saved earlier from the Select Webhook dropdown menu. Only enabled webhooks will be available for selection from the dropdown menu.
Thats it! You have configured a Webhook Integration and attached it to an Automation. Any alert would now be sent to AlertOps for incident management.
Message logs, alert specific information can be viewed in the “Inbound Log” section in AlertOps Dashboard. Alerts can be viewed in the ‘Alerts’ tab as well.
Alert Triggering Information:
AlertOps will automatically create an incident when a new alert is received from Orca Security when the state^status field contains "open".
If an alert with status "open" matches an existing Open Alert, AlertOps will recognize the new alert as a duplicate and ignore the alert.
The alert will be recorded in the Inbound Messages table as “Mapped Appended.”
AlertOps will automatically close the same incident when an alert with state^status contains 'close/closed'.