Orca Security V2 Connector
The Orca Security V2 Connector ingests cloud asset and vulnerability data from Orca Security into Qualys Enterprise TruRisk Management (ETM) for centralized visibility and risk prioritization.
This connector uses Orca’s Serving-Layer APIs to retrieve asset inventory and vulnerability findings across supported cloud providers and synchronizes them into ETM for unified analysis alongside other enterprise risk sources.
Connector Details
Here is a comprehensive overview of what the Orca Security V2 Connector supports.
| Vendor | Orca |
| Product Name | Orca Security |
| Category | Cloud Security |
| Findings Supported | Assets and Vulnerabilities |
| Assets Supported | AwsEc2Instance, AzureComputeVm, GcpVmInstance, VmwareVmInstance, OciComputeVmInstance, AliCloudEcsInstance |
| Version | 1.0.0 |
| Supported Version & Type | SaaS (Latest) |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Orca to Qualys) |
| Delta Support | Not Supported (Full pull on every run) |
| Import of Installed Software | Supported (Maximum 200 entries per asset) |
| Import of Source Tags | Supported (Maximum 200 tags per asset) |
| Filters / Query Support | Not Supported |
Each execution performs a full data pull from Orca.
Connection Settings
User Roles and Permissions
To allow Qualys ETM to retrieve data from Orca Security, you must create an API Token with appropriate permissions.
Required Permissions
The connector uses Orca’s Serving-Layer APIs to fetch:
- Host Assets
- VulnerabilityV2 findings
You may use the out-of-the-box Viewer role, which provides the necessary read permissions, such as:
- View/List only
- Assets - View asset information
- Cloud account - View cloud account information
- Domain - View Domains information
- Jira - View tickets
- Compliance - View checks foundation benchmark standards for AWS, GCP, and Azure
- CVE's - View Common Vulnerabilities and Exposures
- Sonar actions - Query and Update Rules
- Read-only access to all Shift-Left related resources
Or, you can create a custom role with the following minimum required permissions. Read more at Default Roles and Permissions (Requires Orca support login).
[Screenshots: Risk Permissions and Asset Permissions]
Keep in mind that restricting the token's scope means that data is fetched only for the selected scope. If you require unrestricted data flow, we recommend not selecting the checkbox.
Steps to Create an API Token:
- Log in to your Orca environment using your regional domain.
- Navigate to Settings > Users & Permissions > API.
- Click Create API Token.
- Provide Name and Description.
- Select expiration option (Never Expire or set Expiration Date).
- Select the required Role (Viewer or custom role).
- Optionally configure Scope (Accounts, Business Units, Shift Left Projects).
- Click Add, then Continue.
Save the token for future use. You can't access the token again after clicking Continue.
Authentication Details
Provide the following credentials in the connector configuration screen:
| Name | Key | Type | Example |
|---|---|---|---|
| API Token | apiToken | Encrypted String | <Your API Token> |
| Domain | domain | String | app.eu.orcasecurity.io |
Supported Regional Domains
| Region | API Domain URL |
|---|---|
| US (Default) | https://api.orcasecurity.io/api/ |
| Europe | https://app.eu.orcasecurity.io/api/ |
| Australia | https://app.au.orcasecurity.io/api/ |
| India | https://app.in.orcasecurity.io/api/ |
| Israel | https://api.il.orcasecurity.io/api/ |
| Brazil (SA) | https://api.sa.orcasecurity.io/api/ |
API Details
| Function | Endpoint | Models | Rate Limit | Description |
|---|---|---|---|---|
| Fetch Assets | https://<domain>/api/serving-layer/query | AliCloudEcsInstance, AwsEc2Instance, AzureComputeVm, GcpVmInstance, OciComputeVmInstance, VmwareVmInstance | 1 request per second per user | Retrieves cloud asset metadata, installed packages, services, tags, network exposure, and risk attributes. |
| Fetch Vulnerabilities | https://<domain>/api/serving-layer/query | VulnerabilityV2 | 1 request per second per user | Retrieves CVE data, CVSS scores, EPSS data, patch availability, exploit indicators, and associated asset linkage. |
Connector Configuration
Let's prepare your first Orca V2 connector.
Basic Details
- Log in to Qualys ETM.
- Navigate to Connectors > Integration.
- Locate Orca Security V2 and click Manage.
- Provide Connector Name and Description.
- Select Findings Type: Vulnerability / Host Asset.
- Enter API Token and Domain.
Preserve Findings Missing in Latest Sync: When selected, findings absent in new runs retain their previous status. When deselected, missing findings are automatically marked as Fixed. The behavior depends on the state selected during initial connection creation.
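The effect of this setting on a run that returns fewer findings than the previous one, as an added example on constructed data (a simplified model, not Qualys code). The `Active` status label, the finding keys and the placeholder CVE ids are assumptions; the sample run is narrowed to one account, as a scoped API token would do.

```python
# Added illustration, not Qualys code: a simplified model of how a full-pull
# run reconciles against the findings ETM already holds.
FIXED = "Fixed"
ACTIVE = "Active"  # assumed label for a finding present in the pull

def reconcile(previous, pulled, preserve_missing):
    """previous: {(asset, cve): status}; pulled: set of (asset, cve) in this run."""
    after = {key: ACTIVE for key in pulled}
    for key, status in previous.items():
        if key not in pulled:
            # Absent from this run: keep the old status, or close it automatically.
            after[key] = status if preserve_missing else FIXED
    return after

def closed_by_run(previous, after):
    """Findings that this run moved to Fixed."""
    return sorted(k for k, s in after.items()
                  if s == FIXED and previous.get(k) != FIXED)

# Constructed data: two accounts, placeholder CVE ids.
PREVIOUS = {
    ("acct1-vm", "CVE-A"): ACTIVE,   # patched since the last run
    ("acct1-vm", "CVE-B"): ACTIVE,   # still present
    ("acct2-vm", "CVE-C"): ACTIVE,   # still present, but in another account
}
# This run's token is scoped to account 1 only, so acct2-vm is not returned.
PULLED = {("acct1-vm", "CVE-B")}

def compare_settings():
    """Map each setting value to the findings the run would close."""
    return {
        preserve: closed_by_run(PREVIOUS, reconcile(PREVIOUS, PULLED, preserve))
        for preserve in (True, False)
    }

if __name__ == "__main__":
    for preserve, closed in compare_settings().items():
        print(f"preserve_missing={preserve}: marked Fixed -> {closed}")
```

With the setting deselected, CVE-C on `acct2-vm` is closed although nothing was remediated there; with it selected, the patched CVE-A keeps its previous status.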
Mapping Details
Data Model
The connector provides an out-of-the-box Orca Security data model aligned to the Qualys ETM schema. It supports cloud asset attributes, risk indicators, installed software, tags, exposure indicators, and CVE metadata.
Transform Maps
A default transform map is provided. You may create a new map or clone the default to customize mappings.
Vulnerabilities Mapping for Orca V2
| data.Hostname.value | hostName |
| data.InstanceId.value | instanceId |
| data.MacAddresses.value[] | networkInterfaces[].macAddress |
| asset_unique_id | externalAssetId |
| data.Memory.value | biosInfo.totalMemory |
| vulnerabilities[].data.CVE.data.Id.value | finding[].externalFindingId |
| vulnerabilities[].data.CVE.data.PublicName.value | finding[].name |
| data.PublicDnsName.value | fqdn |
| data.DistributionName.value | operatingSystem.name |
| data.DistributionVersion.value | operatingSystem.version |
| data.assetIps[] | networkInterfaces[].ipAddress |
| data.CloudAccount.data.CloudProvider.value* (AWS, GCP, Azure, OCI, Alibaba, VMWare / Vmware) | cloudProvider (EC2, GCP, AZURE, OCI, ALIBABA, SOURCE_TYPE_UNKNOWN) |
| data.Tags.value | temp_q_customAttributes.orcaCustomAttributes |
| data.assetPorts[].data.PortNumber.value | ports[].port |
| data.assetPorts[].data.Protocol.value | ports[].protocol |
| data.assetPorts[].data.ServiceName.value | ports[].detectedService |
| data.assetPorts[].data.FirstSeen.value* | ports[].firstFound |
| data.assetPorts[].data.LastUpdated.value* | ports[].lastUpdated |
| data.RunningServices.value[].data.Name.value | services[].name |
| data.RunningServices.value[].data.Exec.value | services[].description |
| data.OsBitMode.value | operatingSystem.architecture |
| vulnerabilities[].data.CvssSeverity.value* | finding[].severity |
| data.CpuType.value | processor.description |
| data.CpuCount.value | processor.numberOfCpu |
| data.CpuFrequency.value | processor.speed |
| data.TotalDisksBytes.value | volumes[].size |
| data.assetApplications[].data.Name.value | softwares[].name |
| data.assetApplications[].data.Version.value | softwares[].version |
| data.assetApplications[].data.InstallDate.value* | softwares[].installedDate |
| data.assetApplications[].data.IsOsPackage.value | softwares[].isSystemApp |
| vulnerabilities[].data.Description.value | finding[].description |
| vulnerabilities[].data.FirstSeen.value* | finding[].firstFoundOn |
| vulnerabilities[].data.CvssVector.value | finding[].findingType.vulnerability.cvss.vector |
| vulnerabilities[].data.PatchAvailable.value* | finding[].findingType.vulnerability.isPatchAvailable |
| vulnerabilities[].data.CVE.data.HasExploit.value | finding[].findingType.vulnerability.isExploitAvailable |
| vulnerabilities[].data.CVE.data.CweTypes.value[] | finding[].findingType.vulnerability.cweIds[] |
| vulnerabilities[].data.CVE.data.Id.value | finding[].findingType.vulnerability.cveId |
| vulnerabilities[].id | finding[].findingType.vulnerability.vendorId |
| vulnerabilities[].data.CVE.data.Cvss2Score.value | finding[].findingType.vulnerability.cvss.cvss2Base |
| vulnerabilities[].data.CVE.data.Cvss3Score.value | finding[].findingType.vulnerability.cvss.cvss3Base |
| vulnerabilities[].data.ThreatImpact.value.0 | finding[].impact |
Profiles
Profiles determine what data is imported and when the connector runs.
- Click + to create a profile.
- Provide Name and Description.
- Select the required Transform Map.
- Set Status (Active / Inactive).
- Configure a Single Occurrence or Recurring schedule.
Scoring
The Scoring screen allows mapping of non-CVE vendor severities to Qualys Detection Score (QDS).
You configure:
- 5 severity levels (1–5)
- Corresponding QDS values (0–100)
- Default Severity for unmatched values
This ensures consistent risk normalization across different scoring systems.
Identification Rules
Identification Rules are provided by Qualys CSAM and control how findings match to assets. You may proceed without changes, ensuring at least one rule is active.
How Does a Connection Work?
The Orca connector functions through configured profiles that determine what data gets synchronized and when.
A Connection usually involves creating a profile that defines which vulnerabilities to import based on detection data types and asset types. The connector then automatically executes according to the schedule (or on-demand), pulling vulnerability data from Orca into Qualys ETM where it can be viewed alongside other security findings.
With the Orca API Connector successfully configured, you are almost ready to view all the assets and findings from Orca.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset and findings data.
- Processed - The connector has successfully fetched the assets, but it may still be fetching the findings. Allow additional time for the findings to be fetched completely.
The Processed state indicates that the connector is successfully configured but is still importing your assets and findings. This process (specifically for findings) may take some time.
This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).
View Assets and Findings in ETM
After a successful run, Orca data appears within ETM.
View Assets
Navigate to:
Enterprise TruRisk Management > Inventory > Assets > Host
Use the filter: tags.name:"Orca Security"
You can review:
- Risk scores
- Cloud provider
- Exposure indicators
- Installed software
- Asset tags
View Vulnerabilities
Navigate to:
Enterprise TruRisk Management > Risk Management > Findings > Vulnerability
Use the filter: finding.vendorProductName:"Orca Security"

This displays all imported Orca vulnerabilities with:
- CVE details
- CVSS and EPSS data
- Patch availability
- Exploit status
- Asset linkage
Limitations
- Full pull only (no delta support).
- Maximum 200 source tags per asset.
- Maximum 200 services per asset.
- Maximum 200 installed software entries per asset.
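A pre-flight check for these limits and for the cloud provider mapping row, as an added example (not Qualys or Orca code). It assumes asset records shaped like the field paths in the mapping table, that the provider values pair up in the order the row lists them, and that unlisted values also become `SOURCE_TYPE_UNKNOWN`; the sample records are constructed.

```python
# Added illustration, not Qualys or Orca code. Field paths come from the
# mapping table; the sample records are constructed.
LIMITS = {  # per-asset maximums from the Limitations list
    "source tags": ("data.Tags.value", 200),
    "services": ("data.RunningServices.value", 200),
    "installed software": ("data.assetApplications", 200),
}
# Assumption: the provider values pair up in the order the mapping row lists them.
CLOUD_PROVIDER = {
    "AWS": "EC2", "GCP": "GCP", "Azure": "AZURE", "OCI": "OCI",
    "Alibaba": "ALIBABA", "VMWare": "SOURCE_TYPE_UNKNOWN",
    "Vmware": "SOURCE_TYPE_UNKNOWN",
}

def dig(obj, path):
    """Follow a dotted path through nested dicts; None if a step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(part)
    return obj

def preflight(record):
    """List what this asset record holds beyond the connector's documented limits."""
    warnings = []
    for label, (path, cap) in LIMITS.items():
        count = len(dig(record, path) or [])
        if count > cap:
            warnings.append(f"{label}: {count} present, {count - cap} over the maximum of {cap}")
    provider = dig(record, "data.CloudAccount.data.CloudProvider.value")
    # Assumption: a value outside the listed set also ends up as SOURCE_TYPE_UNKNOWN.
    if CLOUD_PROVIDER.get(provider, "SOURCE_TYPE_UNKNOWN") == "SOURCE_TYPE_UNKNOWN":
        warnings.append(f"cloudProvider {provider!r} maps to SOURCE_TYPE_UNKNOWN")
    return warnings

def sample(provider, n_apps):
    """Build a constructed Orca-style asset record with n_apps software entries."""
    return {"asset_unique_id": "sample-vm", "data": {
        "CloudAccount": {"data": {"CloudProvider": {"value": provider}}},
        "Tags": {"value": {"env": "test"}},
        "RunningServices": {"value": [{"data": {"Name": {"value": "sshd"}}}]},
        "assetApplications": [{"data": {"Name": {"value": f"pkg{i}"}}}
                              for i in range(n_apps)],
    }}

if __name__ == "__main__":
    for rec in (sample("AWS", 10), sample("AWS", 250), sample("Vmware", 10)):
        print(preflight(rec) or "within limits")
```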
