---
title: Orca Security API Integration on Truto
slug: orcasecurity
category: Default
canonical: "https://truto.one/integrations/detail/orcasecurity/"
---

# Orca Security API Integration on Truto

**Category:** Default  
**Status:** Beta

## Unified APIs

### Unified User Directory API

- **Users** — The User object represents a User.

## MCP-ready AI tools

Truto exposes 40 tools for Orca Security that AI agents can call directly.

- **list_all_orcasecurity_alerts** — Retrieve alerts from Orca Security. The response provides detailed information about the retrieved alerts, including their attributes and related data.
- **get_single_orcasecurity_alert_by_id** — Retrieves details of a specific alert identified by its id from Orca Security. The response contains information related to the alert, including remediation details, compliance status, asset details, and more.
- **orcasecurity_alerts_event_logs** — Use this endpoint to retrieve the event log for a specific alert by providing the alert_id. The response includes a list of events related to that alert, along with metadata for each event.
- **orcasecurity_alerts_state** — Use this endpoint to retrieve the current state of a specific alert identified by its alert_id. The response includes detailed information such as the alert's severity, rule source, timestamps for creation and last update, verification status, risk level, Orca score, current status, and more.
- **list_all_orcasecurity_alerts_scheme** — Retrieves a list of alerts and their details from Orca Security. The response includes an array of "alerts" with attributes such as type, rule information, compliance status, asset details, severity, cloud provider information, connectivity details, vulnerabilities, etc.
- **list_all_orcasecurity_alerts_vulns** — Fetches a list of vulnerability alerts from Orca Security. Each alert includes details like CVE findings, severity, affected assets, fix availability, and related cloud account and organization data.
- **list_all_orcasecurity_alerts_remediation_actions** — Use the endpoint to get remediation action and template IDs relevant to a specific alert type, such as "vulnerability". This helps identify which remediation steps can be applied to alerts of that type, enabling automated or guided response actions.
- **list_all_orcasecurity_alerts_vulns_malware** — Use the endpoint to retrieve alerts from Orca Security for specified types such as vulnerability, malware, or both. The response includes detailed alert information, such as CVE details, severity levels, fix availability, affected packages, CVSS scores, exploit data, and more.
- **list_all_orcasecurity_assets** — Use the endpoint to retrieve a list of assets from the Orca Security platform. The response includes asset details such as name, type, scan status, associated cloud account, model, state, and Orca tags.
- **orcasecurity_assets_scheme** — Use the endpoint to retrieve the schema definition of assets from the Orca Security platform. The response includes metadata about asset structure, such as asset type, category, cloud provider, organization, connectivity, access, tags, risk level, configuration, and state.
- **create_a_orcasecurity_session** — Use this endpoint to create a new user session by providing a valid security_token. This initiates authentication and returns session details upon success.
- **delete_a_orcasecurity_session_by_id** — Use this endpoint to terminate the current user session, effectively logging the user out and revoking the session token.
- **list_all_orcasecurity_cloud_accounts** — Use the endpoint to retrieve a list of connected cloud accounts from the Orca Security platform, including detailed metadata and aggregated statistics. The response includes information such as cloud provider type (e.g., AWS, GCP), account status, onboarding status, scan limitations, tags, remediation configurations, and DSPM (Data Security Posture Management) setup.
- **get_single_orcasecurity_cloud_account_by_id** — Use this endpoint to retrieve detailed information about a specific cloud account in Orca Security by its unique ID. The response includes metadata such as cloud provider, account status, permissions, scan configuration, tags, and other relevant account-level settings.
- **list_all_orcasecurity_accounts_remediation** — Use this endpoint to retrieve remediation configuration details for a specific cloud account, including the template and remediation_action values. These values are needed when configuring or triggering automated remediation workflows in Orca Security.
- **list_all_orcasecurity_cloudtrail_discovery** — Use this endpoint to discover AWS CloudTrail configurations across connected AWS accounts in Orca Security. It helps identify available CloudTrail trails and assess their readiness for onboarding and security monitoring.
- **list_all_orcasecurity_gcp_accounts** — Use this endpoint to retrieve a list of GCP accounts available for mass onboarding in Orca Security. It provides information needed to initiate and manage the onboarding of multiple Google Cloud projects or accounts.
- **get_single_orcasecurity_alert_jira_info_by_id** — Use this endpoint to retrieve Jira integration details for a specific alert in Orca Security. It returns information such as the linked Jira ticket, status, and any synchronization details between Orca and Jira for the given alert ID.
- **get_single_orcasecurity_scan_by_id** — Use this endpoint to retrieve the current status of a specific scan in Orca Security by providing its unique scan ID. The response includes information about the scan’s progress, completion state, and any issues encountered during execution.
- **create_a_orcasecurity_scan** — Use this endpoint to create and launch a new security scan for a specific asset in Orca Security.
- **create_a_orcasecurity_vendor_scan_asset** — Use this endpoint to create and launch a scan for a specific asset using its cloud provider ID, asset type, and provider asset ID (such as an AMI or VM ID).
- **list_all_orcasecurity_cve_scheme** — Use this endpoint to retrieve the full schema definition of CVE (Common Vulnerabilities and Exposures) objects in Orca Security. The response outlines all fields available in CVE data, including asset details, severity scores, affected packages, exploit links, and fix status—helpful for understanding, parsing, or validating CVE-related API responses.
- **list_all_orcasecurity_sonar_schema** — Use this endpoint to retrieve the field structure and metadata schema for Sonar findings in Orca Security.
- **list_all_orcasecurity_sonar_schema_models** — Use this endpoint to retrieve the schema definition for a specific Sonar model in Orca Security. By specifying the model name (e.g., AzureSqlDbServer) as a query parameter, you can view the fields and structure used for that particular model's findings.
- **list_all_orcasecurity_query_sonar** — Use this endpoint to run custom Sonar queries against cloud resources and identify configurations, such as unrestricted access or misconfigurations.
- **list_all_orcasecurity_query_schema** — Use this endpoint to retrieve the field structure and metadata schema for various data types in Orca Security, including assets, alerts, inventory, logs, and CVEs. It returns a JSON object with version, status, and data fields describing the schema of each data type.
- **list_all_orcasecurity_query_catalog** — Use this endpoint to retrieve the list of predefined queries available in the Orca Security Query Catalog, along with their associated metadata.
- **list_all_orcasecurity_query_inventory** — Use this endpoint to retrieve filtered inventory data from Orca Security using a DSL-based query. You can apply complex filters using the dsl_filter parameter and optionally request a downloadable result with the get_download_link method.
- **list_all_orcasecurity_query_alerts** — Use this endpoint to retrieve alert data from Orca Security using custom DSL-based filtering. It allows querying specific alert types, severities, statuses, and other attributes to support advanced use cases, such as integrations, dashboards, or automated analysis.
- **orcasecurity_query_alerts_show_info_true** — Use this endpoint to retrieve all alerts, including informational alerts, from the Orca Security API. You can apply a DSL filter to refine the results. The response includes alert details such as asset type, remediation info, compliance status, tags, and more.
- **list_all_orcasecurity_query_logs** — Use this endpoint to retrieve log data from the Orca Security platform. It returns a list of log entries, including status, grouping details, total item counts, and a list of log data objects.
- **list_all_orcasecurity_query_cves** — Use this endpoint to retrieve a list of CVEs (Common Vulnerabilities and Exposures) from the Orca Security platform.
- **list_all_orcasecurity_query_assets** — Use this endpoint to retrieve a list of all assets in your Orca Security environment.
- **list_all_orcasecurity_attack_paths_crown_jewels** — Use this endpoint to retrieve a list of Crown Jewel assets identified by Orca Security.
- **list_all_orcasecurity_chain_attack_paths** — Use this endpoint to retrieve the attack path snapshot for a specific chain.
- **list_all_orcasecurity_user_audit_logs** — Use this endpoint to retrieve audit logs related to user activity within Orca Security.
- **orcasecurity_user_audit_logs_actions** — Use this endpoint to retrieve a list of possible user actions recorded in the audit logs.
- **list_all_orcasecurity_auth_tokens** — Use this endpoint to retrieve a list of active authentication tokens associated with your Orca Security account.
- **create_a_orcasecurity_external_service_action** — Use this endpoint to initiate a remediation action via an external service in Orca Security. The request must include the service name, remediation template ID, specific remediation action, and a list of alert IDs to which the remediation will be applied.
- **list_all_orcasecurity_users** — Use this endpoint to list all the users available in Orca Security.

## How it works

1. **Link your customer's Orca Security account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app.
2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request.
3. **Call Truto's API to reach Orca Security.** The Proxy API is a 1-to-1 mapping of the Orca Security API.
4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field.

## Use cases

- **Aggregate cloud security posture into your GRC platform** — GRC and compliance platforms can pull asset inventories, CVE data, and alert states from their customers' Orca Security instances to automatically verify continuous scanning coverage and demonstrate that critical vulnerabilities are being remediated within SLA — satisfying SOC2, HIPAA, and PCI-DSS audit controls without manual evidence collection.
- **Enrich SIEM and threat intelligence with cloud vulnerability context** — Security analytics platforms can overlay Orca's vulnerability, malware, and attack path data onto live incident streams, allowing SOC analysts to instantly understand whether a flagged cloud asset has known exploitable CVEs or is part of a chained attack path to crown jewel resources.
- **Build real-time security scorecards in developer portals** — Internal developer platforms and engineering productivity tools can query Orca alerts and assets by team ownership to surface security debt directly in developer dashboards — shifting security left without requiring engineers to context-switch into a separate cloud security console.
- **Power cyber asset discovery across cloud and identity boundaries** — CAASM and asset management platforms can continuously ingest Orca's full cloud asset topology and account inventory, correlating cloud VMs, storage, and IAM roles against identity providers and endpoint management tools to build a unified asset graph for mutual customers.
- **Trigger automated remediation from your SOAR workflows** — Security orchestration platforms can read Orca alert states, cross-reference attack path severity, and programmatically fire external service actions through Orca to remediate misconfigurations — closing the loop from detection to response without human intervention.

## What you can build

- **Unified cloud vulnerability dashboard** — Ship a single pane of glass that pulls CVEs, CVSS scores, exploit availability, and malware detections from Orca alongside data from other security tools, giving customers consolidated vulnerability visibility across their entire stack.
- **Attack path risk prioritization engine** — Leverage Orca's crown jewel and chained attack path data to automatically rank which security findings pose the greatest real-world risk, helping your users focus on issues that could actually be exploited end-to-end.
- **Bi-directional alert-to-ticket sync** — Automatically create tickets in your platform from high-severity Orca alerts, track remediation progress, and sync state back to Orca so security teams maintain a single source of truth without duplicate triage.
- **Compliance evidence auto-collection** — Periodically query Orca's asset inventory and alert schemas to generate audit-ready reports proving continuous cloud scanning coverage and timely vulnerability remediation for SOC2, HIPAA, and PCI-DSS controls.
- **Team-scoped security debt tracker** — Map Orca alerts and vulnerable assets to engineering team ownership using your platform's service catalog, then display per-team security scorecards that track open vulnerabilities, mean-time-to-remediate, and remediation action history.
- **Custom Sonar query builder for advanced cloud investigations** — Expose Orca's powerful DSL query capabilities through your product's UI, letting security teams run custom Sonar queries against alerts, assets, logs, and CVEs without leaving your platform.

## FAQs

### What authentication method does the Orca Security integration use?

The integration supports API token-based authentication. End users create an auth token in their Orca Security console, and Truto manages the session lifecycle — including session creation and deletion via the session endpoints — so your application doesn't need to handle token refresh logic.

### What types of data can I read from Orca Security through Truto?

You can read alerts (including event logs, state, vulnerability details, malware data, remediation actions, and Jira info), full asset inventories, cloud account configurations (AWS, GCP), attack paths and crown jewel mappings, CVE data, user audit logs, scan results, and run custom Sonar/DSL queries against alerts, assets, logs, and inventory.

### Can I write data back to Orca Security, or is it read-only?

The integration supports both read and write operations. You can create scans, trigger vendor scan assets, create external service actions for automated remediation, and manage authentication sessions — in addition to the extensive read capabilities across alerts, assets, and queries.

### Does Truto provide a Unified API for Orca Security?

Orca Security is mapped to Truto's Unified User Directory API for the Users resource, allowing you to list users from Orca alongside other identity providers using a single normalized schema. All other Orca-specific endpoints — alerts, assets, attack paths, Sonar queries, remediation actions — are available as native tool calls.

### How does Truto handle pagination and rate limits for Orca Security's API?

Truto abstracts away Orca's pagination logic across all list endpoints, so you receive consistent paginated responses without managing cursors or offsets yourself. Rate limit handling is built into the proxy layer, with automatic retries and backoff so your integration doesn't break under heavy query loads.

### Can I run custom queries against Orca's data through Truto?

Yes. Truto exposes Orca's Sonar and query DSL endpoints, including query_sonar, query_alerts, query_assets, query_cves, query_logs, and query_inventory. This lets your application execute sophisticated filtered queries against your customers' Orca data without building a custom query engine.
