# Orca Security

SureCloud connects to Orca Security to retrieve cloud asset inventory, security finding details, and compliance posture assessment results collected by Orca's agentless scanning engine. This allows SureCloud to surface risks, misconfigurations, and compliance gaps across your cloud environments — providing evidence that cloud security monitoring and posture management controls are continuously operating.

## Authentication and setup

Orca Security provides API access via a personal API token. SureCloud uses a token associated with a read-only Orca user account.

{% stepper %}
{% step %}
**Create a dedicated Orca user for SureCloud**

Log in to the Orca Security console. Navigate to **Settings → Users** and create a new user (e.g. `surecloud@yourcompany.com`) with the **Viewer** role. The Viewer role provides read-only access to findings, assets, and compliance results.
{% endstep %}

{% step %}
**Generate an API token**

Log in as the new user (or ask an admin to do this on the user's behalf). Navigate to **Settings → API Tokens** and click **Create Token**. Give it a descriptive name such as `SureCloud CCM`. Copy the token — it is only shown once.
{% endstep %}

{% step %}
**Enter the token in SureCloud**

Navigate to **SureCloud → Integrations → Orca Security → Connect**. Enter your Orca tenant URL (e.g. `https://app.orcasecurity.io`) and paste the API token. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the API token securely after copying it. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days in **Orca → Settings → API Tokens** and update it in **SureCloud → Integrations → Orca Security → Edit Connection**.
{% endhint %}

## Endpoints

| API Call                       | Use Case                                                                                        |
| ------------------------------ | ----------------------------------------------------------------------------------------------- |
| `GET /api/user`                | Verify token validity and retrieve account details during connection test                       |
| `GET /api/assets`              | Enumerate cloud assets discovered by Orca's agentless scan                                      |
| `GET /api/alerts`              | Retrieve active security findings and risk alerts across the cloud estate                       |
| `GET /api/alerts/{id}`         | Retrieve individual finding detail including severity, affected asset, and remediation guidance |
| `GET /api/compliance`          | Retrieve compliance posture results across configured frameworks                                |
| `GET /api/compliance/findings` | Retrieve per-control compliance findings for posture evidence                                   |
| `GET /api/cloud_accounts`      | List connected cloud accounts (AWS, Azure, GCP) to confirm scanning coverage                    |

## Pagination

`GET /api/assets` and `GET /api/alerts` support offset-based pagination. SureCloud sets `limit` and `offset` parameters and increments the offset until the returned result count is less than the page limit.

```http
GET /api/alerts?limit=500&offset=500
```

`GET /api/compliance/findings` uses the same offset pattern. `GET /api/cloud_accounts` and `GET /api/user` return single or bounded result sets with no additional pagination.
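The termination rule above has two edge cases worth checking when validating collected evidence: a total that is an exact multiple of `limit` costs one extra request that returns an empty page, and an endpoint that never returns a short page must not loop forever. The following is an added example, not SureCloud's or Orca's code; `fetch_page`, `make_fake_endpoint`, and `max_pages` are hypothetical names, and the sample records are constructed.

```python
from typing import Callable, List, Tuple

Page = List[dict]


def collect_all(fetch_page: Callable[[int, int], Page],
                limit: int = 500, max_pages: int = 10_000) -> List[dict]:
    """Walk an offset-paginated endpoint until a short page is returned.

    fetch_page(limit, offset) is an assumed callable that performs the GET
    (e.g. /api/alerts?limit=..&offset=..) and returns that page's records.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    records: List[dict] = []
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(limit, offset)
        if len(page) > limit:
            raise RuntimeError("server returned more records than requested")
        records.extend(page)
        if len(page) < limit:  # short or empty page marks the end
            return records
        offset += limit
    # Never return a silently truncated set as if it were complete.
    raise RuntimeError("page cap reached; result set may be incomplete")


def make_fake_endpoint(total: int) -> Tuple[Callable[[int, int], Page], list]:
    """Constructed in-memory stand-in for a paginated endpoint."""
    data = [{"id": i} for i in range(total)]
    calls: list = []

    def fetch_page(limit: int, offset: int) -> Page:
        calls.append((limit, offset))
        return data[offset:offset + limit]

    return fetch_page, calls


if __name__ == "__main__":
    fetch, calls = make_fake_endpoint(1000)  # exact multiple of the limit
    alerts = collect_all(fetch, limit=500)
    print(len(alerts), "records in", len(calls), "requests")
```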

## Required permissions

SureCloud requires an Orca user with the **Viewer** role. This provides:

* Read access to all assets and their risk scores
* Read access to security alerts and findings
* Read access to compliance posture results
* Read access to connected cloud account inventory

No administrative or write permissions are required.

## Polling frequency

| Data Type                    | Interval       |
| ---------------------------- | -------------- |
| Cloud asset inventory        | Every 24 hours |
| Security findings and alerts | Every 4 hours  |
| Compliance posture results   | Every 24 hours |
| Cloud account coverage       | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test returns 401 Unauthorized</summary>

The API token is invalid or has been revoked. Navigate to **Orca → Settings → API Tokens**, confirm the token is still active, and regenerate it if necessary. Update the token in **SureCloud → Integrations → Orca Security → Edit Connection**.

</details>

<details>

<summary>Some cloud accounts are missing from the asset inventory in SureCloud</summary>

Orca only returns assets from cloud accounts that have been onboarded into your Orca tenant. If a cloud account was added to Orca after the last SureCloud polling cycle, it will appear on the next cycle. If accounts remain missing after 24 hours, confirm they are visible in **Orca → Settings → Cloud Accounts** and that the SureCloud Viewer user has access to all accounts (some Orca tenants use account-scoped user access).

</details>

<details>

<summary>Compliance findings are empty despite assessments being visible in Orca</summary>

Compliance posture results in Orca are generated based on the compliance frameworks enabled in your Orca tenant. If no frameworks have been activated, the compliance endpoints will return empty results. Navigate to **Orca → Compliance → Settings** to confirm at least one compliance framework is enabled.

</details>

<details>

<summary>Alert counts differ between SureCloud and the Orca console</summary>

SureCloud collects alerts within a defined severity and status filter to focus on actionable findings. Orca may display additional informational or suppressed alerts in its console that SureCloud excludes. If you need to adjust the alert filter settings for your SureCloud collection, contact SureCloud Support.

</details>


