From orca-skills
Retrieves full 360° security profiles for cloud assets including alerts, attack paths, compliance violations, permissions, exposure, sensitive data, and CDR activity. Use for asset posture reviews.
```shell
npx claudepluginhub orcasecurity/orca-skills --plugin orca-skills
```
Answers the question: **"Tell me everything about this asset in one place."**
Given an asset name, ID, or ARN, provides a complete 360° security profile: all open alerts (grouped by category), attack paths, compliance violations, permissions, network exposure, sensitive data, CDR activity summary, crown jewel status, and linked entities.
```text
/orca-asset-profile web-bastion-host
/orca-asset-profile i-1234567890abcdef0
/orca-asset-profile arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0
```
Or natural language:
Determine the input type and use the appropriate tool:
| Input Pattern | Tool | Parameter |
|---|---|---|
| `orca-XXXX` (alert ID) | get_asset_by_alert_id | alert_id |
| UUID format | get_asset_by_id | asset_id |
| `vm_XXXX`, `AwsXXX_XXXX` (asset_unique_id) | get_asset_by_id | asset_id + model_type |
| ARN format `arn:aws:...` | get_asset_by_id or discovery_search | varies |
| Name (anything else) | get_asset_by_name | asset_name |
If get_asset_by_name returns multiple results, show the list and ask the user to pick.
Once the asset is identified, extract its UUID (Inventory.id or id), asset_unique_id, group_unique_id, and ARN, then run all queries simultaneously:
```yaml
# Query 1: Full asset details
get_asset_by_id:
  asset_id: <asset_unique_id or group_unique_id>
  model_type: <asset type, e.g. "AwsEc2Instance">

# Query 2: All alerts on asset
get_asset_related_alerts_summary:
  asset_id: <UUID>

# Query 3: Alert count by severity
get_asset_alerts_count_grouped_by_risk_level:
  asset_id: <UUID>

# Query 4: Attack paths
get_asset_related_attack_paths_summary:
  asset_id: <UUID>

# Query 5: Crown jewel status
get_asset_crown_jewel_info:
  group_unique_id: <group_unique_id>

# Query 6: Compliance frameworks
get_related_compliance_frameworks_for_asset:
  asset_id: <UUID or asset_unique_id>

# Query 7: Linked entities
get_linked_entities_mapping:
  asset_id: <UUID or asset_unique_id>

# Query 8: CDR events (last 30 days)
search_cdr_events:
  targets: [<asset ARN or identifier>]
  time_range: "last_30_days"
  limit: 50

# Query 9: CDR event summary
get_cdr_events_grouped_by_event_name:
  targets: [<asset ARN or identifier>]
  time_range: "last_30_days"

# Query 10: Effective permissions (AWS IAM assets only)
get_aws_effective_permissions_policy_on_asset:
  asset_arn: <ARN>
```
Only call this for IAM-related assets (AwsIamRole, AwsIamUser) or assets with IAM profiles.
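The input dispatch table and the ten-query fan-out above, written out as plain Python. This is an added example, not code from the orca-skills plugin: `classify_input` picks the tool and parameter for a raw identifier, `resolve_name_matches` handles the multiple-match case, and `build_query_plan` emits the calls with the parameter shapes the tool reference requires (`targets` as an array, `asset_arn` as a string, `time_range` limited to the enum, Query 10 only for IAM assets). The regex character sets, the `query` parameter name for `discovery_search`, and the keys of the `asset` dict are assumptions.

```python
import re

# Input shapes from the dispatch table. The exact character sets are assumptions:
# alert IDs as "orca-" plus alphanumerics, asset_unique_ids as "vm_..." or
# "Aws<Model>_...", ARNs by the standard arn:partition:service:region:account:resource layout.
ALERT_ID_RE = re.compile(r"^orca-[0-9a-z]+$", re.IGNORECASE)
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
UNIQUE_ID_RE = re.compile(r"^(vm|Aws[A-Za-z0-9]+)_[A-Za-z0-9_.:/-]+$")
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:\d{0,12}:.+$")

IAM_MODEL_TYPES = {"AwsIamRole", "AwsIamUser"}
TIME_RANGES = {"last_24_hours", "last_3_days", "last_7_days", "last_30_days"}


def classify_input(raw):
    """Map a user-supplied identifier to (tool, params) per the dispatch table."""
    s = raw.strip()
    if ALERT_ID_RE.match(s):
        return "get_asset_by_alert_id", {"alert_id": s}
    if UUID_RE.match(s):
        return "get_asset_by_id", {"asset_id": s}
    m = UNIQUE_ID_RE.match(s)
    if m:
        # A "vm_" prefix does not reveal the model type; the caller must supply it.
        prefix = m.group(1)
        model_type = prefix if prefix.startswith("Aws") else None
        return "get_asset_by_id", {"asset_id": s, "model_type": model_type}
    if ARN_RE.match(s):
        # The table allows get_asset_by_id or discovery_search for ARNs; the
        # "query" parameter name used here for discovery_search is an assumption.
        return "discovery_search", {"query": s}
    # Everything else (names, and bare instance IDs such as i-...) is a substring name search.
    return "get_asset_by_name", {"asset_name": s}


def resolve_name_matches(matches):
    """Single hit: use it. Several hits: hand back a numbered menu for the user to pick from."""
    if not matches:
        return "none", []
    if len(matches) == 1:
        return "asset", matches[0]
    menu = [f"[{i}] {m['name']} ({m['model_type']}) in {m['account']}" for i, m in enumerate(matches, 1)]
    return "choose", menu


def build_query_plan(asset, time_range="last_30_days", cdr_limit=50):
    """Return the tool calls to fan out once an asset is identified.

    `asset` is assumed to carry: uuid (Inventory.id), asset_unique_id,
    group_unique_id, arn, model_type and, optionally, has_iam_profile.
    """
    if time_range not in TIME_RANGES:
        raise ValueError(f"time_range must be one of {sorted(TIME_RANGES)}")
    uuid, uid = asset["uuid"], asset["asset_unique_id"]
    target = asset.get("arn") or uid  # CDR target: the ARN when there is one
    plan = [
        ("get_asset_by_id", {"asset_id": uid, "model_type": asset["model_type"]}),
        ("get_asset_related_alerts_summary", {"asset_id": uuid}),
        ("get_asset_alerts_count_grouped_by_risk_level", {"asset_id": uuid}),
        ("get_asset_related_attack_paths_summary", {"asset_id": uuid}),
        ("get_asset_crown_jewel_info", {"group_unique_id": asset["group_unique_id"]}),
        ("get_related_compliance_frameworks_for_asset", {"asset_id": uuid}),
        ("get_linked_entities_mapping", {"asset_id": uuid}),
        # targets must be an array; time_range is restricted to the enum above.
        ("search_cdr_events", {"targets": [target], "time_range": time_range, "limit": cdr_limit}),
        ("get_cdr_events_grouped_by_event_name", {"targets": [target], "time_range": time_range}),
    ]
    # Query 10 only for IAM assets; asset_arn is a plain string, not an array.
    if asset["model_type"] in IAM_MODEL_TYPES or asset.get("has_iam_profile"):
        plan.append(("get_aws_effective_permissions_policy_on_asset", {"asset_arn": asset["arn"]}))
    return plan


if __name__ == "__main__":
    for raw in ("orca-1a2b3c", "web-bastion-host", "arn:aws:iam::123456789012:role/web-bastion-host"):
        print(raw, "->", classify_input(raw))
```

The plan is a list of (tool, params) pairs so the caller can issue every call concurrently and join the results; a bad `time_range` fails before any call is made rather than after nine of them.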
From the gathered data, extract and organize:
- Asset Identity
- Risk Summary
- Alerts (from related_alerts_summary): group by category, then sort each group by Orca Score descending
- Attack Paths
- Compliance
- Permissions (IAM assets)
- CDR Activity
- Linked Entities
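The alert grouping and ordering rule above, as an added example rather than code from the orca-skills plugin: alerts are bucketed by category in the order the ALERTS drill-down uses, each bucket is sorted by Orca Score descending, severity counts feed the dashboard's ALERTS line, and the three highest scores across all categories become TOP ALERTS. The sample alerts are constructed, and the field names (`alert_id`, `title`, `category`, `score`, `risk_level`) are assumptions about the `get_asset_related_alerts_summary` response.

```python
from collections import Counter, OrderedDict, defaultdict

# Category order used by the ALERTS drill-down; unknown categories are appended after these.
CATEGORY_ORDER = ["Vulnerabilities", "Misconfigurations", "Malware / Threats", "Sensitive Data", "Anomalies"]
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample; the field names are assumptions, not the documented response schema.
SAMPLE_ALERTS = [
    {"alert_id": "orca-101", "title": "SSH (22/tcp) reachable from the internet", "category": "Misconfigurations", "score": 9.1, "risk_level": "critical"},
    {"alert_id": "orca-102", "title": "Outdated OpenSSH package with a public exploit", "category": "Vulnerabilities", "score": 7.4, "risk_level": "high"},
    {"alert_id": "orca-103", "title": "Kernel package with a known privilege-escalation flaw", "category": "Vulnerabilities", "score": 8.8, "risk_level": "high"},
    {"alert_id": "orca-104", "title": "AWS access key found in shell history", "category": "Sensitive Data", "score": 6.2, "risk_level": "medium"},
    {"alert_id": "orca-105", "title": "Repeated failed SSH logins from one source", "category": "Anomalies", "score": 5.0, "risk_level": "medium"},
    {"alert_id": "orca-106", "title": "IMDSv1 still enabled", "category": "Misconfigurations", "score": 4.0, "risk_level": "low"},
]


def group_alerts(alerts):
    """Group by category (fixed display order), each group sorted by Orca Score, highest first."""
    buckets = defaultdict(list)
    for alert in alerts:
        buckets[alert.get("category") or "Other"].append(alert)
    ordered = OrderedDict()
    for category in CATEGORY_ORDER + sorted(set(buckets) - set(CATEGORY_ORDER)):
        if category in buckets:
            ordered[category] = sorted(buckets[category], key=lambda a: a["score"], reverse=True)
    return ordered


def severity_counts(alerts):
    """Counts per risk level, the same shape get_asset_alerts_count_grouped_by_risk_level summarises."""
    return Counter(a["risk_level"] for a in alerts)


def top_alerts(alerts, n=3):
    """TOP ALERTS box: highest scores across all categories."""
    return sorted(alerts, key=lambda a: a["score"], reverse=True)[:n]


def alerts_summary_line(alerts):
    """Dashboard ALERTS line, e.g. '6 total (1 critical, 2 high, 2 medium)'; low is not shown there."""
    if not alerts:
        return "Clean, no open alerts on this asset"
    counts = severity_counts(alerts)
    parts = [f"{counts[s]} {s}" for s in SEVERITY_ORDER[:3] if counts[s]]
    return f"{len(alerts)} total ({', '.join(parts)})"


def render_alerts_section(alerts):
    """Text body of the ALERTS drill-down (category header, then id, score, title per alert)."""
    lines = []
    for category, group in group_alerts(alerts).items():
        lines.append(f"{category.upper()} ({len(group)}):")
        for a in group:
            lines.append(f"  {a['alert_id']}  {a['score']:.1f}  {a['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(alerts_summary_line(SAMPLE_ALERTS))
    print(render_alerts_section(SAMPLE_ALERTS))
```

Note that the TOP ALERTS pick ignores categories on purpose: the 9.1 misconfiguration outranks both vulnerabilities, which is exactly what the RECOMMENDED ACTION line should lead with.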
CRITICAL: Never leave the user with just data. After EVERY output layer, suggest the next action and offer to generate remediation code.
After the dashboard and after every drill-down section:
When the user selects a format, name the generated file `remediate-<alert-id>.<ext>` (e.g., `.tf`, `.yml`, `.sh`).

Format mapping:
| User says | Extension | Template |
|---|---|---|
| Terraform | .tf | HCL with provider + resource blocks |
| CloudFormation | .cfn.yaml | YAML template with Parameters/Resources |
| Ansible | .yml | Playbook with tasks |
| CLI | .sh | Shell script with cloud CLI commands |
| Instructions | inline | Numbered step-by-step console walkthrough |
| Pulumi | .ts | TypeScript Pulumi program |
| ARM/Bicep | .bicep | Bicep template |
```text
═══════════════════════════════════════════════════════════════════
ASSET PROFILE — <asset name>
<asset type> | <account> | <region> | <state>
═══════════════════════════════════════════════════════════════════
RISK: <Orca Score X.X> (<risk level>) | Crown Jewel: YES/NO (<score>)
┌─────────────────────────────────────────────────────────────────┐
│ ALERTS        <N> total (<X> critical, <Y> high, <Z> medium)    │
│ ATTACK PATHS  <N> active kill chains                            │
│ COMPLIANCE    <N> frameworks, <X> failing controls              │
│ EXPOSURE      <public_facing / internal> | ports: <list>        │
│ SENSITIVE     <data types — PII, secrets, keys, or "none">      │
│ PERMISSIONS   <overprivileged / right-sized / N/A>              │
│ CDR ACTIVITY  <N> events in 30d (<assessment>)                  │
│ LINKED        <N> connected assets                              │
└─────────────────────────────────────────────────────────────────┘
ASSET DETAILS:
  ID: <instance-id / ARN / unique-id>
  IP: <public IP> (public) / <private IP>
  OS: <distribution + version> | EOL: <date or "supported">
  AMI/Image: <image name>
  Tags: <key=value, key=value, ...>
  Created: <date> (<age>)
  IaC: <Terraform / CloudFormation / None> (from CodeOrigins)
TOP ALERTS:
  [1] <alert-id> — <title> (score: <X.X>, <category>)
  [2] <alert-id> — <title> (score: <X.X>, <category>)
  [3] <alert-id> — <title> (score: <X.X>, <category>)
RECOMMENDED ACTION:
  The highest-impact fix is <top alert/issue>. I can generate
  remediation code right now.
  What format? terraform | cloudformation | ansible | cli |
               instructions | pulumi | arm/bicep
═══════════════════════════════════════════════════════════════════
Or drill down: alerts | attack paths | compliance | permissions |
               exposure | activity | linked | code origin | full
═══════════════════════════════════════════════════════════════════
```
```text
───────────────────────────────────────────────────────────────────
ALERTS — <asset name>
───────────────────────────────────────────────────────────────────
VULNERABILITIES (<N>):
  <alert-id>  <score>  <CVE> — <title>
    CVSS: <X.X> | Exploit: YES/NO | Fix: <version>
MISCONFIGURATIONS (<N>):
  <alert-id>  <score>  <title>
    Rule: <rule-id> | Compliance: <frameworks>
MALWARE / THREATS (<N>):
  <alert-id>  <score>  <malware name> — <classification>
    Path: <file path>
SENSITIVE DATA (<N>):
  <alert-id>  <score>  <title>
    Data type: <PII / API key / credential>
ANOMALIES (<N>):
  <alert-id>  <score>  <title>
───────────────────────────────────────────────────────────────────
NEXT STEPS:
  Triage any alert:  /orca-alert-triage <alert-id>
  Fix impact:        /orca-impact-analysis <alert-id>
  Generate fix:      Tell me which alert + format (terraform,
                     cloudformation, ansible, cli, instructions,
                     pulumi, arm/bicep)
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
ATTACK PATHS — <asset name>
───────────────────────────────────────────────────────────────────
[1] Score: <X.X> — <attack path story>
    Role: <entry point / pivot / target>
    Steps: <N> | Crown jewel target: YES/NO
[2] ...
BREAK THE CHAIN:
  The easiest path to break is [path #N] by fixing <alert>.
  Want me to generate the fix? Choose format: terraform |
  cloudformation | ansible | cli | instructions | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
COMPLIANCE — <asset name>
───────────────────────────────────────────────────────────────────
<Framework Name>: <X>% (<P> pass, <F> fail)
  Failing: <control 1>, <control 2>, ...
<Framework Name>: <X>%
  Failing: ...
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
PERMISSIONS — <asset name>
───────────────────────────────────────────────────────────────────
Effective permissions: <N> actions across <M> services
Used (30d): <N> actions
Unused: <N> actions (candidates for removal)
DANGEROUS PERMISSIONS:
  <permission> — <why it's dangerous>
  ...
Recommendation: /orca-identity-review <identity name>
FIX IT:
  I can generate a least-privilege policy to replace the current
  overprivileged one. Choose format: terraform | cloudformation |
  ansible | cli | instructions | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
CDR ACTIVITY — <asset name> (last 30 days)
───────────────────────────────────────────────────────────────────
Total events: <N> | Unique actions: <M> | Unique actors: <P>
TOP ACTIONS:
  <action>  <count>  <actors>
  ...
RECENT EVENTS:
  <date>  <action>  <actor>  <source IP>
  ...
───────────────────────────────────────────────────────────────────
```
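The PERMISSIONS and CDR ACTIVITY drill-downs above are computed from the same two inputs, so one added example covers both (this is not code from the orca-skills plugin). `cdr_summary` produces the totals, TOP ACTIONS and RECENT EVENTS lines; `permission_review` diffs the effective-permissions list against the actions actually seen in the CDR window, separates used from unused, refuses to call a wildcard right-sized, and flags the dangerous ones; `least_privilege_policy` turns the used set into the replacement policy offered under FIX IT. The events and the effective-actions list are constructed, the event field names (`event_time`, `event_source`, `event_name`, `actor`, `source_ip`) are assumptions modelled on CloudTrail records, and the reasons in `DANGEROUS` are the reviewer's own wording.

```python
from collections import Counter
from fnmatch import fnmatchcase
import json

# Constructed CDR events for the last 30 days (assumed field names, CloudTrail-like).
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01T10:02:11Z", "event_source": "s3.amazonaws.com",  "event_name": "GetObject",    "actor": "role/web-bastion-host", "source_ip": "10.0.1.5"},
    {"event_time": "2024-05-01T10:05:40Z", "event_source": "s3.amazonaws.com",  "event_name": "GetObject",    "actor": "role/web-bastion-host", "source_ip": "10.0.1.5"},
    {"event_time": "2024-05-02T08:15:03Z", "event_source": "ssm.amazonaws.com", "event_name": "GetParameter", "actor": "role/web-bastion-host", "source_ip": "10.0.1.5"},
    {"event_time": "2024-05-03T23:41:19Z", "event_source": "sts.amazonaws.com", "event_name": "AssumeRole",   "actor": "user/contractor",       "source_ip": "203.0.113.7"},
]

# Constructed effective-permissions result for the instance role.
EFFECTIVE_ACTIONS = ["s3:GetObject", "s3:PutObject", "ssm:GetParameter", "iam:PassRole", "sts:AssumeRole", "ec2:*"]

# Called out even when in use; the reasons are this example's own wording.
DANGEROUS = {
    "iam:PassRole": "lets the principal hand any passable role to a service it controls",
    "sts:AssumeRole": "pivot into other roles or accounts that trust this principal",
    "iam:CreateAccessKey": "mints long-lived credentials for users",
    "s3:PutBucketPolicy": "can open buckets to the world or to other accounts",
}


def event_action(event):
    """'sts.amazonaws.com' + 'AssumeRole' -> 'sts:AssumeRole'.
    Simplification: a few API calls map to differently named IAM actions, so treat as a first pass."""
    return f"{event['event_source'].split('.')[0]}:{event['event_name']}"


def cdr_summary(events, top_n=3):
    """Totals, TOP ACTIONS (with the actors behind each) and RECENT EVENTS."""
    by_action = Counter(event_action(e) for e in events)
    top = [
        {"action": action, "count": count,
         "actors": sorted({e["actor"] for e in events if event_action(e) == action})}
        for action, count in by_action.most_common(top_n)
    ]
    return {
        "total": len(events),
        "unique_actions": len(by_action),
        "unique_actors": len({e["actor"] for e in events}),
        "top_actions": top,
        "recent": sorted(events, key=lambda e: e["event_time"], reverse=True)[:top_n],
    }


def permission_review(effective_actions, events):
    """Used vs unused actions over the CDR window, wildcards to narrow, dangerous actions to flag.
    30 days of activity is a lower bound on what is needed: quarterly or break-glass actions
    look unused here, so confirm before removing."""
    used = {event_action(e) for e in events}
    review = {"used": [], "unused": [], "narrow": [], "dangerous": []}
    for action in effective_actions:
        if "*" in action:
            # A wildcard can only be narrowed to what was observed, never confirmed as right-sized.
            observed = sorted(a for a in used if fnmatchcase(a, action))
            review["narrow"].append({"action": action, "observed": observed})
        elif action in used:
            review["used"].append(action)
        else:
            review["unused"].append(action)
        if action in DANGEROUS:
            review["dangerous"].append({"action": action, "why": DANGEROUS[action]})
    review["verdict"] = "overprivileged" if review["unused"] or review["narrow"] else "right-sized"
    return review


def least_privilege_policy(review):
    """Replacement policy keeping only observed actions (plus what wildcards narrowed down to)."""
    keep = review["used"] + [a for n in review["narrow"] for a in n["observed"]]
    return {
        "Version": "2012-10-17",
        # Resource is left as "*" here; scope it to the actual buckets/parameters before applying.
        "Statement": [{"Effect": "Allow", "Action": sorted(set(keep)), "Resource": "*"}],
    }


if __name__ == "__main__":
    review = permission_review(EFFECTIVE_ACTIONS, SAMPLE_EVENTS)
    print(cdr_summary(SAMPLE_EVENTS)["top_actions"])
    print(review["verdict"], "unused:", review["unused"], "narrow:", review["narrow"])
    print(json.dumps(least_privilege_policy(review), indent=2))
```

Two things to notice in the sample: `sts:AssumeRole` is both used and dangerous, and the actor on that event is not the instance role, which is the kind of detail the RECENT EVENTS lines exist to surface; and `ec2:*` ends up in `narrow` with nothing observed, which is a removal candidate but not proof the permission is never needed.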
```text
───────────────────────────────────────────────────────────────────
LINKED ENTITIES — <asset name>
───────────────────────────────────────────────────────────────────
<entity type>: <count>
  <name> (<type>) — <relationship>
  ...
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
CODE ORIGIN — <asset name>
───────────────────────────────────────────────────────────────────
IaC: <Terraform / CloudFormation / None>
Repo: <repository>
File: <file>:<lines>
Author: <git blame author>
Commit: <hash> "<message>"
<code snippet>
Full trace: /orca-config-origin <alert-id>
FIX AT SOURCE:
  I can generate the corrected IaC code. Choose format:
  terraform | cloudformation | ansible | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
Show all sections in order.
```text
⚠️ No asset found matching "<input>"
Try:
  • Check spelling
  • Use instance ID (i-XXXX) or ARN
  • Search: discovery_search for "<input>"
```
Show a numbered list and ask the user to pick:
```text
Multiple assets match "bastion":
  [1] web-bastion-host (AwsEc2Instance) in 123456789012
  [2] bastion-dev (AwsEc2Instance) in 506464807365
  [3] bastion-sg (AwsSecurityGroup) in 123456789012
Which one? (enter number or be more specific)
```
ALERTS: ✅ Clean — no open alerts on this asset
If no CDR events come back, note the CDR retention limit (30 days) and suggest checking the cloud provider's audit logs (e.g., CloudTrail) directly.
| Tool | Purpose | Parameter |
|---|---|---|
| get_asset_by_name | Find asset by name | asset_name (substring), optional model_type |
| get_asset_by_id | Full asset details, tags, CodeOrigins | asset_id, optional model_type |
| get_asset_by_alert_id | Find asset from alert | alert_id |
| get_asset_related_alerts_summary | All alerts (top 50) | asset_id (UUID) |
| get_asset_alerts_count_grouped_by_risk_level | Alert counts by severity | asset_id (UUID) |
| get_asset_related_attack_paths_summary | Attack paths (top 50) | asset_id (UUID) |
| get_asset_crown_jewel_info | Crown jewel status | group_unique_id |
| get_linked_entities_mapping | Linked entity counts | asset_id |
| search_cdr_events | Audit log events | targets (array), time_range, limit |
| get_cdr_events_grouped_by_event_name | Event summary | targets (array), time_range |
| Tool | Purpose | When |
|---|---|---|
| get_related_compliance_frameworks_for_asset | Compliance frameworks | Always attempted |
| get_aws_effective_permissions_policy_on_asset | IAM permissions | AWS IAM assets only |
| get_linked_entities_data | Detailed linked entities | "linked" drill-down |
| get_compliance_framework_stats_for_asset | Per-framework score | "compliance" drill-down |
| discovery_search | Fallback asset search | When name search fails |
- asset_id for most tools = UUID from Inventory.id (e.g., c46cb523-3db4-49b0-...)
- group_unique_id for crown jewel = from alert/asset data (e.g., vm_123456789012_i-0caf...)
- targets must be an array: ["arn:aws:..."]
- time_range is an enum: "last_24_hours", "last_3_days", "last_7_days", "last_30_days"
- get_aws_effective_permissions_policy_on_asset takes asset_arn as a string (NOT array)
- /orca-alert-triage, /orca-impact-analysis, /orca-config-origin for individual alerts.
- get_asset_by_id response: check data.CodeOrigins for IaC source mapping.
- DetectedCrownJewelScore / DetectedCrownJewelReason in asset data.
- ["public_facing", "sensitive_data", "brute-force_attempts"] is key for quick risk assessment.