From orca-skills
Delivers Orca Security briefings summarizing new critical alerts, attack paths, compliance drift, exposure changes, and aging unactioned alerts from the last 24-72 hours.
npx claudepluginhub orcasecurity/orca-skills --plugin orca-skills
This skill uses the workspace's default tool permissions.
Answers the question: **"What happened while I was away, and what needs my attention?"**
Provides a security briefing for the last 24-72 hours covering new critical alerts, escalated alerts, attack path changes, compliance drift, exposure changes, CDR activity anomalies, crown jewel risks, and aging unactioned alerts.
/orca-morning-briefing
/orca-morning-briefing 72h
/orca-morning-briefing week
Or natural language:
| Argument | Period | When to Use |
|---|---|---|
| (none) | Last 24 hours | Daily morning check |
| 72h | Last 3 days | Monday morning / after weekend |
| week | Last 7 days | Weekly review / returning from PTO |
Map these to CDR time_range enum values: "last_24_hours", "last_3_days", "last_7_days".
Run ALL of the following queries in parallel to minimize latency. Do not wait for one to finish before starting the next.
Run these discovery_search queries in parallel:
Query 1a: New critical alerts
discovery_search:
search_phrase: "critical open alerts"
limit: 10
Query 1b: New high alerts
discovery_search:
search_phrase: "high severity open alerts"
limit: 10
Query 1c: Alerts on crown jewel assets
discovery_search:
search_phrase: "open alerts on crown jewel assets"
limit: 10
Query 1d: Internet-facing assets with critical vulnerabilities
discovery_search:
search_phrase: "internet facing assets with critical vulnerabilities"
limit: 10
Query 1e: New attack paths
discovery_search:
search_phrase: "critical attack paths"
limit: 10
Run these in parallel:
Query 2a: Current compliance scores
get_enabled_compliance_frameworks:
(no filters - get all frameworks)
Query 2b: Compliance trend
get_compliance_trend_over_time:
filters:
datetime_filter: 7 (or 14/30 depending on time range)
Query 2c: Compliance by account
get_compliance_analysis_by_account_or_business_unit:
group_by: "accounts"
Run these in parallel:
Query 3a: CDR events grouped by action (last 24h)
get_cdr_events_grouped_by_event_name:
time_range: "last_24_hours" (or "last_3_days" / "last_7_days")
page_size: 50
Query 3b: CDR events from unusual sources
search_cdr_events:
time_range: "last_24_hours" (or "last_3_days" / "last_7_days")
limit: 50
After all queries return, analyze and synthesize:
From discovery_search results for critical and high alerts:
CreatedAt falls within the requested time window
AlertType appears, flag as "NEW TYPE")
From discovery_search attack path results:
From compliance framework results:
From CDR event aggregation:
Classify CDR activity into:
| Category | Event Patterns | Concern Level |
|---|---|---|
| Normal operations | `Describe*`, `List*`, `Get*` (read) | LOW |
| Resource changes | `Create*`, `Put*`, `Modify*`, `Update*` | MEDIUM |
| Deletions | `Delete*`, `Remove*`, `Terminate*` | HIGH |
| IAM changes | `Attach*Policy`, `Create*Role`, `PutRolePolicy`, `AssumeRole` | HIGH |
| Security changes | `AuthorizeSecurityGroup*`, `PutBucketPolicy`, `ModifyVpc*` | HIGH |
| Console logins | `ConsoleLogin` from new IPs | MEDIUM-HIGH |
| Root account usage | Any action by root account | CRITICAL |
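The classification table above is a set of glob patterns over CDR event names plus two actor-based rules (root usage, console logins from unknown IPs). The following Python is an added example, not code from the orca-skills plugin, showing one way to apply it to a batch of events and produce the counts and high-interest list the CDR ACTIVITY section reports. It assumes each event is a dict with `event_name`, `actor` and `source_ip` (the real search_cdr_events field names may differ), that the root account is identified by an ARN ending in `:root`, and that a console login from an already-known IP is rated LOW; the sample events and IPs are constructed.

```python
import fnmatch
from collections import Counter, defaultdict

# Concern levels from the classification table, ranked so they can be compared.
CONCERN_RANK = {"LOW": 0, "MEDIUM": 1, "MEDIUM-HIGH": 2, "HIGH": 3, "CRITICAL": 4}

# (category, event-name glob patterns, concern). Order matters: the specific
# IAM and security-change patterns must be tested before the generic
# Create*/Put*/Modify* resource-change patterns that would otherwise match them.
CATEGORY_RULES = [
    ("IAM changes", ["Attach*Policy", "Create*Role", "PutRolePolicy", "AssumeRole"], "HIGH"),
    ("Security changes", ["AuthorizeSecurityGroup*", "PutBucketPolicy", "ModifyVpc*"], "HIGH"),
    ("Deletions", ["Delete*", "Remove*", "Terminate*"], "HIGH"),
    ("Resource changes", ["Create*", "Put*", "Modify*", "Update*"], "MEDIUM"),
    ("Normal operations", ["Describe*", "List*", "Get*"], "LOW"),
]


def is_root_actor(actor: str) -> bool:
    """Assumed actor encoding: 'root' or an ARN ending in ':root' (constructed)."""
    return actor == "root" or actor.endswith(":root")


def classify_event(event: dict, known_ips=frozenset()) -> tuple:
    """Return (category, concern) for one CDR event.

    Root-account activity and console logins depend on the actor / source IP
    rather than the event name, so they are decided before the pattern table.
    """
    name = event["event_name"]
    actor = event.get("actor", "")
    if is_root_actor(actor):
        return ("Root account usage", "CRITICAL")
    if name == "ConsoleLogin":
        if event.get("source_ip") in known_ips:
            return ("Console logins", "LOW")  # assumption: known-IP logins are routine
        return ("Console logins", "MEDIUM-HIGH")
    for category, patterns, concern in CATEGORY_RULES:
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return (category, concern)
    return ("Unclassified", "MEDIUM")  # assumption: unmatched names get a middle rating


def summarize_cdr(events: list, known_ips=frozenset()) -> dict:
    """Aggregate classified events into the fields the CDR ACTIVITY section reports."""
    by_category = Counter()
    highest = "LOW"
    grouped = defaultdict(int)  # (category, actor, event_name) -> count
    for ev in events:
        category, concern = classify_event(ev, known_ips)
        by_category[category] += 1
        if CONCERN_RANK[concern] > CONCERN_RANK[highest]:
            highest = concern
        if CONCERN_RANK[concern] >= CONCERN_RANK["HIGH"]:
            grouped[(category, ev.get("actor", ""), ev["event_name"])] += 1
    high_interest = [
        {"category": c, "actor": a, "event_name": n, "count": k}
        for (c, a, n), k in sorted(grouped.items(), key=lambda kv: -kv[1])
    ]
    return {"total": len(events), "by_category": dict(by_category),
            "highest_concern": highest, "high_interest": high_interest}


# Constructed sample events (not real Orca data) in the shape this example assumes.
ALICE = "arn:aws:iam::123456789012:user/alice"
DEPLOY = "arn:aws:sts::123456789012:assumed-role/deploy/ci"
ROOT = "arn:aws:iam::123456789012:root"
KNOWN_IPS = frozenset({"198.51.100.2"})
SAMPLE_EVENTS = [
    {"event_name": "DescribeInstances", "actor": DEPLOY, "source_ip": "10.0.0.5"},
    {"event_name": "ListBuckets", "actor": DEPLOY, "source_ip": "10.0.0.5"},
    {"event_name": "CreateRole", "actor": ALICE, "source_ip": "198.51.100.2"},
    {"event_name": "AttachRolePolicy", "actor": ALICE, "source_ip": "198.51.100.2"},
    {"event_name": "PutBucketPolicy", "actor": ALICE, "source_ip": "198.51.100.2"},
    {"event_name": "AuthorizeSecurityGroupIngress", "actor": DEPLOY, "source_ip": "10.0.0.5"},
    {"event_name": "CreateBucket", "actor": DEPLOY, "source_ip": "10.0.0.5"},
    {"event_name": "UpdateFunctionCode", "actor": DEPLOY, "source_ip": "10.0.0.5"},
    {"event_name": "DeleteTrail", "actor": ALICE, "source_ip": "203.0.113.7"},
    {"event_name": "ConsoleLogin", "actor": ALICE, "source_ip": "203.0.113.7"},
    {"event_name": "ConsoleLogin", "actor": ALICE, "source_ip": "198.51.100.2"},
    {"event_name": "GetObject", "actor": ROOT, "source_ip": "203.0.113.9"},
]

if __name__ == "__main__":
    summary = summarize_cdr(SAMPLE_EVENTS, KNOWN_IPS)
    print(summary["highest_concern"], summary["by_category"])
    for item in summary["high_interest"]:
        print(f"[!] {item['category']}: {item['event_name']} x{item['count']} by {item['actor']}")
```

Rule order is the point to notice: `Create*Role`, `PutRolePolicy` and `PutBucketPolicy` also match the generic `Create*`/`Put*` patterns, so the HIGH-concern rules must be evaluated first or IAM and bucket-policy changes would be downgraded to MEDIUM.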
From discovery_search internet-facing results:
From discovery_search crown jewel results:
From all alert results, identify:
Calculate the overall environment health:
IF new_critical_alerts > 0 AND (crown_jewel_affected OR compliance_dropped) THEN
pulse = "🔴 DEGRADING - immediate attention needed"
ELSE IF new_critical_alerts > 0 OR compliance_dropped THEN
pulse = "⚠️ NEEDS ATTENTION - new critical findings"
ELSE IF new_high_alerts > 3 THEN
pulse = "⚠️ ELEVATED - review high-severity queue"
ELSE IF aging_criticals > 0 THEN
pulse = "⏳ STALE - no new threats but unresolved criticals aging"
ELSE
pulse = "✅ STABLE - no significant changes"
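The pulse rules above depend on five inputs that the synthesis step has to derive from the raw query results: new critical and high alerts inside the time window, whether a crown-jewel asset is affected, whether any compliance score dropped, and how many criticals have aged past 7 days. The Python below is an added example, not part of the orca-skills plugin, that derives those inputs and evaluates the pulse chain in the page's order; it also covers the first-run case (no alert-type baseline) and the drift calculation (latest score minus the score from N days ago) the skill describes later. It assumes alerts are dicts with `id`, `severity`, `status`, `alert_type`, `created_at` and `crown_jewel`, that compliance trends are `(date, score)` points per framework, and that any new alert on a crown-jewel asset counts as `crown_jewel_affected`; all sample alerts, ids and scores are constructed.

```python
from datetime import datetime, timedelta, timezone

AGING_DAYS = 7            # page: "critical alerts open > 7 days" are aging
HIGH_QUEUE_THRESHOLD = 3  # page: ELEVATED when new_high_alerts > 3
WINDOW_24H = timedelta(hours=24)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def compute_pulse(new_critical: int, new_high: int, crown_jewel_affected: bool,
                  compliance_dropped: bool, aging_criticals: int) -> tuple:
    """The page's IF/ELSE chain, evaluated top to bottom; the first matching rule wins."""
    if new_critical > 0 and (crown_jewel_affected or compliance_dropped):
        return ("DEGRADING", "🔴 DEGRADING - immediate attention needed")
    if new_critical > 0 or compliance_dropped:
        return ("NEEDS ATTENTION", "⚠️ NEEDS ATTENTION - new critical findings")
    if new_high > HIGH_QUEUE_THRESHOLD:
        return ("ELEVATED", "⚠️ ELEVATED - review high-severity queue")
    if aging_criticals > 0:
        return ("STALE", "⏳ STALE - no new threats but unresolved criticals aging")
    return ("STABLE", "✅ STABLE - no significant changes")


def compliance_drift(points: list):
    """Latest score minus the oldest score in the trend window; None if fewer than 2 points."""
    if len(points) < 2:
        return None
    ordered = sorted(points, key=lambda p: p[0])
    return ordered[-1][1] - ordered[0][1]


def synthesize(alerts, compliance_trends, known_alert_types, now, window):
    """Derive the briefing's headline numbers and pulse from raw query results.

    known_alert_types=None models the first run: with no baseline, no alert type
    can be called "new", so the result flags first_run instead of guessing.
    """
    window_start = now - window
    open_alerts = [a for a in alerts if a["status"] == "open"]
    new_alerts = [a for a in open_alerts if parse_ts(a["created_at"]) >= window_start]
    new_critical = [a for a in new_alerts if a["severity"] == "critical"]
    new_high = [a for a in new_alerts if a["severity"] == "high"]
    aging = [a for a in open_alerts if a["severity"] == "critical"
             and now - parse_ts(a["created_at"]) > timedelta(days=AGING_DAYS)]
    first_run = known_alert_types is None
    new_types = [] if first_run else sorted(
        {a["alert_type"] for a in new_alerts} - set(known_alert_types))
    drift = {fw: compliance_drift(pts) for fw, pts in compliance_trends.items()}
    dropped = sorted(fw for fw, d in drift.items() if d is not None and d < 0)
    # Assumption: any new alert on a crown-jewel asset counts as crown_jewel_affected.
    crown = any(a.get("crown_jewel", False) for a in new_alerts)
    label, message = compute_pulse(len(new_critical), len(new_high), crown, bool(dropped), len(aging))
    return {
        "pulse": label, "pulse_line": message,
        "new_critical": [a["id"] for a in new_critical],
        "new_high": [a["id"] for a in new_high],
        "new_alert_types": new_types, "first_run": first_run,
        "aging_criticals": [a["id"] for a in aging],
        "compliance_drift": drift, "compliance_dropped": dropped,
    }


# Constructed sample data shaped like the query results the briefing consumes
# (alert ids, types, scores and dates are made up for this example).
NOW = datetime(2024, 4, 16, 8, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": "orca-1001", "severity": "critical", "status": "open", "alert_type": "Public S3 bucket",
     "created_at": "2024-04-15T22:00:00Z", "crown_jewel": False},
    {"id": "orca-1002", "severity": "high", "status": "open", "alert_type": "Unencrypted EBS volume",
     "created_at": "2024-04-15T13:00:00Z", "crown_jewel": False},
    {"id": "orca-1003", "severity": "critical", "status": "open", "alert_type": "Public S3 bucket",
     "created_at": "2024-03-30T10:00:00Z", "crown_jewel": False},
    {"id": "orca-1004", "severity": "critical", "status": "open", "alert_type": "Public S3 bucket",
     "created_at": "2024-04-10T09:00:00Z", "crown_jewel": False},
    {"id": "orca-1005", "severity": "high", "status": "open", "alert_type": "IMDSv1 enabled",
     "created_at": "2024-04-16T01:00:00Z", "crown_jewel": True},
    {"id": "orca-1006", "severity": "critical", "status": "closed", "alert_type": "Public S3 bucket",
     "created_at": "2024-04-15T23:00:00Z", "crown_jewel": True},
]
SAMPLE_TRENDS = {
    "PCI DSS v4.0.1": [("2024-04-09", 89.0), ("2024-04-16", 87.0)],
    "SOC 2": [("2024-04-09", 94.0), ("2024-04-16", 95.0)],
}
KNOWN_TYPES = {"Public S3 bucket", "Unencrypted EBS volume"}

if __name__ == "__main__":
    result = synthesize(SAMPLE_ALERTS, SAMPLE_TRENDS, KNOWN_TYPES, NOW, WINDOW_24H)
    print(result["pulse_line"])
    for key in ("new_critical", "new_high", "new_alert_types", "aging_criticals", "compliance_dropped"):
        print(f"{key}: {result[key]}")
```

With the constructed data the 24-hour window holds one new critical, two new highs (one on a crown jewel) and a 2-point PCI DSS drop, so the first rule fires and the pulse is DEGRADING; the closed alert and the 6-day-old critical are correctly excluded from "new" and "aging" respectively.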
───────────────────────────────────────────────────────────────────
MORNING BRIEFING - <date>
Last <time_range> | <account(s)>
───────────────────────────────────────────────────────────────────
PULSE: <environment health assessment - 1 line>
───────────────────────────────────────────────────────────────────
│ NEW ALERTS <N> total (<X> critical, <Y> high) │
│ ESCALATED <N> alerts changed severity or reopened │
│ ATTACK PATHS <N> new or worsened │
│ COMPLIANCE <framework> dropped <X>% │
│ EXPOSURE <N> assets newly internet-facing │
│ CROWN JEWELS <N> new alerts on critical assets │
│ AGING CRITICALS <N> critical alerts open > 7 days │
│ CDR ACTIVITY <volume assessment - normal/elevated/spike> │
───────────────────────────────────────────────────────────────────
TOP PRIORITIES:
[1] <alert-id> - <title> (<score>, <age>)
[2] <alert-id> - <title> (<score>, <age>)
[3] <alert-id> - <title> (<score>, <age>)
[4] <alert-id> - <title> (<score>, <age>)
[5] <alert-id> - <title> (<score>, <age>)
───────────────────────────────────────────────────────────────────
Type a keyword to drill down: alerts | escalated | attack paths |
compliance | exposure | crown jewels | aging | activity |
new types | trends | full
───────────────────────────────────────────────────────────────────
The TOP PRIORITIES list should be ordered by:
Show up to 5 items. If fewer than 5 priorities, show fewer.
When user types a keyword, show the expanded section:
───────────────────────────────────────────────────────────────────
NEW ALERTS - last <time_range>
───────────────────────────────────────────────────────────────────
CRITICAL (<N>):
<alert-id> <score> <title>
<asset> in <account> | <age> | <labels>
<alert-id> <score> <title>
<asset> in <account> | <age> | <labels>
HIGH (<N>):
<alert-id> <score> <title>
<asset> in <account> | <age> | <labels>
...
NEW ALERT TYPES (first time in environment):
⚡ <alert-type> - never seen before (orca-XXXX on <asset>)
───────────────────────────────────────────────────────────────────
Triage any alert: /orca-alert-triage <alert-id>
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
ESCALATED ALERTS - last <time_range>
───────────────────────────────────────────────────────────────────
SEVERITY INCREASED:
<alert-id> <old-level> → <new-level> <title>
Reason: <score vector change>
REOPENED (was closed/dismissed):
<alert-id> dismissed → open <title>
<asset> | originally opened <date>
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
ATTACK PATHS - last <time_range>
───────────────────────────────────────────────────────────────────
NEW ATTACK PATHS:
[!] <score> <attack path story - 1 line>
Assets: <list> | Kill chain: <step count>
Crown jewel involved: YES/NO
WORSENED:
[↑] <score> <attack path story>
Change: <what got worse>
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
COMPLIANCE POSTURE - last <time_range>
───────────────────────────────────────────────────────────────────
FRAMEWORK SCORES:
Framework Score 7-Day Trend Status
─────────────────────────────────────────────────────────
PCI DSS v4.0.1 87% ↓ -2% ⚠ DROPPED
NIST 800-53 93% → 0% ✓ STABLE
SOC 2 95% ↑ +1% ✓ IMPROVING
CIS AWS v3.0 81% ↓ -1% ⚠ DROPPED
WORST ACCOUNTS:
<account> - <score>% avg across frameworks
<account> - <score>% avg across frameworks
NEW FAILING CONTROLS:
<framework>: <control> - <N> assets failing
...
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
EXPOSURE - Internet-Facing Assets with Critical Alerts
───────────────────────────────────────────────────────────────────
<asset> (<type>) in <account>
Public IP: <ip>
Critical alerts: <N> | Orca Score: <score>
Crown jewel: YES/NO
<asset> (<type>) in <account>
...
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
CROWN JEWEL ALERTS - last <time_range>
───────────────────────────────────────────────────────────────────
<asset> (crown jewel score: <N>)
Reason: <why it's a crown jewel>
New alerts: <N> (<severity breakdown>)
Top alert: <alert-id> - <title> (score: <X>)
...
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
AGING ALERTS - Critical Alerts Needing Attention
───────────────────────────────────────────────────────────────────
CRITICAL > 30 DAYS (urgent):
<alert-id> <age>d <title>
<asset> | Jira: <ticket> (<status>)
CRITICAL > 7 DAYS:
<alert-id> <age>d <title>
<asset> | Jira: <ticket> (<status>)
DISMISSED → REOPENED (remediation friction):
<alert-id> <title>
dismissed <date>, reopened <date>
JIRA STUCK:
<alert-id> Jira <ticket> in "<status>" for <N> days
<title>
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
CDR ACTIVITY - last <time_range>
───────────────────────────────────────────────────────────────────
VOLUME: <total events> events (<assessment>)
TOP EVENTS BY VOLUME:
<event_name> <count> <assessment>
<event_name> <count> <assessment>
...
HIGH-INTEREST ACTIVITY:
[!] <description of suspicious pattern>
Actor: <identity> | Count: <N> | Service: <service>
[!] <description>
...
UNUSUAL ACTORS (if any):
<actor> - <N events>, services: <list>
First seen in this period: YES/NO
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
NEW ALERT TYPES - First Time in Environment
───────────────────────────────────────────────────────────────────
⚡ <alert-type>
First occurrence: <alert-id> on <asset>
Severity: <level> | Score: <X.X>
What it means: <1-line explanation>
⚡ <alert-type>
...
(If none): No new alert types detected in this period.
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
TRENDS - Environment Over Time
───────────────────────────────────────────────────────────────────
ALERT TREND (7-day):
Day Critical High Medium Total
──────────────────────────────────────────
Mon Apr 14 2 5 12 19
Tue Apr 15 1 3 8 12
...
Today 3 4 5 12
DIRECTION: <improving / degrading / stable>
TOP 5 MOST-AFFECTED ASSETS:
<asset> - <N> open alerts (<X> critical)
<asset> - <N> open alerts (<X> critical)
...
TOP 3 MOST-AFFECTED ACCOUNTS:
<account> - <N> critical alerts, compliance: <score>%
...
───────────────────────────────────────────────────────────────────
Show all sections above in order:
This is the "report mode": useful for sharing with the team or pasting into a status update.
If no new critical/high alerts in the time window:
PULSE: ✅ STABLE - no new critical or high alerts
NEW ALERTS: 0 critical, 0 high
(Last critical alert was <N> days ago: <alert-id>)
Still show aging alerts, compliance, and CDR activity: the absence of new alerts doesn't mean everything is fine.
discovery_search is limited to 10 results per query. If results are capped:
app_url in results)
If get_enabled_compliance_frameworks returns empty:
COMPLIANCE: No frameworks enabled.
Consider enabling PCI DSS, SOC 2, or CIS benchmarks.
If CDR queries return 0 events:
CDR ACTIVITY: No events found.
Possible reasons:
• CloudTrail / audit log ingestion not configured
• CDR not enabled for this account
On the first run, there's no historical baseline to compare against. Note this:
Note: This is the first briefing for this environment.
Future briefings will show trends and comparisons.
| Tool | Purpose | Briefing Section |
|---|---|---|
| discovery_search | Find new critical alerts | New Alerts, Crown Jewels, Exposure |
| discovery_search | Find new high alerts | New Alerts |
| discovery_search | Find crown jewel alerts | Crown Jewels |
| discovery_search | Find exposed assets | Exposure |
| discovery_search | Find attack paths | Attack Paths |
| get_enabled_compliance_frameworks | Current compliance scores | Compliance |
| get_compliance_trend_over_time | Score trends (7/14/30 days) | Compliance, Trends |
| get_cdr_events_grouped_by_event_name | Event volume by action type | CDR Activity |

| Tool | Purpose | When Called |
|---|---|---|
| get_compliance_analysis_by_account_or_business_unit | Account-level compliance breakdown | "compliance" drill-down |
| get_compliance_framework_control_tests | Failing controls per framework | "compliance" drill-down |
| search_cdr_events | Detailed event inspection | "activity" drill-down |
| get_alert | Full alert details | When user triages from briefing |
| get_asset_crown_jewel_info | Crown jewel status for specific asset | "crown jewels" drill-down |
| get_framework_assets_with_failed_controls_count | Worst assets per framework | "compliance" drill-down |
| Parameter | Type | Required | Description |
|---|---|---|---|
| search_phrase | string | Yes | Natural language query |
| limit | integer (1-10) | No | Max results (default: 5) |

| Parameter | Type | Required | Description |
|---|---|---|---|
| filters | object | No | Contains datetime_filter (7/14/30), providers, accounts, framework_ids, etc. |

| Parameter | Type | Required | Description |
|---|---|---|---|
| filters | object | No | Same shape as compliance frameworks filters |

| Parameter | Type | Required | Description |
|---|---|---|---|
| group_by | enum | No | "accounts" or "business_units" (default: "business_units") |
| framework_ids | array | No | Filter to specific frameworks |

| Parameter | Type | Required | Description |
|---|---|---|---|
| time_range | enum | Yes | "last_1_hour", "last_24_hours", "last_3_days", "last_7_days", "last_30_days" |
| cloud_providers | array | No | Filter by provider |
| accounts | array | No | Filter by account |
| actors | array | No | Filter by actor |
| services | array | No | Filter by service |
| page_size | integer (1-100) | No | Results per page (default: 15) |

| Parameter | Type | Required | Description |
|---|---|---|---|
| time_range | enum | Yes | Same as above |
| actors | array | No | Filter by actor ARNs |
| targets | array | No | Filter by target resources |
| services | array | No | Filter by service |
| actions | array | No | Filter by event name |
| source_ip_addresses | array | No | Filter by source IP |
| limit | integer (1-100) | No | Max events (default: 20) |
All array parameters must be arrays, even for single values: ["value"] not "value".
discovery_search does not have an explicit time parameter. Use time-related language in the search phrase (e.g., "critical alerts created in the last 24 hours"). For CDR and compliance tools, use their native time filters.
get_compliance_trend_over_time returns data points over time. Compare the latest score against the score from N days ago to calculate drift.
/orca-alert-triage <alert-id> for investigation, /orca-impact-analysis <alert-id> for remediation planning, and /orca-config-origin <alert-id> for ownership.