RAD Security

RAD Security (formerly KSOC (Kubernetes Security Operations Center)) is a cloud security tool specifically designed for Kubernetes environments. You can bring cluster, container image, plugin, resource, and security data from RAD Security into Brinqa to provide a unified view of your Kubernetes-related attack surface, thus enhancing your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with RAD Security and how to obtain that information from RAD Security. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select RAD Security from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate RAD Security with Brinqa:

API URL: The RAD Security API Server URL. The default URL is https://api.ksoc.com/.
Secret key and Access key: The access keys associated with the RAD Security account, which must have permissions to log in to the API server and return data.
Parent account ID: The account ID associated with the RAD Security account, which must have permissions to log in to the API server and return data.

Generate RAD Security access keys

For the RAD Security connector to use the RAD Security API, you must provide access keys. RAD Security does not allow retrieving the secret key for an existing user, therefore, you must generate a new one instead. To obtain these access keys, follow these steps:

Login to your organization's RAD Security portal.
Navigate to Settings > Access Keys.
Click New Key. The Add Access Key window displays.

Provide the following information:
- Access Key Name: Provide a name for the key.
- Key Type: You have two options: Generic or Cloud.
  - Generic Key: Use this key type if your Kubernetes clusters are self-hosted, such as on-premises or in a data center where cloud-specific features are not a necessity.
  - Cloud Key: Use this key type if you're using cloud services for hosting your Kubernetes clusters, such as AWS, Azure, Google Cloud, and etc.
Click Create Key.

The Key ID and Secret Key display. You cannot view the secret key again. Copy the key and save it in a secure location. The Key ID is the Access key used in the integration configuration.

note

If you do not have the permissions to create access keys, contact your RAD Security administrator. For additional information, see RAD Security documentation.

Additional settings

The RAD Security connector contains additional options for specific configuration:

Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
Parallel requests: The maximum number of parallel API requests. The default setting is 4.

Types of data to retrieve

The RAD Security connector can retrieve the following types of data from the RAD Security API:

Table 1: Data retrieved from RAD Security

Connector Object	Required	Maps to Data Model
Cluster	No	Cloud Resource
Finding	No	Not mapped
Finding Definition	No	Not mapped
Image	No	Container Image
Plugin	No	Not mapped
Resource	No	Cloud Resource

info

For detailed steps on how to view the data retrieved from RAD Security in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Cluster

Table 2: Cluster attribute mappings

Source Field Name	Maps to Attribute
aws.accountId	cloudAccountId
aws.clusterArn	Local variable
aws.clusterCreatedAt	Local variable
aws.clusterName	Local variable
aws.clusterRegion	Local variable
categories	categories
clusterResource.accountId	Local variable
clusterResource.caCertDigest	Local variable
clusterResource.cloudProviderType	cloudProvider
clusterResource.createdAt	sourceCreatedDate
clusterResource.deletedAt	Local variable
clusterResource.endpointHash	Local variable
clusterResource.idAsString	uid
clusterResource.kubernetesVersion	Local variable
clusterResource.kubewatcherVersion	Local variable
clusterResource.location	location
clusterResource.name	name
clusterResource.nodeCount	Local variable
clusterResource.region	region
clusterResource.status	status
clusterResource.updatedAt	sourceLastModified
clusterResource.workloadCount	Local variable
tags.key	tags
tags.source	Local variable
tags.value	Local variable

info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Finding

Table 3: Finding attribute mappings

Source Field Name	Maps to Attribute
findingResource.accountId	Local variable
findingResource.clusterId	targets
findingResource.createdAt	firstSeen
findingResource.fingerprint	Local variable
findingResource.id	uid
findingResource.ruleId	type
findingResource.sourceId	Local variable
findingResource.sourceKind	Local variable
findingResource.sourceName	Local variable
findingResource.sourceNamespace	Local variable
findingResource.sourceType	Local variable
findingResource.tags	tags
findingResource.updatedAt	lastSeen
status	status

info

Finding Definition

Table 4: Finding Definition attribute mappings

Source Field Name	Maps to Attribute
findingDetail.ruleId	uid
findingDetail.ruleTitle	name
findingDetail.severity	severity, severityScore, sourceSeverity

Image

Table 5: Image attribute mappings

Source Field Name	Maps to Attribute
categories	categories
imageResource.accountId	Local variable
imageResource.clusterIds	targets
imageResource.clusterToPodCount	Local variable
imageResource.criticalCount	Local variable
imageResource.digest	uid, digest
imageResource.highCount	Local variable
imageResource.lowCount	Local variable
imageResource.mediumCount	Local variable
imageResource.name	name
imageResource.negligibleCount	Local variable
imageResource.repo	Local variable
imageResource.scanId	Local variable
imageResource.scannedAt	lastScanned
imageResource.tags	tags
imageResource.totalCount	Local variable
imageResource.unspecifiedCount	Local variable

info

Resource

Table 6: Resource attribute mappings

Source Field Name	Maps to Attribute
categories	categories
resourceObject.accountId	Local variable
resourceObject.apiVersion	Local variable
resourceObject.clusterId	targets
resourceObject.deletedAt	Local variable
resourceObject.deletionSource	Local variable
resourceObject.id	uid
resourceObject.ingestedAt	Local variable
resourceObject.kind kind	kind
resourceObject.name	name
resourceObject.namespace	Local variable
resourceObject.ownerUid	owner
resourceObject.raw	Local variable
resourceObject.resourceCreatedAt	source created time
resourceObject.resourceVersion	current version
resourceObject.uid	Local variable
resourceObject.versionOverwrittenAt	Local variable
resourceObject.watchedAt	Local variable

info

Operation options

The RAD Security connector supports the following operation options. See connector operation options for information about how to apply them.

Table 7: RAD Security connector operation options

Connector Object	Option	All Possible Values	Description	Example
Resource	namespace	Any RAD Security resource namespace	A comma-separated list of resource namespaces. Retrieve resources associated with the specified namespaces.	Key: `namespace` Value: `artifactory`,`jenkins`. This key and value combination only retrieves resources associated with the specified namespaces.
	resource_types	Any RAD Security resource type	A comma-separated list of resource types. Retrieve resources of the specified types.	Key: `resource_types` Value: `dvwa-app`,`revshell-pod`. This key and value combination only retrieves resources associated with the specified types.

note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The RAD Security connector uses the RAD Security API. Specifically, it uses the following endpoints:

Table 8: RAD Security API Endpoints

Connector Object	API Endpoints
Cluster	`GET /accounts/{accountId}/clusters`
	`GET /accounts/{accountId}/clusters/{clusterId}`
Finding	`GET /accounts/{accountId}/unified_findings/groups`
	`GET /accounts/{accountId}/unified_findings/groups/{group_id}`
Finding Definition	`GET /accounts/{accountId}/unified_findings/groups`
	`GET /accounts/{accountId}/unified_findings/groups/{group_id}`
Image	`GET accounts/{accountId}/images`
Plugin	`GET /accounts/{accountId}/clusters/{clusterId}`
Resource	`GET /clusters/{clusterId}/resources`
	`GET /clusters/{clusterId}/resources/{resourceId}/owners`

Changelog

The RAD Security connector has undergone the following changes:

Table 9: RAD Security connector changelog

Version	Description
3.1.0	- Fixed an issue where the Finding object sync was failing. As part of this fix, the Finding and Finding Definition API endpoints now use `unified-findings`. - Removed the Threat Vector and Threat Vector Definition objects, as they were not essential for the connector's functionality. - Changed the `SOURCE_CREATED_DATE` attribute type on the Plugin object from string to integer to resolve a data mismatch error. - Performance improvements, code clean up, and general maintenance.
3.0.4	- Updated the `RAW` attribute in the Resource object to retrieve the entire payload and encode it with the Base64 format. - Added new operation options, `namespace` and `resource_types`, to filter the Resource object.
3.0.3	Fixed an issue where the Image object sync was failing.
3.0.1	Initial Integration+ release.

Required connection settings​

Generate RAD Security access keys​

Additional settings​

Types of data to retrieve​

Attribute mappings​

Operation options​

APIs​

Changelog​

Required connection settings

Generate RAD Security access keys

Additional settings

Types of data to retrieve

Attribute mappings

Operation options

APIs

Changelog