
RAD Security
Cloud Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The RAD Security Connector integrates with the RAD Security platform (formerly KSOC) — a Kubernetes and cloud-native security platform. It synchronizes cloud and Kubernetes inventory, container image scan summaries, deployed agent plugins, and runtime/posture findings into Brinqa.
The connector syncs six models:
- Cluster — Kubernetes clusters discovered per account (mapped to
CloudResource). - Resource — Kubernetes objects discovered within each cluster (mapped to
CloudResource). - Image — Container images scanned per account with vulnerability severity counts (mapped to
ContainerImage). - Plugin — RAD agent plugins reporting heartbeats from each cluster.
- Finding — Individual security findings within unified finding groups.
- Finding Definition — The rule/definition backing a finding group.
Data is retrieved from the RAD Security REST API. Listing endpoints are paged (page/page_size) and fetched in parallel. All listing endpoints are relative to the configured url (default https://api.ksoc.com); account-scoped endpoints iterate over the child accounts of the configured Parent Account ID (GET accounts?parent_id={parentAccountId}).
Data retrieved from RAD Security
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Cluster | Yes | Cloud Resource |
| Resource | Yes | Cloud Resource |
| Image | Yes | Container Image |
| Plugin | Yes | Plugin |
| Finding | Yes | Finding |
| Finding Definition | Yes | Finding Definition |
Model relationships
For detailed steps on how to view the data retrieved from RAD Security in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select RAD Security from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Server URL | Yes | https://api.ksoc.com | RAD server URL |
| Access key | Yes | — | RAD API access key |
| Secret key | Yes | — | RAD API secret key |
| Parent account ID | No | — | RAD parent account ID |
| Page size | No | 100 | Maximum number of records to get per API request |
| Parallel requests | No | min(4, available processors) | Maximum number of parallel API requests |
Authentication
The connector authenticates with an access key / secret key pair, which it exchanges for a short-lived Bearer token. The token is cached until it nears expiry and is then automatically refreshed.
Endpoint
| Method | URL |
|---|---|
POST | {url}/authentication/authenticate |
Request Headers
| Header | Value |
|---|---|
Content-Type | application/json |
Request Body
{
"access_key_id": "<access key id>",
"secret_key": "<secret key>"
}
Sample Response
{
"token": "ory_st_r9SvQ5HTlPPEfaaHT92apdIRjGNVcsjA",
"expires_at": "2023-12-18T13:56:03.698310674Z"
}
Response Fields
| Field | Description |
|---|---|
token | The Bearer access token used to authorize subsequent requests. |
expires_at | Token expiry timestamp (ISO-8601). The token is refreshed once it has expired. |
Usage
Every subsequent API request includes the token in the Authorization header:
Authorization: Bearer <token>
Connectivity is verified by calling GET {url}/accounts.
How to obtain RAD Security credentials
Generate RAD Security access keys
For the RAD Security connector to use the RAD Security API, you must provide access keys. RAD Security does not allow retrieving the secret key for an existing user, therefore, you must generate a new one instead. To obtain these access keys, follow these steps:
-
Login to your organization's RAD Security portal.
-
Navigate to Settings > Access Keys.
-
Click New Key. The Add Access Key window displays.
Provide the following information:
-
Access Key Name: Provide a name for the key.
-
Key Type: You have two options: Generic or Cloud.
-
Generic Key: Use this key type if your Kubernetes clusters are self-hosted, such as on-premises or in a data center where cloud-specific features are not a necessity.
-
Cloud Key: Use this key type if you're using cloud services for hosting your Kubernetes clusters, such as AWS, Azure, Google Cloud, and etc.
-
-
-
Click Create Key.
The Key ID and Secret Key display. You cannot view the secret key again. Copy the key and save it in a secure location. The Key ID is the Access key used in the integration configuration.
Note: If you do not have the permissions to create access keys, contact your RAD Security administrator. For additional information, see RAD Security documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Cluster
| Source Field Name | SDM Attribute |
|---|---|
ClusterResource.accountId | ACCOUNT_ID |
ClusterResource.aws.accountId | CLOUD_ACCOUNT_ID |
ClusterResource.aws.clusterArn | AWS_CLUSTER_ARN |
ClusterResource.aws.clusterCreatedAt | AWS_CLUSTER_CREATED_AT |
ClusterResource.aws.clusterName | AWS_CLUSTER_NAME |
ClusterResource.aws.clusterRegion | AWS_CLUSTER_REGION |
ClusterResource.caCertDigest | CA_CERT_DIGEST |
ClusterResource.cloudProviderType | CLOUD_PROVIDER |
ClusterResource.createdAt | SOURCE_CREATED_DATE |
ClusterResource.deletedAt | DELETED_AT |
ClusterResource.endpointHash | ENDPOINT_HASH |
ClusterResource.id | UID |
ClusterResource.kubernetesVersion | KUBERNETES_VERSION |
ClusterResource.kubewatcherVersion | KUBEWATCHER_VERSION |
ClusterResource.location | LOCATION |
ClusterResource.name | NAME |
ClusterResource.nodeCount | NODE_COUNT |
ClusterResource.region | REGION |
ClusterResource.status | STATUS |
ClusterResource.tags[].key | TAGS |
ClusterResource.tags[].source | TAGS_SOURCE |
ClusterResource.tags[].value | TAGS_VALUE |
ClusterResource.updatedAt | SOURCE_LAST_MODIFIED |
ClusterResource.workloadCount | WORKLOAD_COUNT |
| Constant | CATEGORIES |
Resource
| Source Field Name | SDM Attribute |
|---|---|
ResourceObject.accountId | ACCOUNT_ID |
ResourceObject.apiVersion | API_VERSION |
ResourceObject.clusterId | TARGETS |
ResourceObject.deletedAt | DELETED_AT |
ResourceObject.deletionSource | DELETION_SOURCE |
ResourceObject.entityType | ENTITY_TYPE |
ResourceObject.entityType, ResourceObject.kind, constant | CATEGORIES |
ResourceObject.id | UID |
ResourceObject.ingestedAt | INGESTED_AT |
ResourceObject.kind | KIND |
ResourceObject.name | NAME |
ResourceObject.namespace | NAMESPACE |
ResourceObject.ownerUid | OWNER |
ResourceObject.raw | RAW |
ResourceObject.resourceCreatedAt | SOURCE_CREATED_DATE |
ResourceObject.resourceVersion | CURRENT_VERSION |
ResourceObject.uid | UUID |
ResourceObject.versionOverwrittenAt | VERSION_OVERWRITTEN_AT |
ResourceObject.watchedAt | WATCHED_AT |
Image
| Source Field Name | SDM Attribute |
|---|---|
| Constant | CATEGORIES |
ImageResource.accountId | ACCOUNT_ID |
ImageResource.clusterIds | TARGETS |
ImageResource.criticalCount | CRITICAL_COUNT |
ImageResource.digest | UID |
ImageResource.digest | DIGEST |
ImageResource.highCount | HIGH_COUNT |
ImageResource.lowCount | LOW_COUNT |
ImageResource.mediumCount | MEDIUM_COUNT |
ImageResource.name | NAME |
ImageResource.negligibleCount | NEGLIGIBLE_COUNT |
ImageResource.repo | REPO |
ImageResource.scanId | SCAN_ID |
ImageResource.scannedAt | LAST_SCANNED |
ImageResource.tags | TAGS |
ImageResource.totalCount | TOTAL_COUNT |
ImageResource.unspecifiedCount | UNSPECIFIED_COUNT |
Plugin
| Source Field Name | SDM Attribute |
|---|---|
| heartbeat cluster_id | TARGETS |
| heartbeat created_at | SOURCE_CREATED_DATE |
| heartbeat id | UID |
| heartbeat instance | INSTANCE_ID |
heartbeat metadata.agent_version | CURRENT_VERSION |
| heartbeat type | NAME |
Finding
| Source Field Name | SDM Attribute |
|---|---|
| derived from normalized severity | SEVERITY_SCORE |
| derived from normalized status | STATUS_CATEGORY |
| finding group status | PROVIDER_STATUS |
FindingResource.accountId | ACCOUNT_ID |
FindingResource.clusterId | TARGETS |
FindingResource.createdAt | FIRST_SEEN |
FindingResource.fingerprint | FINGERPRINT |
FindingResource.id | UID |
FindingResource.ruleId | TYPE |
FindingResource.severity | SOURCE_SEVERITY |
FindingResource.severityInt | SOURCE_SEVERITY_SCORE |
FindingResource.sourceId | SOURCE_ID |
FindingResource.sourceKind | SOURCE_KIND |
FindingResource.sourceName | SOURCE_NAME |
FindingResource.sourceNamespace | SOURCE_NAMESPACE |
FindingResource.sourceType | SOURCE_TYPE |
FindingResource.tags | TAGS |
FindingResource.type | FINDING_TYPE |
FindingResource.updatedAt | LAST_SEEN |
| normalized finding group status | SOURCE_STATUS |
| normalized finding group status | STATUS |
normalized from FindingResource.severity | SEVERITY |
Finding Definition
| Source Field Name | SDM Attribute |
|---|---|
| derived from normalized severity | SEVERITY_SCORE |
| finding group rule_id | UID |
FindingDetails.ruleTitle | NAME |
FindingDetails.severity | SOURCE_SEVERITY |
normalized from FindingDetails.severity | SEVERITY |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Cluster
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET accounts/{accountId}/clusters - Default filters:
with_last_heartbeats=true
Resource
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
resource_types | Optional comma-separated list filtering the resource types returned. | — | |
namespace | Optional namespace filter. | — | |
TRANSACTION_ID | Identifier for the shared cluster local-store transaction used during the sync. | — |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET clusters/{clusterId}/resources - Default filters:
with_payload=true
Image
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET accounts/{accountId}/images
Plugin
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET accounts/{accountId}/clusters - Default filters:
with_last_heartbeats=true
Finding
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET accounts/{accountId}/unified_findings/groups
Finding Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET accounts/{accountId}/unified_findings/groups
Changelog
The RAD Security connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.1.2 | Bug Fixes - Corrected the data type of the Finding model's "Source severity score" attribute. RAD reports this value as text, so the connector now declares the attribute as text instead of a number, ensuring the value is stored rather than dropped or coerced. | • Finding: the "Source severity score" attribute changed from a numeric type to text. Re-sync the RAD Security connector to repopulate findings with the corrected type. |
| 3.1.1 | Improvements - Connector-sourced attribute values now take precedence over non-connector data channels (manual edits, bulk imports, UI input) when the platform consolidates records, so RAD Security data is no longer overridden by lower-priority sources. Bug Fixes - Corrected the data type of the Plugin model's "Source created date" attribute. It is now stored as a proper timestamp instead of a numeric epoch value, so date-based filtering, sorting, and display of plugin creation dates behave correctly. | • Plugin: the "Source created date" attribute changed from a numeric (epoch) value to a timestamp. Re-sync the RAD Security connector to repopulate Plugin records with the corrected type. |
| 3.1.0 | New Features - The connector now retrieves findings as consolidated finding groups, capturing richer source and fingerprint details for each issue so that related occurrences are grouped and tracked together. Improvements - Reworked the Finding and Finding Definition models to align with RAD Security's current finding data, replacing the previous trigger- and fix-oriented attributes with source identity, fingerprint, and finding-type information for clearer, more accurate findings. - Removed the Threat Vector and Threat Vector Definition models, which are no longer part of the RAD Security data set. Dependency Upgrades - Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | • Finding: the identifier used for findings changed and the model's attributes were substantially restructured. Purge existing Finding records and re-sync the RAD Security connector so findings are rebuilt with the new identity and attributes. • Finding Definition: the identifier used for finding definitions changed. Purge existing Finding Definition records and re-sync the RAD Security connector to rebuild them under the new identity. • Threat Vector and Threat Vector Definition: these models were removed. Purge any existing Threat Vector and Threat Vector Definition records, which are no longer synchronized. |
| 3.0.4 | New Features - Added the ability to scope a Resource sync to specific resource types and namespaces, so you can limit synchronization to only the Kubernetes resources you care about. Improvements - Added an "Entity type" attribute to the Resource model for clearer categorization of synced resources. - Resource raw payloads are now decoded and stored as readable text instead of an encoded string, making the raw resource definition usable for inspection and mapping. | N/A |
| 3.0.3 | Improvements - Increased the request timeout so that larger or slower RAD Security responses complete successfully instead of failing during synchronization. - Removed the unused "Cluster to pod count" attribute from the Image model. | N/A |
| 3.0.2 | Improvements - Refreshed and corrected the connector documentation, and standardized the connector category label. | N/A |
| 3.0.1 | New Features - Added Threat Vector and Threat Vector Definition models, synchronizing RAD Security threat vector data and its supporting definitions. Improvements - Rebranded the connector from KSOC to RAD Security, updating the connector name and connection field labels to match the current product. | • Cluster: cluster identifiers now fall back to the cluster's AWS ARN when RAD Security does not provide a primary cluster ID, which can change the identity of some clusters. Re-sync the RAD Security connector to rebuild Cluster records under the corrected identifiers. |
| 3.0.0 | Overview The RAD Security connector integrates with RAD Security (formerly KSOC) to synchronize Kubernetes and cloud security data, including clusters, container images, Kubernetes resources, and the security findings and finding definitions raised against them. Category: Cloud security Models | N/A |