RAD Security
RAD Security (formerly KSOC (Kubernetes Security Operations Center)) is a cloud security tool specifically designed for Kubernetes environments. You can bring cluster, container image, plugin, resource, and security data from RAD Security into Brinqa to provide a unified view of your Kubernetes-related attack surface, thus enhancing your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with RAD Security and how to obtain that information from RAD Security. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select RAD Security from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate RAD Security with Brinqa:
-
API URL: The RAD Security API Server URL. The default URL is
https://api.ksoc.com/. -
Secret key and Access key: The access keys associated with the RAD Security account, which must have permissions to log in to the API server and return data.
-
Parent account ID: The account ID associated with the RAD Security account, which must have permissions to log in to the API server and return data.
Generate RAD Security access keys
For the RAD Security connector to access the KSOC API, you must provide access keys. RAD Security does not allow retrieving the secret key for an existing user, therefore, you must generate a new one instead. To obtain these access keys, follow these steps:
-
Login to your organization's RAD Security portal.
-
Navigate to Settings > Access Keys.
-
Click New Key. The Add Access Key window displays.
Provide the following information:
-
Access Key Name: Provide a name for the key.
-
Key Type: You have two options: Generic or Cloud.
-
Generic Key: Use this key type if your Kubernetes clusters are self-hosted, such as on-premises or in a data center where cloud-specific features are not a necessity.
-
Cloud Key: Use this key type if you're using cloud services for hosting your Kubernetes clusters, such as AWS, Azure, Google Cloud, and etc.
-
-
-
Click Create Key.
The Key ID and Secret Key display. You cannot view the secret key again. Copy the key and save it in a secure location. The Key ID is the Access key used in the integration configuration.
If you do not have the permissions to create access keys, contact your RAD Security administrator. For additional information, see RAD Security documentation.
Additional settings
The RAD Security connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 4.
Types of data to retrieve
The RAD Security connector can retrieve the following types of data from the KSOC API:
Table 1: Data retrieved from RAD Security
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Cluster | No | Cloud Resource |
| Finding | No | Not mapped |
| Finding Definition | No | Not mapped |
| Image | No | Container Image |
| Plugin | No | Not mapped |
| Resource | No | Cloud Resource |
| Threat Vector | No | Not mapped |
| Threat Vector Definition | No | Not mapped |
For detailed steps on how to view the data retrieved from RAD Security in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Cluster
Table 2: Cluster attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| aws.accountId | cloudAccountId |
| aws.clusterArn | Local variable |
| aws.clusterCreatedAt | Local variable |
| aws.clusterName | Local variable |
| aws.clusterRegion | Local variable |
| categories | categories |
| clusterResource.accountId | Local variable |
| clusterResource.caCertDigest | Local variable |
| clusterResource.cloudProviderType | cloudProvider |
| clusterResource.createdAt | sourceCreatedDate |
| clusterResource.deletedAt | Local variable |
| clusterResource.endpointHash | Local variable |
| clusterResource.idAsString | uid |
| clusterResource.kubernetesVersion | Local variable |
| clusterResource.kubewatcherVersion | Local variable |
| clusterResource.location | location |
| clusterResource.name | name |
| clusterResource.nodeCount | Local variable |
| clusterResource.region | region |
| clusterResource.status | status |
| clusterResource.updatedAt | sourceLastModified |
| clusterResource.workloadCount | Local variable |
| tags.key | tags |
| tags.source | Local variable |
| tags.value | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Image
Table 3: Image attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| categories | categories |
| imageResource.accountId | Local variable |
| imageResource.clusterIds | targets |
| imageResource.clusterToPodCount | Local variable |
| imageResource.criticalCount | Local variable |
| imageResource.digest | uid, digest |
| imageResource.highCount | Local variable |
| imageResource.lowCount | Local variable |
| imageResource.mediumCount | Local variable |
| imageResource.name | name |
| imageResource.negligibleCount | Local variable |
| imageResource.repo | Local variable |
| imageResource.scanId | Local variable |
| imageResource.scannedAt | lastScanned |
| imageResource.tags | tags |
| imageResource.totalCount | Local variable |
| imageResource.unspecifiedCount | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Resource
Table 4: Resource attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| categories | categories |
| resourceObject.accountId | Local variable |
| resourceObject.apiVersion | Local variable |
| resourceObject.clusterId | targets |
| resourceObject.deletedAt | Local variable |
| resourceObject.deletionSource | Local variable |
| resourceObject.id | uid |
| resourceObject.ingestedAt | Local variable |
| resourceObject.kind kind | kind |
| resourceObject.name | name |
| resourceObject.namespace | Local variable |
| resourceObject.ownerUid | owner |
| resourceObject.raw | Local variable |
| resourceObject.resourceCreatedAt | source created time |
| resourceObject.resourceVersion | current version |
| resourceObject.uid | Local variable |
| resourceObject.versionOverwrittenAt | Local variable |
| resourceObject.watchedAt | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The RAD Security connector supports the following operation options. See connector operation options for information about how to apply them.
Table 5: RAD Security connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Resource | namespace | Any RAD Security resource namespace | A comma-separated list of resource namespaces. Retrieve resources associated with the specified namespaces. | Key: namespace Value: artifactory,jenkins. This key and value combination only retrieves resources associated with the specified namespaces. |
| resource_types | Any RAD Security resource type | A comma-separated list of resource types. Retrieve resources of the specified types. | Key: resource_types Value: dvwa-app,revshell-pod. This key and value combination only retrieves resources associated with the specified types. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The RAD Security connector uses the KSOC API. Specifically, it uses the following endpoints:
Table 6: RAD Security API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Cluster | GET /accounts/{accountId}/clusters |
GET /accounts/{accountId}/clusters/{clusterId} | |
| Finding | GET /accounts/{accountId}/misconfig |
| Finding Definition | GET /accounts/{accountId}/clusters/{clusterId}/guardpolicies |
| Image | GET accounts/{accountId}/images |
| Plugin | GET /accounts/{accountId}/clusters/{clusterId} |
| Resource | GET /clusters/{clusterId}/resources |
GET /clusters/{clusterId}/resources/{resourceId}/owners | |
| Threat Vector | GET /accounts/{accountId}/clusters |
GET /accounts/{accountId}/threat_vector_instances/v2 | |
| Threat Vector Definition | GET /accounts/{accountId}/clusters |
GET /accounts/{accountId}/threat_vector_instances/v2 |
Changelog
The RAD Security connector has undergone the following changes:
3.0.4
-
Updated the RAW attribute in the Resource object to retrieve the entire payload and encode it with the Base64 format.
-
Added new operation options,
namespaceandresource_types, to filter the Resource object.
3.0.3
- Fixed an issue where the Image object sync was failing.
3.0.1
- Initial Integration+ release.