Query Comms: Jan 6 - Jan 10
Query + AWS Dev Day 2025
Secure your spot on February 4th at 8:30AM at the AWS New York City Office for a hands-on workshop using Query Federated Search with Amazon Security Lake.
Attendees will:
Google Workspace Admin SDK Reports Integrated Into Query Federated Search
SOC Analyst #1: Hey, the other day when you were asking about the user reports in Google Workspace, I also onboarded the other Google Workspace Admin SDK Connector. This other Connector is for the Reports API.
SOC Analyst #2: Reports API? Query already has some pretty good visualizations in their Summary Insights report. The Reports API also gives reports? Just how are we going to get results for pie charts to show up in other reports? Great, now we’re a Federated Bakery…
SOC Analyst #1: Ugh! Don’t quit your day job. The API has a weird naming convention; it’s not like other security tool APIs for reports. The Reports API from the Admin SDK actually contains all of the logging data! So it includes all of the login data, any time an OAuth2 token is exchanged, all Google Drive activity, device-level activity, and even Admin logs.
SOC Analyst #2: Wow, okay, that IS a big deal! We can start working down some of the privacy and regulatory compliance tickets that we were briefed about when the M&A started. I bet it would be useful to know if someone was sharing or downloading files out of their Google Drive, or knowing if someone was tampering with apps on the company-issued devices!
SOC Analyst #1: Yeah, exactly! Using Query we can do our normal Entity-based search, where we can get the full logs for a set group of people using their IDs or emails from the Directory API, or we can look for specific activity. Try one now!
SOC Analyst #2: Okay… how would we check if someone is trying to disable their 2FA? I don’t know what Report type that would be.
SOC Analyst #1: According to the Query docs, that maps from the “login” type, actually. Just open up Events, go to the IAM Category, and select Account Change Events. Then add a filter for the “message” attribute, enter the event code “2sv_disable”, and increase the time range to 30 days.
SOC Analyst #2: [TYPING IN THE QUERY CONSOLE] Alright… oh wow, that was super fast. Looks like there are a few matching events in here. Okay, let me just pivot on these email addresses… alright, boom, the Directory API is showing they’re still active. Let me follow up with the M&A team. Maybe we are moving them to the corporate IdP or something?
SOC Analyst #1: Great idea. Without Query that would have been a massive pain. Think we can get a bonus equivalent to the money we save by not duplicating every single “login” event from the Reports API into Amazon OpenSearch Service or our lake?
SOC Analyst #3: The Magic Conch says you already know the answer to that…
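The triage described in the exchange above, as an added example that is not Query’s code: find “2sv_disable” login events from Admin SDK Reports API activity records inside a 30-day window, then pivot each actor to their Directory API user record to see whether the account is still active. The activity and user records are constructed samples in the shape those two APIs return; the event type “2sv_change” is an assumption based on the Reports API documentation, not something the newsletter states.

```python
from datetime import datetime, timedelta, timezone

# Constructed Reports API activity records (activities.list, applicationName="login").
LOGIN_ACTIVITIES = [
    {"id": {"time": "2025-01-03T14:02:11.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "2sv_change", "name": "2sv_disable"}]},   # type assumed
    {"id": {"time": "2025-01-07T09:15:40.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "login", "name": "login_success"}]},
    {"id": {"time": "2024-11-20T08:00:00.000Z", "applicationName": "login"},
     "actor": {"email": "carol@example.com"},
     "events": [{"type": "2sv_change", "name": "2sv_disable"}]},
]

# Constructed Directory API user records (users.get) keyed by primaryEmail.
DIRECTORY_USERS = {
    "alice@example.com": {"suspended": False, "archived": False,
                          "lastLoginTime": "2025-01-08T07:30:00.000Z"},
    "carol@example.com": {"suspended": True, "archived": False,
                          "lastLoginTime": "2024-11-19T16:00:00.000Z"},
}

def find_2sv_disables(activities, now, days=30):
    """Return (timestamp, actor email) for every 2sv_disable event in the window."""
    cutoff = now - timedelta(days=days)
    hits = []
    for act in activities:
        ts = datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        for ev in act["events"]:
            if ev.get("name") == "2sv_disable":
                hits.append((ts, act["actor"]["email"]))
    return hits

def pivot_to_directory(hits, users):
    """Join each hit to the Directory record; users missing there are flagged unknown."""
    rows = []
    for ts, email in hits:
        u = users.get(email)
        state = ("unknown" if u is None else "suspended" if u["suspended"]
                 else "archived" if u["archived"] else "active")
        rows.append({"email": email, "when": ts.isoformat(), "state": state})
    return rows

NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)   # constructed "today"
if __name__ == "__main__":
    for row in pivot_to_directory(find_2sv_disables(LOGIN_ACTIVITIES, NOW), DIRECTORY_USERS):
        print(row)
```

Widening `days` surfaces carol’s older disablement, whose Directory record shows the account already suspended; an actor with no Directory record at all is reported as `unknown` rather than silently dropped.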
#SecDataOpsCast — Welcome to 2025
Hear Query CISO Neal Bridges and Query CEO Matt Eberhart discuss insights, reflections, and predictions:
What did we get right in 2024 — and where did predictions go to die?
What went wrong, and how can we learn from it?
What’s next for SecDataOps in a rapidly evolving landscape?
Are more acquisitions and consolidations on the horizon?
Will the US strike back against state-sponsored APTs?
How will the new administration shape tech and security policy?
Let’s kick off 2025 with clarity and purpose!
Google Workspace Admin SDK Directory Integrated Into Query Federated Search
SOC Analyst #2: Hey! Do you know how often that pull from Big Rocket Co’s identity provider comes into the lake?
Detection Engineer: They’re pushing the file to us, but the M&A team has a lot of their security folks doing due diligence. Let me check [CLICKS AROUND ENDLESSLY]. The timing is haphazard, I guess it is manual, but the last file came in a few weeks ago. Why? It’s not like they are hiring anyone new; when the merger finalizes they’ll be part of our organization.
SOC Analyst #2: Well, it would be helpful to get up-to-date information such as their last login time, whether they got suspended, or whether the user was archived. We’ve gotten a ton of telemetry into the Query Federated Search platform to help with all of these investigations from the CorpDev security consultancy, but Query cannot make up for bad data.
Detection Engineer: Well, we can map any schema into OCSF… or do you mean it’s incomplete? What do they use again?
SOC Analyst #2: Mapping and deduplication is not the issue. They’re using Google Workspace, but it’s probably some file they made a long time ago, and it only has basic information like the name, email address, number, when they were created, and some booleans about 2FA and mail being set up. That does not match up with the schemas in the online documentation.
SOC Analyst #1: [Laughing sarcastically] You two aren’t going to believe this, I get to do the thing!
SOC Analyst #2: Oh no, there’s–
SOC Analyst #1: A NEW QUERY CONNECTOR! They just released a few new Connectors for Google Workspace. We can plug into the Directory API with no issue at all and pull out fully normalized data for users and their devices. All we need is for Big Rocket Co. to delegate their Google SecOps Service Account to Workspace or create us a new one, and we can activate the Admin SDK in their Google Cloud Project.
Detection Engineer: Hey, that’s an easier task; glad I don’t have to put that into the lake anymore. I’ll get with the data & analytics team to dedupe and move the old data to a lesser storage tier.
SOC Analyst #2: Alright, that will make things SO MUCH EASIER. We can probably just start pulling the full point-in-time report for compliance and readiness metrics out using Query. There is nothing beyond our reach now! EXCELSIOR!