Cyera

Integrate Query with the Cyera Data Security Posture Management (DSPM) platform


TL;DR

To integrate Cyera with Query:

  • Generate a Cyera API client, retrieve the Client ID and Client Secret.
  • Confirm your Cyera API URL; a default is loaded in the configuration.
  • Configure a Cyera Connector in the Query Federated Search console.
  • Use Query Search to parallelize searches and surface details about DSPM/DLP findings and registered data stores for incident response (IR), threat hunting, investigations, and other security and observability use cases.

Overview

Cyera is a Data Security Posture Management (DSPM) tool with support for the three major Cloud Service Providers (CSPs): Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. It also supports on-premises and SaaS-based storage, data warehousing, and collaboration tools such as Microsoft OneDrive, Google Drive, Snowflake, ServiceNow, and more.

Cyera can autodiscover data within these sources, classify it using heuristic and AI-powered classifiers, and then create and tag issues. This helps end users understand the type of data, its regulatory and compliance exposures, and its identity and public-access exposures, and use that information to reduce their data attack surface.

All federated searches have their searches and results expressed in the terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize the data for increased situational awareness, ease of aggregation and filtering, and easy pivoting.

API Name         QDM/OCSF Event Class      Entities/Observables
V2 Datastores    Device Inventory Info     Resource UID (maps to: uid, name)
V2 Issues        Data Security Finding     Resource UID (maps to: datastoreUid)

Query integrates with the Cyera DSPM platform to allow analysts and operators using Query to easily retrieve indexed data sources, as well as their associated DLP/DSPM issues, from the Cyera API. For instance, while investigating an alert about Microsoft OneDrive via the Azure Sentinel or Microsoft Defender for Office Connectors, pivoting on the GUID of the resource will retrieve the configuration and DLP/DSPM issues from Cyera. Likewise, you can begin your investigations from Cyera by retrieving Data Security Finding events by their lifecycle and severity and pivot into the resources themselves to find ownership data. From there, you can use Query to pivot to more user-centric sources such as Okta, Auth0, Entra ID, and AWS CloudTrail.


Some details on searches

Cyera's API returns a Gateway Timeout (HTTP 504) if a request to the V2 Datastores or V2 Issues API takes longer than 60 seconds to return results. For that reason, Query can support no more than a few hundred results per search.

For the best performance, consider adding filters for your Event-based searches or sticking to Resource UID based searches for point-targets.

Additionally, in the future, Query will remap V2 Datastores to the upcoming OCSF 1.4.0 Cloud Resources Inventory Info Event Class and will also implement the Resource Name Observable (Entity) once it is added.

Prerequisites

To connect Cyera with Query Federated Search you'll need to:

  1. Refer to the Cyera User Guide for information on how to create an API Client with proper scopes to read from the V2 Datastores and V2 Issues APIs. Vault the API Client ID and Client Secret in a secure location.
  2. Verify the URL of your Cyera API endpoint. Query defaults to api.cyera.io; however, regional endpoints such as api-eu.cyera.io exist. Use the one that fits your geographical location.

To learn how to configure a Cyera Connector, proceed to the next section.


On NHI security

Non-Human Identities (NHI), such as your Cyera API client ID and client secret, are extremely sensitive. Query securely stores the Client Secret in a dedicated AWS Secrets Manager Secret per Connector per Tenant.

Setting up the Cyera Connector

Use the following steps to create a new Query Federated Search Connector for Cyera.

  1. Navigate to the Connectors page, select Add Connector, and select Cyera from the Cloud Infrastructure and Data Lakes category as shown below (FIG. 1). You can also search for Cyera using the search bar in the Add Connector page.

    FIG. 1 - Locating the Cyera Connector in the Query Federated Search Connectors page

  2. In the Configure Connector tab, add the following detail as shown below (FIG. 2):

    1. Connector Alias Name: The human-readable name you want to give to this connector, such as the specific business unit that the Cyera deployment supports.

    2. Cyera API Client ID: Your API client ID, copied in Step 1 of the Prerequisites section.

    3. Cyera API Secret: Your API client secret, copied in Step 1 of the Prerequisites section.

    4. Cyera API URL: The preferred URL for your Cyera API endpoint, confirmed in Step 2 of the Prerequisites section.

      FIG. 2 - Configuring the parameters for the Cyera Connector

  3. Select Save to save and activate the Connector.

  4. Select Test Connection from the bottom-right of the connection pane to ensure that your credentials are valid and can be successfully exchanged for a JWT.

You will now see Cyera added as an available Connector within the Query Search and Query Summary Insights UI.

Querying Cyera Connectors

Within the Query Search UI, all Connectors are enabled by default. To check that your specified Cyera Connector(s) are enabled, navigate to the Cloud Infrastructure and Data Lakes section of the Selected Connectors dropdown and ensure that your specified Cyera Connector(s) are selected (denoted by a checkbox) before running your searches, as shown below (FIG. 3).

FIG. 3 - Locating the Cyera connector in the Connectors picker menu

Entity-based Search

The Cyera Connector is a static schema Connector, which means that all normalization and search translation is completely defined by the Query team. Refer back to the table in the Overview section to learn which Entities map to which Cyera APIs. For instance, you can look up the Issues and Datastore metadata entries by using the Resource UID Entity interchangeably for both the UID (GUID) and the name of the resources.

In the Federated Search console, select the search dropdown, ensure the Entities radio button is selected, and search for your desired Entity as shown below (FIG. 4). For instance, you can search for the UID of a Microsoft OneDrive share; these results can be further correlated against other Query Connectors, such as the Microsoft Defender XDR tables in Azure Log Analytics.

FIG. 4 - Entity-based searching with Query Federated Search

After selecting an Entity, most allow you to specify an Operator. This allows you to perform simple equality searches or to perform more generalized searches using Contains, Starts With, or Ends With Operators. Cyera only supports equality operators.

When you search for multiple values that may be present across different Connectors, the Query Federated Search query planner inspects the Configure Schema metadata to ensure searches are sent only to the appropriate Connectors. This operates as a collated window function within Query, not as an expensive SQL join.

Additionally, you can specify case-sensitivity for the entire search criteria. An example of a multi-value CVE search that uses the equals operator and toggled case-sensitivity is shown below (FIG. 5).

FIG. 5 - Orientation for Entity-based search in Query Federated Search

Event-based Search

Event-based searches allow you to broadly search across the entirety of results from a downstream API, or to search for very specific results based on filters. Refer back to the table in the Overview section to learn which Events map to the Cyera Connector.

In the Federated Search console, select the search dropdown, ensure the Events radio button is selected, and search for your desired Event as shown below (FIG. 6); in this case, select the Discovery category to find the Device Inventory Info Event Class. You can also search across all Connectors normalized to Device Inventory Info, such as Jamf, Microsoft Intune, Crowdstrike, or other data lake or SIEM resources mapped to Device Inventory Info, such as asset data from ITSM and CAASM reports.

FIG. 6 - Searching for Device Inventory Info Event Classes

Searching from the Event will pull a sample (up to 500-700) of all matching events per Connector that is mapped to it. For more specific filtering within an Event, you can choose one or more conditions to refine a search. Selecting the plus-sign (+) dropdown next to the Event menu allows you to choose from any specific OCSF/QDM attribute in the event.

For instance, when searching for Device Inventory Info events, you can specify retrieving an asset by its Instance ID (such as assets from a cloud provider) by filtering for Device --> Instance ID as shown below (FIG. 7).

FIG. 7 - Selecting nested conditional attributes in Event Class search

When adding two or more Conditions, you can further change the behavior by specifying ANY or ALL quantifiers over the filters for more narrow-but-generalized searches or greater levels of specificity, respectively, as shown below (FIG. 9). In this case, multiple values were used to search for Non-Compliant devices (that are reporting as compromised) that checked in within the last 30 days and are running an Android OS.

FIG. 9 - A complex multi-nested conditional Event-based search

Resources

Troubleshooting Steps

  • Ensure that your API Client and Secret are valid, and that the appropriate scopes have been added.
  • If you changed the API URL, ensure that it is valid.
  • For Event-based searches, Query can only support direct matches for the values Cyera supports. For instance, if using the device.description or cloud.provider search criteria to search for specific platforms, ensure that a supported value is used with the correct case: Microsoft365, not microsoft365, and OneDrive, not onedrive or one drive.

If you have exhausted the above Troubleshooting list, please contact your designated Query Sales Engineer or Customer Success Manager. If you are using a free tenant, please contact Query Customer Success via the Support email in the Help section, or via Intercom within your tenant.