Guides
Start typing to search…

Ox Security

Integrate Query with the Ox Security Application Security Posture Management (ASPM) platform to retrieve details on applications and issues

STATIC CONNECTOR

📘

TL;DR

To integrate Ox Security with Query:

  • Generate an API Key and verify the OX Security GraphQL API endpoint URL.
  • Configure an OX Security Connector in the Query Security Data Mesh.
  • Use Query Search to parallelize searches and surface details about Apps and Issues for incident response (IR), threat hunting, investigations, AppSec, vulnerability management, and other use cases.

Overview

OX Security is an Application Security Posture Management (ASPM) platform that integrates with several traditional AppSec, Cloud Security, and Software Supply Chain tools such as source code platforms, SAST, IAST, DAST, vulnerability management, artifact registry, container registry, and other platforms to provide a full spectrum picture of salient AppSec-related issues. For instance, instead of reporting on singular vulnerabilities in Software Composition Analysis (e.g., Snyk, Dependabot) for a given repo, OX Security will gather those vulnerabilities, as well as reachability, infrastructure, repo configuration, pipeline data, and other security tools to correlate all of the related attack paths into a singular Issue.

Query integrates OX Security into the Federated Security Data Mesh by allowing users to collect all Apps (which represent anything from GitHub repos, to ECS clusters, to Kubernetes clusters) and Issues (the primary architectural quantum of security findings in OX Security) without ingesting or duplicating any data. Query uses its OX Security Connector to sit as a shim atop their GraphQL API endpoint to retrieve data on those Apps and Issues, handling query translation, pagination, in-situ normalization, and returns the collated results to you. From there, you can pivot across shared Attributes such as CVEs, CWEs, code owners, and otherwise to expand your searches into CMDBs, cloud security platforms, SIEMs, data lakes, and other locations to complete your objectives.

All federated searches have their searches and results expressed in the terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize and normalize the data for increased situational awareness, ease of aggregation of filtering, and easy pivoting.

API Name

QDM/OCSF Event Class

Entities/Observables

getApplicationsCloud Resources Inventory Info

Hostname
Resource ID
Resource Name

getIssuesApplication Security Posture Finding

Advisory ID
CVE ID
CWE ID
Resource ID
Resource Name

🤓

Some details on searches

Ox Security does not expose every single part of their schema as a filter, and by default will AND all filter categories. To that end, Query will over-fetch results depending on the type of search and apply your search intent post-hoc to avoid false negatives.

To limit the amount of extraneous over-fetching and prevent rate limiting, Query will only paginate up to 2500 results at maximum. Reach out to your Account Executive if you need a higher limited for your OX Security ASPM.

Prerequisites

To connect Ox Security with the Query Security Data Mesh you'll need to execute on the following steps to generate an API key.

  1. In the OX Security Console, select Settings on the bottom-right hand side of the screen and navigate to the API Key tab as shown below (FIG. 1).

    FIG. 1 - Navigating to the API Key section of the OX Security Admin settings menu

  2. To create a new API Key, select Create API Key. Provide an API Key Name, select API Integration in the API Key Type subsection, and provide an Expiration Date in accordance with your internal policies. Once complete, select Create, and copy the API key and store it in a password vault to use for configuring the OX Security Connector in the next section.

  3. The default URL for the OX Security GraphQL API is https://api.cloud.ox.security/api/apollo-gateway. To be sure, refer to the OX API Authentication section of the OX Security documentation, or reach out to your OX Security account rep.

To learn how to configure a Ox Security Connector, proceed to the next section.

👍

On NHI security

NHI - or, Non-Human Identities - such as your Ox Security API key is extremely sensitive, especially with read scopes across all of your sensitive security and AppSec details. Query securely stores the API Key in a dedicated AWS Secrets Manager Secret per Connector per Tenant.

Setting up the Ox Security Connector

Use the following steps to create a new Query Federated Search Connector for Ox Security.

  1. Navigate to the Connectors page, select Add Connector, and selectOx Security from the Developer Security category as shown below (FIG. 2). You can also search for Ox Security using the search bar in the Add Connector page.

    FIG. 2 - Locating the OX Security Connector in the Query Security Data Mesh platform

  2. In the Configure Connector tab, add the following detail as shown below (FIG. 3):

    1. Connector Alias Name: The human-readable name you want to give to this connector, you can provide the name...

    2. Ox Security API URL: Unless the API value has change in the documentation referred to in Step 3 of the Prerequisites section, keep the default value of https://api.cloud.ox.security/api/apollo-gateway.

    3. API Key: Your OX Security API integration key, copied in Step 2 of the Prerequisites section.

      FIG. 3 - Configuring the parameters for an OX Security Connector

  3. Select Save to save and activate the Connector.

  4. Select Test Connection from the bottom-right of the connection pane to ensure that your OX Security credentials are valid and active and that Query can connect to the provided URL.

You will now see Ox Security added as an available Connector within the Query Search and Query Summary Insights UI.

Querying Ox Security Connectors

Within the Query Search UI, all Connectors are enabled by default. To check that your specified Connector(s) for Ox Security are enabled, navigate to the Developer Security section of the Selected Connectors dropdown and ensure that your specified Ox Security Connector(s) are are selected (denoted by a checkbox) before running your searches as shown below (FIG. 4).

FIG. 4 - Locating the OX Security Connector in the Connectors picker menu

Resources

Troubleshooting Steps

  • Ensure that your OX Security tenant is active
  • Ensure that you have at least one Application and one Issue in OX Security.
  • Ensure that your API Key is Active, and has not been deactivated by the expiration date.
  • Ensure that the OX Security URL is correct if you modified it, as per their docs.

If you have exhausted the above Troubleshooting list, please contact your designated Query Sales Engineer or Customer Success Manager. If you are using a free tenant, please contact Query Customer Success via the Support email in the Help section, or via Intercom within your tenant.

Updated 4 days ago