
Google SecOps - Automating Stale Account Suspensions with Google SecOps and Azure AD - Version 2

  • March 26, 2026
  • 0 replies
  • 14 views

darrenswift
Staff

Version 2 Enhancements 🚀


Last week I posted about this use case; since then I have made some adjustments to make this integration more robust within an organisation, with details below.

Version 2 code can be found here: https://github.com/Darrenswift/google_secops_use_cases_repo


🚀 Enterprise Enhancements & Features


This connector has been heavily optimized for high-throughput, large-scale Google SecOps environments. It moves beyond standard API polling to include state management, network resilience, and UI protection.


📦 Smart Event Batching (Anti-Case Explosion)


To prevent SOAR UI degradation and alert fatigue, the connector aggregates breached users and chunks them into grouped cases.

  • Dynamic Chunking: Limits cases to 80 events per case, safely staying under the platform's 90-event ingestion ceiling.
  • Seamless Playbook Integration: Passes the grouped events directly to the SOAR Ontology engine, allowing playbooks to seamlessly loop through all users in the batch simultaneously.

🏥 Proactive Health Monitoring


Chronicle's udmSearch API has a hard cap of 10,000 returned events per query.

  • Blindspot Detection: If the log volume hits this 10K ceiling, the script automatically spawns a dedicated Health Alert case (SecOps Connector Health).
  • Operational Awareness: This acts as a "Check Engine" light, actively warning the engineering team that the API query is too broad and logs are potentially being dropped, preventing silent failures and false negatives.
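The two behaviours above, chunking breached users into grouped cases and spawning a health case when a query returns the 10,000-event ceiling, as an added example in Python. This is illustrative code written for this post, not the connector's own code from the repository linked above; the case names, the dictionary shape of an event and the sample user list are constructed assumptions.

```python
"""Added example: group stale-account events into SOAR cases and flag the
udmSearch ceiling. Not the connector's code; constants mirror the post."""
from typing import Any, Dict, List

CHUNK_SIZE = 80                  # events per case; under the 90-event ingestion ceiling
UDM_SEARCH_MAX_EVENTS = 10_000   # hard cap on events udmSearch returns per query
HEALTH_CASE_NAME = "SecOps Connector Health"

# Constructed sample input: 175 distinct breached users (assumed field names).
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"email": f"user{i:03d}@example.com", "last_seen": "2025-12-01T00:00:00Z"}
    for i in range(175)
]


def chunk_events(events: List[Dict[str, Any]],
                 chunk_size: int = CHUNK_SIZE) -> List[List[Dict[str, Any]]]:
    """Split a flat event list into consecutive batches of at most chunk_size."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [events[i:i + chunk_size] for i in range(0, len(events), chunk_size)]


def build_cases(breached_users: List[Dict[str, Any]],
                events_returned: int) -> List[Dict[str, Any]]:
    """Return the list of SOAR cases to create for one connector run.

    One grouped case per chunk of breached users, plus a dedicated health case
    when the search hit the 10K ceiling (results may have been truncated, so
    the stale-account list can no longer be trusted to be complete).
    """
    batches = chunk_events(breached_users)
    cases: List[Dict[str, Any]] = [
        {
            "name": f"Stale Accounts batch {idx}/{len(batches)}",
            "is_health_alert": False,
            "events": batch,
        }
        for idx, batch in enumerate(batches, start=1)
    ]
    if events_returned >= UDM_SEARCH_MAX_EVENTS:
        cases.append({
            "name": HEALTH_CASE_NAME,
            "is_health_alert": True,
            "events": [{
                "message": (
                    f"udmSearch returned {events_returned} events, the "
                    f"{UDM_SEARCH_MAX_EVENTS} per-query ceiling; the query is "
                    "too broad and events may have been dropped"
                ),
            }],
        })
    return cases


if __name__ == "__main__":
    for case in build_cases(SAMPLE_USERS, events_returned=UDM_SEARCH_MAX_EVENTS):
        print(f"{case['name']}: {len(case['events'])} event(s)")
```

Playbooks then iterate over `events` inside each grouped case; the health case carries a single synthetic event so it can route to an engineering queue instead of the suspension playbook.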

⚡ Performance & Compute Optimizations


  • Lexicographical Sorting: Removes computationally heavy datetime parsing from the main data ingestion loop. The script sorts and compares raw ISO 8601 strings in O(n) time and only executes the math calculation once per unique user at the very end of the run.
  • Connection Pooling: Utilizes requests.Session() to reuse a single, persistent TCP connection, drastically reducing TLS handshake latency across hundreds of paginated API calls.

🛡️ Network Resilience & Reliability


  • Automatic Retries: Implements a urllib3 Retry adapter. If the Google Cloud API throws a 429 Too Many Requests or 503 Service Unavailable due to load, the connector automatically backs off and retries.
  • OAuth Token Failsafe: Includes a timer check inside the pagination loop. If log extraction runs longer than 50 minutes, the script automatically requests a fresh Google Cloud bearer token, preventing catastrophic 401 Unauthorized timeouts during massive data pulls.
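The resilience pattern described above, a `requests.Session` mounted with a `urllib3` `Retry` adapter for 429/503 responses and a 50-minute bearer-token timer checked on every page of a paginated pull, as an added example in Python. It is written for this post and is not the connector's own code; the token-fetching callable, the endpoint URL in the pagination sketch and the request/response field names are assumptions.

```python
"""Added example: pooled session with automatic backoff plus a token timer.
Not the connector's code; the numbers are the post's stated defaults."""
import time
from typing import Any, Callable, Dict, Iterator, Optional

import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry

TOKEN_REFRESH_MINUTES = 50          # refresh the bearer token after this long
RETRY_TOTAL = 5                     # attempts before giving up on a page
RETRY_BACKOFF_FACTOR = 1.0          # sleeps of 0s, 2s, 4s, 8s ... between retries
RETRY_STATUSES = frozenset({429, 503})


def build_session() -> requests.Session:
    """One persistent session: connection pooling plus server-error retries.

    Retry honours Retry-After on 429/503 by default; raise_on_status=False
    hands the final response back so the caller can decide what to do.
    Only idempotent methods (GET and friends) are retried on status codes.
    """
    retry = Retry(
        total=RETRY_TOTAL,
        backoff_factor=RETRY_BACKOFF_FACTOR,
        status_forcelist=RETRY_STATUSES,
        raise_on_status=False,
    )
    session = requests.Session()
    session.mount("https://", HTTPAdapter(max_retries=retry))
    return session


class BearerToken:
    """Caches a bearer token and re-fetches it once it is older than the limit.

    `fetch` is any callable returning a fresh token string (assumed: in the
    real connector it would call the Google Cloud auth library). `clock` is
    injectable so the timer can be exercised without waiting 50 minutes.
    """

    def __init__(self, fetch: Callable[[], str],
                 max_age_minutes: int = TOKEN_REFRESH_MINUTES,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._max_age = max_age_minutes * 60
        self._clock = clock
        self._value: Optional[str] = None
        self._issued_at = 0.0
        self.refreshes = 0

    def is_stale(self) -> bool:
        return self._value is None or (self._clock() - self._issued_at) >= self._max_age

    def get(self) -> str:
        if self.is_stale():
            self._value = self._fetch()
            self._issued_at = self._clock()
            self.refreshes += 1
        return self._value


def paginated_pull(session: requests.Session, token: BearerToken, url: str,
                   params: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Sketch of a pagination loop that re-reads the token on every page.

    Assumed response shape: {"events": [...], "nextPageToken": "..."}.
    Not executed here; it needs live API access.
    """
    page_token: Optional[str] = None
    while True:
        query = dict(params, pageToken=page_token) if page_token else dict(params)
        resp = session.get(url, params=query, timeout=60,
                           headers={"Authorization": f"Bearer {token.get()}"})
        resp.raise_for_status()           # retries are exhausted by this point
        body = resp.json()
        yield from body.get("events", [])
        page_token = body.get("nextPageToken")
        if not page_token:
            return
```

Because the timer is checked before each page rather than once at start-up, a pull that crosses the 50-minute mark picks up a new token on the next request instead of failing with a 401 part-way through.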

🧹 Data Normalization & Filtering


  • Case-Insensitive Deduplication: Email addresses are immediately converted to lowercase upon extraction. This naturally merges upper and lowercase variants (e.g., User@ vs user@), preventing duplicate playbook executions for the same identity without requiring complex evaluation logic.
  • Targeted Exclusions: Includes a strict bypass filter to drop specific customer domains (e.g., @gmail.com), satisfying requirements to shield specific administrative or service accounts from automated suspension logic. See line 139 to adjust this filtering.
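The performance and normalisation points above, tracking each user's latest sign-in by comparing raw ISO 8601 strings in a single pass, lowercasing addresses so that `User@` and `user@` merge, dropping excluded domains, and doing the datetime arithmetic only once per unique user at the end, as one added example in Python. It is written for this post, not taken from the connector; the event field names, the sample events and the reference date are constructed. It also handles one edge case the post does not mention: timestamps with fractional seconds, which would otherwise break plain string comparison.

```python
"""Added example: lexicographic last-seen tracking with case-insensitive
dedup and domain exclusion. Not the connector's code; fields are assumed."""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

LOOKBACK_DAYS = 90                         # assumed stale threshold
EXCLUDED_DOMAINS = frozenset({"gmail.com"})  # bypass filter from the post

# RFC 3339 UTC timestamp; fractional seconds are optional and dropped so every
# string has the same fixed width and compares correctly character by character.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")

# Constructed sample events (assumed field names "email" and "ts").
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "ts": "2026-01-10T08:00:00Z"},
    {"email": "alice@example.com", "ts": "2026-03-01T09:30:00Z"},
    {"email": "ALICE@example.com", "ts": "2026-02-15T10:00:00.250Z"},  # fractional seconds
    {"email": "bob@example.com", "ts": "2025-11-02T12:00:00Z"},
    {"email": "svc-backup@gmail.com", "ts": "2025-06-01T00:00:00Z"},  # excluded domain
    {"email": "Carol@example.com", "ts": "2025-12-20T23:59:59Z"},
    {"email": "not-an-address", "ts": "2026-02-02T00:00:00Z"},        # malformed, skipped
]


def normalize_email(raw: str) -> Optional[str]:
    """Lowercase and trim; return None for values that are not addresses."""
    email = raw.strip().lower()
    return email if "@" in email else None


def is_excluded(email: str) -> bool:
    return email.rsplit("@", 1)[1] in EXCLUDED_DOMAINS


def normalize_ts(raw: str) -> Optional[str]:
    """Canonical 'YYYY-MM-DDTHH:MM:SSZ' form, or None if the format is unexpected."""
    m = _TS_RE.match(raw.strip())
    return f"{m.group(1)}Z" if m else None


def last_seen_by_user(events: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Single O(n) pass: keep the lexicographically greatest timestamp per user.

    No datetime parsing happens here; canonical UTC strings of equal width
    order the same way the instants they represent do.
    """
    last: Dict[str, str] = {}
    for ev in events:
        email = normalize_email(ev.get("email", ""))
        ts = normalize_ts(ev.get("ts", ""))
        if email is None or ts is None or is_excluded(email):
            continue
        if ts > last.get(email, ""):
            last[email] = ts
    return last


def parse_iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_users(events: Iterable[Dict[str, str]], now: datetime,
                lookback_days: int = LOOKBACK_DAYS) -> List[str]:
    """Parse once per unique user, at the end, and return those past the threshold."""
    return sorted(
        email
        for email, ts in last_seen_by_user(events).items()
        if (now - parse_iso(ts)).days >= lookback_days
    )


if __name__ == "__main__":
    reference = datetime(2026, 3, 26, tzinfo=timezone.utc)  # constructed run date
    print(stale_users(SAMPLE_EVENTS, reference))
```

The three spellings of Alice collapse to one identity with her March sign-in as the latest, the Gmail service account never reaches the stale list, and the datetime parsing runs three times instead of once per event.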

📖 Code Readability & Maintainability


  • Global Constants: "Magic numbers" (lookback periods, chunk sizes, page limits, and token refresh timers) have been moved to global constants at the top of the script. This makes the codebase self-documenting and allows future engineers to tune the integration parameters without digging through the pagination logic.