Google SecOps - automating stale account suspensions with Google SecOps and AzureAD - Version 4

  • June 15, 2026

darrenswift
Staff

Release Notes: SecOps Inactive Accounts Connector (v4)

🚀 Enterprise Enhancements & Features

This connector has been heavily optimized for high-throughput, large-scale Google SecOps environments. It uses Google Security Operations' modern Asynchronous Search API to support high-volume data retrieval, state management, network resilience, and UI protection.

📦 Smart Event Batching (Anti-Case Explosion)

To prevent SOAR UI degradation and alert fatigue, the connector aggregates breached users and chunks them into grouped cases:

  • Dynamic Chunking: Limits cases to 80 events per case, safely staying under the platform's ingestion ceiling.
  • Seamless Playbook Integration: Passes the grouped events directly to the SOAR Ontology engine, allowing playbooks to seamlessly loop through all users in the batch simultaneously.

🏥 Proactive Health Monitoring (Upgraded to 1M Scale)

  • Asynchronous API Capacity: Migrated from the synchronous udmSearch API to the asynchronous Search Session API, allowing the connector to retrieve up to 1,000,000 events (compared to the previous 10,000 limit).
  • Blindspot Detection: The Health Alert ("Check Engine" light) threshold is now set to the 1,000,000 limit (ASYNC_LIMIT). If the query volume reaches or exceeds this capacity, the connector automatically spawns a dedicated Health Alert case (SecOps Connector Health) to warn the engineering team that the query window is too broad and logs may be dropped.

⚡ Performance & Compute Optimizations

  • Asynchronous Query Execution: Moves away from blocking synchronous calls. The connector issues a POST request to spawn a background search session, polls for completion, and then streams the results, avoiding timeouts.
  • Lexicographical Sorting: Removes computationally heavy datetime parsing from the main data ingestion loop. The script sorts and compares raw ISO 8601 strings in $O(n)$ time and only executes the math calculation once per unique user at the end of the run.
  • Connection Pooling: Utilizes requests.Session() to reuse persistent TCP connections, reducing TLS handshake latency across paginated API calls.

🛡️ Network Resilience & Reliability

  • Automatic Retries: Implements a urllib3 Retry adapter configured to catch and automatically retry on 429 (Rate Limited) or 5xx server errors. The adapter handles both the initial POST requests and subsequent paginated GET requests.
  • OAuth Token Failsafe: Features timer checks in both the polling and pagination loops. If polling or data extraction runs longer than 50 minutes, the script automatically refreshes the bearer token to prevent 401 Unauthorized responses from an expired token during massive data pulls.

🧹 Data Normalization & Filtering

  • Case-Insensitive Deduplication: Email addresses are immediately converted to lowercase upon extraction. This merges variants (e.g., User@ vs user@), preventing duplicate playbook executions for the same identity.
  • Targeted Exclusions: Includes standard exclusions to shield specific administrative or service accounts (e.g., service accounts or specific customer domains) from automated suspension logic.
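The reduce-and-batch stage that the batching, blindspot, sorting and normalization notes above describe, as an added example (not the connector's own code from the repository): lowercase dedup, exclusion filtering, raw ISO 8601 string comparison in the ingestion loop with the date math done once per unique user, chunking into cases of 80, and the ASYNC_LIMIT check. Event field names, the inactivity threshold and the exclusion lists are assumptions, and the sample events are constructed; the string comparison is only sound because every timestamp uses the same layout and zone.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed tuning constants (the real connector keeps its own at the top of the script).
ASYNC_LIMIT = 1_000_000   # async search ceiling; reaching it means results may be truncated
CHUNK_SIZE = 80           # maximum events per SOAR case
STALE_DAYS = 90           # assumed inactivity threshold in days
EXCLUDED_USERS = {"breakglass-admin@corp.example.com"}        # constructed exclusions
EXCLUDED_SUFFIXES = ("@svc.example.com",)

def reduce_last_seen(events: List[dict]) -> Dict[str, str]:
    """Keep the latest timestamp per lowercased email by comparing raw ISO 8601 strings.
    Valid only because all timestamps share one layout and zone (UTC, 'Z' suffix),
    so lexicographic order equals chronological order; no parsing in the hot loop."""
    last_seen: Dict[str, str] = {}
    for ev in events:
        email = ev["email"].strip().lower()                    # merges User@ and user@
        if email in EXCLUDED_USERS or email.endswith(EXCLUDED_SUFFIXES):
            continue
        ts = ev["timestamp"]
        if ts > last_seen.get(email, ""):
            last_seen[email] = ts
    return last_seen

def find_stale(last_seen: Dict[str, str], now: datetime) -> List[dict]:
    """Parse each user's final timestamp exactly once and flag inactive identities."""
    stale = []
    for email, ts in sorted(last_seen.items()):
        idle = (now - datetime.fromisoformat(ts.replace("Z", "+00:00"))).days
        if idle >= STALE_DAYS:
            stale.append({"email": email, "last_seen": ts, "idle_days": idle})
    return stale

def run(events: List[dict], now: datetime) -> dict:
    """Reduce, flag, chunk into cases of CHUNK_SIZE, and raise the health flag at the ceiling."""
    stale = find_stale(reduce_last_seen(events), now)
    cases = [stale[i:i + CHUNK_SIZE] for i in range(0, len(stale), CHUNK_SIZE)]
    return {"cases": cases, "health_alert": len(events) >= ASYNC_LIMIT}

# Constructed sample events standing in for async search results.
SAMPLE_EVENTS = [
    {"email": "Alice@corp.example.com", "timestamp": "2026-01-02T08:00:00Z"},
    {"email": "alice@corp.example.com", "timestamp": "2026-02-20T09:30:00Z"},
    {"email": "bob@corp.example.com",   "timestamp": "2026-06-10T12:00:00Z"},
    {"email": "deploy@svc.example.com", "timestamp": "2025-01-01T00:00:00Z"},
]
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)   # constructed "current time" for the demo

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS, NOW))
```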

📖 Code Readability & Maintainability

  • Global Constants: All configuration variables (lookback periods, chunk sizes, page limits, token refresh intervals, and async limits) are defined at the top of the script. This makes the codebase self-documenting and allows future tuning without modifying the pagination logic.

GitHub Repository:

https://github.com/Darrenswift/google_secops_use_cases_repo