cartography 0.108.0rc2__py3-none-any.whl → 0.109.0rc1__py3-none-any.whl

cartography/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.108.0rc2'
-__version_tuple__ = version_tuple = (0, 108, 0, 'rc2')
+__version__ = version = '0.109.0rc1'
+__version_tuple__ = version_tuple = (0, 109, 0, 'rc1')

cartography/data/indexes.cypher

@@ -259,8 +259,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:SecretsManagerSecret) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:SecretsManagerSecret) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SecurityHub) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SecurityHub) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.id);

cartography/data/jobs/cleanup/gcp_compute_vpc_cleanup.json

@@ -1,17 +1,5 @@
 {
   "statements": [
-    {
-      "query": "MATCH (n:GCPVpc) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)",
-      "iterative": true,
-      "iterationsize": 100,
-      "__comment__": "Delete GCP VPCs that no longer exist and detach them from all previously connected nodes."
-    },
-    {
-      "query": "MATCH (:GCPVpc)<-[r:RESOURCE]-(:GCPProject) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
-      "iterative": true,
-      "iterationsize": 100,
-      "__comment__": "Remove GCP VPC-to-Project relationships that are out of date."
-    },
     {
       "query": "MATCH (:GCPInstance)-[r:MEMBER_OF_GCP_VPC]->(:GCPVpc) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
       "iterative": true,

cartography/intel/aws/cloudtrail_management_events.py

@@ -381,13 +381,15 @@ def transform_web_identity_role_events_to_role_assumptions(
 
             # Only process GitHub Actions events
             if "token.actions.githubusercontent.com" in identity_provider:
-                # GitHub repo fullname is directly in userName (e.g., "sublimagesec/sublimage")
-                github_repo = user_identity.get("userName", "")
-                if not github_repo:
+                # Extract GitHub repo fullname from userName format: "repo:{organization}/{repository}:{context}"
+                user_name = user_identity.get("userName", "")
+                if not user_name:
                     logger.debug(
                         f"Missing userName in GitHub WebIdentity event: {event.get('EventId', 'unknown')}"
                     )
                     continue
+
+                github_repo = _extract_github_repo_from_username(user_name)
                 key = (github_repo, destination_principal)
 
                 if key in github_aggregated:
@@ -572,6 +574,37 @@ def _convert_assumed_role_arn_to_role_arn(assumed_role_arn: str) -> str:
     return assumed_role_arn
 
 
+def _extract_github_repo_from_username(user_name: str) -> str:
+    """
+    Extract GitHub repository fullname from CloudTrail userName field.
+
+    GitHub Actions CloudTrail events have userName in the format:
+    "repo:{organization}/{repository}:{context}"
+    """
+    if not user_name:
+        return ""
+
+    parts = user_name.split(":")
+
+    # Need at least 3 parts: ["repo", "{organization}/{repository}", "{context}"]
+    if len(parts) < 3 or parts[0] != "repo":
+        return ""
+
+    # Extract "{organization}/{repository}"
+    repo_fullname = parts[1]
+
+    # Validate it looks like "{organization}/{repository}" format
+    if repo_fullname.count("/") != 1:
+        return ""
+
+    # Ensure both organization and repo exist
+    owner, repo = repo_fullname.split("/")
+    if not owner or not repo:
+        return ""
+
+    return repo_fullname
+
+
 @timeit
 def cleanup(
     neo4j_session: neo4j.Session, current_aws_account_id: str, update_tag: int

cartography/intel/aws/ecr.py

@@ -6,9 +6,12 @@ from typing import List
 import boto3
 import neo4j
 
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.ecr.image import ECRImageSchema
+from cartography.models.aws.ecr.repository import ECRRepositorySchema
+from cartography.models.aws.ecr.repository_image import ECRRepositoryImageSchema
 from cartography.util import aws_handle_regions
-from cartography.util import batch
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 from cartography.util import to_asynchronous
 from cartography.util import to_synchronous
@@ -74,33 +77,17 @@ def load_ecr_repositories(
     current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
-    query = """
-    UNWIND $Repositories as ecr_repo
-        MERGE (repo:ECRRepository{id: ecr_repo.repositoryArn})
-        ON CREATE SET repo.firstseen = timestamp(),
-            repo.arn = ecr_repo.repositoryArn,
-            repo.name = ecr_repo.repositoryName,
-            repo.region = $Region,
-            repo.created_at = ecr_repo.createdAt
-        SET repo.lastupdated = $aws_update_tag,
-            repo.uri = ecr_repo.repositoryUri
-        WITH repo
-
-        MATCH (owner:AWSAccount{id: $AWS_ACCOUNT_ID})
-        MERGE (owner)-[r:RESOURCE]->(repo)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $aws_update_tag
-    """
     logger.info(
         f"Loading {len(repos)} ECR repositories for region {region} into graph.",
     )
-    neo4j_session.run(
-        query,
-        Repositories=repos,
+    load(
+        neo4j_session,
+        ECRRepositorySchema(),
+        repos,
+        lastupdated=aws_update_tag,
         Region=region,
-        aws_update_tag=aws_update_tag,
-        AWS_ACCOUNT_ID=current_aws_account_id,
-    ).consume()  # See issue #440
+        AWS_ID=current_aws_account_id,
+    )
 
 
 @timeit
@@ -114,8 +101,13 @@ def transform_ecr_repository_images(repo_data: Dict) -> List[Dict]:
     for repo_uri in sorted(repo_data.keys()):
         repo_images = repo_data[repo_uri]
         for img in repo_images:
-            if "imageDigest" in img and img["imageDigest"]:
+            digest = img.get("imageDigest")
+            if digest:
+                tag = img.get("imageTag")
+                uri = repo_uri + (f":{tag}" if tag else "")
                 img["repo_uri"] = repo_uri
+                img["uri"] = uri
+                img["id"] = uri
                 repo_images_list.append(img)
             else:
                 logger.warning(
@@ -127,74 +119,51 @@ def transform_ecr_repository_images(repo_data: Dict) -> List[Dict]:
     return repo_images_list
 
 
-def _load_ecr_repo_img_tx(
-    tx: neo4j.Transaction,
-    repo_images_list: List[Dict],
-    aws_update_tag: int,
-    region: str,
-) -> None:
-    query = """
-    UNWIND $RepoList as repo_img
-        MERGE (ri:ECRRepositoryImage{id: repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, '')})
-        ON CREATE SET ri.firstseen = timestamp()
-        SET ri.lastupdated = $aws_update_tag,
-            ri.tag = repo_img.imageTag,
-            ri.uri = repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, ''),
-            ri.image_size_bytes = repo_img.imageSizeInBytes,
-            ri.image_pushed_at = repo_img.imagePushedAt,
-            ri.image_manifest_media_type = repo_img.imageManifestMediaType,
-            ri.artifact_media_type = repo_img.artifactMediaType,
-            ri.last_recorded_pull_time = repo_img.lastRecordedPullTime
-        WITH ri, repo_img
-
-        MERGE (img:ECRImage{id: repo_img.imageDigest})
-        ON CREATE SET img.firstseen = timestamp(),
-            img.digest = repo_img.imageDigest
-        SET img.lastupdated = $aws_update_tag,
-            img.region = $Region
-        WITH ri, img, repo_img
-
-        MERGE (ri)-[r1:IMAGE]->(img)
-        ON CREATE SET r1.firstseen = timestamp()
-        SET r1.lastupdated = $aws_update_tag
-        WITH ri, repo_img
-
-        MATCH (repo:ECRRepository{uri: repo_img.repo_uri})
-        MERGE (repo)-[r2:REPO_IMAGE]->(ri)
-        ON CREATE SET r2.firstseen = timestamp()
-        SET r2.lastupdated = $aws_update_tag
-    """
-    tx.run(
-        query,
-        RepoList=repo_images_list,
-        Region=region,
-        aws_update_tag=aws_update_tag,
-    )
-
-
 @timeit
 def load_ecr_repository_images(
     neo4j_session: neo4j.Session,
     repo_images_list: List[Dict],
     region: str,
+    current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
     logger.info(
         f"Loading {len(repo_images_list)} ECR repository images in {region} into graph.",
     )
-    for repo_image_batch in batch(repo_images_list, size=10000):
-        neo4j_session.write_transaction(
-            _load_ecr_repo_img_tx,
-            repo_image_batch,
-            aws_update_tag,
-            region,
-        )
+    image_digests = {img["imageDigest"] for img in repo_images_list}
+    ecr_images = [{"imageDigest": d} for d in image_digests]
+
+    load(
+        neo4j_session,
+        ECRImageSchema(),
+        ecr_images,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+
+    load(
+        neo4j_session,
+        ECRRepositoryImageSchema(),
+        repo_images_list,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
 
 
 @timeit
 def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
     logger.debug("Running ECR cleanup job.")
-    run_cleanup_job("aws_import_ecr_cleanup.json", neo4j_session, common_job_parameters)
+    GraphJob.from_node_schema(ECRRepositorySchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(ECRRepositoryImageSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(ECRImageSchema(), common_job_parameters).run(
+        neo4j_session
+    )
 
 
 def _get_image_data(
@@ -251,5 +220,11 @@ def sync(
             update_tag,
         )
         repo_images_list = transform_ecr_repository_images(image_data)
-        load_ecr_repository_images(neo4j_session, repo_images_list, region, update_tag)
+        load_ecr_repository_images(
+            neo4j_session,
+            repo_images_list,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/resourcegroupstaggingapi.py

@@ -1,5 +1,6 @@
 import logging
 from string import Template
+from typing import Any
 from typing import Dict
 from typing import List
 
@@ -56,6 +57,35 @@ def get_short_id_from_lb2_arn(alb_arn: str) -> str:
     return alb_arn.split("/")[-2]
 
 
+def get_resource_type_from_arn(arn: str) -> str:
+    """Return the resource type format expected by the Tagging API.
+
+    The Resource Groups Tagging API requires resource types in the form
+    ``service:resource``. Most ARNs embed the resource type in the fifth segment
+    after the service name. Load balancer ARNs add an extra ``app`` or ``net``
+    component that must be preserved. S3 and SQS ARNs only contain the service
+    name.  This helper extracts the appropriate string so that ARNs can be
+    grouped correctly for API calls.
+    """
+
+    parts = arn.split(":", 5)
+    service = parts[2]
+    if service in {"s3", "sqs"}:
+        return service
+
+    resource = parts[5]
+    if service == "elasticloadbalancing" and resource.startswith("loadbalancer/"):
+        segments = resource.split("/")
+        if len(segments) > 2 and segments[1] in {"app", "net"}:
+            resource_type = f"{segments[0]}/{segments[1]}"
+        else:
+            resource_type = segments[0]
+    else:
+        resource_type = resource.split("/")[0].split(":")[0]
+
+    return f"{service}:{resource_type}" if resource_type else service
+
+
 # We maintain a mapping from AWS resource types to their associated labels and unique identifiers.
 # label: the node label used in cartography for this resource type
 # property: the field of this node that uniquely identified this resource type
@@ -158,27 +188,27 @@ TAG_RESOURCE_TYPE_MAPPINGS: Dict = {
 @aws_handle_regions
 def get_tags(
     boto3_session: boto3.session.Session,
-    resource_type: str,
+    resource_types: list[str],
     region: str,
-) -> List[Dict]:
-    """
-    Create boto3 client and retrieve tag data.
-    """
-    # this is a temporary workaround to populate AWS tags for IAM roles.
-    # resourcegroupstaggingapi does not support IAM roles and no ETA is provided
-    # TODO: when resourcegroupstaggingapi supports iam:role, remove this condition block
-    if resource_type == "iam:role":
-        return get_role_tags(boto3_session)
+) -> list[dict[str, Any]]:
+    """Retrieve tag data for the provided resource types."""
+    resources: list[dict[str, Any]] = []
+
+    if "iam:role" in resource_types:
+        resources.extend(get_role_tags(boto3_session))
+        resource_types = [rt for rt in resource_types if rt != "iam:role"]
+
+    if not resource_types:
+        return resources
 
     client = boto3_session.client("resourcegroupstaggingapi", region_name=region)
     paginator = client.get_paginator("get_resources")
-    resources: List[Dict] = []
-    for page in paginator.paginate(
-        # Only ingest tags for resources that Cartography supports.
-        # This is just a starting list; there may be others supported by this API.
-        ResourceTypeFilters=[resource_type],
-    ):
-        resources.extend(page["ResourceTagMappingList"])
+
+    # Batch resource types into groups of 100
+    # (https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html)
+    for resource_types_batch in batch(resource_types, size=100):
+        for page in paginator.paginate(ResourceTypeFilters=resource_types_batch):
+            resources.extend(page["ResourceTagMappingList"])
     return resources
 
 
@@ -210,6 +240,9 @@ def _load_tags_tx(
             r.firstseen = timestamp()
     """,
     )
+    if not tag_data:
+        return
+
     query = INGEST_TAG_TEMPLATE.safe_substitute(
         resource_label=TAG_RESOURCE_TYPE_MAPPINGS[resource_type]["label"],
         property=TAG_RESOURCE_TYPE_MAPPINGS[resource_type]["property"],
@@ -262,6 +295,26 @@ def compute_resource_id(tag_mapping: Dict, resource_type: str) -> str:
     return resource_id
 
 
+def _group_tag_data_by_resource_type(
+    tag_data: List[Dict],
+    tag_resource_type_mappings: Dict,
+) -> Dict[str, List[Dict]]:
+    """Group raw tag data by the resource types Cartography supports."""
+
+    grouped: Dict[str, List[Dict]] = {rtype: [] for rtype in tag_resource_type_mappings}
+    for mapping in tag_data:
+        rtype = get_resource_type_from_arn(mapping["ResourceARN"])
+        if rtype in grouped:
+            grouped[rtype].append(mapping)
+        else:
+            logger.debug(
+                "Unknown tag resource type %s from ARN %s",
+                rtype,
+                mapping["ResourceARN"],
+            )
+    return grouped
+
+
 @timeit
 def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
     run_cleanup_job(
@@ -285,8 +338,14 @@ def sync(
         logger.info(
             f"Syncing AWS tags for account {current_aws_account_id} and region {region}",
         )
+        all_tag_data = get_tags(
+            boto3_session, list(tag_resource_type_mappings.keys()), region
+        )
+        grouped = _group_tag_data_by_resource_type(
+            all_tag_data, tag_resource_type_mappings
+        )
         for resource_type in tag_resource_type_mappings.keys():
-            tag_data = get_tags(boto3_session, resource_type, region)
+            tag_data = grouped.get(resource_type, [])
             transform_tags(tag_data, resource_type)  # type: ignore
             logger.info(
                 f"Loading {len(tag_data)} tags for resource type {resource_type}",

cartography/intel/aws/secretsmanager.py

@@ -7,6 +7,7 @@ import neo4j
 
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
+from cartography.models.aws.secretsmanager.secret import SecretsManagerSecretSchema
 from cartography.models.aws.secretsmanager.secret_version import (
     SecretsManagerSecretVersionSchema,
 )
@@ -14,7 +15,6 @@ from cartography.stats import get_stats_client
 from cartography.util import aws_handle_regions
 from cartography.util import dict_date_to_epoch
 from cartography.util import merge_module_sync_metadata
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -32,6 +32,37 @@ def get_secret_list(boto3_session: boto3.session.Session, region: str) -> List[D
     return secrets
 
 
+def transform_secrets(
+    secrets: List[Dict],
+) -> List[Dict]:
+    """
+    Transform AWS Secrets Manager Secrets to match the data model.
+    """
+    transformed_data = []
+    for secret in secrets:
+        # Start with a copy of the original secret data
+        transformed = dict(secret)
+
+        # Convert date fields to epoch timestamps
+        transformed["CreatedDate"] = dict_date_to_epoch(secret, "CreatedDate")
+        transformed["LastRotatedDate"] = dict_date_to_epoch(secret, "LastRotatedDate")
+        transformed["LastChangedDate"] = dict_date_to_epoch(secret, "LastChangedDate")
+        transformed["LastAccessedDate"] = dict_date_to_epoch(secret, "LastAccessedDate")
+        transformed["DeletedDate"] = dict_date_to_epoch(secret, "DeletedDate")
+
+        # Flatten nested RotationRules.AutomaticallyAfterDays property
+        if "RotationRules" in secret and secret["RotationRules"]:
+            rotation_rules = secret["RotationRules"]
+            if "AutomaticallyAfterDays" in rotation_rules:
+                transformed["RotationRulesAutomaticallyAfterDays"] = rotation_rules[
+                    "AutomaticallyAfterDays"
+                ]
+
+        transformed_data.append(transformed)
+
+    return transformed_data
+
+
 @timeit
 def load_secrets(
     neo4j_session: neo4j.Session,
@@ -40,48 +71,33 @@ def load_secrets(
     current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
-    ingest_secrets = """
-    UNWIND $Secrets as secret
-        MERGE (s:SecretsManagerSecret{id: secret.ARN})
-        ON CREATE SET s.firstseen = timestamp()
-        SET s.name = secret.Name, s.arn = secret.ARN, s.description = secret.Description,
-            s.kms_key_id = secret.KmsKeyId, s.rotation_enabled = secret.RotationEnabled,
-            s.rotation_lambda_arn = secret.RotationLambdaARN,
-            s.rotation_rules_automatically_after_days = secret.RotationRules.AutomaticallyAfterDays,
-            s.last_rotated_date = secret.LastRotatedDate, s.last_changed_date = secret.LastChangedDate,
-            s.last_accessed_date = secret.LastAccessedDate, s.deleted_date = secret.DeletedDate,
-            s.owning_service = secret.OwningService, s.created_date = secret.CreatedDate,
-            s.primary_region = secret.PrimaryRegion, s.region = $Region,
-            s.lastupdated = $aws_update_tag
-        WITH s
-        MATCH (owner:AWSAccount{id: $AWS_ACCOUNT_ID})
-        MERGE (owner)-[r:RESOURCE]->(s)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $aws_update_tag
-    """
-    for secret in data:
-        secret["LastRotatedDate"] = dict_date_to_epoch(secret, "LastRotatedDate")
-        secret["LastChangedDate"] = dict_date_to_epoch(secret, "LastChangedDate")
-        secret["LastAccessedDate"] = dict_date_to_epoch(secret, "LastAccessedDate")
-        secret["DeletedDate"] = dict_date_to_epoch(secret, "DeletedDate")
-        secret["CreatedDate"] = dict_date_to_epoch(secret, "CreatedDate")
-
-    neo4j_session.run(
-        ingest_secrets,
-        Secrets=data,
+    """
+    Load transformed secrets into Neo4j using the data model.
+    Expects data to already be transformed by transform_secrets().
+    """
+    logger.info(f"Loading {len(data)} Secrets for region {region} into graph.")
+
+    # Load using the schema-based approach
+    load(
+        neo4j_session,
+        SecretsManagerSecretSchema(),
+        data,
+        lastupdated=aws_update_tag,
         Region=region,
-        AWS_ACCOUNT_ID=current_aws_account_id,
-        aws_update_tag=aws_update_tag,
+        AWS_ID=current_aws_account_id,
     )
 
 
 @timeit
 def cleanup_secrets(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job(
-        "aws_import_secrets_cleanup.json",
-        neo4j_session,
-        common_job_parameters,
+    """
+    Run Secrets cleanup job using the data model.
+    """
+    logger.debug("Running Secrets cleanup job.")
+    cleanup_job = GraphJob.from_node_schema(
+        SecretsManagerSecretSchema(), common_job_parameters
     )
+    cleanup_job.run(neo4j_session)
 
 
 @timeit
@@ -121,8 +137,6 @@ def get_secret_versions(
 
 def transform_secret_versions(
     versions: List[Dict],
-    region: str,
-    aws_account_id: str,
 ) -> List[Dict]:
     """
     Transform AWS Secrets Manager Secret Versions to match the data model.
@@ -203,7 +217,15 @@ def sync(
         )
         secrets = get_secret_list(boto3_session, region)
 
-        load_secrets(neo4j_session, secrets, region, current_aws_account_id, update_tag)
+        transformed_secrets = transform_secrets(secrets)
+
+        load_secrets(
+            neo4j_session,
+            transformed_secrets,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
 
         all_versions = []
         for secret in secrets:
@@ -216,11 +238,7 @@ def sync(
             )
             all_versions.extend(versions)
 
-        transformed_data = transform_secret_versions(
-            all_versions,
-            region,
-            current_aws_account_id,
-        )
+        transformed_data = transform_secret_versions(all_versions)
 
         load_secret_versions(
             neo4j_session,

cartography/intel/entra/groups.py

@@ -59,10 +59,29 @@ async def get_group_members(
     return user_ids, group_ids
 
 
+@timeit
+async def get_group_owners(client: GraphServiceClient, group_id: str) -> list[str]:
+    """Get owner user IDs for a given group."""
+    owner_ids: list[str] = []
+    request_builder = client.groups.by_group_id(group_id).owners
+    page = await request_builder.get()
+    while page:
+        if page.value:
+            for obj in page.value:
+                odata_type = getattr(obj, "odata_type", "")
+                if odata_type == "#microsoft.graph.user":
+                    owner_ids.append(obj.id)
+        if not page.odata_next_link:
+            break
+        page = await request_builder.with_url(page.odata_next_link).get()
+    return owner_ids
+
+
 def transform_groups(
     groups: list[Group],
     user_member_map: dict[str, list[str]],
     group_member_map: dict[str, list[str]],
+    group_owner_map: dict[str, list[str]],
 ) -> list[dict[str, Any]]:
     """Transform API responses into dictionaries for ingestion."""
     result: list[dict[str, Any]] = []
@@ -82,6 +101,7 @@ def transform_groups(
             "deleted_date_time": g.deleted_date_time,
             "member_ids": user_member_map.get(g.id, []),
             "member_group_ids": group_member_map.get(g.id, []),
+            "owner_ids": group_owner_map.get(g.id, []),
         }
         result.append(transformed)
     return result
@@ -134,6 +154,12 @@ async def sync_entra_groups(
 
     user_member_map: dict[str, list[str]] = {}
     group_member_map: dict[str, list[str]] = {}
+    group_owner_map: dict[str, list[str]] = {}
+
+    for group in groups:
+        owners = await get_group_owners(client, group.id)
+        group_owner_map[group.id] = owners
+
     for group in groups:
         try:
             users, subgroups = await get_group_members(client, group.id)
@@ -144,7 +170,9 @@ async def sync_entra_groups(
             user_member_map[group.id] = []
             group_member_map[group.id] = []
 
-    transformed_groups = transform_groups(groups, user_member_map, group_member_map)
+    transformed_groups = transform_groups(
+        groups, user_member_map, group_member_map, group_owner_map
+    )
 
     load_tenant(neo4j_session, {"id": tenant_id}, update_tag)
     load_groups(neo4j_session, transformed_groups, update_tag, tenant_id)