🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Using the File Upload API

Important

Before proceeding, complete the API Authentication steps in order to obtain a working access token.

You can use the File Upload API to send properly formatted log files to Secureworks® Taegis™ XDR for ingestion and normalization without a Taegis™ XDR Collector. If the log files are produced by a supported Taegis integrated syslog data source, the events are normalized according to the schema(s) associated with that data source. Otherwise, the events are normalized according to the Generic schema.

Uses of the File Upload API Include:

File Types Supported

Things to Consider

File Upload Process

  1. Generate an Access Token
  2. Request the S3 Presigned URL
  3. PUT the log file

REST API

Regions

The URL to access Taegis™ XDR APIs may differ according to the region your environment is deployed in:

  • US1— https://api.ctpx.secureworks.com
  • US2— https://api.delta.taegis.secureworks.com
  • US3— https://api.foxtrot.taegis.secureworks.com
  • EU— https://api.echo.taegis.secureworks.com

The examples in this Taegis™ XDR API documentation use https://api.ctpx.secureworks.com throughout. If you are in a different region substitute appropriately.

signed-s3url

Returns a URL in which you can PUT your logs.

POST https://api.ctpx.secureworks.com/s3-signer/v2/signed-s3url

URL Parameters

Name Type Description
file_name String The filename you are attempting to upload
content_length Integer The size in bytes of the file you are attempting to upload
sensor_id String Optional. Your desired sensor identifier. If omitted, the value defaults to toaster.localhost

Example

  1. Install the python dependencies:
pip install pprint
  1. Set the TAEGIS_API_ENDPOINT and ACCESS_TOKEN environment variables then run this Python script.
export TAEGIS_API_ENDPOINT="your_region_url"
export ACCESS_TOKEN="your_access_token"
#!/usr/bin/env python

import requests
from pprint import pprint
import os
from os import sys
import json

def upload_file(endpoint,token,filename, sensorid = "toaster.localhost", service = "Syslog"):
    contents = ""
    if os.path.exists(filename):
        content_length = os.path.getsize(filename)
        try:
            with open(filename,"rb") as fd:
                contents = fd.read()
        except OSError as err:
            print("OS error: {0}".format(err))
            sys.exit(2)
    else:
        print("The file does not exist")
        sys.exit(2)

    s3url = endpoint + "/s3-signer/v2/signed-s3url?file_name=" + filename + "&content_length=" + str(content_length) + "&service=Syslog"
    if sensorid != "":
        s3url += "&sensor_id=" + sensorid
    headers = {'Authorization': 'Bearer '+ token}

    response = requests.request(method = "POST", url = s3url, headers = headers)
    if response.status_code != 200:
        print("Failed to request a pre-signed url with error: {0}".format(response.text))

    res = json.loads(response.content)
    try:
        url = res['location']
    except:
        sys.exit(2)

    response = requests.put(url, data=contents)
    if response.status_code == 200:
        print("Upload success! of file {0} with sensorId {1}".format(filename,sensorid))
    else:
        print("Upload failed with error {0}".format(response.text))

if __name__ == "__main__":
    token = os.environ.get('ACCESS_TOKEN')
    endpoint = os.environ.get("TAEGIS_API_ENDPOINT")
    filename = sys.argv[1]
    upload_file(endpoint,token,filename)

 

On this page: