
Using the File Upload API

Important

Before proceeding, complete the API Authentication steps in order to obtain a working access token.

You can use the File Upload API to send properly formatted log files to Secureworks® Taegis™ XDR for ingestion and normalization without a Taegis™ XDR Collector. If the log files are produced by a supported Secureworks® Taegis™ integrated syslog data source, the events are normalized according to the schema(s) associated with that data source. Otherwise, the events are normalized according to the Generic schema.

Tip

The Secureworks Professional Services team is here to help you realize the full potential from your Taegis XDR investment if a higher level of support is desired. Our highly skilled consultants can help you deploy faster, optimize quicker, and accelerate your time to value. For more information, see Professional Services Overview.

Uses of the File Upload API Include:

File Types Supported

Things to Consider

File Upload Process

  1. Generate an Access Token
  2. Request the S3 Presigned URL
  3. PUT the log file

REST API

Regions

The URL to access XDR APIs may differ according to the region your environment is deployed in:

  • US1— https://api.ctpx.secureworks.com
  • US2— https://api.delta.taegis.secureworks.com
  • US3— https://api.foxtrot.taegis.secureworks.com
  • EU— https://api.echo.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If you are in a different region, substitute the URL for your region.

signed-s3url

Returns a URL to which you can PUT your logs.

POST https://api.ctpx.secureworks.com/s3-signer/v2/signed-s3url

URL Parameters

Name            Type     Description
file_name       String   The filename you are attempting to upload
content_length  Integer  The size in bytes of the file you are attempting to upload
sensor_id       String   Optional. Your desired sensor identifier. If omitted, the value defaults to toaster.localhost

Example

  1. Install the Python dependencies:

pip install requests

  2. Set the TAEGIS_API_ENDPOINT and ACCESS_TOKEN environment variables, then run this Python script.

export TAEGIS_API_ENDPOINT="your_region_url"
export ACCESS_TOKEN="your_access_token"

#!/usr/bin/env python

import os
import sys

import requests


def upload_file(endpoint, token, filename, sensorid="toaster.localhost", service="Syslog"):
    # Read the whole log file; its size is sent as content_length.
    if not os.path.exists(filename):
        print("The file does not exist")
        sys.exit(2)
    try:
        with open(filename, "rb") as fd:
            contents = fd.read()
    except OSError as err:
        print("OS error: {0}".format(err))
        sys.exit(2)

    # Pass the query parameters via params= so that requests URL-encodes them.
    params = {"file_name": filename, "content_length": len(contents), "service": service}
    if sensorid != "":
        params["sensor_id"] = sensorid
    headers = {'Authorization': 'Bearer ' + token}

    # Request the S3 presigned URL.
    response = requests.post(endpoint + "/s3-signer/v2/signed-s3url",
                             params=params, headers=headers, timeout=30)
    if response.status_code != 200:
        print("Failed to request a pre-signed url with error: {0}".format(response.text))
        sys.exit(2)

    try:
        url = response.json()['location']
    except (ValueError, KeyError, TypeError):
        print("The response did not contain a pre-signed url")
        sys.exit(2)

    # PUT the log file. The bearer token is not sent to the presigned URL.
    response = requests.put(url, data=contents, timeout=300)
    if response.status_code == 200:
        print("Upload success! of file {0} with sensorId {1}".format(filename, sensorid))
    else:
        print("Upload failed with error {0}".format(response.text))
        sys.exit(1)


if __name__ == "__main__":
    token = os.environ.get('ACCESS_TOKEN')
    endpoint = os.environ.get("TAEGIS_API_ENDPOINT")
    if not token or not endpoint or len(sys.argv) != 2:
        print("Set ACCESS_TOKEN and TAEGIS_API_ENDPOINT, then pass the log file path")
        sys.exit(2)
    upload_file(endpoint, token, sys.argv[1])
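
The checks below are an added example, not code from the original page or from Secureworks. They confirm that TAEGIS_API_ENDPOINT is one of the region URLs listed under Regions before the bearer token is attached, URL-encode the signed-s3url parameters, and mask a presigned URL before it is logged. The function names, the sample URL, and the assumption that the presigned URL carries standard SigV4 query parameters (X-Amz-Signature, X-Amz-Credential, X-Amz-Security-Token) are not from the page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Region base URLs exactly as listed on this page.
REGION_ENDPOINTS = {
    "https://api.ctpx.secureworks.com",            # US1
    "https://api.delta.taegis.secureworks.com",    # US2
    "https://api.foxtrot.taegis.secureworks.com",  # US3
    "https://api.echo.taegis.secureworks.com",     # EU
}
# SigV4 query parameters that carry credentials (assumed response format).
SECRET_PARAMS = {"x-amz-signature", "x-amz-credential", "x-amz-security-token"}
# Constructed sample of a presigned URL (not a real bucket, key or signature).
SAMPLE_URL = ("https://example-bucket.s3.amazonaws.com/in/fw.log"
              "?X-Amz-Credential=EXAMPLEKEY%2F20240101&X-Amz-Expires=900"
              "&X-Amz-Signature=0123abcd")


def validate_endpoint(endpoint):
    """Return the normalized base URL, or raise if it is not a listed region."""
    parts = urlsplit(endpoint.strip())
    if parts.port or parts.username or parts.path.strip("/") or parts.query:
        raise ValueError("endpoint must be a bare region base URL")
    base = f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}"
    if base not in REGION_ENDPOINTS:
        raise ValueError(f"not a listed region endpoint: {endpoint!r}")
    return base


def build_signer_request(endpoint, token, file_name, content_length,
                         sensor_id=None, service="Syslog"):
    """Build the signed-s3url POST (url, headers) without sending it."""
    params = {"file_name": file_name, "content_length": int(content_length),
              "service": service}  # service is sent by the page's script
    if sensor_id:
        params["sensor_id"] = sensor_id
    base = validate_endpoint(endpoint)  # token only goes to a listed host
    url = base + "/s3-signer/v2/signed-s3url?" + urlencode(params)
    return url, {"Authorization": "Bearer " + token}


def redact_presigned(url):
    """Mask credential-bearing query values so the URL is safe to log."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("presigned URL must use https")
    query = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Anyone holding the presigned URL can use it until it expires, so log only the output of redact_presigned, never the raw location value.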

 
