AWS CloudTrail Integration Guide
cloud integrations amazon aws cloudtrail
The following instructions are for configuring an AWS CloudTrail integration to facilitate log ingestion into Secureworks® Taegis™ XDR.
Note
The following should be done in the same AWS region as your AWS CloudTrail logs bucket.
Typically the S3 bucket, CloudFormation template, and Lambda all should be in the same account and region for deployment. It is possible to configure your CloudTrail instance in a different account to emit logs to the cross-account S3 bucket. For information on how to do this, see Receiving CloudTrail Log Files from Multiple Accounts.
Data Provided from Integrations ⫘
Antivirus | Auth | CloudAudit | DHCP | DNS | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CloudTrail | V | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Set Up AWS CloudTrail ⫘
Note
If you do not have login access to XDR, have someone who does help you complete any steps that require access. You can also contact your Secureworks® representative for help.
- From the Taegis Menu, select Integrations → Cloud APIs → Add an Integration.
- From the Optimized tab, choose AWS and then select Setup under AWS Cloudtrail.
Set up AWS CloudTrail Integration
- Select Download CloudFormation Shared Resources and save it as
taegis-cloudformation-shared-resources.yaml
. - Select Download CloudFormation Lambda Template and save it as
taegis-cloudformation-lambda-template.yaml
. - Select Download Lambda; the file should be named
taegis-lambda-amd64.zip
. - Select Download Credentials.
- Select Create after you have downloaded all files.
Tip
You can consolidate cloudtrail logs into one account to simplify your deployment see Receiving CloudTrail Log Files from Multiple Accounts in the AWS CloudTrail User Guide for details.
Tip
You can consolidate cloudtrail logs into one region to simplify your deployment see Receiving CloudTrail Log Files from Multiple Regions in the AWS CloudTrail User Guide for details.
Upload the Lambda Executable and CloudFormation Templates to S3 ⫘
- Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
- In the Storage section, select S3.
- Create a new bucket or locate an existing bucket in which to store the Lambda executable and, optionally, the CloudFormation templates. The bucket does not need to be public, versioned, or encrypted.
- Upload the Lambda
taegis-lambda-amd64.zip
to the root of the bucket and take note of the bucket name. - Optionally upload
taegis-cloudformation-shared-resources.yaml
andtaegis-cloudformation-lambda-template.yaml
to the same bucket.
Tip
Take note of the bucket name and the key, including any prefix. These identifiers are needed when you create a stack.
Create a Shared Resources Stack in Each AWS Region That Will Contain a Lambda Deployment ⫘
Important
The Shared Resources Stack (Steps 1-11) only needs to be deployed once per AWS region.
- Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
- In the Management and Governance section, select CloudFormation.
- Select the Create Stack button to create a new stack using the
taegis-cloudformation-shared-resources.yaml
template provided.
Note
You might see a list of CloudFormation stacks when you select CloudFormation like the following image. If that is the case, select the Create Stack drop down and choose With new resources (standard).
Create New Stack
- From the Prepare Template section, choose Template is ready.
- From the Specify Template section, choose Amazon S3 URL OR choose Upload a template file.
- If you choose Amazon S3 URL, input the CloudFormation object URL gathered previously into the Amazon S3 URL field. For example,
https://cwl-poc.s3.amazonaws.com/taegis-cloudformation-shared-resources.yaml
.
To find the URL, navigate to the S3 service and open the S3 bucket to which the taegis-cloudformation-shared-resources.yaml
file was uploaded. Select the CloudFormation template, then click the Copy URL button.
Copy CloudFormation URL
- Select Next.
- Enter an appropriate stack name.
Note
Spaces are not allowed in stack names.
- Enter the contents of the
credentials.txt
file into theSecretValue
field. - Select the correct
TaegisRegion
based off of your XDR login URL; for example, selectctpx
if you use https://ctpx.secureworks.com/login orfoxtrot
if you use https://foxtrot.taegis.secureworks.com/. - Select Next.
- On the Configure stack options page, the default selections and values can be accepted. Select Next.
- On the Review and create page, Select Submit.
Create the Lambda Stack ⫘
Note
The AWS Lambda function uses two secret tokens to communicate with the Taegis™ XDR API.
- A short-lived token which expires every 10 hours and is rotated by XDR
- Long-lived credentials which do not expire
- Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
- In the Management and Governance section, select CloudFormation.
- Select the Create Stack button.
Note
You might see a list of CloudFormation stacks when you select CloudFormation like the following image. If that is the case, select the Create Stack drop down and choose With new resources (standard).
Create New Stack
- From the Prepare Template section, choose Template is ready.
- From the Specify Template section, choose Amazon S3 URL OR choose Upload a template file.
- If you choose Amazon S3 URL, input the CloudFormation object URL gathered previously into the Amazon S3 URL field. For example:
https://cwl-poc.s3.amazonaws.com/taegis-cloudformation-lambda-template.yaml
.
To find the URL, navigate to the S3 service and open the S3 bucket to which the taegis-cloudformation-lambda-template.yaml
file was uploaded. Select the CloudFormation template, then click the Copy URL button.
Copy CloudFormation URL
- Select Next.
- Enter an appropriate stack name.
Note
Spaces are not allowed in stack names.
- Select
IntegrationType
from the dropdown. This describes what sort of log objects are in theNotificationBucket
. If more than one type, or you are not sure, selectgeneric
.
Update Lambda Stack Integration Type
- In the field
NotificationBucket
, enter the bucket name, not a URL or URI, that houses the CloudTrail Logs. - (Optional) Enter the appropriate value into the
SNSNotificationarn
field if you wish to use SNS notifications going forward instead of S3 notifications. - (Optional) Enter the appropriate value into the
NotificationBucketCustomerManagedKMSarn
if you wish to add the KMS key ARN that may be encrypting the objects in theNotificationBucket
. The KMS key policy must haveEnable IAM User Permissions
. If not, the Lambda ARN can be added to your KMS key. - The field
TaegisLambdaS3BucketName
should be the name of the S3 bucket that contains the Lambda that was previously uploaded. - The field
LambdaEnvKMSarn
can be left empty. If populated, the KMS key must haveEnable IAM User Permissions
. - The remaining fields can be left at their defaults.
- Select Next.
Complete Remaining Stack Options ⫘
- The configure stack options page is optional.
- Select Next.
- Review all parameters. Make sure that all fields you have specified from Step 9 through Step 15 have a valid value.
Review Lambda Parameters
- Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox and choose Submit.
- Wait at least 30 seconds and then select the refresh button. The process may take a minute or more to finish. A status of CREATE_COMPLETE for the stack indicates the process has finished. Discard the
credential.txt
file containing the client_id and client_secret downloaded in the Set Up AWS CloudTrail section. These values are now stored in the AWS SecretsManager.
Add the Lambda Trigger ⫘
- In the AWS console, switch to the Lambda service.
- Locate the new Lambda by name. The default name is {STACKNAME}-scwx-tdr-lambda-{INTEGRATIONTYPE}. For example:
ct-demo-scwx-tdr-lambda-awscloudtrail
. - Select the Lambda name. The edit page for that Lambda displays.
- Expand the Function overview section and choose Add Trigger.
- In the Trigger Configuration editor, select the drop down menu and choose S3. Optionally, use an SNS trigger configured with a previously created topic.
- From the Bucket options, find the bucket containing the CloudTrail logs and select it.
- From the Event Type options, choose All Object Create Events.
- In the prefix field, enter the bucket prefix where the CloudTrail logs are located. Leave this blank if no prefix is used.
- Leave the suffix field blank.
- Check the following box to acknowledge the cost impact of a lambda function.
- Choose Add. The configuration page for that lambda displays again. A message displays at the top indicating adding a trigger was successful; for example, "The trigger wmikeking-CloudTrail was successfully added to function CloudTrail-Logs-TDR-Upload".
- The function is now receiving events from the trigger.
Important
AWS Lambda Concurrency Guidance ⫘
The Reserved Concurrency value set by the Taegis XDR CloudFormation template (taegis-cloudformation-lambda-template.yaml
) is 5. For more information regarding Lambda concurrency and the calculation of a value appropriate for your environment, please reference Lambda function scaling in AWS Docs.
Please reference the following AWS documentation to the identify the values to be used in the concurrency calulation:
AWS Concurrent Execution Limit ⫘
If you see the following error when running your Lambda: You need to request a quota increase from AWS to raise your concurrent execution limit. For more information, see Lambda quotas in AWS Docs.
Verification Steps ⫘
- Verify Lambda Runtime settings. The
Runtime
value should be Custom runtime on Amazon Linux 2.
Verify Lambda Runtime Settings
-
See Test AWS Lambda Logs to verify that the AWS Lambda function for your integration is working by configuring a test for it in the AWS Console.
-
In the AWS console, go to the Lambda function that was installed. If there is an error, select Fix errors.
Fix Lambda Errors
- See View AWS Lambda Logs to view logs generated by your AWS Lambda functions and verify successful uploads. This verifies the trigger is working, on the assumption there is new S3 data being published to the bucket.
{"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}
Download Existing Integration Setup Files ⫘
If you need to add your CloudTrail integration to many regions or completely re-do the integration, you can download the existing set of integration files including the templates, Lambda, and credentials files at any time.
- From the Taegis XDR menu, navigate to Integrations → Cloud APIs.
- From the Cloud API Integrations table, click the download icon from the Actions column in the row of the integration you want to redo/modify.
- Select the Download Integration icon. The Download panel appears.
Download Existing Integration Files
- Download any needed files.
Note
CloudTrail publishes duplicates of global service events unless explicitly disabled. XDR does not de-duplicate these events. If you want to prevent duplicates of these events in your XDR tenant, you must configure your AWS CloudTrail settings following the instructions available from AWS CloudTrail: Enabling and disabling logging global service events.
Verify Event Flow with Advanced Search ⫘
You can use Advanced Search to verify a successful set up by searching for events from the specific integration. For this integration, use this search:
from cloudaudit where sensor_type = 'AWS CloudTrail'
Related Topics ⫘
Test a Deployed AWS Lambda ⫘
View AWS Lambda Logs ⫘
Delete an Integration ⫘
Remove Cloud Permissions ⫘