🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

AWS CloudTrail Integration Guide

cloud integrations amazon aws cloudtrail


The following instructions are for configuring an AWS CloudTrail integration to facilitate log ingestion into Secureworks® Taegis™ XDR.

Note

The following should be done in the same AWS region as your AWS CloudTrail logs bucket.

Typically the S3 bucket, CloudFormation template, and Lambda all should be in the same account and region for deployment. It is possible to configure your CloudTrail instance in a different account to emit logs to the cross-account S3 bucket. For information on how to do this, see Receiving CloudTrail Log Files from Multiple Accounts.

Data Provided from Integrations

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
AWS CloudTrail   V V                  

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Set Up AWS CloudTrail

Note

If you do not have login access to XDR, have someone who does help you complete any steps that require access. You can also contact your Secureworks® representative for help.

  1. From the Taegis Menu, select Integrations → Cloud APIs → Add an Integration.
  2. From the Optimized tab, choose AWS and then select Setup under AWS Cloudtrail.

Set up AWS CloudTrail Integration

Set up AWS CloudTrail Integration

  1. Select Download CloudFormation Shared Resources and save it as taegis-cloudformation-shared-resources.yaml.
  2. Select Download CloudFormation Lambda Template and save it as taegis-cloudformation-lambda-template.yaml.
  3. Select Download Lambda; the file should be named taegis-lambda-amd64.zip.
  4. Select Download Credentials.
  5. Select Create after you have downloaded all files.

Tip

You can consolidate cloudtrail logs into one account to simplify your deployment see Receiving CloudTrail Log Files from Multiple Accounts in the AWS CloudTrail User Guide for details.

Tip

You can consolidate cloudtrail logs into one region to simplify your deployment see Receiving CloudTrail Log Files from Multiple Regions in the AWS CloudTrail User Guide for details.

Upload the Lambda Executable and CloudFormation Templates to S3

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Storage section, select S3.
  3. Create a new bucket or locate an existing bucket in which to store the Lambda executable and, optionally, the CloudFormation templates. The bucket does not need to be public, versioned, or encrypted.
  4. Upload the Lambda taegis-lambda-amd64.zip to the root of the bucket and take note of the bucket name.
  5. Optionally upload taegis-cloudformation-shared-resources.yaml and taegis-cloudformation-lambda-template.yaml to the same bucket.

Tip

Take note of the bucket name and the key, including any prefix. These identifiers are needed when you create a stack.

Create a Shared Resources Stack in Each AWS Region That Will Contain a Lambda Deployment

Important

The Shared Resources Stack (Steps 1-11) only needs to be deployed once per AWS region.

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Management and Governance section, select CloudFormation.
  3. Select the Create Stack button to create a new stack using the taegis-cloudformation-shared-resources.yaml template provided.

Note

You might see a list of CloudFormation stacks when you select CloudFormation like the following image. If that is the case, select the Create Stack drop down and choose With new resources (standard).

Create New Stack

Create New Stack

  1. From the Prepare Template section, choose Template is ready.
  2. From the Specify Template section, choose Amazon S3 URL OR choose Upload a template file.
  3. If you choose Amazon S3 URL, input the CloudFormation object URL gathered previously into the Amazon S3 URL field. For example, https://cwl-poc.s3.amazonaws.com/taegis-cloudformation-shared-resources.yaml.

To find the URL, navigate to the S3 service and open the S3 bucket to which the taegis-cloudformation-shared-resources.yaml file was uploaded. Select the CloudFormation template, then click the Copy URL button.

Copy CloudFormation URL

Copy CloudFormation URL

  1. Select Next.
  2. Enter an appropriate stack name.

Note

Spaces are not allowed in stack names.

  1. Enter the contents of the credentials.txt file into the SecretValue field.
  2. Select the correct TaegisRegion based off of your XDR login URL; for example, select ctpx if you use https://ctpx.secureworks.com/login or foxtrot if you use https://foxtrot.taegis.secureworks.com/.
  3. Select Next.
  4. On the Configure stack options page, the default selections and values can be accepted. Select Next.
  5. On the Review and create page, Select Submit.

Create the Lambda Stack

Note

The AWS Lambda function uses two secret tokens to communicate with the Taegis™ XDR API.

  • A short-lived token which expires every 10 hours and is rotated by XDR
  • Long-lived credentials which do not expire
  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Management and Governance section, select CloudFormation.
  3. Select the Create Stack button.

Note

You might see a list of CloudFormation stacks when you select CloudFormation like the following image. If that is the case, select the Create Stack drop down and choose With new resources (standard).

Create New Stack

Create New Stack

  1. From the Prepare Template section, choose Template is ready.
  2. From the Specify Template section, choose Amazon S3 URL OR choose Upload a template file.
  3. If you choose Amazon S3 URL, input the CloudFormation object URL gathered previously into the Amazon S3 URL field. For example: https://cwl-poc.s3.amazonaws.com/taegis-cloudformation-lambda-template.yaml.

To find the URL, navigate to the S3 service and open the S3 bucket to which the taegis-cloudformation-lambda-template.yaml file was uploaded. Select the CloudFormation template, then click the Copy URL button.

Copy CloudFormation URL

Copy CloudFormation URL

  1. Select Next.
  2. Enter an appropriate stack name.

Note

Spaces are not allowed in stack names.

  1. Select IntegrationType from the dropdown. This describes what sort of log objects are in the NotificationBucket. If more than one type, or you are not sure, select generic.

Update Lambda Stack Integration Type

Update Lambda Stack Integration Type

  1. In the field NotificationBucket, enter the bucket name, not a URL or URI, that houses the CloudTrail Logs.
  2. (Optional) Enter the appropriate value into the SNSNotificationarn field if you wish to use SNS notifications going forward instead of S3 notifications.
  3. (Optional) Enter the appropriate value into the NotificationBucketCustomerManagedKMSarn if you wish to add the KMS key ARN that may be encrypting the objects in the NotificationBucket. The KMS key policy must have Enable IAM User Permissions. If not, the Lambda ARN can be added to your KMS key.
  4. The field TaegisLambdaS3BucketName should be the name of the S3 bucket that contains the Lambda that was previously uploaded.
  5. The field LambdaEnvKMSarn can be left empty. If populated, the KMS key must have Enable IAM User Permissions.
  6. The remaining fields can be left at their defaults.
  7. Select Next.

Complete Remaining Stack Options

  1. The configure stack options page is optional.
  2. Select Next.
  3. Review all parameters. Make sure that all fields you have specified from Step 9 through Step 15 have a valid value.

Review Lambda Parameters

Review Lambda Parameters

  1. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox and choose Submit.
  2. Wait at least 30 seconds and then select the refresh button. The process may take a minute or more to finish. A status of CREATE_COMPLETE for the stack indicates the process has finished. Discard the credential.txt file containing the client_id and client_secret downloaded in the Set Up AWS CloudTrail section. These values are now stored in the AWS SecretsManager.

Add the Lambda Trigger

  1. In the AWS console, switch to the Lambda service.
  2. Locate the new Lambda by name. The default name is {STACKNAME}-scwx-tdr-lambda-{INTEGRATIONTYPE}. For example: ct-demo-scwx-tdr-lambda-awscloudtrail.
  3. Select the Lambda name. The edit page for that Lambda displays.
  4. Expand the Function overview section and choose Add Trigger.
  5. In the Trigger Configuration editor, select the drop down menu and choose S3. Optionally, use an SNS trigger configured with a previously created topic.
  6. From the Bucket options, find the bucket containing the CloudTrail logs and select it.
  7. From the Event Type options, choose All Object Create Events.
  8. In the prefix field, enter the bucket prefix where the CloudTrail logs are located. Leave this blank if no prefix is used.
  9. Leave the suffix field blank.
  10. Check the following box to acknowledge the cost impact of a lambda function.
  11. Choose Add. The configuration page for that lambda displays again. A message displays at the top indicating adding a trigger was successful; for example, "The trigger wmikeking-CloudTrail was successfully added to function CloudTrail-Logs-TDR-Upload".
  12. The function is now receiving events from the trigger.

Important

AWS Lambda Concurrency Guidance

The Reserved Concurrency value set by the Taegis XDR CloudFormation template (taegis-cloudformation-lambda-template.yaml) is 5. For more information regarding Lambda concurrency and the calculation of a value appropriate for your environment, please reference Lambda function scaling in AWS Docs.

Please reference the following AWS documentation to the identify the values to be used in the concurrency calulation:

AWS Concurrent Execution Limit

If you see the following error when running your Lambda: Set up Cisco Umbrella Integration You need to request a quota increase from AWS to raise your concurrent execution limit. For more information, see Lambda quotas in AWS Docs.

Verification Steps

  1. Verify Lambda Runtime settings. The Runtime value should be Custom runtime on Amazon Linux 2.

Verify Lambda Runtime Settings

Verify Lambda Runtime Settings

  1. See Test AWS Lambda Logs to verify that the AWS Lambda function for your integration is working by configuring a test for it in the AWS Console.

  2. In the AWS console, go to the Lambda function that was installed. If there is an error, select Fix errors.

Fix Lambda Errors

Fix Lambda Errors

  1. See View AWS Lambda Logs to view logs generated by your AWS Lambda functions and verify successful uploads. This verifies the trigger is working, on the assumption there is new S3 data being published to the bucket.

{"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}

Download Existing Integration Setup Files

If you need to add your CloudTrail integration to many regions or completely re-do the integration, you can download the existing set of integration files including the templates, Lambda, and credentials files at any time.

  1. From the Taegis XDR menu, navigate to Integrations → Cloud APIs.
  2. From the Cloud API Integrations table, click the download icon from the Actions column in the row of the integration you want to redo/modify.
  3. Select the Download Integration icon. The Download panel appears.

Download Existing Integration Files

Download Existing Integration Files

  1. Download any needed files.

Note

CloudTrail publishes duplicates of global service events unless explicitly disabled. XDR does not de-duplicate these events. If you want to prevent duplicates of these events in your XDR tenant, you must configure your AWS CloudTrail settings following the instructions available from AWS CloudTrail: Enabling and disabling logging global service events.

You can use Advanced Search to verify a successful set up by searching for events from the specific integration. For this integration, use this search:

from cloudaudit where sensor_type = 'AWS CloudTrail'

 

On this page: