
Lambda Migration



The following instructions are for updating the Secureworks® Taegis™ XDR Lambda function used in the following integrations:

Download Files from Secureworks® Taegis™ XDR

  1. From the left-hand side navigation in Taegis™ XDR, select Integrations → Cloud APIs.
  2. Select the Download Integration icon for any active Lambda deployments.

Download Integration Button


  1. Select Download CloudFormation Shared Resources and save it as taegis-cloudformation-shared-resources.yaml.
  2. Select Download CloudFormation Lambda Template and save it as taegis-cloudformation-lambda-template.yaml.
  3. Select Download Lambda; the file should be named taegis-lambda-amd64.zip.
  4. Select Download Credentials.

Download Lambda Integration Files


Update in Each AWS Region That Contains the Existing Lambda Deployment

Install the Common Infrastructure and Artifacts

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Management and Governance section, select CloudFormation.
  3. Select the Create Stack button to create a new stack using the taegis-cloudformation-shared-resources.yaml template provided.

Note

You might see a list of CloudFormation stacks when you select CloudFormation, as in the following image. If so, select the Create Stack drop-down and choose With new resources (standard).

Create New Stack


  1. From the Prepare Template section, choose Template is ready.
  2. From the Specify Template section, choose either Amazon S3 URL or Upload a template file.
  3. If you choose Amazon S3 URL, input the CloudFormation object URL gathered previously into the Amazon S3 URL field. For example, https://cwl-poc.s3.amazonaws.com/taegis-cloudformation-shared-resources.yaml.

  4. Select Next.

  5. Enter an appropriate stack name.

Note

Spaces are not allowed in stack names.

  1. Enter the contents of the credentials.txt file into the SecretValue field.
  2. Select the correct TaegisRegion based on your Taegis™ XDR login URL; for example, select ctpx if you use https://ctpx.secureworks.com/login or foxtrot if you use https://foxtrot.taegis.secureworks.com/.
  3. Select Next.

Update the Current Running Lambda Stack

  1. In the AWS console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation), select the button for the existing Lambda stack.
  2. From the top right, select Update.

Update Lambda Stack


  1. Select Replace current template.

Replace Existing Lambda Stack


  1. Either select Upload a template file and choose taegis-cloudformation-lambda-template.yaml, or, if you uploaded the template in Step 8, use the Amazon S3 URL option.
  2. Select Next.

Make the Updates to the Current Running Lambda Stack

  1. Select IntegrationType from the dropdown. This describes what sort of log objects are in the NotificationBucket. If there is more than one type, or you are not sure, select generic.

Update Lambda Stack Integration Type


  1. The field NotificationBucket does not need to be changed.
  2. The field SNSNotificationarn does not need to be changed, unless you wish to use SNS notifications going forward instead of S3 notifications.
  3. The field NotificationBucketCustomerManagedKMSarn does not need to be changed, unless you wish to add the KMS key ARN that may be encrypting the objects in the NotificationBucket. The KMS key policy must have Enable IAM User Permissions. If not, the Lambda ARN can be added to your KMS key.
  4. The field TeagisLambdaS3BucketName should be the bucketName used in Step 7.
  5. The field LambdaEnvKMSarn can be left empty. If populated, the KMS key must have Enable IAM User Permissions.
  6. The remaining fields can be left at their defaults.
  7. Select Next.
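
The KMS requirement in the fields above can be checked before you submit the stack. The following is an added example, not Secureworks code: it reads a key policy document and reports whether Decrypt access is delegated to IAM (the Enable IAM User Permissions statement) or granted directly to a named principal. The account ID, the role ARN, and the choice of kms:Decrypt as the action to test are assumptions.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_decrypt(actions):
    # True for "kms:Decrypt", "kms:*", "kms:De*" or "*" (action names are case-insensitive).
    for action in _as_list(actions):
        a = action.lower()
        if a == "kms:decrypt" or (a.endswith("*") and "kms:decrypt".startswith(a[:-1])):
            return True
    return False

def decrypt_path(policy_json, account_id, principal_arn):
    """Return 'iam-delegated', 'direct-grant' or 'none' for a KMS key policy document."""
    root = f"arn:aws:iam::{account_id}:root"
    found = "none"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Conditional statements are skipped: they may not apply to the Lambda's requests.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _allows_decrypt(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if root in aws or account_id in aws:
            return "iam-delegated"  # the "Enable IAM User Permissions" pattern
        if principal_arn in aws:
            found = "direct-grant"
    return found

# Constructed sample policies; the account ID and role name are placeholders.
ACCOUNT = "111122223333"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/example-taegis-lambda-role"
DEFAULT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "kms:*", "Resource": "*"}]})
DIRECT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowLambdaDecrypt", "Effect": "Allow",
    "Principal": {"AWS": ROLE},
    "Action": ["kms:Decrypt"], "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_POLICY), ("direct", DIRECT_POLICY)):
        print(name, decrypt_path(doc, ACCOUNT, ROLE))
```

A result of iam-delegated means the key policy defers to IAM, so the principal still needs an IAM policy that allows the action on that key.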

Complete Remaining Stack Options

  1. The Configure stack options page is optional.
  2. Select Next.
  3. Review the stack changes. The Action, Logical ID, Resource type and Replacement values should match the following:

CloudFormation Change Set Preview


  1. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox and choose Submit.

Verification Steps

  1. Verify Lambda Runtime settings. The Runtime value should be Custom runtime on Amazon Linux 2.

Verify Lambda Runtime Settings


  1. See Test AWS Lambda Logs to verify that the AWS Lambda function for your integration is working by configuring a test for it in the AWS Console.

  2. In the AWS console, go to the Lambda function that was installed. If there is an error, select Fix errors.

Fix Lambda Errors


  1. See View AWS Lambda Logs to view logs generated by your AWS Lambda functions and verify successful uploads. This verifies the trigger is working, on the assumption there is new S3 data being published to the bucket.

{"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}
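
The log check in the last verification step can be scripted over an exported log stream. The following is an added example, not Secureworks code: it groups the function's JSON log lines by invocation and reports whether the upload message shown above appeared without any problem-level entries. The sample stream, the request IDs, the error message, and the problem level names are constructed assumptions.

```python
import json

UPLOAD_MESSAGE = "Uploading data to s3"       # message text shown on this page
PROBLEM_LEVELS = {"error", "fatal", "panic"}  # assumed level names, not from the page

# Constructed log stream: platform START/END/REPORT lines around JSON function lines.
# Request IDs and the error message are made up for illustration.
SAMPLE = """\
START RequestId: 00000000-0000-0000-0000-000000000001 Version: $LATEST
{"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}
END RequestId: 00000000-0000-0000-0000-000000000001
REPORT RequestId: 00000000-0000-0000-0000-000000000001 Duration: 120.00 ms
START RequestId: 00000000-0000-0000-0000-000000000002 Version: $LATEST
{"level":"error","time":"2023-11-15T19:28:02Z","message":"constructed example failure"}
END RequestId: 00000000-0000-0000-0000-000000000002
"""

def summarize(log_text):
    """Group JSON log lines by invocation: {request_id: {"uploaded", "problems"}}."""
    invocations, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("START RequestId:"):
            current = line.split()[2]
            invocations[current] = {"uploaded": False, "problems": []}
            continue
        if current is None or not line.startswith("{"):
            continue  # platform END/REPORT lines, or output before the first START
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON output
        if event.get("message") == UPLOAD_MESSAGE:
            invocations[current]["uploaded"] = True
        if str(event.get("level", "")).lower() in PROBLEM_LEVELS:
            invocations[current]["problems"].append(event.get("message", ""))
    return invocations

def trigger_verified(log_text):
    """True when some invocation uploaded and no invocation logged a problem."""
    runs = summarize(log_text).values()
    return any(r["uploaded"] for r in runs) and not any(r["problems"] for r in runs)

if __name__ == "__main__":
    for request_id, result in summarize(SAMPLE).items():
        print(request_id, result)
    print("verified:", trigger_verified(SAMPLE))
```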

 
