🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Lambda Migration

integrations cloud aws amazon lambda


The following instructions are for updating the Secureworks® Taegis™ XDR Lambda function used in the following integrations:

Download Files from XDR

  1. From the left-hand side navigation in XDR, select Integrations → Cloud APIs.
  2. Select the Download Integration icon for any any active Lambda deployments

Download Integration Button

Download Integration Button

  1. Select Download CloudFormation Shared Resources and save it as taegis-cloudformation-shared-resources.yaml.
  2. Select Download CloudFormation Lambda Template and save it as taegis-cloudformation-lambda-template.yaml.
  3. Select Download Lambda; the file should be named taegis-lambda-amd64.zip.
  4. Select Download Credentials.

Download Lambda Integration Files

Download Lambda Integration Files

Upload the Lambda Executable and CloudFormation Templates to S3

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Storage section, select S3.
  3. Create a new bucket or locate an existing bucket in which to store the Lambda executable and, optionally, the CloudFormation templates. The bucket does not need to be public, versioned, or encrypted.
  4. Upload the Lambda taegis-lambda-amd64.zip to the root of the bucket and take note of the bucket name.
  5. Optionally upload taegis-cloudformation-shared-resources.yaml and taegis-cloudformation-lambda-template.yaml to the same bucket.

Tip

Take note of the bucket name and the key, including any prefix. These identifiers are needed when you create a stack.

Update in Each AWS Region That Contains the Existing Lambda Deployment

Create a Shared Resources Stack in Each AWS Region That Contains a Lambda Deployment

Important

The Shared Resources Stack (Steps 1-11) only needs to be deployed once per AWS region.

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Management and Governance section, select CloudFormation.
  3. Select the Create Stack button to create a new stack using the taegis-cloudformation-shared-resources.yaml template provided.

Note

You might see a list of CloudFormation stacks when you select CloudFormation like the following image. If that is the case, select the Create Stack drop down and choose With new resources (standard).

Create New Stack

Create New Stack

  1. From the Prepare Template section, choose Template is ready.
  2. From the Specify Template section, choose Amazon S3 URL OR choose Upload a template file.

  3. If you choose Amazon S3 URL, input the CloudFormation object URL gathered previously into the Amazon S3 URL field. For example, https://cwl-poc.s3.amazonaws.com/taegis-cloudformation-shared-resources.yaml.

  4. Select Next.

  5. Enter an appropriate stack name.

Note

Spaces are not allowed in stack names.

  1. Enter the contents of the credentials.txt file into the SecretValue field.
  2. Select the correct TaegisRegion based off of your XDR login URL; for example, select ctpx if you use https://ctpx.secureworks.com/login or foxtrot if you use https://foxtrot.taegis.secureworks.com/.
  3. Select Next.
  4. On the Configure stack options page, the default selections and values can be accepted. Select Next.
  5. On the Review and create page, Select Submit.

Update the Current Running Lambda Stack

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Management and Governance section, select CloudFormation.
  3. Select the button for the existing XDR Lambda CloudFormation stack.

Note

During the intial Lambda deployment, any string could be used to name the Lambda CloudFormation stack. The default CloudFormation template description may be helpful in identifying the existing Lambda CloudFormation stack. For example, “This CloudFormation template deploys the SecureWorks TDR Lambda function for <integration name> logs stored in an S3 bucket.” where <integration name> is, for example, “awscloudtrail”

  1. From the top right, select Update.

Update Lambda Stack

Update Lambda Stack

  1. Select Replace current template.

Replace Existing Lambda Stack

Replace Existing Lambda Stack

  1. Either Upload a template file and choose taegis-cloudformation-lambda-template.yaml, or if you uploaded the template to an S3 bucket, use the Amazon S3 URL option.
  2. Select Next.

Make the Updates to the Current Running Lambda Stack

  1. Select IntegrationType from the dropdown. This describes what sort of log objects are in the NotificationBucket. If more than one type, or you are not sure, select generic.

Update Lambda Stack Integration Type

Update Lambda Stack Integration Type

  1. The field NotificationBucket does not need to be changed.
  2. The field SNSNotificationarn does not need to be changed, unless you wish to use SNS notifications going forward instead of S3 notifications.
  3. The field NotificationBucketCustomerManagedKMSarn does not need to be changed, unless you wish to add the KMS key ARN that may be encrypting the objects in the NotificationBucket. The KMS key policy must have Enable IAM User Permissions. If not, the Lambda ARN can be added to your KMS key.
  4. The field TeagisLambdaS3BucketName should be the bucketName specified in the Upload the Lambda Executable and CloudFormation Templates to S3 section.
  5. The field LambdaEnvKMSarn can be left empty. If populated, the KMS key must have Enable IAM User Permissions.
  6. The remaining fields can be left at their defaults.
  7. Select Next.

Complete Remaining Stack Options

  1. On the Configure stack options page, accept the defaults and click Next.
  2. Review the stack changes. The Action, Logical ID, Resource type and Replacement values should match the following:

CloudFormation Change Set Preview

CloudFormation Change Set Preview

  1. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox and choose Submit.

Verification Steps

  1. In the AWS console for the region (e.g., https://us-east-1.console.aws.amazon.com/), navigate to Amazon S3 (e.g. https://s3.console.aws.amazon.com/s3/home?region=us-east-2), and select the S3 bucket where logs are hosted (Notification Bucket).

S3 Bucket Properties

S3 Bucket Properties

  1. Navigate to the Event notifications section. If a Lambda function exists, select and delete it.

S3 Event Notification

S3 Event Notification

  1. Navigate to the Lambda service, select the recently updated Lambda function (e.g. lab-network-lambda-scwx-tdr-lambda-awscloudtrail), and add the S3 trigger.

  2. Verify Lambda Runtime settings. The Runtime value should be Custom runtime on Amazon Linux 2.

Verify Lambda Runtime Settings

Verify Lambda Runtime Settings

  1. See Test AWS Lambda Logs to verify that the AWS Lambda function for your integration is working by configuring a test for it in the AWS Console.

  2. In the AWS console, go to the Lambda function that was installed. If there is an error, select Fix errors.

Fix Lambda Errors

Fix Lambda Errors

  1. See View AWS Lambda Logs to view logs generated by your AWS Lambda functions and verify successful uploads. This verifies the trigger is working, on the assumption there is new S3 data being published to the bucket.

{"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}

 

On this page: