S3 Event Archiving
The S3 Event Archiving feature allows you to copy event data from the Secureworks® Taegis™ XDR AWS S3 datastore to another datastore located in the same AWS region as the Secureworks® Taegis™ datastore. This is supported in all Taegis instances. Our US1 and US2 instances map to the AWS us-east-2 region, our US3 instance maps to the AWS us-west-2 region, and the EU instance maps to the AWS eu-central-1 region. This feature is enabled or disabled on a per-tenant basis as described below. The following requirements and constraints apply to enabling the feature.
Requirements and Constraints
- The XDR platform only supports copying event data to another AWS S3 bucket controlled by the customer. Copies to other platform datastores, such as Azure and Google Cloud, are not supported at this time.
- The data being copied from the XDR S3 bucket includes event data from all sources. This is an all-or-nothing copy with no configurable exclusion list for events at this time.
- The copy occurs in near real time with a maximum delay of 30 minutes. When turning on S3 Event Archiving, the first set of file copies can occur with a delay of up to 90 minutes.
- Copies are only permitted within the same region as the XDR instance housing the event data.
- Only users with the Tenant Administrator privilege level of access may enable or disable this feature.
- The event archival feature cannot 'back copy' data at this time. Data is copied from the day the feature is enabled and going forward.
- If a copy fails, retries are attempted starting at about a five-minute interval and will continue until the data is successfully copied.
Enable S3 Event Archiving
To enable S3 Event Archiving for your tenant, as an Administrator, follow these steps:
- From the Taegis Menu, select Integrations → Cloud APIs.
- Select Add an Integration from the top of the page.
- From the Optimized tab, choose AWS.
- From the S3 Event Archiving section, select Setup.
- Follow the embedded instructions within XDR on the Set up S3 Event Archiving page to complete the enablement process. This requires setting up an AWS S3 bucket in the same region as the XDR S3 bucket and creating an IAM role that grants XDR permission to copy the files into that bucket. Once registration is complete, event archiving starts in approximately 15-20 minutes, after which the files are available in your S3 bucket.
Important
Copies are only permitted within the same region as the XDR instance housing the event data. At this time, us-east-2 (US1 and US2 instances), us-west-2 (US3 instance), and eu-central-1 (EU instance) regions are supported.
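
A pre-flight check for the region constraint above, as an added example that is not part of the Secureworks documentation. It assumes the AWS CLI is installed and configured with read access to the destination bucket; the function names and the bucket name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for S3 Event Archiving: the destination bucket must be in
# the AWS region that hosts your Taegis XDR instance.

# Map a Taegis instance name to its AWS region (mapping taken from this page).
taegis_region() {
    case "$1" in
        US1|US2) echo "us-east-2" ;;
        US3)     echo "us-west-2" ;;
        EU)      echo "eu-central-1" ;;
        *)       echo "unknown instance: $1" >&2; return 2 ;;
    esac
}

# Normalize the LocationConstraint reported by `aws s3api get-bucket-location`.
# us-east-1 buckets report None/null; the legacy value "EU" means eu-west-1.
normalize_location() {
    case "$1" in
        ""|None|null) echo "us-east-1" ;;
        EU)           echo "eu-west-1" ;;
        *)            echo "$1" ;;
    esac
}

# Compare the region required by the instance with the bucket's location.
# Returns 0 on match, 1 on mismatch, 2 on an unknown instance name.
check_region() {
    want=$(taegis_region "$1") || return 2
    have=$(normalize_location "$2")
    if [ "$want" = "$have" ]; then
        echo "OK: bucket is in $have"
    else
        echo "MISMATCH: $1 requires $want, bucket is in $have"
        return 1
    fi
}

# Query the real bucket location with the AWS CLI, then run the check.
# Usage: preflight US1 my-archive-bucket   (bucket name is a placeholder)
preflight() {
    loc=$(aws s3api get-bucket-location --bucket "$2" \
            --query LocationConstraint --output text) || return 3
    check_region "$1" "$loc"
}
```

Run `preflight` before registering the bucket in XDR; a non-zero exit status means the bucket is in the wrong region or could not be queried.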