
Amazon AWS Lambda Update

The following instructions are for updating the Secureworks® Taegis™ XDR Lambda function used in the following integrations:

  • AWS CloudTrail
  • AWS CloudWatch Logs
  • Amazon Application Load Balancer (ALB)
  • Amazon VPC Flow Logs
  • AWS Web Application Firewall
  • Cisco Umbrella
  • Any integration that sends log files to the File Upload API using the XDR Lambda function.

Download Files from XDR

  1. From the Taegis Menu, select Integrations → Cloud APIs.
  2. Select the Download Integration icon for any active Lambda deployment.

    Download Integration Button

  3. Select Download CloudFormation Shared Resources and save it as taegis-cloudformation-shared-resources.yaml.

  4. Select Download CloudFormation Lambda Template and save it as taegis-cloudformation-lambda-template.yaml.
  5. Select Download Lambda; the file should be named taegis-lambda-amd64.zip.
  6. Select Download Credentials.

    Download Lambda Integration Files

Update in Each AWS Region that Contains the Existing Lambda Deployment

Important

Repeat the following steps (1-30) for all the existing Lambda deployments in all AWS regions.

Upload the Lambda Executable and CloudFormation Templates to S3

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Storage section, select S3.
  3. Create a new bucket or locate an existing bucket in which to store the Lambda executable and, optionally, the CloudFormation templates. The bucket does not need to be public, versioned, or encrypted.
  4. Upload the Lambda taegis-lambda-amd64.zip to the root of the bucket and take note of the bucket name.
  5. Optionally upload taegis-cloudformation-shared-resources.yaml and taegis-cloudformation-lambda-template.yaml to the same bucket.

    Tip

    Take note of the bucket name and the key, including any prefix. These identifiers are needed when you create a stack.

Update the Current Running Lambda Stack

  1. Log in to the AWS Console for the region (e.g., https://us-east-1.console.aws.amazon.com/cloudformation) with an account that has permissions to create roles, lambdas, secrets, and policies, or using a role that can assume another role with these permissions.
  2. In the Management and Governance section, select CloudFormation.
  3. Select the button for the existing XDR Lambda CloudFormation stack.

    Note

    During the initial Lambda deployment, any string could be used to name the Lambda CloudFormation stack. The default CloudFormation template description may be helpful in identifying the existing Lambda CloudFormation stack. For example, “This CloudFormation template deploys the SecureWorks TDR Lambda function for <integration name> logs stored in an S3 bucket.” where <integration name> is, for example, awscloudtrail.

  4. From the top right, select Update.

    Update Lambda Stack

  5. Select Replace current template.

    Replace Existing Lambda Stack

  6. Either Upload a template file and choose taegis-cloudformation-lambda-template.yaml, or if you uploaded the template to an S3 bucket, use the Amazon S3 URL option.

  7. Select Next.

Make the Updates to the Current Running Lambda Stack

  1. The field IntegrationType does not need to be changed.

  2. The field NotificationBucket does not need to be changed.

  3. The field SNSNotificationarn does not need to be changed, unless you wish to use SNS notifications going forward instead of S3 notifications.
  4. The field NotificationBucketCustomerManagedKMSarn does not need to be changed, unless you wish to add the ARN of the KMS key that encrypts the objects in the NotificationBucket. The KMS key policy must include Enable IAM User Permissions; if it does not, the Lambda ARN can be added to your KMS key policy instead.
  5. The field TaegisLambdaS3BucketName should be the bucketName specified in the Upload the Lambda Executable and CloudFormation Templates to S3 section.
  6. The field LambdaEnvKMSarn can be left empty. If populated, the KMS key must have Enable IAM User Permissions.
  7. The remaining fields can be left at their defaults.
  8. Select Next.

Complete Remaining Stack Options

  1. On the Configure stack options page, accept the defaults and click Next.
  2. Review the stack changes. The Action, Logical ID, Resource type and Replacement values should match the following:

    CloudFormation Change Set Preview

  3. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox and choose Submit.
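The two sections above amount to one change-set request: every existing stack parameter keeps its current value except TaegisLambdaS3BucketName, the optional ARN fields are only accepted when well-formed, and the resulting change set is reviewed before it is executed. The script below is an added example, not Secureworks' code or part of the published templates. It builds the equivalent `aws cloudformation create-change-set` invocation from the parameter names listed on this page and flattens `describe-change-set` output into the Action / Logical ID / Resource type / Replacement columns the review step asks you to compare. The stack name, bucket name and template URL in the `__main__` block are constructed placeholders, and the `CAPABILITY_IAM` capability is assumed to be the CLI counterpart of the console's IAM acknowledgement checkbox.

```python
"""Added example (not Secureworks' code): build and sanity-check the CloudFormation
change-set request that mirrors the console steps for updating the XDR Lambda stack."""
import json
import re
import shlex
from typing import Dict, List, Optional, Sequence

# Field names are the ones listed on this page. Only the Lambda bucket takes a new
# value; the three ARN fields are optional; every other field keeps its value.
LAMBDA_BUCKET_FIELD = "TaegisLambdaS3BucketName"
OPTIONAL_ARN_FIELDS = (
    "SNSNotificationarn",
    "NotificationBucketCustomerManagedKMSarn",
    "LambdaEnvKMSarn",
)

# arn:partition:service:region:account-id:resource (region may be empty for global services)
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:\d{12}:.+$")
# S3 bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens; not IP-shaped
BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_overrides(overrides: Dict[str, Optional[str]]) -> None:
    """Reject overrides that do not follow the rules in the 'Make the Updates' section."""
    bucket = overrides.get(LAMBDA_BUCKET_FIELD)
    if not bucket or not BUCKET_RE.match(bucket):
        raise ValueError(f"{LAMBDA_BUCKET_FIELD} must name the bucket holding taegis-lambda-amd64.zip")
    for key, value in overrides.items():
        if key == LAMBDA_BUCKET_FIELD:
            continue
        if key not in OPTIONAL_ARN_FIELDS:
            raise ValueError(f"{key} should keep its current value, not be overridden")
        if value and not ARN_RE.match(value):
            raise ValueError(f"{key} is not a well-formed ARN: {value!r}")


def build_parameters(current_keys: Sequence[str], overrides: Dict[str, Optional[str]]) -> List[dict]:
    """One entry per existing stack parameter (as returned by describe-stacks):
    a new value where overridden, UsePreviousValue=true otherwise, which is the
    CLI equivalent of leaving a console field unchanged."""
    validate_overrides(overrides)
    unknown = set(overrides) - set(current_keys)
    if unknown:
        raise ValueError(f"stack has no parameter(s) {sorted(unknown)}")
    params = []
    for key in current_keys:
        value = overrides.get(key)
        if value:
            params.append({"ParameterKey": key, "ParameterValue": value})
        else:
            params.append({"ParameterKey": key, "UsePreviousValue": True})
    return params


def overrides_accepted(current_keys: Sequence[str], overrides: Dict[str, Optional[str]]) -> bool:
    """True if build_parameters would accept these overrides, False otherwise."""
    try:
        build_parameters(current_keys, overrides)
        return True
    except ValueError:
        return False


def build_change_set_command(stack_name: str, change_set_name: str, template_url: str,
                             current_keys: Sequence[str], overrides: Dict[str, Optional[str]]) -> List[str]:
    """argv for `aws cloudformation create-change-set`. Review the change set with
    describe-change-set, then execute-change-set, just as the console's Submit does."""
    params = build_parameters(current_keys, overrides)
    return [
        "aws", "cloudformation", "create-change-set",
        "--stack-name", stack_name,
        "--change-set-name", change_set_name,
        "--template-url", template_url,
        "--parameters", json.dumps(params),
        # Assumed CLI counterpart of the IAM acknowledgement checkbox; add
        # CAPABILITY_NAMED_IAM if the CLI reports the template names its IAM resources.
        "--capabilities", "CAPABILITY_IAM",
    ]


def summarize_change_set(describe_output: dict) -> List[dict]:
    """Flatten describe-change-set output to the columns the review step compares:
    Action, Logical ID, Resource type, Replacement ('-' where CloudFormation omits it)."""
    rows = []
    for change in describe_output.get("Changes", []):
        rc = change.get("ResourceChange", {})
        rows.append({
            "Action": rc.get("Action"),
            "LogicalId": rc.get("LogicalResourceId"),
            "ResourceType": rc.get("ResourceType"),
            "Replacement": rc.get("Replacement", "-"),
        })
    return rows


def needs_attention(rows: List[dict]) -> List[dict]:
    """Rows worth a second look before executing: deletions and resource replacements."""
    return [r for r in rows if r["Action"] == "Remove" or r["Replacement"] == "True"]


if __name__ == "__main__":
    # Constructed placeholders: take real keys from describe-stacks and your own bucket.
    current = ["IntegrationType", "NotificationBucket", "SNSNotificationarn",
               "NotificationBucketCustomerManagedKMSarn", LAMBDA_BUCKET_FIELD, "LambdaEnvKMSarn"]
    cmd = build_change_set_command(
        "example-taegis-lambda-stack", "taegis-lambda-update",
        "https://example-bucket.s3.amazonaws.com/taegis-cloudformation-lambda-template.yaml",
        current, {LAMBDA_BUCKET_FIELD: "example-bucket"})
    print(shlex.join(cmd))
```

If you uploaded the template file instead of storing it in S3, swap `--template-url` for `--template-body file://taegis-cloudformation-lambda-template.yaml`. The `needs_attention` filter is there because a `Remove` action or `Replacement: True` on the Lambda function or its role means a new physical resource, which would invalidate the S3 trigger you re-add in the verification steps.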

Verification Steps

  1. In the AWS console for the region (e.g., https://us-east-1.console.aws.amazon.com/), navigate to Amazon S3 (e.g. https://s3.console.aws.amazon.com/s3/home?region=us-east-2), and select the S3 bucket where logs are hosted (Notification Bucket).

    S3 Bucket Properties

  2. Navigate to the Event notifications section. If a Lambda function exists, select and delete it.

    S3 Event Notification

  3. Navigate to the Lambda service, select the recently updated Lambda function (e.g. lab-network-lambda-scwx-tdr-lambda-awscloudtrail), and add the S3 trigger.

  4. Verify Lambda Runtime settings. The Runtime value should be Custom runtime on Amazon Linux 2.

    Verify Lambda Runtime Settings

  5. See Test AWS Lambda Logs to verify that the AWS Lambda function for your integration is working by configuring a test for it in the AWS Console.

  6. In the AWS console, go to the Lambda function that was installed. If there is an error, select Fix errors.

    Fix Lambda Errors

  7. See View AWS Lambda Logs to view logs generated by your AWS Lambda functions and verify successful uploads. This confirms the trigger is working, assuming new S3 data is being published to the bucket.

    {"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}
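Steps 2, 3, 4 and 7 above can be checked from the API output rather than by eye: the bucket's notification configuration should contain exactly one Lambda notification pointing at the updated function (anything else is the stale entry step 2 says to delete), the function's runtime identifier should be the one the console displays as Custom runtime on Amazon Linux 2, and the function's log stream should contain the upload message quoted above. The script below is an added example, not Secureworks' code. It assumes the JSON shapes returned by `aws s3api get-bucket-notification-configuration`, `aws lambda get-function-configuration` and the function's CloudWatch log lines, and that runtime id `provided.al2` is what the console labels Custom runtime on Amazon Linux 2. Every sample input is constructed except the log line quoted from the page; the function ARN reuses the example function name from step 3 with a placeholder account id.

```python
"""Added example (not Secureworks' code): offline checks for the post-update
verification steps, run over API output captured with the AWS CLI."""
import json
from typing import Dict, Iterable, List

# Assumed mapping: the console's "Custom runtime on Amazon Linux 2" is runtime id provided.al2.
EXPECTED_RUNTIME = "provided.al2"


def check_s3_trigger(notification_config: dict, function_arn: str) -> List[str]:
    """Steps 2-3: the updated function must receive ObjectCreated events, and no
    other Lambda notification (the stale one) should remain on the bucket."""
    problems = []
    configs = notification_config.get("LambdaFunctionConfigurations", [])
    current = [c for c in configs if c.get("LambdaFunctionArn") == function_arn]
    stale = [c for c in configs if c.get("LambdaFunctionArn") != function_arn]
    if not current:
        problems.append("no S3 event notification targets the updated function")
    for c in stale:
        problems.append(f"stale notification {c.get('Id')} -> {c.get('LambdaFunctionArn')}")
    for c in current:
        if not any(e.startswith("s3:ObjectCreated") for e in c.get("Events", [])):
            problems.append(f"notification {c.get('Id')} does not fire on object creation")
    return problems


def check_runtime(function_config: dict) -> List[str]:
    """Step 4: the Runtime value the page expects."""
    runtime = function_config.get("Runtime")
    if runtime == EXPECTED_RUNTIME:
        return []
    return [f"runtime is {runtime!r}, expected {EXPECTED_RUNTIME!r}"]


def summarize_lambda_logs(lines: Iterable[str]) -> Dict[str, object]:
    """Step 7: count upload messages, keep error entries, and skip the non-JSON
    START/END/REPORT lines that the Lambda platform itself writes."""
    summary: Dict[str, object] = {"uploads": 0, "last_upload": None, "errors": [], "unparsed": 0}
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            summary["unparsed"] += 1
            continue
        if not isinstance(entry, dict):
            summary["unparsed"] += 1
            continue
        level = str(entry.get("level", "")).lower()
        message = str(entry.get("message", ""))
        if level == "error":
            summary["errors"].append(entry)
        if message.lower().startswith("uploading data to s3"):
            summary["uploads"] += 1
            summary["last_upload"] = entry.get("time")
    return summary


# Constructed sample inputs. The function name is the example from step 3;
# the account id is a placeholder.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:lab-network-lambda-scwx-tdr-lambda-awscloudtrail"
STALE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:old-trigger-placeholder"
SAMPLE_NOTIFICATION_CONFIG = {
    "LambdaFunctionConfigurations": [
        {"Id": "taegis-upload", "LambdaFunctionArn": FUNCTION_ARN, "Events": ["s3:ObjectCreated:*"]},
        {"Id": "old-trigger", "LambdaFunctionArn": STALE_ARN, "Events": ["s3:ObjectCreated:*"]},
    ]
}
SAMPLE_FUNCTION_CONFIG = {"FunctionName": "lab-network-lambda-scwx-tdr-lambda-awscloudtrail",
                          "Runtime": "provided.al2"}
SAMPLE_LOG_LINES = [
    "START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST",   # constructed platform line
    '{"level":"debug","time":"2023-11-15T19:27:19Z","message":"Uploading data to s3"}',  # line quoted on the page
    '{"level":"error","time":"2023-11-15T19:27:21Z","message":"constructed sample error"}',  # constructed
    "END RequestId: 00000000-0000-0000-0000-000000000000",                      # constructed platform line
]


def run_all(notification_config: dict, function_config: dict, log_lines: Iterable[str],
            function_arn: str) -> Dict[str, object]:
    """All verification findings in one place; an empty problems list and
    uploads > 0 with no errors is the state the page describes as working."""
    summary = summarize_lambda_logs(log_lines)
    problems = check_s3_trigger(notification_config, function_arn) + check_runtime(function_config)
    if summary["uploads"] == 0:
        problems.append("no 'Uploading data to s3' entries yet; wait for new objects in the bucket")
    return {"problems": problems, "log_summary": summary}


if __name__ == "__main__":
    print(json.dumps(run_all(SAMPLE_NOTIFICATION_CONFIG, SAMPLE_FUNCTION_CONFIG,
                             SAMPLE_LOG_LINES, FUNCTION_ARN), indent=2))
```

In practice, feed `check_s3_trigger` the output of `aws s3api get-bucket-notification-configuration --bucket <NotificationBucket>`, `check_runtime` the output of `aws lambda get-function-configuration --function-name <name>`, and `summarize_lambda_logs` the event messages from the function's CloudWatch log group; a zero upload count is not by itself a failure, since the page notes the trigger only fires once new data lands in the bucket.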