EDR OCSF Ingest Integration Guide
Use the following instructions to configure an integration between an EDR product and Secureworks® Taegis™ XDR using the industry-standard OCSF (Open Cybersecurity Schema Framework) data format.
To use this integration, the EDR product must be able to upload batches of OCSF events to an Amazon S3 bucket. The batches must be in JSON Lines format, also known as newline-delimited JSON, and compressed with gzip.
Data Provided from Integration
Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | Generic |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
EDR OCSF Ingest | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Gather Required Information
Important
This information should be provided by the EDR vendor, such as HarfangLab.
- Name of the EDR vendor
- Unique identifier of your tenant within the EDR vendor
- Identifier of the AWS principal used by the EDR product; one of the following is supported:
  - IAM User ARN — Example: arn:aws:iam::123456789012:user/MyEDR
  - Canonical User ID — Example: 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be
  - IAM Role ARN — Example: arn:aws:iam::123456789012:role/MyEDR
Create EDR OCSF Ingest Integration in XDR
- From the Taegis Menu, navigate to Integrations > Cloud APIs, then select Add an Integration.
- Select the Custom tab.
- In the EDR OCSF Ingest section, select Setup.
- Enter a name for the integration.
- Enter the name of the EDR vendor.
- Enter the unique identifier of your tenant within the EDR vendor.
- Choose the appropriate type of AWS principal—IAM User, Canonical User ID, or IAM Role—for the EDR product and enter the corresponding identifier. This information should be provided by the EDR vendor.
- Select Done.
- Select the new integration in the Cloud API Integrations table, then select the Details tab.
- Note the value of the following integration parameters:
  - AccessPointAlias
  - AWSRegion
  - IAMAssumeRole (if the EDR product uses an IAM Role)
Configure OCSF Export in EDR Product
- Follow your EDR vendor's instructions to configure an OCSF event export. Use the integration parameters obtained in the previous section as follows.
Integration Parameter | Usage |
---|---|
AccessPointAlias | The S3 bucket name |
AWSRegion | The AWS region of the S3 bucket (if required) |
IAMAssumeRole | The IAM role that the EDR product has to assume (if the EDR product uses an IAM Role) |
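The exporter side of the contract this guide describes, as an added example that is not part of this guide or of any EDR product: it packs OCSF events as gzip-compressed JSON Lines, checks that a batch parses back into well-formed events before it leaves, and uploads it to the AccessPointAlias bucket, assuming IAMAssumeRole when one is set. The sample events, the object key layout and the minimal field check (class_uid, time, metadata.version) are assumptions, not the full OCSF schema.

```python
import gzip
import io
import json
import time
import uuid

# Constructed sample OCSF events (Process Activity, class_uid 1007); shape is illustrative only.
SAMPLE_EVENTS = [
    {"class_uid": 1007, "category_uid": 1, "activity_id": 1, "time": 1700000000000, "severity_id": 1,
     "metadata": {"version": "1.1.0", "product": {"vendor_name": "ExampleEDR"}},
     "process": {"name": "cmd.exe", "pid": 4242}},
    {"class_uid": 1007, "category_uid": 1, "activity_id": 2, "time": 1700000001000, "severity_id": 1,
     "metadata": {"version": "1.1.0", "product": {"vendor_name": "ExampleEDR"}},
     "process": {"name": "cmd.exe", "pid": 4242}},
]

def pack_ocsf_batch(events):
    """Serialize events as JSON Lines (one compact JSON object per line) and gzip the result."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        for ev in events:
            if not isinstance(ev, dict):
                raise TypeError("each OCSF event must be a JSON object")
            # Compact JSON contains no raw newlines, so one record never spans two lines.
            gz.write(json.dumps(ev, separators=(",", ":")).encode("utf-8") + b"\n")
    return buf.getvalue()

def unpack_ocsf_batch(blob):
    """Decompress a batch and parse it line by line; minimal OCSF base-event field check (assumed)."""
    events = []
    with gzip.GzipFile(fileobj=io.BytesIO(blob), mode="rb") as gz:
        for lineno, raw in enumerate(gz, start=1):
            line = raw.rstrip(b"\n")
            if not line:
                continue  # tolerate a trailing blank line
            ev = json.loads(line)
            meta = ev.get("metadata") if isinstance(ev, dict) else None
            if not isinstance(meta, dict) or "class_uid" not in ev or "time" not in ev or "version" not in meta:
                raise ValueError(f"line {lineno}: not a valid OCSF base event")
            events.append(ev)
    return events

def upload_batch(blob, access_point_alias, region, assume_role_arn=None):
    """Put one gzip JSONL batch to the integration's S3 access point alias (hypothetical key layout).
    Needs boto3 and AWS credentials, so it is not exercised offline."""
    import boto3
    session = boto3.Session(region_name=region)
    if assume_role_arn:  # IAMAssumeRole from the integration's Details tab
        c = session.client("sts").assume_role(RoleArn=assume_role_arn, RoleSessionName="edr-ocsf-export")["Credentials"]
        session = boto3.Session(aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"],
                                aws_session_token=c["SessionToken"], region_name=region)
    key = f"ocsf/{time.strftime('%Y/%m/%d')}/{uuid.uuid4()}.jsonl.gz"
    session.client("s3").put_object(Bucket=access_point_alias, Key=key, Body=blob,
                                    ContentType="application/x-ndjson", ContentEncoding="gzip")
    return key
```

Call `upload_batch(pack_ocsf_batch(events), "<AccessPointAlias>", "<AWSRegion>", "<IAMAssumeRole or None>")` with the values noted from the integration's Details tab.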