Remove Cloud Permissions
Secureworks integrations use a least-privilege model: the permissions requested give Secureworks read-only access to the data set being integrated. When an integration is deleted, Secureworks removes any credentials it was sent and stops collecting data, but access configurations stored externally must be removed manually. This document outlines how to manually remove the permissions and configurations that allow Secureworks access to cloud data.
AWS
AWS integrations use an IAM role to push data via a Lambda function. Because these artifacts are created via CloudFormation, deleting the CloudFormation stack removes all of them. Before deleting the CloudFormation stack, any triggers associated with the Lambda function must be removed.
To delete a CloudFormation stack:
- Access the AWS Console.
- Browse to your Lambda services.
- Select Lambda and find the related Lambda function. The name should be `stackname-scwx-tdr-lambda-for-integrationName`, where stackName is the name of your stack, like `cloudtrail-corp`, and integrationName is the name of your AWS integration, like `awscloudtrail`.
- Remove the trigger associated with the Lambda function.
- Search for the CloudFormation stack that was created for the integration you wish to delete. The stack name was chosen by the user at the time of deployment.
- Select the CloudFormation stack by selecting the stack name.
- Select Delete.
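A pre-deletion check for the trigger requirement above, as an added example that is not Secureworks code: it parses the JSON printed by `aws lambda get-policy` and `aws lambda list-event-source-mappings` and lists whatever can still invoke the function. The sample data, Sid and bucket name are constructed, and treating resource-policy invoke grants as triggers is this example's assumption.

```python
import json
import re

# Naming pattern given on this page: <stackName>-scwx-tdr-lambda-for-<integrationName>
NAME_RE = re.compile(r"^(?P<stack>.+)-scwx-tdr-lambda-for-(?P<integration>.+)$")
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}


def parse_function_name(name):
    """Return (stackName, integrationName) if the name fits the pattern, else None."""
    m = NAME_RE.match(name)
    return (m.group("stack"), m.group("integration")) if m else None


def remaining_triggers(policy_output, mappings_output):
    """List triggers still attached to a function, from the two CLI JSON outputs."""
    found = []
    # get-policy returns the resource policy as a JSON string under "Policy".
    # Each Allow statement for lambda:InvokeFunction lets a service push events.
    policy = json.loads(policy_output.get("Policy") or "{}")
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        allowed = any(a.lower() in INVOKE_ACTIONS for a in actions)
        if stmt.get("Effect") != "Allow" or not allowed:
            continue
        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else principal
        source = None
        for operands in stmt.get("Condition", {}).values():
            for key, value in operands.items():
                if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                    source = value
        found.append(("policy", stmt.get("Sid"), service, source))
    # Poll-based sources (SQS, Kinesis, DynamoDB streams) are event source mappings.
    for m in mappings_output.get("EventSourceMappings", []):
        if m.get("State") != "Deleting":
            found.append(("mapping", m.get("UUID"), None, m.get("EventSourceArn")))
    return found


# Constructed sample: one S3 invoke grant left on the function, no mappings.
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "example-s3-invoke", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
    "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-cloudtrail-bucket"}},
}]})}
SAMPLE_MAPPINGS = {"EventSourceMappings": []}
```

An empty result means nothing is left attached and the stack can be deleted; pass `{}` as the policy output when `get-policy` reports that the function has no resource policy.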
Microsoft Office 365 and Azure
Microsoft Office 365 and Azure integrations leverage an application consent process to permit Secureworks access to data. Performing consent during the integration copies the application permission manifest into a security principal in the Azure tenant that is being integrated. This local security principal can be deleted to remove access.
To delete a security principal:
- From the Azure Portal, navigate to the Enterprise Applications services screen.
- Search for the application that was integrated. Use the following table to aid in searching:

| Secureworks integration | Application ID | Application Name |
| --- | --- | --- |
| Microsoft 365 | d020ee65-6aec-47ff-b18f-7424c8a631df | RC-TDR - Office 365 |
| Microsoft Azure Active Directory | e6f06a01-1202-4e41-86d4-6a0cb45011e3 | RC-TDR - Azure AD Audit |
| Microsoft Graph Security | cc4b19d5-2bcf-48d0-9633-fc1725d4f484 | RC-TDR - Graph Security |
| Microsoft Azure Activity | US1: 4fdc73d3-9fdf-4b9a-95f0-0f2063ded53b; US2: 392cab40-8474-4fa9-a108-9ce447bf8c18; EU: 1f053f92-4e1d-4332-ba17-0f7d2ae322f3 | Secureworks Taegis - Azure Activity Logs Integration |

- Select the service principal. Navigate to Manage > Properties and select Delete.
Okta
XDR obtains logs from Okta through an application created using the client credential grant flow.
To remove the Okta API integration completely, you must: