Configure S3 Ingest - Secureworks-Managed
The following instructions are for configuring the S3 Ingest - Secureworks-Managed transport to facilitate ingestion from data sources that can send logs to an AWS S3 bucket. S3 Ingest - Secureworks-Managed does not require XDR customers to own or maintain the S3 bucket(s) to which logs are sent.
Gather Required Information
Important
This information should be provided by the data source vendor.
- The AWS IAM identity (IAM User, Canonical User ID, or IAM Role) of the data source.
Complete the Integration in XDR
XDR supports two types of AWS S3 ingest integrations:
- The data source vendor requires an ownership challenge token to be sent to the S3 destination.
- The data source vendor DOES NOT require an ownership challenge token to be sent to the S3 destination.
Ownership Challenge Token is Required
- From the Taegis Menu, select Integrations → Cloud APIs.
- Select Add an Integration from the top of the page.
- Select the Custom tab, and select Setup from the S3 Ingest - Secureworks-Managed (with ownership token challenge) section.
- Enter a name for the integration.
- Choose the appropriate identity type (IAM User, Canonical User ID, or IAM Role) for the data source and enter the corresponding value (this information should be provided by the data source vendor).
- Select Done.
Ownership Challenge Token is NOT Required
- From the Taegis Menu, select Integrations → Cloud APIs.
- Select Add an Integration from the top of the page.
- Select the Custom tab, and select Setup from the S3 Ingest - Secureworks-Managed (without ownership token challenge) section.
- Enter a name for the integration.
- Choose the appropriate identity type (IAM User, Canonical User ID, or IAM Role) for the data source and enter the corresponding value (this information should be provided by the data source vendor).
- Select Done.
Integration Scenarios
This section provides the integration parameters provided by XDR for use in the data source portion of the integration. The possible integration parameters differ based on the ownership challenge token requirement and the identity type being used.
Find these parameters by opening the integration created in the preceding section from the Cloud APIs table and selecting the Details tab.
Scenario 1: S3 Ingest - Secureworks-Managed (without ownership token challenge) using IAM User or Canonical User ID
Integration Parameter | Value |
---|---|
IAMUser / CanonicalUserID | The identity value provided during the creation of the XDR integration |
AccessPointAlias | On the data source side, enter this value for the S3 Bucket name |
AWSRegion | On the data source side, if the AWS Region is required, enter this value |
LogFolderPath | On the data source side, enter this value for the location (path) where logs should be sent |
Scenario 2: S3 Ingest - Secureworks-Managed (without ownership token challenge) using IAM Role
Integration Parameter | Value |
---|---|
IAMRole | The identity value provided during the creation of the XDR integration |
AccessPointAlias | On the data source side, enter this value for the S3 Bucket name |
AWSRegion | On the data source side, if the AWS Region is required, enter this value |
LogFolderPath | On the data source side, enter this value for the location (path) where logs should be sent |
IAMAssumeRole | On the data source side, enter this value for the Role ARN that the vendor has to assume |
Scenario 3: S3 Ingest - Secureworks-Managed (with ownership token challenge) using IAM User or Canonical User ID
Integration Parameter | Value |
---|---|
IAMUser / CanonicalUserID | The identity value provided during the creation of the XDR integration |
AccessPointAlias | On the data source side, enter this value for the S3 Bucket name |
AWSRegion | On the data source side, if the AWS Region is required, enter this value |
LogFolderPath | On the data source side, enter this value for the location (path) where logs should be sent |
OwnershipToken | On the data source side, use this value as the token to prove the ownership of the S3 bucket |
Scenario 4: S3 Ingest - Secureworks-Managed (with ownership token challenge) using IAM Role
Integration Parameter | Value |
---|---|
IAMUser / CanonicalUserID | This is the input entered by the tenant for creating the integration |
AccessPointAlias | On the data source side, enter this value for the S3 Bucket name |
AWSRegion | On the data source side, if the AWS Region is required, enter this value |
LogFolderPath | On the data source side, enter this value for the location (path) where logs should be sent |
IAMAssumeRole | On the data source side, enter this value for the Role ARN that the vendor has to assume |
OwnershipToken | On the data source side, use this value as the token to prove the ownership of the S3 bucket |
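
As an added example (not Secureworks or vendor code), the shell functions below show how a sender that uses the AWS CLI would map the parameters from the Details tab onto an upload: AccessPointAlias as the bucket name, LogFolderPath as the key prefix, AWSRegion as the region, and IAMAssumeRole through STS for the IAM Role scenarios. The function names, the session name and all sample values are assumptions made for illustration; OwnershipToken is not covered.

```sh
#!/bin/sh
# Added example: sender-side use of the integration parameters from the Details tab.
# Every value passed to these functions here is a constructed placeholder.

# Build the upload target. AccessPointAlias takes the place of the bucket name and
# LogFolderPath becomes the key prefix. The body runs in a subshell, so no variables leak.
build_dest_uri() (
  ap_alias=$1 prefix=${2#/} name=$3
  prefix=${prefix%/}
  case $ap_alias in
    *-s3alias) ;;   # S3 access point aliases carry this suffix
    *) echo "AccessPointAlias should end in -s3alias: $ap_alias" >&2; exit 1 ;;
  esac
  [ -n "$prefix" ] || { echo "LogFolderPath is empty" >&2; exit 1; }
  case $name in
    ""|*/*) echo "object name must be a bare file name" >&2; exit 1 ;;
  esac
  printf 's3://%s/%s/%s\n' "$ap_alias" "$prefix" "$name"
)

# IAM Role scenarios: assume the IAMAssumeRole ARN and export the temporary credentials.
assume_ingest_role() {   # args: IAMAssumeRole
  creds=$(aws sts assume-role --role-arn "$1" --role-session-name xdr-ingest-check \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  set -- $creds   # text output is three whitespace-separated fields
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Upload one local file to the log folder using the current credentials.
send_test_log() {   # args: AccessPointAlias AWSRegion LogFolderPath local_file
  dest=$(build_dest_uri "$1" "$3" "$(basename "$4")") || return 1
  aws s3 cp "$4" "$dest" --region "$2"
}

# Dry run with constructed values: prints the target URI without calling AWS.
build_dest_uri "example-ap-0123456789abcdef-s3alias" "/xdr/logs/" "sample.json"
```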