
HTTP Ingest Transport Method Overview

Summary

In certain scenarios, security telemetry is generated as a continuous stream rather than in periodic batches, allowing for near real-time analysis and inspection of potential threats. In these scenarios, a more direct per-message integration with Secureworks® Taegis™ XDR is ideal.

XDR HTTP Ingest enables a customer to post security-relevant logs in a streaming fashion.

Because XDR HTTP Ingest accepts logs as a stream rather than in batches, emerging threats can be monitored and inspected in near real time, improving response to potential security incidents. The streaming model also widens the platform's integration scope, making it compatible with applications and systems that require this real-time approach to logging.

Reference Architecture

HTTP Ingest Reference Architecture

Example Scenario

The local IT security team uses a cloud-based service whose API exposes audit logs of user actions. A scheduled job calls the API on a regular basis and retrieves all newly audited user actions. A customized script then posts each retrieved message to XDR as it is collected, giving near real-time ingest of the audited actions into XDR.
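The polling-and-forwarding script in this scenario, sketched as an added Python example that is not Secureworks code: the `post` callable stands in for the HTTP request to the XDR HTTP Ingest endpoint (its URL, authentication header and exact response codes are assumptions here; the API guide is the authority), and `SAMPLE_AUDIT_EVENTS` is constructed input in place of the cloud API. It shows the part that matters for streaming delivery: the checkpoint advances only after a successful post, transient responses (429/5xx) are retried with backoff, and a rejected request stops the stream without losing records.

```python
import json
import time
from typing import Callable, Iterable

# Constructed sample of what one poll of a cloud audit API might return (not a real API response).
SAMPLE_AUDIT_EVENTS = [
    {"id": "evt-1", "ts": 1700000001, "user": "alice", "action": "login"},
    {"id": "evt-2", "ts": 1700000002, "user": "bob", "action": "download"},
    {"id": "evt-3", "ts": 1700000002, "user": "carol", "action": "login"},
]


def fetch_since(events: list, last_ts: int) -> list:
    """Stand-in for the cloud API call: return events with ts >= last_ts. The bound is
    inclusive because several events can share a timestamp; the forwarder dedups by id."""
    return [e for e in events if e["ts"] >= last_ts]


class Forwarder:
    """Posts each new audit record to HTTP Ingest one at a time (at-least-once delivery).
    `post` takes the JSON body and returns an HTTP status code; the real request shape,
    endpoint and integration-key header are assumptions documented in the API guide."""

    def __init__(self, post: Callable[[bytes], int], retries: int = 3, backoff: float = 0.0):
        self.post, self.retries, self.backoff = post, retries, backoff
        self.last_ts = 0        # checkpoint: timestamp of the last successfully posted record
        self.seen = {}          # id -> ts for records already posted at the checkpoint timestamp

    def _post_with_retry(self, record: dict) -> bool:
        body = json.dumps(record).encode()
        for attempt in range(self.retries):
            status = self.post(body)
            if 200 <= status < 300:
                return True
            if status == 429 or status >= 500:          # transient: back off and retry
                time.sleep(self.backoff * (2 ** attempt))
                continue
            return False                                # other 4xx: malformed request, do not retry
        return False

    def poll_once(self, fetch: Callable[[int], Iterable[dict]]) -> int:
        """Fetch from the checkpoint, post in order, advance the checkpoint per success. Returns count sent."""
        sent = 0
        for rec in sorted(fetch(self.last_ts), key=lambda e: (e["ts"], e["id"])):
            if rec["id"] in self.seen:
                continue                                # already delivered in an earlier poll
            if not self._post_with_retry(rec):
                break                                   # checkpoint stays put; retried on the next poll
            self.seen[rec["id"]], self.last_ts = rec["ts"], rec["ts"]
            sent += 1
        self.seen = {i: t for i, t in self.seen.items() if t >= self.last_ts}  # keep dedup set small
        return sent
```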

Note

HTTP Ingest is a transport mechanism. Some optimized integrations use HTTP Ingest internally to deliver data from supported third-party sources, in which case XDR applies source-specific normalization and detections to the delivered data. When HTTP Ingest is used directly to deliver data from a source that is not part of an existing optimized integration, it serves as a custom transport for a custom integration. The transport of data into Taegis is guaranteed for any source that posts well-formed requests, but downstream outcomes, like normalization into typed schemas, search relevance, and source-specific detections, depend on whether the data source is recognized. Records from unrecognized sources are preserved using the generic schema and may require Custom Parsers and Custom Detection Rules to be fully usable.

Setup

HTTP Ingest can be configured by following the setup guide.

Detailed API Guidance

For developer-facing details on supported content types, payload size recommendations, response codes, retry behavior, integration key rotation, and tenant scoping, see Get Started with the HTTP Ingest API.