Extend Cortex XDR visibility into cloud assets from AWS.
Notice
Ingestion of cloud assets from AWS requires a Cortex XDR Pro per GB license.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in AWS. This gives you deeper visibility into all your assets and richer context for incident investigation.
To receive cloud assets from AWS, configure the Cloud Inventory data collector under the Collection Integrations settings in Cortex XDR and complete the AWS wizard. The wizard includes steps that you perform in the AWS Console as well as steps in the wizard screens themselves. After you set up data collection, Cortex XDR begins receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in → , where the All Assets and Specific Cloud Assets pages display it in table format.
To configure the AWS cloud assets collection in Cortex XDR:
Open the AWS wizard in Cortex XDR.
Select
→ → → . In the Cloud Inventory configuration, click Add Instance.
Click AWS.
Define the Account Details screen of the wizard.
The connection parameters on the right side of the screen depend on configuration that you perform in AWS, as explained below.
Select the Organization Level as either Account (default), Organization, or Organization Unit. The Organization Level that you select changes the instructions and fields displayed on the screen.
Sign in to your AWS master account (the account AWS Organizations now calls the management account).
Create a stack called XDRCloudApp using the preset Cortex XDR template in AWS.
The following details are automatically filled in for you in the AWS CloudFormation stack template:
Stack Name: The default name for the stack is XDRCloudApp.
CortexXDRRoleName: The name of the role that will be used by Cortex XDR to authenticate and access the resources in your AWS account.
External ID: The Cortex XDR Cloud ID, a randomly generated UUID that is written into the sts:ExternalId condition of the role's trust policy, so that only a caller presenting this value can assume the role.
To create the stack, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Create Stack.
Wait for the Status to update to CREATE_COMPLETE on the Stacks page that is displayed, and select the XDRCloudApp stack under the Stack name column in the table.
Select the Outputs tab and copy the Value of the Role ARN.
Paste the Role ARN value in one of the following fields in the Account Details screen in Cortex XDR. The field name is dependent on the Organization Level that you selected.
Account: Paste the value in the Account Role ARN field.
Organization: Paste the value in the Master Role ARN field.
Organization Unit: Paste the value in the Master Role ARN field.
Set the Root ID in Cortex XDR.
Note
This step is only relevant if you configured the Organization Level as Organization in the Account Details screen in Cortex XDR. Skip it if the Organization Level is set to Account or Organization Unit.
From the main menu of the AWS Console, select
→ . Copy the Root ID displayed under the organization Root and paste it in the Root ID field in the Account Details screen in Cortex XDR.
Set the Organization Unit ID in Cortex XDR.
Note
This step is only relevant if you configured the Organization Level as Organization Unit in the Account Details screen in Cortex XDR. Skip it if the Organization Level is set to Account or Organization.
On the main menu of the AWS Console, select your username, and then My Organization.
In the organizational structure, select the organizational unit (marked with the OU icon) that you want to configure.
Copy the ID and paste it in the Organization Unit ID field in the Account Details screen in Cortex XDR.
Define the following remaining connection parameters in the Account Details screen in Cortex XDR:
Account Role External ID / Master External ID: The name of this field depends on the Organization Level configured. The field is automatically populated with a value. You can leave this value or replace it with another value, but the value must match the sts:ExternalId condition in the trust policy of the role created by the stack; if you change it here, update the stack (or the role's trust policy) to the same value, otherwise Cortex XDR's AssumeRole call is denied.
Cortex XDR Collection Name: Specify a name for your Cortex XDR collection that is displayed underneath the Cloud Inventory configuration for this AWS collection.
Click Next.
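Before pasting the Role ARN into the Account Details screen, it is worth confirming that the stack finished, that the ARN names the role you expect, and that the role's trust policy names a single principal account and requires the External ID through an sts:ExternalId condition (the check that stops a confused-deputy assumption by an unrelated caller). The script below does that; it is an added example written for this page, not Cortex XDR or Palo Alto Networks code. The stack output key names, the role name, the External ID, the Cortex XDR principal account, the onboarded account number, and both trust-policy documents are constructed sample values, not taken from the page. In practice you would feed it the JSON from `aws cloudformation describe-stacks --stack-name XDRCloudApp` and the trust policy from `aws iam get-role --role-name <CortexXDRRoleName>`.

```python
"""Added example (not Cortex XDR / Palo Alto Networks code): sanity-check the
IAM role created by the XDRCloudApp stack before pasting its ARN into the
Cortex XDR Account Details screen. All identifiers below are constructed
sample values, not real ones."""
import json
import re

# Constructed sample values (assumptions, not taken from the page).
STACK_NAME = "XDRCloudApp"                            # stack name from the wizard
ROLE_NAME = "CortexXDRRole"                           # CortexXDRRoleName parameter
EXTERNAL_ID = "11111111-2222-4333-8444-555555555555"  # External ID shown in the wizard
XDR_PRINCIPAL_ACCOUNT = "000000000000"  # placeholder: account Cortex XDR calls AssumeRole from
YOUR_ACCOUNT = "123456789012"           # placeholder: the AWS account being onboarded

# Constructed: the trust policy a correctly built role should carry.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{XDR_PRINCIPAL_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed: a trust policy with the two classic mistakes, a wildcard
# principal and no external-ID condition (any AWS account could assume it).
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

# Constructed: shape of `aws cloudformation describe-stacks` output. The output
# key names are assumed, which is why the code below matches outputs by ARN shape.
SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [{
    "StackName": STACK_NAME,
    "StackStatus": "CREATE_COMPLETE",
    "Outputs": [
        {"OutputKey": "ExternalId", "OutputValue": EXTERNAL_ID},
        {"OutputKey": "RoleArn", "OutputValue": f"arn:aws:iam::{YOUR_ACCOUNT}:role/{ROLE_NAME}"},
    ],
}]})

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
ACCOUNT_RE = re.compile(r"^(\d{12})$|^arn:aws:iam::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """12-digit accounts named by a statement's Principal; a wildcard is returned as '*'."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    accounts = []
    for entry in _as_list(aws):
        if entry == "*":
            accounts.append("*")
            continue
        m = ACCOUNT_RE.match(entry)
        accounts.append((m.group(1) or m.group(2)) if m else entry)
    return accounts


def check_trust_policy(policy, external_id, principal_account):
    """Return a list of findings; an empty list means the trust policy is sound."""
    findings = []
    allow = [s for s in policy.get("Statement", [])
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allow:
        return ["no Allow statement for sts:AssumeRole: Cortex XDR cannot assume this role"]
    for i, stmt in enumerate(allow):
        for acct in _principal_accounts(stmt.get("Principal", {})):
            if acct == "*":
                findings.append(f"statement {i}: wildcard principal '*' lets any AWS account attempt AssumeRole")
            elif acct != principal_account:
                findings.append(f"statement {i}: trusts account {acct}, expected {principal_account}")
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif got != external_id:
            findings.append(f"statement {i}: sts:ExternalId {got!r} does not match the wizard value")
    return findings


def extract_role_arn(describe_stacks_json, stack_name=STACK_NAME):
    """Return the role ARN from describe-stacks output once the stack is CREATE_COMPLETE."""
    stacks = json.loads(describe_stacks_json)["Stacks"]
    stack = next((s for s in stacks if s["StackName"] == stack_name), None)
    if stack is None:
        raise RuntimeError(f"stack {stack_name} not found")
    if stack["StackStatus"] != "CREATE_COMPLETE":
        raise RuntimeError(f"stack {stack_name} is {stack['StackStatus']}; wait for CREATE_COMPLETE")
    arns = [o["OutputValue"] for o in stack.get("Outputs", []) if ROLE_ARN_RE.match(o["OutputValue"])]
    if len(arns) != 1:
        raise RuntimeError(f"expected exactly one role ARN in stack outputs, found {arns}")
    return arns[0]


def check_role_arn(arn, role_name, account_id):
    """Confirm the ARN names the expected role in the expected account."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        return [f"{arn!r} is not an IAM role ARN"]
    findings = []
    if m.group(1) != account_id:
        findings.append(f"ARN belongs to account {m.group(1)}, not {account_id}")
    if m.group(2) != role_name:
        findings.append(f"ARN names role {m.group(2)}, not CortexXDRRoleName {role_name}")
    return findings


if __name__ == "__main__":
    arn = extract_role_arn(SAMPLE_DESCRIBE_STACKS)
    print("Role ARN to paste into the wizard:", arn)
    print("ARN findings:", check_role_arn(arn, ROLE_NAME, YOUR_ACCOUNT))
    print("good trust policy:", check_trust_policy(GOOD_TRUST_POLICY, EXTERNAL_ID, XDR_PRINCIPAL_ACCOUNT))
    print("bad trust policy:", check_trust_policy(BAD_TRUST_POLICY, EXTERNAL_ID, XDR_PRINCIPAL_ACCOUNT))
```

The trust-policy check is deliberately strict: a wildcard principal, a principal from any account other than the one Cortex XDR assumes the role from, a missing sts:ExternalId condition, or an External ID that differs from the wizard value are each reported, because any of them means the role is either assumable by the wrong party or not assumable by Cortex XDR at all.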
Define the Configure Member Accounts screen of the wizard.
Note
This wizard screen is only displayed if you configured the Organization Level as Organization or Organization Unit in the Account Details screen in Cortex XDR. Skip this step if the Organization Level is set to Account.
Configuring member accounts depends on creating a stack set and configuring stack instances in AWS, which you can do either with the AWS Command Line Interface (AWS CLI) or with a CloudFormation template via the AWS Console. Use one of the following methods:
After Cortex XDR begins receiving AWS cloud assets, you can view the data in → , where the All Assets and Specific Cloud Assets pages display it in table format. For more information, see Cloud Inventory Assets.