Ingest Cloud Assets from Google Cloud Platform - Administrator Guide - Cortex XDR - Cortex

Ingest Cloud Assets from Google Cloud Platform - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-03-22

Last date published

2023-09-25

Note

Ingesting Cloud Assets from Google Cloud Platform requires a Cortex XDR Pro per GB license.

Cortex XDR provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform (GCP). This capability provides deeper visibility to all the assets and superior context for incident investigation.

To receive cloud assets from GCP, you must configure the Collection Integrations settings in Cortex XDR using the Cloud Inventory data collector to configure the GCP wizard. The GCP wizard includes instructions to be completed both in GCP and the GCP wizard screens. After you set up data collection, Cortex XDR begins receiving new data from the source.

As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets → Cloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the GCP cloud assets collection in Cortex XDR.

Open the GCP wizard in Cortex XDR.
1. Select Settings → Configurations → Data Collection → Collection Integrations.
2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.
3. Click Google Cloud Platform.
Define the Configure Account screen of the wizard.
Setting the connection parameters on the right-side of the screen is dependent on certain configurations in GCP as explained below.
1. Select the Organization Level as either Project (default), Folder, or Organization. The Organization Level that you select changes the instructions.
2. Register your application for Cloud Asset API in Google Cloud Platform, Select a project where your application will be registered, and click Continue.
  The Cloud Asset API is enabled.
3. Click Continue to open the GCP Cloud Console.
4. On the main menu, select the project menu.
5. In the window that opens, perform the following.
  1. From the Select from menu, select the organization that you want.
  2. The next steps to perform in Google Cloud Platform are dependent on the Organizational Level you selected in Cortex XDR - Project, Folder, or Organization.
    Project or Folder Organization Level—In the table, copy one of the following IDs that you want to configure and paste it in the designated field in the Configure Account screen in Cortex XDR . The field in Cortex XDR is dependent on the Organizational Level you selected.
    -Project—Contains a project icon () beside it, and the ID should be pasted in the Project ID field in Cortex XDR.
    -Folder—Contains a folder icon () beside it, and the ID should be pasted in the Folder ID field in Cortex XDR.
    When you are finished, click CANCEL to close the window.
    Organization is the Organization Level—Select the ellipsis icon () → Settings. In the Settings page, copy the Organization ID for the applicable organization that you want to configure and paste it in the Organization Id field in the Configure Account screen in Cortex XDR.
6. Select the Hamburger menu → Storage → Cloud Storage → Browser.
7. You can either use an existing bucket from the list or create a new bucket. Copy the Name of the bucket and paste it in the Bucket Name field in the Configure Account screen in Cortex XDR.
8. Define the following remaining connection parameters in the Configure Account screen in Cortex XDR.
  - Bucket Directory Name—You can either leave the default directory as Exported-Assets or define a new directory name that will be created for the exported assets collected for the bucket configured in GCP.
  - Cortex XDR Collection Name—Specify a name for your Cortex XDR collection that is displayed underneath the Cloud Inventory configuration for this GCP collection.
9. Click Next.
Define the Account Details screen of the wizard.
1. Download the Terraform script. The name of the file downloaded is dependent on the Organizational Level that you configured in the Configure Account screen of the wizard.
  - Folder—cortex-xdr-gcp-folder-ro.tf
  - Project—cortex-xdr-gcp-project-ro.tf
  - Organization—cortex-xdr-gcp-organization-ro.tf
2. Login to the Google Cloud Shell.
3. Click Continue to open the Cloud Shell Editor.
4. Select File → Open, and Open the Terraform script that you downloaded from Cortex XDR.
5. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex XDR using the copy icon ().
  1. terraform init—Initializes the Terraform script. You need to wait until the initialization is complete before running the next command as indicated in the image below.
  2. terraform apply—When running this command, you are asked to enter the following values.
    var.assets_bucket_name—Specify the GCP storage Bucket Name that you configured in the Configure Account screen of the wizard to contain GCP cloud asset data.
    var.host_project_id—Specify the GCP Project ID to host the XDR service account and bucket, which you registered your application. Ensure that you use a permanent project.
    var.project_id—Specify the Project ID, Folder ID, or Organization ID that you configured in the Configure Account screen of the wizard from GCP.
    After specifying all the values, you need to Authorize gcloud to use your credentials to make this GCP API call in the Authorize Cloud Shell dialog box that is displayed.
    Before the action completes, you need to confirm whether you want to perform these actions, and after the process finishes running an Apply complete indication is displayed.
    You can view the output JSON file called cortex-service-account-<GCP host project ID>.json by running the ls command.
6. Download the JSON file from Google Cloud Shell.
  1. In the Google Cloud Shell console, select ellipsis icon () → Download.
  2. Select the JSON file produced after running the Terraform script, and click Download.
7. Upload the downloaded Service Account Key JSON file in the Configure Account screen in Cortex XDR. You can drag and drop the file, or Browse to the file.
8. Click Next.
(Optional) Define the Change Asset Logs screen of the wizard.
Note
You can skip this step if you’ve already configured a Google Cloud Platform data collector with a Pub/Sub asset feed collection.
1. In the GCP Console, search for Topics, and select the Topics link.
2. CREATE TOPIC.
3. Specify a Topic ID, and CREATE TOPIC.
  Note
  A Topic name is automatically populated underneath the Topic ID field.
  The new topic is listed in the table in the Topics page.
4. Run the following command to create a feed on an asset using the gcloud CLI tool, which you can copy from the Change Asset Logs screen in Cortex XDR by selecting the copy icon (), and paste in the gcloud CLI tool.
  Note
  For more information on the gcloud CLI tool. see gcloud tool overview.
```
gcloud asset feeds create <FEED_ID> --project=xdr-cloud-projectid --pubsub-topic="<Topic name>" --content-type=resource --asset-types="compute.googleapis.com/Instance,compute.googleapis.com/Image,compute.googleapis.com/Disk,compute.googleapis.com/Network,compute.googleapis.com/Subnetwork,compute.googleapis.com/Firewall,storage.googleapis.com/Bucket,cloudfunctions.googleapis.com/CloudFunction"
```
  The command contains a parameter already populated and parameters that you need to replace before running the command.
  - <FEED_ID>—Replace this placeholder text with a unique asset feed identifier of your choosing.
  - --project—This parameter is automatically populated from the Project ID field in the Configure Account screen wizard in Cortex XDR.
  - <Topic name>—Replace this placeholder text with the topic name you created in the Topic details page in the GCP console.
5. In the GCP Console, search for Subscription, and select the Subscriptions link.
6. CREATE SUBSCRIPTION for the topic you created.
7. Set the following parameters.
  - Subscription ID—Specify a unique identifier for the subscription.
  - Select a Cloud Pub/Sub topic—Select the topic you created.
  - Delivery type—Select Pull.
8. Click CREATE.
  The new subscription is listed in the table in the Subscriptions page.
9. Select the subscription that you created for your topic and add PERMISSIONS for the subscriber in the Subscription details page.
10. ADD PRINCIPAL to add permissions for the Service Account that you created the key for in the JSON file and uploaded to the Configure Account wizard screen in Cortex XDR. Set the following permissions for the Service Account.
  - New principals—Select the designated Service Account Key you created in the JSON file.
  - Select a role—Select Pub/Sub Subscriber.
11. Copy the Subscription name and paste it in the Subscription Name field on the right-side of the Change Asset Logs screen in Cortex XDR , and click Next.
  Note
  The Subscription Name is the name of the new Google Cloud Platform data collector that is configured with a Pub/Sub asset feed collection.
Review the Summary screen of the wizard.
If something needs to be corrected, you can go Back to correct it.
Click Create.
Once cloud assets from GCP start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last Collection time to display as the processing completes.
Note
Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XDR.
In addition, if you created a Pub/Sub asset feed collection, a green check mark appears underneath the Google Cloud Platform configuration with the amount of data received.
After Cortex XDR begins receiving GCP cloud assets, you can view the data in Assets → Cloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.