Ingest Cloud Assets from Google Cloud Platform

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-30
Last date published: 2023-03-30

Note

Ingesting Cloud Assets from Google Cloud Platform requires a Cortex XDR Pro per TB license.

Cortex XDR provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform (GCP). This capability provides deeper visibility into all the assets and superior context for incident investigation.

To receive cloud assets from GCP, you must configure the Collection Integrations settings in Cortex XDR, using the Cloud Inventory data collector to configure the GCP wizard. The GCP wizard includes instructions to be completed both in GCP and in the GCP wizard screens. After you set up data collection, Cortex XDR begins receiving new data from the source.

As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets → Cloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the GCP cloud assets collection in Cortex XDR:

  1. Open the GCP wizard in Cortex XDR.

    1. Select Settings → Configurations → Data Collection → Collection Integrations.

    2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.

    3. Click Google Cloud Platform.

  2. Define the Configure Account screen of the wizard.

    Setting the connection parameters on the right side of the screen depends on certain configurations in GCP, as explained below.

    1. Select the Organization Level as either Project (default), Folder, or Organization. The Organization Level that you select changes the instructions.

    2. Register your application for the Cloud Asset API in Google Cloud Platform: select a project where your application will be registered, and click Continue.

      The Cloud Asset API is enabled.

    3. Click Continue to open the GCP Cloud Console.

    4. On the main menu, select the project menu.

    5. In the window that opens, perform the following.

      1. From the Select from menu, select the organization that you want.

      2. The next steps to perform in Google Cloud Platform depend on the Organizational Level you selected in Cortex XDR: Project, Folder, or Organization.

        • Project or Folder Organization Level—In the table, copy the ID that you want to configure and paste it in the designated field in the Configure Account screen in Cortex XDR. The field in Cortex XDR depends on the Organizational Level you selected.

          - Project—Has a project icon beside it, and the ID should be pasted in the Project ID field in Cortex XDR.

          - Folder—Has a folder icon beside it, and the ID should be pasted in the Folder ID field in Cortex XDR.

          When you are finished, click CANCEL to close the window.

        • Organization as the Organization Level—Select the ellipsis icon → Settings. In the Settings page, copy the Organization ID for the applicable organization that you want to configure and paste it in the Organization Id field in the Configure Account screen in Cortex XDR.

    6. Select the Hamburger menu → Storage → Cloud Storage → Browser.

    7. You can either use an existing bucket from the list or create a new bucket. Copy the Name of the bucket and paste it in the Bucket Name field in the Configure Account screen in Cortex XDR.

    8. Define the following remaining connection parameters in the Configure Account screen in Cortex XDR.

      • Bucket Directory Name—You can either leave the default directory as Exported-Assets or define a new directory name that will be created for the exported assets collected for the bucket configured in GCP.

      • Cortex XDR Collection Name—Specify a name for your Cortex XDR collection that is displayed underneath the Cloud Inventory configuration for this GCP collection.

    9. Click Next.

  3. Define the Account Details screen of the wizard.

    1. Download the Terraform script. The name of the downloaded file depends on the Organizational Level that you configured in the Configure Account screen of the wizard.

      • Folder—cortex-xdr-gcp-folder-ro.tf

      • Project—cortex-xdr-gcp-project-ro.tf

      • Organization—cortex-xdr-gcp-organization-ro.tf

    2. Log in to the Google Cloud Shell.

    3. Click Continue to open the Cloud Shell Editor.

    4. Select File → Open, and open the Terraform script that you downloaded from Cortex XDR.

    5. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex XDR using the copy icon.

      1. terraform init—Initializes the Terraform script. You need to wait until the initialization is complete before running the next command as indicated in the image below.
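
A check worth running on the downloaded script in Cloud Shell before the remaining Terraform commands, as an added example (not part of the Cortex XDR documentation or of the script it provides): it lists every IAM role a `.tf` file binds and flags any that do not look read-only. The sample file contents, the `READ_ONLY_PATTERN` allowlist and the function names are assumptions constructed for illustration.

```shell
# Assumption: roles whose name ends in viewer/reader are treated as read-only.
READ_ONLY_PATTERN='^roles/[A-Za-z0-9_.]*([vV]iewer|[rR]eader)$'

# Print every distinct value assigned to a `role = ...` argument in a .tf file.
list_tf_roles() {
  grep -oE '(^|[[:space:]])role[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1" \
    | sed -E 's/^[[:space:]]*role[[:space:]]*=[[:space:]]*//; s/"//g' \
    | sort -u
}

# Print roles outside the allowlist (including unquoted references to custom
# roles, which need a manual look); return 1 if any are found.
flag_non_read_only() {
  flagged=$(list_tf_roles "$1" | grep -vE "$READ_ONLY_PATTERN" || true)
  [ -z "$flagged" ] && return 0
  printf '%s\n' "$flagged"
  return 1
}

# Constructed sample, NOT the contents of the file Cortex XDR provides.
SAMPLE_TF=$(mktemp)
cat > "$SAMPLE_TF" <<'EOF'
resource "google_project_iam_member" "asset_viewer" {
  project = "example-project"
  role    = "roles/cloudasset.viewer"
  member  = "serviceAccount:collector@example-project.iam.gserviceaccount.com"
}
resource "google_project_iam_member" "too_broad" {
  project = "example-project"
  role    = "roles/editor"
  member  = "serviceAccount:collector@example-project.iam.gserviceaccount.com"
}
resource "google_storage_bucket_iam_member" "bucket_read" {
  bucket = "example-bucket"
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:collector@example-project.iam.gserviceaccount.com"
}
EOF

if flag_non_read_only "$SAMPLE_TF"; then
  echo "all bound roles match the read-only allowlist"
else
  echo "review the roles listed above before applying the script"
fi
```

To check a real download, call `flag_non_read_only` with the path of the `.tf` file opened in the Cloud Shell Editor in place of `$SAMPLE_TF`.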