Ingest Cloud Assets from Microsoft Azure - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-03-30
Last date published
2023-03-30

Note

Ingesting Cloud Assets from Microsoft Azure requires a Cortex XDR Pro per TB license.

Cortex XDR provides a unified, normalized asset inventory for cloud assets in Microsoft Azure. This gives you visibility into all of your Azure assets and richer context when investigating incidents.

To receive cloud assets from Microsoft Azure, configure the Collection Integrations settings in Cortex XDR: add a Cloud Inventory data collector instance and complete the Microsoft Azure wizard. The wizard includes steps that you perform in the Microsoft Azure portal and Cloud Shell as well as steps in the wizard screens themselves. After you set up data collection, Cortex XDR begins receiving new data from the source.

As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the Microsoft Azure cloud assets collection in Cortex XDR:

  1. Open the Microsoft Azure wizard in Cortex XDR.

    1. Select Settings > Configurations > Data Collection > Collection Integrations.

    2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.

    3. Click Azure.

  2. Define the Configure Account screen of the wizard.

    The connection parameters on the right side of the screen depend on certain configurations in Microsoft Azure, as explained below.

    1. Select the Organization Level as either Subscription (default), Tenant, or Management Group. The Organization Level that you select changes the instructions and fields displayed on the screen.

    2. Log in to your Microsoft Azure Portal.

    3. Search for Subscriptions, select Subscriptions, copy the applicable Subscription ID in Azure, and paste it in the Subscription ID field in the Configure Account screen of the wizard in Cortex XDR.

      Note

      This step is only relevant if you set the Organization Level to Subscription in the Configure Account screen in Cortex XDR. Skip it if the Organization Level is Tenant or Management Group.

    4. Search for Management groups, select Management groups, copy the applicable management group ID in Azure, and paste it in the Management Group ID field in the Configure Account screen of the wizard in Cortex XDR.

      Note

      This step is only relevant if you set the Organization Level to Management Group in the Configure Account screen in Cortex XDR. Skip it if the Organization Level is Subscription or Tenant.

    5. Search for Tenant properties, select Tenant properties, copy the Tenant ID in Azure, and paste it in the Tenant ID field in the Configure Account screen of the wizard in Cortex XDR. The Tenant ID is required for every Organization Level.

    6. Specify a Cortex XDR Collection Name to be displayed underneath the Cloud Inventory configuration for this Azure collection.

    7. Click Next.

  3. Define the Account Details screen of the wizard.

    1. Download the Terraform script. The name of the downloaded file depends on the Organization Level that you configured in the Configure Account screen of the wizard.

      • Subscription: cortex-xdr-azure-subscription-ro.tf

      • Management Group: cortex-xdr-azure-group-ro.tf

      • Tenant: cortex-xdr-azure-org-ro.tf

        Warning

        To run the Terraform script when the Organization Level is set to Tenant, you must first elevate your access so that you hold the User Access Administrator role at the root scope, which lets you manage all Azure subscriptions and management groups. For more information, see "Elevate access to manage all Azure subscriptions and management groups" in the Microsoft Azure documentation. Remove the elevated access again once the script has run; it is not needed for ongoing collection.

    2. Log in to the Azure Cloud Shell portal, and select Bash.

    3. Click the Upload/Download files icon in the Cloud Shell toolbar, select Upload, browse to the Terraform script, and click Open.

      A notification with the Upload destination is displayed on the bottom-right corner of the screen.

    4. In Cloud Shell, change to the directory that the upload notification reported, and run the following commands against the uploaded Terraform script. You can copy the commands from the Account Details screen in Cortex XDR using the copy icon.

      1. terraform init—Initializes the working directory and downloads the provider that the script needs. Wait until initialization completes (Terraform prints "Terraform has been successfully initialized!") before running the next command.

      2. terraform apply—When you run this command you are prompted to enter the following values; which ones are requested depends on the Organization Level that you configured.

        Note

        Before running this command, ensure that your Azure CLI client is logged in by running az login. For more information, see Sign in with Azure CLI.

        • var.subscription_id—Specify the Subscription ID that you configured in the Configure Account screen of the wizard from Microsoft Azure. This value is only requested if the Organization Level is set to Subscription.

        • var.management_group_id—Specify the Management Group ID that you configured in the Configure Account screen of the wizard from Microsoft Azure. This value is only requested if the Organization Level is set to Management Group.

        • var.tenant_id—Specify the Tenant ID that you configured in the Configure Account screen of the wizard from Microsoft Azure.

      Before making any changes, terraform apply prints the plan of the resources it will create and asks you to confirm by typing yes. Review that plan so you know exactly which resources and role assignments are being created in your tenant, then confirm. When the process finishes, an Apply complete message is displayed.
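The Account Details procedure above (upload the script, terraform init, terraform apply with the per-level variables), as an added Bash example that is not part of the Cortex XDR documentation and is not the Terraform script that Palo Alto Networks provides. It assumes the script's variables are named tenant_id, subscription_id and management_group_id (the prompts listed above, using the underscore form that Terraform identifiers permit) and that the downloaded .tf file sits in the current Cloud Shell directory. Instead of answering the interactive prompts, it validates the IDs up front, confirms that the Azure CLI session is signed in, writes a plan file, and applies exactly that reviewed plan.

```shell
#!/usr/bin/env bash
# Added example: non-interactive driver for the Cortex XDR Azure Terraform script.
# Assumptions (not stated on the page): variable names tenant_id, subscription_id
# and management_group_id, and the .tf file uploaded to the current directory.
set -eu

# Azure tenant and subscription IDs are GUIDs; reject anything else before it
# reaches terraform (a management group ID is a free-form name, so it is not
# checked this way).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the -var arguments terraform needs for one Organization Level.
# Usage: tf_vars <subscription|management_group|tenant> <tenant_id> [scope_id]
tf_vars() {
  local level="$1" tenant_id="$2" scope_id="${3:-}"
  is_guid "$tenant_id" || { echo "tenant_id is not a GUID: $tenant_id" >&2; return 1; }
  case "$level" in
    subscription)
      is_guid "$scope_id" || { echo "subscription_id is not a GUID: $scope_id" >&2; return 1; }
      printf '%s %s' "-var=tenant_id=$tenant_id" "-var=subscription_id=$scope_id" ;;
    management_group)
      [ -n "$scope_id" ] || { echo "management_group_id is required" >&2; return 1; }
      printf '%s %s' "-var=tenant_id=$tenant_id" "-var=management_group_id=$scope_id" ;;
    tenant)
      printf '%s' "-var=tenant_id=$tenant_id" ;;
    *) echo "unknown organization level: $level" >&2; return 1 ;;
  esac
}

# Map the Organization Level to the file the wizard produced (names from the page).
tf_file() {
  case "$1" in
    subscription)     echo cortex-xdr-azure-subscription-ro.tf ;;
    management_group) echo cortex-xdr-azure-group-ro.tf ;;
    tenant)           echo cortex-xdr-azure-org-ro.tf ;;
    *) echo "unknown organization level: $1" >&2; return 1 ;;
  esac
}

# Full run: check the script is present, confirm the CLI session, init, write a
# plan, then apply that exact plan so nothing runs that was not reviewed.
run_apply() {
  local level="$1" tenant_id="$2" scope_id="${3:-}"
  local file vars
  file=$(tf_file "$level")
  [ -f "$file" ] || { echo "missing $file in $(pwd); upload it to Cloud Shell first" >&2; return 1; }
  az account show --query tenantId -o tsv >/dev/null || { echo "run 'az login' first" >&2; return 1; }
  vars=$(tf_vars "$level" "$tenant_id" "$scope_id")
  terraform init -input=false
  # shellcheck disable=SC2086  # vars is intentionally split into separate -var flags
  terraform plan -input=false -out=cortex-xdr.tfplan $vars
  terraform apply -input=false cortex-xdr.tfplan
}

# Usage: ./cortex-xdr-apply.sh subscription <tenant-id> <subscription-id>
#        ./cortex-xdr-apply.sh management_group <tenant-id> <management-group-id>
#        ./cortex-xdr-apply.sh tenant <tenant-id>
if [ "$#" -gt 0 ]; then
  run_apply "$@"
fi
```

The IDs do not have to be copied from the portal: at the Cloud Shell prompt, `az account show --query '{tenant:tenantId,subscription:id}' -o tsv` prints the tenant ID and the currently selected subscription ID, which you can pass straight to the script. If the applied resources ever need to be removed, the same directory (with the plan file and state it produced) is where `terraform destroy` would run.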