Ingest Cloud Assets from Microsoft Azure - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Extend Cortex XDR visibility into cloud assets from Microsoft Azure.

Note

Ingesting Cloud Assets from Microsoft Azure requires a Cortex XDR Pro per GB license.

Cortex XDR provides a unified, normalized asset inventory for cloud assets in Microsoft Azure. This capability provides deeper visibility to all the assets and superior context for incident investigation.

To receive cloud assets from Microsoft Azure, you must configure the Collection Integrations settings in Cortex XDR using the Cloud Inventory data collector to configure the Microsoft Azure wizard. The Microsoft Azure wizard includes instructions to be completed both in Microsoft Azure and the Microsoft Azure wizard screens. After you set up data collection, Cortex XDR begins receiving new data from the source.

As soon as Cortex XDR begins receiving cloud assets, you can view the data in AssetsCloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the Microsoft Azure cloud assets collection in Cortex XDR.

  1. Open the Microsoft Azure wizard in Cortex XDR.

    1. Select SettingsConfigurationsData CollectionCollection Integrations.

    2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.

    3. Click Azure.

  2. Define the Configure Account screen of the wizard.

    Setting the connection parameters on the right-side of the screen are dependent on certain configurations in Microsoft Azure as explained below.

    1. Select the Organization Level as either Subscription (default), Tenant, or Management Group. The Organization Level that you select changes the instructions and fields displayed on the screen.

    2. Login to your Microsoft Azure Portal.

    3. Search for Subscriptions, select Subscriptions, copy the applicable Subscription ID in Azure, and paste it in the Subscription ID field in the Configure Account screen wizard in Cortex XDR.

      Note

      This step is only relevant if you’ve configured the Organization Level as Subscription in the Configure Account screen in Cortex XDR. Otherwise, you can skip this step if the Organization Level is set to Tenant or Management Group.

    4. Search for Management groups, select Management groups, copy the applicable ID in Azure, and paste it in the Management Group ID field in the Configure Account screen wizard in Cortex XDR.

      Note

      This step is only relevant if you’ve configured the Organization Level as Management Group in the Configure Account screen in Cortex XDR. Otherwise, you can skip this step if the Organization Level is set to Subscription or Tenant.

    5. Search for Tenant properties, select Tenant properties, copy the Tenant ID in Azure, and paste it in the Tenant ID field in the Configure Account screen wizard in Cortex XDR.

    6. Specify a Cortex XDR Collection Name to be displayed underneath the Cloud Inventory configuration for this Azure collection.

    7. Click Next.

  3. Define the Account Details screen of the wizard.

    1. Download the Terraform script. The name of the file downloaded is dependent on the Organization Level that you configured in the Configure Account screen of the wizard.

      • Subscriptioncortex-xdr-azure-subscription-ro.tf

      • Management Groupcortex-xdr-azure-group-ro.tf

      • Tenantcortex-xdr-azure-org-ro.tf

        Warning

        To run the Terraform scipt when configuring the Organization Level at the Tenant level, you must first ensure that you elevate user access to manage all Azure subscriptions and management groups for the User Access Administrator role. For more information, see the Microsoft Azure documentation.

    2. Login to the Azure Cloud Shell portal, and select Bash.

    3. Click the upload/download icon (azure-cloud-shell-upload-icon.png) to Upload the Terraform script to Cloud Shell, browse to the file, and click Open.

      A notification with the Upload destination is displayed on the bottom-right corner of the screen.

    4. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex XDR using the copy icon (gcp-copy.png).

      1. terraform init—Initializes the Terraform script. You need to wait until the initialization is complete before running the next command as indicated in the image below.

        azure-terraform-init-successful.png
      2. terraform apply—When running this command you will be asked to enter the following values, which are dependent on the Organization Level that you configured.

        Note

        Before running this command, ensure that your Azure CLI client is logged in by running az login. For more information, see Sign in with Azure CLI.

        • var.subscription_id—Specify the Subscription ID that you configured in the Configure Account screen of the wizard from Microsoft Azure. This value only needs to be specified if the Subscription ID is set to Subscription.

        • var.management.group_id—Specify the Management Group IDthat you configured in the Configure Account screen of the wizard from Microsoft Azure. This value only needs to be specified if the Microsoft Group is set to Management Group.

        • var.tenant_id—Specify the Tenant ID that you configured in the Configure Account screen of the wizard from Microsoft Azure.

      Before the action completes, you need to confirm whether you want to perform these actions, and after the process finishes running an Apply complete indication is displayed.

      azure-apply-complete.png
    5. Copy the client_id value displayed in the Cloud Shell window and paste it in the Application Client ID field in the Account Details screen in Cortex XDR.

    6. Copy the secret value displayed in the Cloud Shell window and paste it in the Secret field in the Account Details screen in Cortex XDR.

    7. Download the JSON file from Cloud Shell using the upload/download icon (azure-cloud-shell-upload-icon.png), so you have output field values for future reference.

    8. Click Next.

  4. Review the Summary screen of the wizard.

    If something needs to be corrected, you can go Back to correct it.

  5. Click Create.

    Once cloud assets from Azure start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last Collection time to display as the processing completes.

    Note

    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XDR.

  6. After Cortex XDR begins receiving Azure cloud assets, you can view the data in AssetsCloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.