Manage Your Cloud Inventory Assets - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-19
Category: Administrator Guide
Abstract

Cortex XDR provides a central location to view and investigate information relating to inventory assets in the cloud.

Note

Ingesting and Viewing Cloud Inventory Assets requires a Cortex XDR Pro per GB license.

The All Cloud Assets and Specific Cloud Assets pages provide a central location from which you can view and investigate information relating to inventory assets in the cloud. These cloud inventory assets are collected from Google Cloud Platform, Microsoft Azure, and Amazon Web Services depending on your defined cloud configurations, and are received by Cortex XDR using the Cloud Inventory data collector. These pages are designed in a similar format so you can navigate to the page, view the data, and perform the same tasks to easily investigate your assets.

To manage your cloud inventory assets:

  1. Select Assets > Cloud Inventory.

  2. View All Cloud Assets by remaining on the page, or select a Specific Cloud Assets page from the list available on the left panel.

    By default, the page displays all cloud assets according to the most recent time that the data was updated.

  3. (Optional) Filter and review your assets.

    You can use the filter icon (filter-icon.png) at the top of the page to build a filter from scratch, or filter the individual columns, to view the information you are looking for. To create a persistent filter, save (save-icon.png) it.

  4. (Optional) Export your filtered results to a tab-separated values (TSV) file using the Export to file icon (export-icon.png) on the top of the page.

  5. (Optional) Investigate any asset further by selecting the applicable row in the table to reveal a side panel.

    The side panel enables you to view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link (link-icon.png) to open in a new tab a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.

    The following table describes the common side panel components that are displayed for all asset types and subtypes and the specific side panel components based on the specific cloud assets type selected.

    Side Panel Component | Description | Example Image

    Common Side Panel Components

    Header

    The header row displays the following information about the asset.

    • The NAME of the asset as displayed in the table. If there is no value for the asset name, the SECONDARY ASSET ID for the asset is used.

    • The TYPE of asset.

    • Additional information specific to the asset type, which is displayed only if a value is available.

    • The cloud PROVIDER.

    header-example.png

    Asset Metadata

    This section includes the following fields, which are displayed if the information is available from the output field values in the table.

    • Created at—Timestamp, which is not always available.

    • Updated at—Timestamp, which is not always available.

    • Region—Displays the region as provided by the Cloud provider.

    • Availability zone—Displays the AVAILABILITY ZONE according to the cloud provider.

    • Geo Location—Displays the normalized value indicating the geographic region, such as North America or the Middle East.

    • Project—Displays the associated project name as provided by the cloud provider. Each provider uses its own name for this construct.

      • AWS—Account

      • GCP—Project

      • Microsoft Azure—Subscription

    • Hierarchy—Displays the hierarchy of the associated PROJECT in the cloud provider separated by a forward slash (/) similar to a file path.

      Note

      The Project has a different name in each cloud provider. For more information, see the PROJECT description.

    • Public IPs—Displays a list of external public IPs.

    • Private IPs—Displays a list of internal private IPs.

    • Cloud Tags—Displays any cloud tags or labels configured according to the cloud provider.

    • Last Reported Status—Last reported status of the asset, such as AVAILABLE or READY.

    asset-metadata.png

    Asset Editors

    A horizontal bar chart of the identities that edited the asset is displayed. Up to 5 editors are shown, and each bar gives the percentage of edit actions attributed to a single identity. The chart excludes any actions for which the identity could not be resolved, so an unattributed change does not appear here. If there are more than 5 editors, the remaining editors are aggregated into an Others bar.

    The Asset Editors section also provides a link (link-icon.png) that opens, in a new tab, a predefined query in XQL Search on the cloud_audit_log dataset, showing the edit operations on this asset by the selected identity in the last 7 days.

    The chart also states the data window it covers, in the format Data since <timestamp>.

    asset-editors-example.png

    Internet Exposure

    When there are any open external ports, the open ports and their corresponding details are displayed.

    • Title—The title format is <IP>:<port>. Hovering over the title reveals the Show banner info icon, which opens a Banner window containing the raw JSON text obtained from Xpanse for the banner. You can view it in JSON VIEW (default) or TREE VIEW.

    • Observed Services—The type of service observed with the open external port, such as MySQL, HTTP, and TLS.

    • Observed at—A timestamp for when the open external port was noticed.

    internet-exposure.png

    Specific Side Panel Components

    VM Instance

    The TYPE of asset is set to Compute and the SUBTYPE is set to VM Instance. The header includes the following additional fields.

    • Machine type—Displays the type of machine.

    • Last started—Displays the last time the machine started.

    The following data is displayed in the panel.

    • Disks—A list of disks, where each disk has the following properties.

      • Disk name. When you hover over the disk name, you expose the Show Disk icon, which enables you to view in the side panel the associated disk information, such as the disk size in GB.

      • Boot Disk—Boolean value as either Yes or No.

      • Disk Type—Type of disk such as ebs or persistent.

    • Network Interfaces—List of Network Interfaces, where the following is displayed for each network interface if the data exists.

      • Name—The name of the network interface.

      • IP—The IP address of the network interface.

      • When you hover over the network interface name, icons appear for the following actions, each of which opens a different side panel component.

        • View associated VPC—Drills down to the VPC side panel component if the ID exists.

        • View network interface details—Drills down to the corresponding Network Interface row if the ID exists.

        • View associated subnet—Drills down to the Subnet side panel component if the ID exists.

    vm-instance-example.png

    Disk

    Displays the following information in the Header.

    • Compute Disk as the specific cloud assets type.

    • Is Encrypted—Displays a boolean value as either Yes or No to indicate whether the disk is encrypted.

    • Size of the disk in GB.

    disk-example.png

    VPC

    Displays the following information in the Header.

    • Virtual Private Cloud (VPC) as the specific cloud assets type.

    • CIDRs—A list of CIDRs.

    • Default—Displays a boolean value as either Yes or No to indicate whether this asset is the default VPC.

    The following actions are available only if this information is provided by the cloud provider.

    • Show Peer networks—Pivot to a new tab with the VPC Networks table, which is filtered on the list of IDs.

    • Show Subnets—Pivot to a new tab with the Subnets table, which is filtered on the list of IDs.

    vpc-header-example.png

    Subnet

    Displays the following information in the Header.

    • Subnet as the specific cloud assets type.

    • CIDRs—A list of CIDRs.

    subnet-header-example.png

    Cloud Function

    Displays the following information in the Header.

    • Cloud Functions as the specific cloud assets type.

    • Runtime—Displays the runtime system, such as python3.9.

    • Memory Size—The amount of memory in MB.

    • Description—A description of the cloud function.

    cloud-functions-header.png

    Storage Bucket

    Displays the following information in the Header.

    • Storage Bucket as the specific cloud assets type.

    • Location Type—Displays the bucket location as either Regional or Multi Regional.

    • Access Type—Displays the bucket access options as one of the following.

      • Public

      • Private

      • Fine Grained

      • Unknown

    storage-bucket-header.png

    Security Group

    Displays the following information in the Header.

    • Security Group (FW Rule) as the specific cloud assets type.

    • Group Name and Description for the Security Group, if available. In AWS, the name and description apply to the entire group; in GCP, each rule has its own name and description.

    A Security Group is a list of rules. A separate Rules section is displayed in the side panel that lists the following for each rule.

    • Name—Name of the rule.

    • Description—The description of the rule, if it exists.

    • Rules icon (rules-icon.png)—Opens a Banner window containing the raw JSON data extracted for the rule, which you can view in JSON VIEW (default) or TREE VIEW.

    Some providers report the VPC associated with the Security Group, and some report an associated Network Interface. The available actions depend on which data is present and are exposed when you hover over the INFO heading under the NETWORK INTERFACES section.

    • View associated VPC—Drills down to the VPC side panel component if the ID exists.

    • View network interface details—Drills down to the corresponding Network Interface row if the ID exists.

    • View associated subnet—Drills down to the Subnet side panel component if the ID exists.

    security-group-example.png

  6. (Optional) Manage cloud inventory assets, as needed.

    At any time, you can return to the All Cloud Assets or Specific Cloud Assets pages to view and manage your cloud inventory assets. To manage a cloud inventory asset, right-click the asset and select the desired action. Some actions are dependent on the type of cloud asset selected and the particular cell you are performing the action from.

    • Show rows with ‘<field name>’ to filter the table so that only rows matching the field selected in the table are displayed.

    • Hide rows with ‘<field name>’ to filter the table so that rows matching the field selected in the table are hidden.

    • Copy text to clipboard to copy the text from a specific field in the row of an asset.

    • Copy entire row to copy the text from all the fields in a row of an asset.

    • Open IP View—For the External IPs and Internal IPs column fields in the assets table, you can open the IP Address View, which consolidates the information and actions available for an IP address so you can research it and hunt related incidents from one place.

    • Open in Quick Launcher—For the External IPs and Internal IPs column fields in the assets tables, you can open the Quick Launcher shortcut to search for information, perform common investigative tasks, or initiate response actions related to a specific IP address or CIDR.

    • Show rows 30 days prior to ‘<timestamp field>’—For all timestamp fields in the assets tables, you can filter the column list to only display the rows 30 days earlier than the selected timestamp field.

    • Show rows 30 days after ‘<timestamp field>’—For all timestamp fields in the assets tables, you can filter the column list to only display the rows 30 days after the selected timestamp field.
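The predefined XQL query behind the Asset Editors link is not reproduced on this page. The following query is an added example, not the query Cortex XDR generates, that shows the shape of such a search on the cloud_audit_log dataset and extends it in one way a practitioner usually wants: the Asset Editors chart drops actions whose identity could not be resolved, so this query keeps those rows under a visible placeholder and also drops the single-identity restriction, so every principal that touched the asset in the last 7 days is listed. The asset name prod-web-bucket and the field names resource_name, identity_name, operation_name, operation_status and caller_ip are assumed for illustration; confirm them against the cloud_audit_log schema in your tenant before relying on the results.

```xql
// Added example; constructed for illustration, not Cortex XDR's predefined query.
// Assumed fields: resource_name, identity_name, operation_name, operation_status, caller_ip.
config timeframe = 7d
| dataset = cloud_audit_log
// Restrict to the asset selected in the side panel (assumed asset name).
| filter resource_name = "prod-web-bucket"
// Keep unresolved identities instead of silently excluding them, as the chart does.
| alter editor = if(identity_name = null, "<unresolved identity>", identity_name)
// One row per editor and operation, with the activity window and source addresses.
| comp count() as edit_count,
       min(_time) as first_seen,
       max(_time) as last_seen,
       values(operation_status) as statuses,
       values(caller_ip) as source_ips
  by editor, operation_name
| sort desc edit_count
```

Rows whose editor is <unresolved identity> are the ones the side-panel chart omits; an unexpected source IP or a burst of failed statuses from a single editor is the usual starting point for pivoting into the incident.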