Ingest Cloud Assets from Google Cloud Platform

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-05-22
Last date published: 2024-07-01
Category: User Guide
Solution: Cloud

Abstract: Extend Cortex Xpanse visibility into cloud assets from Google Cloud Platform.

Cortex Xpanse provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform (GCP). This capability provides deeper visibility into all the assets and superior context for incident investigation.

To receive cloud assets from GCP, configure the Collection Integrations settings in Cortex Xpanse by using the Cloud Inventory data collector to set up the GCP wizard. The GCP wizard includes instructions to be completed both in GCP and in the GCP wizard screens. After you set up data collection, Cortex Xpanse begins receiving new data from the source.

As soon as Cortex Xpanse begins receiving cloud assets, you can view the data in Assets > Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the GCP cloud assets collection in Cortex Xpanse:

  1. Open the GCP wizard in Cortex Xpanse.

    1. Select Settings > Configurations > Data Collection > Collection Integrations.

    2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.

    3. Click Google Cloud Platform.

  2. Define the Configure Account screen of the wizard.

    Setting the connection parameters on the right-side of the screen is dependent on certain configurations in GCP as explained below.

    1. Select the Organization Level as either Project (default), Folder, or Organization. The Organization Level that you select changes the instructions.

    2. Register your application for the Cloud Asset API in Google Cloud Platform: select a project where your application will be registered, and click Continue.

      gcp-register-app.png

      The Cloud Asset API is enabled.

      gcp-confirmation-api-enabled.png
    3. Click Continue to open the GCP Cloud Console.

    4. On the main menu, select the project menu.

    5. In the window that opens, perform the following.

      1. From the Select from menu, select the organization that you want.

      2. The next steps to perform in Google Cloud Platform are dependent on the Organizational Level you selected in Cortex Xpanse - Project, Folder, or Organization.

        • Project or Folder Organization Level—In the table, copy one of the following IDs that you want to configure and paste it in the designated field in the Configure Account screen in Cortex Xpanse. The field in Cortex Xpanse is dependent on the Organizational Level you selected.

          - Project—Contains a project icon (gcp-project-icon.png) beside it, and the ID should be pasted in the Project ID field in Cortex Xpanse.

          - Folder—Contains a folder icon (gcp-folder-icon.png) beside it, and the ID should be pasted in the Folder ID field in Cortex Xpanse.

          When you are finished, click CANCEL to close the window.

        • Organization as the Organization Level—Select the ellipsis icon (gcp-ellipsis-icon.png) > Settings. In the Settings page, copy the Organization ID for the applicable organization that you want to configure and paste it in the Organization Id field in the Configure Account screen in Cortex Xpanse.

    6. Select the Hamburger menu > Storage > Cloud Storage > Browser.

    7. You can either use an existing bucket from the list or create a new bucket. Copy the Name of the bucket and paste it in the Bucket Name field in the Configure Account screen in Cortex Xpanse.

    8. Define the following remaining connection parameters in the Configure Account screen in Cortex Xpanse.

      • Bucket Directory Name—You can either leave the default directory as Exported-Assets or define a new directory name that will be created for the exported assets collected for the bucket configured in GCP.

      • Cortex Xpanse Collection Name—Specify a name for your Cortex Xpanse collection that is displayed underneath the Cloud Inventory configuration for this GCP collection.

    9. Click Next.

  3. Define the Account Details screen of the wizard.

    1. Download the Terraform script. The name of the file downloaded is dependent on the Organizational Level that you configured in the Configure Account screen of the wizard.

      • Folder: cortex-xdr-gcp-folder-ro.tf

      • Project: cortex-xdr-gcp-project-ro.tf

      • Organization: cortex-xdr-gcp-organization-ro.tf

    2. Log in to the Google Cloud Shell.

      gcp-cloud-shell.png
    3. Click Continue to open the Cloud Shell Editor.

      gcp-cloud-shell-editor.png
    4. Select File > Open, and open the Terraform script that you downloaded from Cortex Xpanse.

    5. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex Xpanse using the copy icon (gcp-copy.png).

      1. terraform init—Initializes the Terraform script. You need to wait until the initialization is complete before running the next command as indicated in the image below.

        gcp-terraform-init-complete.png
      2. terraform apply—When running this command, you are asked to enter the following values.

        • var.assets_bucket_name—Specify the GCP storage Bucket Name that you configured in the Configure Account screen of the wizard to contain GCP cloud asset data.

        • var.host_project_id—Specify the GCP Project ID to host the XDR service account and bucket, in which you registered your application. Ensure that you use a permanent project.

        • var.project_id—Specify the Project ID, Folder ID, or Organization ID that you configured in the Configure Account screen of the wizard from GCP.

          After specifying all the values, you need to Authorize gcloud to use your credentials to make this GCP API call in the Authorize Cloud Shell dialog box that is displayed.

          Before the action completes, you need to confirm whether you want to perform these actions, and after the process finishes running an Apply complete indication is displayed.

          gcp-terraform-apply-complete.png

          You can view the output JSON file called cortex-service-account-<GCP host project ID>.json by running the ls command.

    6. Download the JSON file from Google Cloud Shell.

      1. In the Google Cloud Shell console, select the ellipsis icon (gcp-ellipsis-icon.png) > Download.

        gcp-download-file-folder.png
      2. Select the JSON file produced after running the Terraform script, and click Download.

    7. Upload the downloaded Service Account Key JSON file in the Configure Account screen in Cortex Xpanse. You can drag and drop the file, or Browse to the file.

    8. Click Next.

  4. (Optional) Define the Change Asset Logs screen of the wizard.

    Note

    You can skip this step if you’ve already configured a Google Cloud Platform data collector with a Pub/Sub asset feed collection.

    1. In the GCP Console, search for Topics, and select the Topics link.

    2. Click CREATE TOPIC.

      gcp-create-a-topic.png
    3. Specify a Topic ID, and click CREATE TOPIC.

      Note

      A Topic name is automatically populated underneath the Topic ID field.

      The new topic is listed in the table in the Topics page.

    4. Run the following command to create a feed on an asset using the gcloud CLI tool, which you can copy from the Change Asset Logs screen in Cortex Xpanse by selecting the copy icon (gcp-copy.png), and paste in the gcloud CLI tool.

      Note

      For more information on the gcloud CLI tool, see gcloud tool overview.

      gcloud asset feeds create <FEED_ID> --project=xdr-cloud-projectid --pubsub-topic="<Topic name>" --content-type=resource --asset-types="compute.googleapis.com/Instance,compute.googleapis.com/Image,compute.googleapis.com/Disk,compute.googleapis.com/Network,compute.googleapis.com/Subnetwork,compute.googleapis.com/Firewall,storage.googleapis.com/Bucket,cloudfunctions.googleapis.com/CloudFunction"

      The command contains a parameter already populated and parameters that you need to replace before running the command.

      • <FEED_ID>—Replace this placeholder text with a unique asset feed identifier of your choosing.

      • --project—This parameter is automatically populated from the Project ID field in the Configure Account screen wizard in Cortex Xpanse.

      • <Topic name>—Replace this placeholder text with the topic name you created in the Topic details page in the GCP console.

    5. In the GCP Console, search for Subscription, and select the Subscriptions link.

    6. Click CREATE SUBSCRIPTION for the topic you created.

    7. Set the following parameters.

      • Subscription ID—Specify a unique identifier for the subscription.

      • Select a Cloud Pub/Sub topic—Select the topic you created.

      • Delivery type—Select Pull.

    8. Click CREATE.

      The new subscription is listed in the table in the Subscriptions page.

    9. Select the subscription that you created for your topic and add PERMISSIONS for the subscriber in the Subscription details page.
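
The Service Account Key JSON file downloaded in step 3 is a long-lived credential, so it is worth checking before you upload it that it belongs to the intended host project and is not readable by other local users. The following is an added example, not part of the Cortex Xpanse documentation or its Terraform script; it assumes the file uses the standard GCP service account key fields, and `check_key_file`, `write_sample` and the project ID `example-host-project` are illustrative names.

```python
import json
import os
import stat
import tempfile

# Assumed: standard GCP service account key fields (the page only names the output file).
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def check_key_file(path, host_project):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if os.path.basename(path) != f"cortex-service-account-{host_project}.json":
        findings.append("file name does not match the host project")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o} exposes the key to group/other")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        return findings + ["file is not valid JSON"]
    if not isinstance(key, dict):
        return findings + ["JSON top level is not an object"]
    findings += [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    if key.get("project_id") != host_project:
        findings.append("project_id differs from the host project")
    if not str(key.get("client_email", "")).endswith(f"@{host_project}.iam.gserviceaccount.com"):
        findings.append("client_email is not a service account of the host project")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM private key")
    return findings

def write_sample(directory, project, mode=0o600, **overrides):
    """Write a constructed key file (placeholder key material) for the demo."""
    key = {"type": "service_account", "project_id": project, "private_key_id": "0" * 40,
           "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
           "client_email": f"cortex-ro@{project}.iam.gserviceaccount.com"}
    key.update(overrides)
    path = os.path.join(directory, f"cortex-service-account-{project}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_key_file(write_sample(tmp, "example-host-project"), "example-host-project"))
```

Pass the value you entered for var.host_project_id as `host_project`; once the upload to Cortex Xpanse succeeds, delete the local and Cloud Shell copies of the key file.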