Ingest Cloud Assets from Microsoft Azure

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-05-22
Last date published: 2024-09-03
Category: User Guide
Solution: Cloud
Abstract

Extend Cortex Xpanse visibility into cloud assets from Microsoft Azure.

Cortex Xpanse provides a unified, normalized asset inventory for cloud assets in Microsoft Azure. This capability provides deeper visibility to all the assets and superior context for incident investigation.

To receive cloud assets from Microsoft Azure, you must configure the Collection Integrations settings in Cortex Xpanse: add an instance of the Cloud Inventory data collector and complete the Microsoft Azure wizard. The wizard includes steps that you complete in the Microsoft Azure portal as well as steps that you complete in the wizard screens themselves. After you set up data collection, Cortex Xpanse begins receiving new data from the source.

As soon as Cortex Xpanse begins receiving cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the Microsoft Azure cloud assets collection in Cortex Xpanse:

  1. Open the Microsoft Azure wizard in Cortex Xpanse.

    1. Select Settings → Configurations → Data Collection → Collection Integrations.

    2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.

    3. Click Azure.

  2. Define the Configure Account screen of the wizard.

    The connection parameters on the right side of the screen depend on certain configurations in Microsoft Azure, as explained below.

    1. Select the Organization Level as either Subscription (default), Tenant, or Management Group. The Organization Level that you select changes the instructions and fields displayed on the screen.

    2. Log in to your Microsoft Azure Portal.

    3. Search for Subscriptions, select Subscriptions, copy the applicable Subscription ID in Azure, and paste it in the Subscription ID field in the Configure Account screen wizard in Cortex Xpanse.

      Note

      This step is only relevant if you’ve configured the Organization Level as Subscription in the Configure Account screen in Cortex Xpanse. Otherwise, you can skip this step if the Organization Level is set to Tenant or Management Group.

    4. Search for Management groups, select Management groups, copy the applicable ID in Azure, and paste it in the Management Group ID field in the Configure Account screen wizard in Cortex Xpanse.

      Note

      This step is only relevant if you’ve configured the Organization Level as Management Group in the Configure Account screen in Cortex Xpanse. Otherwise, you can skip this step if the Organization Level is set to Subscription or Tenant.

    5. Search for Tenant properties, select Tenant properties, copy the Tenant ID in Azure, and paste it in the Tenant ID field in the Configure Account screen wizard in Cortex Xpanse.

    6. Specify a Cortex Xpanse Collection Name to be displayed underneath the Cloud Inventory configuration for this Azure collection.

    7. Click Next.

  3. Define the Account Details screen of the wizard.

    1. Download the Terraform script. The name of the downloaded file depends on the Organization Level that you configured in the Configure Account screen of the wizard.

      • Subscription: cortex-xdr-azure-subscription-ro.tf

      • Management Group: cortex-xdr-azure-group-ro.tf

      • Tenant: cortex-xdr-azure-org-ro.tf

    2. Log in to the Azure Cloud Shell portal, and select Bash.

    3. Click the upload/download icon, select Upload, browse to the Terraform script, and click Open.

      A notification with the Upload destination is displayed on the bottom-right corner of the screen.

    4. Use the following commands to run the Terraform script. You can copy the commands from the Account Details screen in Cortex Xpanse using the copy icon.

      1. terraform init: Initializes the Terraform script. Wait until the initialization is complete before running the next command, as shown in the image below.

        [Image: azure-terraform-init-successful.png]

      2. terraform apply: When you run this command, you are asked to enter the following values, which depend on the Organization Level that you configured.

        Note

        Before running this command, ensure that your Azure CLI client is logged in by running az login. For more information, see Sign in with Azure CLI.

        • var.subscription_id: Specify the Subscription ID that you copied from Microsoft Azure into the Configure Account screen of the wizard. This value only needs to be specified if the Organization Level is set to Subscription.

        • var.management_group_id: Specify the Management Group ID that you copied from Microsoft Azure into the Configure Account screen of the wizard. This value only needs to be specified if the Organization Level is set to Management Group.

        • var.tenant_id: Specify the Tenant ID that you copied from Microsoft Azure into the Configure Account screen of the wizard.

      Before the action completes, Terraform asks you to confirm whether you want to perform these actions. After the process finishes running, an Apply complete message is displayed.

      [Image: azure-apply-complete.png]

    5. Copy the client_id value displayed in the Cloud Shell window and paste it in the Application Client ID field in the Account Details screen in Cortex Xpanse.

    6. Copy the secret value displayed in the Cloud Shell window and paste it in the Secret field in the Account Details screen in Cortex Xpanse.

    7. Download the JSON file from Cloud Shell using the upload/download icon, so that you have the output field values for future reference.

    8. Click Next.

  4. Review the Summary screen of the wizard.

    If something needs to be corrected, you can go Back to correct it.

  5. Click Create.

    Once cloud assets from Azure start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last collection time to display while processing completes.

    Note

    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex Xpanse.

  6. After Cortex Xpanse begins receiving Azure cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.

Once you've configured the Azure cloud collection integration, it may take up to 48 hours for new asset records, services, websites, alerts, and incidents to appear in Expander. This is because the collection process must run multiple times to ensure that data is only loaded for high confidence resources and can be properly combined with Xpanse global scan findings.

If after 48 hours you still don't see new assets, services, websites, alerts, and incidents, check for errors on the collection integration configuration page in Settings. You should also ensure that there are active compute instances in the linked subscription, tenant, or management group.
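The following Bash script is an added example, written here for this guide; it is not part of the Cortex Xpanse product or of the Palo Alto Networks Terraform script. It wraps the terraform init and terraform apply commands from the Account Details step so that the Tenant ID and Subscription ID are checked for GUID shape before Terraform creates anything in Azure, confirms that the Azure CLI session is logged in (the az login prerequisite above), saves the Terraform outputs to a JSON file for the "future reference" step, and counts running VMs in the linked scope, which is the "active compute instances" check from the troubleshooting advice above. It assumes the downloaded .tf file is in the current Cloud Shell directory and declares the variables subscription_id, management_group_id and tenant_id; the output name client_id is taken from the guide, while the Organization Level keywords (subscription, management_group, tenant) and the file name xpanse-azure-output.json are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example for the Cortex Xpanse Azure wizard steps; not the product's own code.
# Assumes the wizard's .tf file is in the current directory and declares the variables
# subscription_id, management_group_id and tenant_id. The JSON file name below and the
# level keywords are chosen here, not taken from the product.
set -eu

# Azure subscription and tenant IDs are GUIDs; succeeds only when the argument is one.
is_guid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Build the -var arguments for "terraform apply" from the Organization Level chosen
# in the wizard. The tenant ID is always required; the third argument is the
# Subscription ID or Management Group ID depending on the level.
# Usage: build_apply_args subscription|management_group|tenant TENANT_ID [SCOPE_ID]
build_apply_args() {
  level=$1; tenant_id=$2; scope_id=${3:-}
  is_guid "$tenant_id" || { echo "tenant_id is not a GUID: $tenant_id" >&2; return 1; }
  args="-var tenant_id=$tenant_id"
  case "$level" in
    subscription)
      is_guid "$scope_id" || { echo "subscription_id is not a GUID: $scope_id" >&2; return 1; }
      args="$args -var subscription_id=$scope_id" ;;
    management_group)
      [ -n "$scope_id" ] || { echo "management_group_id is required" >&2; return 1; }
      args="$args -var management_group_id=$scope_id" ;;
    tenant) ;;
    *) echo "unknown organization level: $level" >&2; return 1 ;;
  esac
  printf '%s\n' "$args"
}

# Count VMs in the "VM running" power state that the CLI session can see. The guide
# notes that assets only appear when the linked scope has active compute instances.
running_vm_count() {
  az vm list -d --query "[?powerState=='VM running'] | length(@)" -o tsv
}

# Run the two commands from the guide. "terraform apply" is left interactive so the
# plan is reviewed and confirmed before anything is created, exactly as the guide
# describes. The secret output is written to the JSON file, not echoed to the terminal.
run_terraform() {
  level=$1; tenant_id=$2; scope_id=${3:-}
  az account show >/dev/null 2>&1 || { echo "Azure CLI is not logged in; run: az login" >&2; return 1; }
  apply_args=$(build_apply_args "$level" "$tenant_id" "$scope_id")
  echo "Running VMs visible to this session: $(running_vm_count)"
  terraform init
  # Word-splitting of $apply_args into separate -var arguments is intended.
  terraform apply $apply_args
  # Keep every output (client_id, secret, ...) for the "future reference" step.
  terraform output -json > xpanse-azure-output.json
  echo "Application Client ID: $(terraform output -raw client_id)"
  echo "Secret and other outputs saved to xpanse-azure-output.json"
}

# Usage: ./azure-xpanse-apply.sh subscription <tenant-guid> <subscription-guid>
if [ "$#" -ge 2 ]; then
  run_terraform "$@"
fi
```

Paste the Application Client ID into the wizard as before, and read the secret from xpanse-azure-output.json (for example with `jq -r .secret.value`) rather than from the scrollback of the shared Cloud Shell window; delete the JSON file once the wizard reports a successful collection.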