Notice
This feature is included with Cloud Posture Security, Cloud Runtime Security or Cortex XSIAM Premium license.
The Discovery Engine is an essential component of Cortex XSIAM's security posture management. The Discovery Engine scans your onboarded cloud accounts and discovers your assets, services and resources. The discovered assets are added to the Unified Asset Inventory. Once these assets are identified, they can be scanned for misconfigurations and vulnerabilities, ensuring the security of your cloud environments. The cloud service provider (CSP) permissions that are required for the Discovery Engine are available here.
The Discovery Engine performs three main functionalities:
Full discovery scans: The Discovery Engine calls all of the APIs in the discovery catalog (depending on the scope defined in the onboarding wizard) to scan every visible asset, service, and resource in the onboarded CSP. This full scan is performed every 12 hours.
Event Assisted Ingestion (EAI): Using the collection of audit logs (whether enabled as part of the onboarding process or collected separately using a data collector), Cortex XSIAM analyzes the audit logs and identifies specific events or changes to certain asset types. If a change is identified, it triggers the Discovery Engine to scan that specific resource. This enables near-real-time discovery for specific assets, including VMs and data assets across AWS and GCP.
On-demand scans: You can initiate a discovery scan for a specific CSP account or cloud instance using the Discover Now option. For an account, right-click the account and select Discover Now. For a cloud instance, click the More options icon and select Discover Now. You can initiate an on-demand scan only when no scan is currently in progress; if a scan is already running, wait until it completes before starting a new one. The duration of a discovery scan varies with the number of resources being scanned.
How does the Discovery Engine work?
The Discovery Engine is an API collection engine that gathers information about your cloud environment. The engine executes resource ingestion templates (RIT) that define which CSP APIs and actions to call in order to collect, stitch, and normalize data, so that the resulting information is consistent. Once normalized, relevant assets are added or updated in the unified asset inventory. The specific APIs the engine calls are detailed in the discovery catalog, organized according to RITs. The processed data collected by the RITs is used to maintain an up-to-date inventory of all your cloud assets in the unified asset inventory.
Technical details
API limits: The Discovery Engine has no limit to the number of CSP APIs it calls; the goal is to provide a current and comprehensive view of your entire cloud environment. The number of API calls made by the Discovery Engine depends on the number of resources in your cloud environment, the frequency of changes to EAI-supported assets, and how often you run on-demand scans.
Retry mechanism: The Discovery Engine implements an exponential backoff mechanism with up to three retries, with retry attempts capped at a maximum of 1.5 minutes.
Infrastructure: The Discovery Engine always performs its functionality from the Cortex XSIAM tenant, regardless of whether you selected Cloud Scan or Scan with Outpost in the onboarding wizard.
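The following is an added illustration, not Cortex XSIAM code, of two behaviours described above: the EAI flow in which audit-log events for supported asset types trigger a targeted rescan, and the retry policy of up to three exponentially spaced retries capped at 1.5 minutes. The event names, the `resourceId` field, the base delay and the sample log lines are assumptions constructed for the example; only the retry count and the 1.5-minute cap come from the page.

```python
import json

MAX_RETRIES = 3              # page: up to three retries
MAX_BACKOFF_SECONDS = 90.0   # page: retry waits capped at 1.5 minutes
BASE_BACKOFF_SECONDS = 10.0  # assumption: first retry waits 10 s

# Assumption: audit-log event names treated as changes to EAI-supported
# asset types, mapped to the asset type that needs a targeted rescan.
EAI_EVENTS = {
    "RunInstances": "vm",
    "TerminateInstances": "vm",
    "CreateBucket": "data",
}

def backoff_schedule(base=BASE_BACKOFF_SECONDS,
                     cap=MAX_BACKOFF_SECONDS, retries=MAX_RETRIES):
    """Wait before each retry: base * 2**n, never above cap."""
    return [min(cap, base * 2 ** n) for n in range(retries)]

def call_with_retry(api_call, sleep, delays=None):
    """Call api_call; on failure wait per the schedule and try again.
    Returns (result, attempts); re-raises once retries are exhausted."""
    delays = backoff_schedule() if delays is None else delays
    for attempt, delay in enumerate(delays + [None], start=1):
        try:
            return api_call(), attempt
        except Exception:
            if delay is None:   # last attempt failed, no retries left
                raise
            sleep(delay)

def rescan_targets(audit_log_lines):
    """Map JSON audit-log lines to (asset_type, resource_id) pairs that
    trigger a targeted scan; other events wait for the 12-hour full scan."""
    targets = []
    for line in audit_log_lines:
        rec = json.loads(line)
        asset_type = EAI_EVENTS.get(rec.get("eventName"))
        if asset_type is not None:
            targets.append((asset_type, rec["resourceId"]))
    return targets

# Constructed sample audit-log lines (not real CSP output).
SAMPLE_LOG = [
    '{"eventName": "RunInstances", "resourceId": "i-0abc"}',
    '{"eventName": "DescribeInstances", "resourceId": "i-0abc"}',
    '{"eventName": "CreateBucket", "resourceId": "bucket-1"}',
]
```

A read-only call such as the DescribeInstances line produces no rescan, which is the point of EAI: only changes to supported asset types cost a targeted API call.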
Discovery catalog
The discovery catalog lists all of the resource ingestion templates (RIT). Each RIT has the following details:
RIT NAME: The name of the template
PROVIDER: The cloud service provider associated with this RIT
SERVICE: The specific API service invoked by the Discovery Engine as part of this RIT
ACTION: The action performed by the API service
SCOPE: Whether the action is performed on a regional scope or a global scope
ASSET TYPE: The asset type created from resources identified by this RIT. If there is no asset type listed, this RIT does not create an asset. It is an intermediary RIT used to support execution of other RITs.