When onboarding your cloud instance using the onboarding wizard, after you download the authentication template and execute it in your cloud environment, notification is sent to Cortex XSIAM and a cloud instance is created. This connection between your cloud environment and the Cortex XSIAM cloud instance typically occurs automatically.
There are several scenarios when the instance should be connected manually:
You executed the template in your cloud environment and your environment is an air-gapped network. In this case, the notification to create the instance in Cortex XSIAM does not happen.
You have executed the template, but the instance has not appeared in Cloud Instances. This is often due to connectivity or firewall issues.
You have a specific need to connect the instance manually.
To manually connect a cloud instance, you need to identify the pending instance you want to connect. In Cloud Instances, remove the default filter that excludes pending instances. Right-click on a pending instance and select View Details to see the configuration details of that specific pending instance. After you have identified the pending instance you want to connect manually, right-click and select Manually connect an instance. For more information on pending instances, see Pending cloud instances.
In AWS Management Console, navigate to CloudFormation. Use the following table to guide you on where to obtain the necessary input for the manual onboarding. Not every field appears in every manual onboarding instance.
Connect Instance input field | Value |
|---|---|
Organization ID | Onboarded organization ID. |
Organizational Unit ID | Onboarded organizational unit ID. |
Account ID | Onboarded account ID. |
Role ARN | The value of → . |
External ID | The value of → . |
Audit Logs SQS URL | The value of → . |
Audit Logs Role ARN | The value of → → . |
Audit Logs Audience | Automatically populated. |
Outpost Scanner Role ARN | The value of → → . |
Open your local terminal (Command prompt, PowerShell, or Terminal).
Log in to your GCP account using the gcloud CLI:
gcloud auth login
Display the values of all defined output variables in your Terraform configuration, formatted as a JSON object:
terraform output -json
Use the following table to guide you on which values in the output map to the necessary input for the manual onboarding. Not every field appears in every manual onboarding instance.
Connect Instance input field | Value |
|---|---|
Organization ID | organization_id.value |
Project ID | project_id.value |
Folder ID | folder_id.value |
Service Account Email | service_account_email.value |
Audit Logs Audit Pubsub Subscription ID | resources_data.value.AUDIT_LOGS.audit_pubsub_subscription_id |
Audit Logs Service Account Email | resources_data.value.AUDIT_LOGS.audit_service_account_email |
Outpost Scanner Service Account Email | resources_data.value.OUTPOST_SCANNER.outpost_scanner_service_account_email |
Open your local terminal (Command prompt, PowerShell, or Terminal).
Log in to your Azure account using the Azure CLI:
az login
Display the values of all defined output variables in your Terraform configuration, formatted as a JSON object:
terraform output -json
Use the following table to guide you on which values in the output map to the necessary input for the manual onboarding. Not every field appears in every manual onboarding instance.
Connect Instance input field | Value |
|---|---|
Resource Group Location (only for subscription scope) | Onboarded resource group location |
Resource Group Name | Automatically populated |
Audit Logs Audience | Automatically populated |
Audit Logs Storage Account Name | resources_data.value.AUDIT_LOGS.storage_account_name |
Audit Logs Tenant ID | Automatically populated |
Audit Logs Client ID | resources_data.value.AUDIT_LOGS.client_id |
Audit Logs Namespace | resources_data.value.AUDIT_LOGS.namespace |
Audit Logs Eventhub Name | resources_data.value.AUDIT_LOGS.eventhub_name |
Audit Logs Azure Audit Eventhub Consumer Group Name | resources_data.value.AUDIT_LOGS.azure_audit_eventhub_consumer_group_name |
Navigate to the Microsoft Azure Portal and log in.
Use the following table to guide you on which values in the output map to the necessary input for the manual onboarding. Not every field appears in every manual onboarding instance.
Connect Instance input field | Value |
|---|---|
Resource Group Location (only for subscription scope) | Onboarded resource group location |
Resource Group Name | Automatically populated |
Audit Logs Audience | Automatically populated |
Audit Logs Storage Account Name | Navigate to Storage accounts and filter by resource group. |
Audit Logs Tenant ID | Automatically populated |
Audit Logs Client ID | Navigate to App registrations and sort by time. The default name starts with "auditlogsapp". |
Audit Logs Namespace | Navigate to Event Hubs and filter by resource group. |
Audit Logs Eventhub Name | Navigate to Event Hubs and select the Event Hub Namespace. Under Event Hubs, take the value in the Name column. |
Audit Logs Azure Audit Eventhub Consumer Group Name | Navigate to Event Hubs -and select the Event Hub Namespace and then the Event Hub. Under Consumer Groups, use the value in the Name column, but not ‘$Default’. |
Open your local terminal (Command prompt, PowerShell, or Terminal).
Log in to your OCI account using the OCI CLI:
oci session authenticate
Display the values of all defined output variables in your Terraform configuration, formatted as a JSON object:
terraform output -json
Use the following table to guide you on which values in the output map to the necessary input for the manual onboarding. Not every field appears in every manual onboarding instance.
Connect instance input field
Value
Tenancy OCID
tenancy_ocid.value
Home Region
home_region.value
Cortex Policy
cortex_policy.value
Cortex Group
cortex_group.value
Authentication Method
The authentication method being used
Open your local terminal (Command prompt, PowerShell, or Terminal).
Log in to your Alibaba Cloud account using the aliyun CLI:
aliyun auth login
Display the values of all defined output variables in your Terraform configuration, formatted as a JSON object:
terraform output -json
Use the following table to guide you on which values in the output map to the necessary input for the manual onboarding. Not every field appears in every manual onboarding instance.
Connect instance input field
Value
Alibaba Cloud Account ID
alibaba_cloud_account_id.value
Alibaba Cloud Region
alibaba_cloud_region.value
RAM Role ARN
ram_role_arn.value
OIDC Provider ARN
oidc_provider_arn.value
authentication method
The authentication method being used