All Cloud Assets - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-07-12
Category
Administrator Guide
Abstract

Cortex XSIAM enables you to view all your cloud assets from the various cloud assets categories on the All Cloud Assets page.

Note

Ingesting and Viewing Cloud Inventory Assets requires a Cortex XSIAM Pro per GB license.

The All Cloud Assets page enables you to view all your cloud assets from the various cloud assets categories that you configured for collection from Google Cloud Platform, Microsoft Azure, and Amazon Web Services using the Cloud Inventory data collector.

To view the All Cloud Assets page, select AssetsCloud InventoryAll Cloud Assets.

By default, the All Cloud Assets page displays all cloud assets according to the most recent time that the data was updated. To search for specific assets, use the filters above the results table to narrow the results. You can export the tables and respective asset views to a tab-separated values (TSV) file. From the All Cloud Assets page, you can also manage the asset's output using the right-click pivot menu. For more information, see Manage Your Cloud Inventory Assets.

The All Cloud Assets table is comprised of a number of common fields that are available when viewing any of the Specific Cloud Assets pages. The TYPE and SUBTYPE fields are only available in the All Cloud Assets table as these fields determine the Specific Cloud Assets categories, and can be used to filter the different types of assets from the entire list of assets.

When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link to open a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.

The following table describes the fields that are available when viewing All Cloud Assets in alphabetical order.

Note

Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.

Field

Description

AVAILABILITY ZONE*

Displays the AVAILABILITY ZONE according to the cloud provider.

CLOUD TAGS*

Displays any cloud tags or labels configured according to the cloud provider.

CREATION TIME*

Displays the time that the cloud asset was created.1 This information is not always available.

EXTERNAL IPS*

Displays a list of external public IPs.

GEO REGION*

Displays the normalized value indicating the geographic region, such as North America or the Middle East.

HEIRARCHY*

Displays the hierarchy of the associated PROJECT in the cloud provider separated by a forward slash (/) similar to a file path.

Note

The PROJECT is called something else in each cloud provider. For more information, see the PROJECT description.

INTEGRATION KEY

Internal Cortex XSIAM identification of the integration collection.

INTERNAL IPS*

Displays list of internal private IPs.

INTERNET EXPOSURE (PORTS)*

Displays a list of ports, where the details regarding these ports are available to view in the side panel.

LAST REPORTED STATUS*

Last reported status of the asset, such as AVAILABLE or READY.

NAME*

Name that describes the asset as given in the cloud provider if provided.

PROJECT*

Displays the associated project name as provided by the Cloud provider. For each cloud provider, the project is called something else.

  • AWS—Account

  • GCP—Project

  • Microsoft Azure—Subscription

PROJECT ID

Displays the associated project ID as provided by the Cloud provider, where the project is called something else in each cloud provider. See PROJECT description.

PROVIDER*

The cloud provider used to collect these cloud assets is either GCP, AWS, or Azure.

RAW ASSET

Internal Cortex XSIAM debug information that displays the raw data used to parse the data.

REGION*

Displays the region as provided by the Cloud provider.

RESOURCE GROUP

Displays the RESOURCE GROUP when using an Azure PROVIDER.

RESOURCE ID

Displays the RESOURCE ID as provided by the cloud provider.

SECONDARY ASSET ID

Displays a SECONDARY ASSET ID provided by the cloud provider that is used in Cortex XSIAM to identify the asset if a NAME is not provided.

SUBTYPE*

The subtype of cloud asset based on the TYPE configured, which can be defined as one of the following.

Note

Each Subtype is displayed with an icon beside it.

  • VM Instance

  • Bucket

  • Disk

  • Image

  • Subnet

  • Security Group

  • Other

This field is unique to the All Cloud Assets table.

TYPE*

Type of cloud asset, which can be defined as one of the following.

  • Compute

  • Cloud Function

  • Storage

  • Other

This field is unique to the All Cloud Assets table.

UPDATE TIME*

Displays the time that the cloud asset was updated. This information is not always available.

Due to a known AWS synchronization issue, where the creation time displayed in the AWS Console does not match the actual time when the AWS Bucket was created, the CREATION TIME in Cortex XSIAM does not always match the AWS Console as Cortex XSIAM displays the actual time.