Ingest Cloud Assets from AWS

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Extend Cortex XSIAM visibility into cloud assets from AWS.

Cortex XSIAM provides a unified, normalized asset inventory for cloud assets in AWS. This gives you deeper visibility into all of your assets and richer context for incident investigation.

To receive cloud assets from AWS, add a Cloud Inventory data collector under Data Sources in Cortex XSIAM and complete the AWS wizard. The wizard includes steps that you perform in AWS and steps that you perform in the wizard screens. After you set up data collection, Cortex XSIAM begins receiving new data from the source.

As soon as Cortex XSIAM begins receiving cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.

To configure AWS cloud asset collection in Cortex XSIAM:

  1. Open the AWS wizard in Cortex XSIAM.

    1. Select Settings → Data Sources.

    2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.

    3. Click AWS.

  2. Define the Account Details screen of the wizard.

    Setting the connection parameters on the right side of the screen depends on certain configurations in AWS, as explained below.

    1. Select the Organization Level as either Account (default), Organization, or Organization Unit. The Organization Level that you select changes the instructions and fields displayed on the screen.

    2. Sign in to your AWS master account.

    3. Create a stack called XDRCloudApp using the preset Cortex XSIAM template in AWS.

      The following details are automatically filled in for you in the AWS CloudFormation stack template.

      • Stack Name—The default name for the stack is XDRCloudApp.

      • CortexXDRRoleName—The name of the role that will be used by Cortex XSIAM to authenticate and access the resources in your AWS account.

      • External ID—The Cortex XSIAM Cloud ID, a randomly generated UUID that is used to enable the trust relationship in the role's trust policy.

      To create the stack, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Create Stack.

    4. Wait for the Status to update to CREATE_COMPLETE in the Stacks page that is displayed, and select the XDRCloudApp stack under the Stack name column in the table.

    5. Select the Outputs tab and copy the Value of the Role ARN.

    6. Paste the Role ARN value in one of the following fields in the Account Details screen in Cortex XSIAM. The field name is dependent on the Organization Level that you selected.

      • Account—Paste the value in the Account Role ARN field.

      • Organization—Paste the value in the Master Role ARN field.

      • Organization Unit—Paste the value in the Master Role ARN field.

    7. Set the Root ID in Cortex XSIAM.

      Note

      This step is only relevant if you’ve configured the Organization Level as Organization in the Account Details screen in Cortex XSIAM. Otherwise, you can skip this step if the Organization Level is set to Account or Organization Unit.

      1. From the main menu of the AWS Console, select <your username> → My Organization.

      2. Copy the Root ID displayed under the Root directory and paste it in the Root ID field in the Account Details screen in Cortex XSIAM.

    8. Set the Organization Unit ID in Cortex XSIAM.

      Note

      This step is only relevant if you’ve configured the Organization Level as Organization Unit in the Account Details screen in Cortex XSIAM. Otherwise, you can skip this step if the Organization Level is set to Account or Organization.

      1. On the main menu of the AWS Console, select your username, and then My Organization.

      2. In the organizational structure, select the Organization Unit (shown with the OU icon beside it) that you want to configure.

      3. Copy the ID and paste it in the Organization Unit ID field in the Account Details screen in Cortex XSIAM.

    9. Define the following remaining connection parameters in the Account Details screen in Cortex XSIAM.

      • Account Role External ID / Master External ID—The name of this field is dependent on the Organization Level configured. This field is automatically populated with a value. You can either leave this value or replace it with another value.

      • Cortex XDR Collection Name—Specify a name for your Cortex XSIAM collection that is displayed underneath the Cloud Inventory configuration for this AWS collection.

    10. Click Next.

  3. Define the Configure Member Accounts screen of the wizard.

    Note

    This wizard screen is only displayed if you’ve configured the Organization Level as Organization or Organization Unit in the Account Details screen in Cortex XSIAM. Otherwise, you can skip this step when the Organization Level is set to Account.

    Configuring member accounts depends on creating a stack set and configuring stack instances in AWS, which you can do either with the AWS Command Line Interface (CLI) or with a CloudFormation template in the AWS Console. Both methods are explained in the instructions below.

    • Define the account credentials using Amazon CLI.

      1. Select the Amazon CLI tab, which is displayed by default.

      2. Open the Amazon CLI.

        Note

        For more information on how to set up the AWS CLI tool, see the AWS Command Line Interface Documentation.

      3. Run the following command to create a stack set. You can copy it from the Configure Member Accounts screen by selecting the copy icon and paste it in the Amazon CLI. This command includes the Role Name and External ID field values configured in the wizard screen.

        aws cloudformation create-stack-set --stack-set-name StackSetCortexXdr01 --template-url https://cortex-xdr-xcloud-onboarding-scripts-dev.s3.us-east-2.amazonaws.com/cortex-xdr-xcloud-master-dev-1.0.0.template --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true --parameters ParameterKey=ExternalID,ParameterValue=c9a7024c-3f07-40ed-a4fb-c3a5eba778e2 --capabilities CAPABILITY_NAMED_IAM

      4. Run the following command to add stack instances to your stack set. You can copy it from the Configure Member Accounts screen by selecting the copy icon and paste it in the Amazon CLI. For the --deployment-targets parameter, specify the organization root ID to deploy to all accounts in your organization, or specify Organization Unit IDs to deploy to all accounts in those Organization Units. In this parameter, replace <Org_OU_ID1>, <Org_OU_ID2>, and <Region> according to your AWS settings.

        aws cloudformation create-stack-instances --stack-set-name StackSetCortexXdr01 --deployment-targets OrganizationalUnitIds='["<Org_OU_ID1>", "<Org_OU_ID2>"]' --regions '["<Region>"]'

        In this example, the Organization Unit IDs are ou-rcuk-1x5j1lwo and ou-rcuk-slr5lh0a, and the region is eu-west-1.

        aws cloudformation create-stack-instances --stack-set-name StackSet_myApp --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' --regions '["eu-west-1"]'

        Once completed, in the AWS Console, select Services → CloudFormation → StackSets; the StackSet is now listed in the table.

    • Define the account credentials using AWS CloudFormation.

      1. Select the CloudFormation tab.

      2. Download the CloudFormation template. The downloaded file is called cortex-xdr-aws-master-ro-1.0.0.template.

      3. Sign in to your AWS Master Account using the AWS Console, select Services → CloudFormation → StackSets, and click Create StackSet.

      4. Define the following settings.

        - Select Template is ready.

        - Select Upload a template file, click Choose file, and select the CloudFormation template that you downloaded.

      5. Click Next.

      6. Define the following settings.

        - StackSet name—Specify a name for the StackSet.

        - ExternalID—Copy this value from the External ID field on the right side of the Configure Member Accounts screen in Cortex XSIAM.

      7. Click Next.

      8. Select Service-managed permissions, and click Next.

      9. Define the following settings.

        Deployment targets

        - Select Deploy to the organization.

        - Select Enabled for Automatic deployments.

        - Select Delete stacks for Account removal behavior.

        Specify regions

        - Select one region only. (It can be any region.)

        Deployment options

        - For Maximum concurrent accounts, select Percentage, and in the field specify 100.

        - For Failure tolerance, select Percentage, and in the field specify 100.

      10. Click Next.

      11. To create the StackSet, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Submit.

        When the process completes, the Status of the StackSet is SUCCEEDED in the StackSet details page.

  4. Review the Summary screen of the wizard.

    If something needs to be corrected, you can go Back to correct it.

  5. Click Create.

    Once cloud assets from AWS start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last Collection time displayed. It can take a few minutes for the Last Collection time to display while processing completes.

    Note

    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XSIAM.

  6. After Cortex XSIAM begins receiving AWS cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.
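The External ID that the wizard writes into the role's trust policy is what stops any other principal in the Cortex XSIAM account from assuming your role (the confused-deputy problem). The following check, an added example that is not Cortex XSIAM or AWS code, verifies that the trust policy of the role created by the XDRCloudApp stack carries an sts:ExternalId condition matching the wizard's value and no wildcard principal. The sample policy, the account ID in it and the role name passed to fetch_trust_policy are constructed placeholders; the external ID is the one from the page's example command.

```python
"""Verify the trust policy of the Cortex XSIAM cross-account role."""
import uuid

# Constructed sample of the AssumeRolePolicyDocument IAM returns for the role.
# Account ID 111111111111 is a placeholder; the external ID is the page's example.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "sts:ExternalId": "c9a7024c-3f07-40ed-a4fb-c3a5eba778e2"}},
    }],
}


def _as_list(value):
    """IAM allows scalars or lists for Action, Principal.AWS and condition values."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_external_id):
    """Return a list of findings; an empty list means the trust policy passes."""
    findings = []
    try:
        uuid.UUID(expected_external_id)  # the wizard generates a UUID
    except ValueError:
        findings.append("external ID is not a UUID")
    assume_stmts = [s for s in policy.get("Statement", [])
                    if s.get("Effect") == "Allow"
                    and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not assume_stmts:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in assume_stmts:
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append("wildcard principal may assume the role")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = _as_list(condition.get("sts:ExternalId", []))
        if not ext_ids:
            findings.append("statement lacks an sts:ExternalId condition")
        elif expected_external_id not in ext_ids:
            findings.append("sts:ExternalId does not match the wizard's External ID")
    return findings


def fetch_trust_policy(role_name="<CortexXDRRoleName value>"):
    """Read the live trust policy; assumes boto3 is installed and credentials are set."""
    import boto3  # imported lazily so the offline check above needs no AWS access
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return role["AssumeRolePolicyDocument"]  # boto3 returns it as a dict


if __name__ == "__main__":
    problems = check_trust_policy(SAMPLE_TRUST_POLICY,
                                  "c9a7024c-3f07-40ed-a4fb-c3a5eba778e2")
    print("trust policy OK" if not problems else "\n".join(problems))
```

Replace SAMPLE_TRUST_POLICY with fetch_trust_policy(role_name) to check the role the stack actually created, using the External ID shown in the Account Details screen.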