Extend Cortex XSIAM visibility into cloud assets from AWS.
Cortex XSIAM provides a unified, normalized asset inventory for cloud assets in AWS. This capability provides deeper visibility into all assets and better context for incident investigation.
To receive cloud assets from AWS, configure the Data Sources settings in Cortex XSIAM: use the Cloud Inventory data collector to open and complete the AWS wizard. The wizard includes instructions to be completed both in AWS and on the wizard screens. After you set up data collection, Cortex XSIAM begins receiving new data from the source.
As soon as Cortex XSIAM begins receiving cloud assets, you can view the data in → , where All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the AWS cloud assets collection in Cortex XSIAM:
Open the AWS wizard in Cortex XSIAM.
Select → . On the Data Sources page, click Add Data Source, search for and select Cloud Inventory, and click Connect.
Click AWS.
Define the Account Details screen of the wizard.
The connection parameters on the right side of the screen depend on certain configurations in AWS, as explained below.
Select the Organization Level as either Account (default), Organization, or Organization Unit. The Organization Level that you select changes the instructions and fields displayed on the screen.
Sign in to your AWS master account.
Create a stack called XDRCloudApp using the preset Cortex XSIAM template in AWS.
The following details are automatically filled in for you in the AWS CloudFormation stack template:
Stack Name: The default name for the stack is XDRCloudApp.
CortexXDRRoleName: The name of the role that will be used by Cortex XSIAM to authenticate and access the resources in your AWS account.
External ID: The Cortex XSIAM Cloud ID, a randomly generated UUID that is used to enable the trust relationship in the role's trust policy.
To create the stack, accept the IAM acknowledgment for resource creation by selecting the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, and click Create Stack.
Wait for the Status to update to CREATE_COMPLETE on the Stacks page that is displayed, and select the XDRCloudApp stack under the Stack name column in the table.
Select the Outputs tab and copy the Value of the Role ARN.
Paste the Role ARN value in one of the following fields in the Account Details screen in Cortex XSIAM. The field name depends on the Organization Level that you selected.
Account: Paste the value in the Account Role ARN field.
Organization: Paste the value in the Master Role ARN field.
Organization Unit: Paste the value in the Master Role ARN field.
Set the Root ID in Cortex XSIAM.
Note: This step is only relevant if you've configured the Organization Level as Organization in the Account Details screen in Cortex XSIAM. Skip this step if the Organization Level is set to Account or Organization Unit.
From the main menu of the AWS Console, select → . Copy the Root ID displayed under the Root directory and paste it in the Root ID field in the Account Details screen in Cortex XSIAM.
Set the Organization Unit ID in Cortex XSIAM.
Note: This step is only relevant if you've configured the Organization Level as Organization Unit in the Account Details screen in Cortex XSIAM. Skip this step if the Organization Level is set to Account or Organization.
On the main menu of the AWS Console, select your username, and then My Organization.
In the organizational structure, select the Organization Unit that you want to configure. Organization Units are marked with an OU icon.
Copy the ID and paste it in the Organization Unit ID field in the Account Details screen in Cortex XSIAM.
Define the following remaining connection parameters in the Account Details screen in Cortex XSIAM:
Account Role External ID / Master External ID: The name of this field depends on the Organization Level configured. This field is automatically populated with a value. You can either leave this value or replace it with another value.
Cortex XDR Collection Name: Specify a name for your Cortex XSIAM collection that is displayed underneath the Cloud Inventory configuration for this AWS collection.
Click Next.
Define the Configure Member Accounts screen of the wizard.
Note: This wizard screen is only displayed if you've configured the Organization Level as Organization or Organization Unit in the Account Details screen in Cortex XSIAM. Skip this step when the Organization Level is set to Account.
Configuring member accounts depends on creating a stack set and configuring stack instances in AWS, which can be performed using either the Amazon Command Line Interface (CLI) or a CloudFormation template via the AWS Console. Use one of the following methods:
After Cortex XSIAM begins receiving AWS cloud assets, you can view the data in → , where All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.
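The stack-creation steps above rely on the External ID to enable the trust relationship in the role's trust policy. The following added example (not part of the Cortex XSIAM documentation or its CloudFormation template) audits a trust policy document to confirm that each `sts:AssumeRole` grant to an AWS principal is bound to the expected external ID. The account ID, UUID and both sample policies are constructed placeholders.

```python
import json

# Constructed values: the account ID and UUID are placeholders, and the
# policies are samples, not the contents of the Cortex XSIAM template.
EXPECTED_EXTERNAL_ID = "11111111-2222-3333-4444-555555555555"
PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:root"}

GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": PRINCIPAL, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}}}]})

# Same grant with the condition dropped: the role no longer requires the
# external ID, which removes the confused-deputy protection it provides.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": PRINCIPAL, "Action": "sts:AssumeRole"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, expected_external_id):
    """Return findings; an empty list means every sts:AssumeRole grant to an
    AWS principal is bound to the expected external ID."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for idx, stmt in enumerate(statements):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not (
                {"sts:assumerole", "sts:*", "*"} & actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws:
            continue  # service and federated principals are out of scope here
        if "*" in aws:
            findings.append(f"statement {idx}: wildcard principal")
        # Only an exact-match StringEquals condition counts; condition key
        # names are matched case-insensitively.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = [x for k, v in equals.items()
                   if k.lower() == "sts:externalid" for x in _as_list(v)]
        if not ext_ids:
            findings.append(f"statement {idx}: no StringEquals sts:ExternalId")
        elif ext_ids != [expected_external_id]:
            findings.append(f"statement {idx}: unexpected external ID")
    return findings
```

To audit the deployed role, pass in the document returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`, together with the external ID shown in the Account Details screen.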