Ingest cloud assets from Google Cloud Platform - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Extend Cortex XSIAM visibility into cloud assets from Google Cloud Platform.

Cortex XSIAM provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform (GCP). This capability provides deeper visibility to all the assets and superior context for incident investigation.

To receive cloud assets from GCP, you must configure the Data Sources settings in Cortex XSIAM using the Cloud Inventory data collector to configure the GCP wizard. The GCP wizard includes instructions to be completed both in GCP and the GCP wizard screens. After you set up data collection, Cortex XSIAM begins receiving new data from the source.

As soon as Cortex XSIAM begins receiving cloud assets, you can view the data in AssetsCloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format.

To configure the GCP cloud assets collection in Cortex XSIAM.

  1. Open the GCP wizard in Cortex XSIAM.

    1. Select SettingsData Sources.

    2. On the Data Sources page, click Add Data Source, search for and select Cloud Inventory, and click Connect.

    3. Click Google Cloud Platform.

  2. Define the Configure Account screen of the wizard.

    Setting the connection parameters on the right-side of the screen is dependent on certain configurations in GCP as explained below.

    1. Select the Organization Level as either Project (default), Folder, or Organization. The Organization Level that you select changes the instructions.

    2. Register your application for Cloud Asset API in Google Cloud Platform, Select a project where your application will be registered, and click Continue.

      The Cloud Asset API is enabled.

    3. Click Continue to open the GCP Cloud Console.

    4. On the main menu, select the project menu.

    5. In the window that opens, perform the following:

      1. From the Select from menu, select the organization that you want.

      2. The next steps to perform in Google Cloud Platform are dependent on the Organizational Level you selected in Cortex XSIAM - Project, Folder, or Organization.

        • Project or Folder Organization Level: In the table, copy one of the following IDs that you want to configure and paste it in the designated field in the Configure Account screen in Cortex XSIAM . The field in Cortex XSIAM is dependent on the Organizational Level you selected.

          -Project: Contains a project icon (gcp-project-icon.png) beside it, and the ID should be pasted in the Project ID field in Cortex XSIAM.

          -Folder: Contains a folder icon (gcp-folder-icon.png) beside it, and the ID should be pasted in the Folder ID field in Cortex XSIAM.

          When you are finished, click CANCEL to close the window.

        • Organization is the Organization Level: Select the ellipsis icon (gcp-ellipsis-icon.png)Settings. In the Settings page, copy the Organization ID for the applicable organization that you want to configure and paste it in the Organization Id field in the Configure Account screen in Cortex XSIAM.

    6. Select the menu iconStorageCloud StorageBrowser.

    7. You can either use an existing bucket from the list or create a new bucket. Copy the Name of the bucket and paste it in the Bucket Name field in the Configure Account screen in Cortex XSIAM.

    8. Define the following remaining connection parameters in the Configure Account screen in Cortex XSIAM.

      • Bucket Directory Name: You can either leave the default directory as Exported-Assets or define a new directory name that will be created for the exported assets collected for the bucket configured in GCP.

      • Cortex XDR Collection Name: Specify a name for your Cortex XSIAM collection that is displayed underneath the Cloud Inventory configuration for this GCP collection.

    9. Click Next.

  3. Define the Account Details screen of the wizard.

    1. Download the Terraform script. The name of the file downloaded is dependent on the Organizational Level that you configured in the Configure Account screen of the wizard.

      • Folder: cortex-xdr-gcp-folder-ro.tf

      • Project: cortex-xdr-gcp-project-ro.tf

      • Organization: cortex-xdr-gcp-organization-ro.tf

    2. Login to the Google Cloud Shell.

      gcp-cloud-shell.png
    3. Click Continue to open the Cloud Shell Editor.

      gcp-cloud-shell-editor.png
    4. Select FileOpen, and Open the Terraform script that you downloaded from Cortex XSIAM.

    5. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex XSIAM using the copy icon (gcp-copy.png).

      1. terraform init: Initializes the Terraform script. You need to wait until the initialization is complete before running the next command as indicated in the image below.

        gcp-terraform-init-complete.png
      2. terraform apply: When running this command, you are asked to enter the following values.

        • var.assets_bucket_name: Specify the GCP storage Bucket Name that you configured in the Configure Account screen of the wizard to contain GCP cloud asset data.

        • var.host_project_id: Specify the GCP Project ID to host the XDR service account and bucket, which you registered your application. Ensure that you use a permanent project.

        • var.project_id: Specify the Project ID, Folder ID, or Organization ID that you configured in the Configure Account screen of the wizard from GCP.

          After specifying all the values, you need to Authorize gcloud to use your credentials to make this GCP API call in the Authorize Cloud Shell dialog box that is displayed.

          Before the action completes, you need to confirm whether you want to perform these actions, and after the process finishes running an Apply complete indication is displayed.

          gcp-terraform-apply-complete.png

          You can view the output JSON file called cortex-service-account-<GCP host project ID>.json by running the ls command.

    6. Download the JSON file from Google Cloud Shell.

      1. In the Google Cloud Shell console, select ellipsis icon (gcp-ellipsis-icon.png)Download.

        gcp-download-file-folder.png
      2. Select the JSON file produced after running the Terraform script, and click Download.

    7. Upload the downloaded Service Account Key JSON file in the Configure Account screen in Cortex XSIAM. You can drag and drop the file, or Browse to the file.

    8. Click Next.

  4. (Optional) Define the Change Asset Logs screen of the wizard.

    Note

    You can skip this step if you’ve already configured a Google Cloud Platform data collector with a Pub/Sub asset feed collection.

    1. In the GCP Console, search for Topics, and select the Topics link.

    2. CREATE TOPIC.

    3. Specify a Topic ID, and CREATE TOPIC.

      Note

      A Topic name is automatically populated underneath the Topic ID field.

      The new topic is listed in the table in the Topics page.

    4. Run the following command to create a feed on an asset using the gcloud CLI tool, which you can copy from the Change Asset Logs screen in Cortex XSIAM by selecting the copy icon (gcp-copy.png), and paste in the gcloud CLI tool.

      Note

      For more information on the gcloud CLI tool. see gcloud tool overview.

      gcloud asset feeds create <FEED_ID> --project=xdr-cloud-projectid --pubsub-topic="<Topic name>" --content-type=resource --asset-types="compute.googleapis.com/Instance,compute.googleapis.com/Image,compute.googleapis.com/Disk,compute.googleapis.com/Network,compute.googleapis.com/Subnetwork,compute.googleapis.com/Firewall,storage.googleapis.com/Bucket,cloudfunctions.googleapis.com/CloudFunction"

      The command contains a parameter already populated and parameters that you need to replace before running the command.

      • <FEED_ID>: Replace this placeholder text with a unique asset feed identifier of your choosing.

      • --project: This parameter is automatically populated from the Project ID field in the Configure Account screen wizard in Cortex XSIAM.

      • <Topic name>—Replace this placeholder text with the topic name you created in the Topic details page in the GCP console.

    5. In the GCP Console, search for Subscription, and select the Subscriptions link.

    6. CREATE SUBSCRIPTION for the topic you created.

    7. Set the following parameters.

      • Subscription ID: Specify a unique identifier for the subscription.

      • Select a Cloud Pub/Sub topic: Select the topic you created.

      • Delivery type: Select Pull.

    8. Click CREATE.

      The new subscription is listed in the table in the Subscriptions page.

    9. Select the subscription that you created for your topic and add PERMISSIONS for the subscriber in the Subscription details page.

    10. ADD PRINCIPAL to add permissions for the Service Account that you created the key for in the JSON file and uploaded to the Configure Account wizard screen in Cortex XSIAM. Set the following permissions for the Service Account.

      • New principals: Select the designated Service Account Key you created in the JSON file.

      • Select a role: Select Pub/Sub Subscriber.

    11. Copy the Subscription name and paste it in the Subscription Name field on the right-side of the Change Asset Logs screen in Cortex XSIAM , and click Next.

      Note

      The Subscription Name is the name of the new Google Cloud Platform data collector that is configured with a Pub/Sub asset feed collection.

  5. Review the Summary screen of the wizard.

    If something needs to be corrected, you can go Back to correct it.

  6. Click Create.

    Once cloud assets from GCP start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last Collection time to display as the processing completes.

    Note

    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XSIAM.

    In addition, if you created a Pub/Sub asset feed collection, a green check mark appears underneath the Google Cloud Platform configuration with the amount of data received.

  7. After Cortex XSIAM begins receiving GCP cloud assets, you can view the data in AssetsCloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.