Manage Your Cloud Inventory Assets

Cortex® XDR™ provides a central location to view and investigate information relating to inventory assets in the cloud.
Ingesting and Viewing Cloud Inventory Assets requires a Cortex XDR Pro per TB license.
The All Cloud Assets and Specific Cloud Assets pages provide a central location from which you can view and investigate information relating to inventory assets in the cloud. These cloud inventory assets are collected from Google Cloud Platform, Microsoft Azure, and Amazon Web Services depending on your defined cloud configurations, and are received by Cortex® XDR™ using the Cloud Inventory data collector. These pages are designed in a similar format so you can navigate to the page, view the data, and perform the same tasks to easily investigate your assets.
To manage your cloud inventory assets:
  1. Select Assets → Cloud Inventory.
  2. View All Cloud Assets by remaining on the page, or select a Specific Cloud Assets page from the list available on the left panel.
    By default, the pages display all cloud assets according to the most recent time that the data was updated.
  3. (Optional) Filter and review your assets.
    You can use the filter icon at the top of the page to build a filter from scratch, or filter the individual columns to view the information you are looking for. To create a persistent filter, save it.
  4. (Optional) Export your filtered results to a tab-separated values (TSV) file using the Export to file icon at the top of the page.
  5. (Optional) Investigate any asset further by selecting the applicable row in the table to reveal a side panel.
    The side panel enables you to view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link that opens, in a new tab, a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
    The following table describes the common side panel components that are displayed for all asset types and subtypes, and the specific side panel components based on the specific cloud assets type selected.
    Side Panel Component
    Description
    Common Side Panel Components
    Header
    The header row displays the following information about the asset.
    • The NAME of the asset as displayed in the table. If there is no value for the asset name, the SECONDARY ASSET ID for the asset is used.
    • The TYPE of asset.
    • Additional specific information per asset type, which is displayed only if a value is available.
    • The cloud PROVIDER.
    Asset Metadata
    This section includes the following fields, which are displayed if the information is available from the output field values in the table.
    • Created at—Timestamp, which is not always available.
    • Updated at—Timestamp, which is not always available.
    • Region—Displays the region as provided by the cloud provider.
    • Availability zone—Displays the AVAILABILITY ZONE according to the cloud provider.
    • Geo Location—Displays the normalized value indicating the geographic region, such as North America or Middle East.
    • Project—Displays the associated project name as provided by the cloud provider. Each cloud provider uses a different term for the project.
      • AWS—Account
      • GCP—Project
      • Microsoft Azure—Subscription
    • Hierarchy—Displays the hierarchy of the associated PROJECT in the cloud provider, separated by a forward slash (/), similar to a file path. Each cloud provider uses a different term for the project. For more information, see the PROJECT description.
    • Public IPs—Displays a list of external public IPs.
    • Private IPs—Displays a list of internal private IPs.
    • Cloud Tags—Displays any cloud tags or labels configured according to the cloud provider.
    • Last Reported Status—Last reported status of the asset, such as AVAILABLE or READY.
    Asset Editors
    A bar chart of the identities of the Asset Editors is displayed. Up to 5 editors are displayed in a horizontal bar chart listing the percentage of editing actions for a single identity. The chart data does not include any actions where the identity could not be resolved. If there are more than 5 editors, the remaining editors are grouped in an Others bar.
    The Asset Editors section provides a link that opens, in a new tab, a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
    A notification about the data is also provided using the format *Data since <timestamp>.
    Internet Exposure
    When there are any open external ports, the open ports and their corresponding details are displayed.
    • Title—The title format is <IP>:<port>. When you hover your mouse over the title, you expose the Show banner info icon, which opens a Banner window with the raw JSON text obtained from Cortex Xpanse containing the banner, which you can view in JSON VIEW (default) or TREE VIEW.
    • Observed Services—The type of service observed with the open external port, such as MySQL, HTTP, and TLS.
    • Observed at—A timestamp for when the open external port was noticed.
    Specific Side Panel Components
    VM Instance
    The TYPE of asset is set to Compute and the SUBTYPE is set to VM Instance. The header includes the following additional fields.
    • Machine type—Displays the type of machine.
    • Last started—Displays the last time the machine started.
    The following data is displayed in the panel.
    • Disks—A list of disks, where each disk has the following properties.
      • Disk name. When you hover over the disk name, you expose the Show Disk icon, which enables you to view in the side panel the associated disk information, such as the disk size in GB.
      • Boot Disk—Boolean value as either Yes or No.
      • Disk Type—Type of disk, such as ebs or persistent.
    • Network Interfaces—List of network interfaces, where the following is displayed for each network interface, if the data exists.
      • Name of the network interface.
      • IP—The IP address of the network interface.
      • When you hover over the network interface name, you expose icons for the actions that open different side panel components.
        - View associated VPC—Drills down to the VPC side panel component if the ID exists.
        - View network interface details—Drills down to the corresponding Network Interface row if the ID exists.
        - View associated subnet—Drills down to the Subnet side panel component if the ID exists.
    Disk
    Displays the following information in the Header.
    • Compute Disk as the specific cloud assets type.
    • Is Encrypted—Displays a boolean value as either Yes or No to indicate whether the disk is encrypted.
    • Size of the disk in GB.
    VPC
    Displays the following information in the Header.
    • Virtual Private Cloud (VPC) as the specific cloud assets type.
    • CIDRs—A list of CIDRs.
    • Default—Displays a boolean value as either Yes or No to indicate whether this asset is the default VPC.
    The following actions are available only if this information is provided from the cloud provider.
    • Show Peer networks—Pivot to a new tab with the VPC Networks table, which is filtered on the list of IDs.
    • Show Subnets—Pivot to a new tab with the Subnets table, which is filtered on the list of IDs.
    Subnet
    Displays the following information in the Header.
    • Subnet as the specific cloud assets type.
    • CIDRs—A list of CIDRs.
    Cloud Function
    Displays the following information in the Header.
    • Cloud Functions as the specific cloud assets type.
    • Runtime—Displays the runtime system, such as python3.9.
    • Memory Size—The amount of memory in MB.
    • Description—A description of the cloud function.
    Storage Bucket
    Displays the following information in the Header.
    • Storage Bucket as the specific cloud assets type.
    • Location Type—Displays the bucket location as either Regional or Multi Regional.
    • Access Type—Displays the bucket access options as one of the following.
      • Public
      • Private
      • Fine Grained
      • Unknown
    Security Group
    Displays the following information in the Header.
    • Security Group (FW Rule) as the specific cloud assets type.
    • Group Name and Description for the Security Group, if available. In AWS, there is a name and description for the entire group, while in GCP they are per rule.
    A Security Group is a list of rules. A separate Rules section is displayed in the side panel that lists the following for each rule.
    • Name—Name of the rule.
    • Description—The description of the rule, if it exists.
    • Rules icon—Opens a Banner window containing the raw JSON data extracted for the rule, which you can view in JSON VIEW (default) or TREE VIEW.
    Some providers provide the associated VPC for the Security Group and some provide an associated Network Interface. The actions are dependent on the available data, and are exposed when you hover over the INFO heading under the NETWORK INTERFACES section.
    • View associated VPC—Drills down to the VPC side panel component if the ID exists.
    • View network interface details—Drills down to the corresponding Network Interface row if the ID exists.
    • View associated subnet—Drills down to the Subnet side panel component if the ID exists.
  6. (Optional) Manage cloud inventory assets, as needed.
    At any time, you can return to the All Cloud Assets or Specific Cloud Assets pages to view and manage your cloud inventory assets. To manage a cloud inventory asset, right-click the asset and select the desired action. Some actions are dependent on the type of cloud asset selected and the particular cell you are performing the action from.
    • Show rows with ‘<field name>’ to filter the column list to only display the rows with a specific field name selected in the table.
    • Hide rows with ‘<field name>’ to filter the column list to hide the rows with a specific field name selected in the table.
    • Copy text to clipboard to copy the text from a specific field in the row of an asset.
    • Copy entire row to copy the text from all the fields in a row of an asset.
    • Open IP View—For the External IPs and Internal IPs column fields in the assets table, you can open the IP Address View, which provides a powerful way to investigate and take action on an IP address by reducing the number of steps it takes to collect, research, and threat hunt related incidents.
    • Open in Quick Launcher—For the External IPs and Internal IPs column fields in the assets tables, you can open the Quick Launcher shortcut to search for information, perform common investigative tasks, or initiate response actions related to a specific IP address or CIDR.
    • Show rows 30 days prior to ‘<timestamp field>’—For all timestamp fields in the assets tables, you can filter the column list to only display the rows 30 days earlier than the selected timestamp field.
    • Show rows 30 days after to ‘<timestamp field>’—For all timestamp fields in the assets tables, you can filter the column list to only display the rows 30 days after the selected timestamp field.
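
The following is an added example, not part of the original documentation and not Palo Alto Networks code: a Python script that post-processes the TSV file exported in step 4 and lists the assets that carry a globally routable address, grouped by provider and project. The header names (NAME, PROVIDER, PROJECT, External IPs) and the multi-value cell format are assumptions; adjust them to match your export.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample standing in for an "Export to file" TSV. The header names
# and the multi-value cell format are assumptions, not the product's schema.
SAMPLE_TSV = (
    "NAME\tTYPE\tSUBTYPE\tPROVIDER\tPROJECT\tExternal IPs\tInternal IPs\n"
    "web-01\tCompute\tVM Instance\tAWS\tacct-prod\t8.8.8.8, 10.0.0.5\t10.0.0.5\n"
    "db-01\tCompute\tVM Instance\tGCP\tproj-data\t\t10.1.0.9\n"
    "batch-7\tCompute\tVM Instance\tAzure\tsub-dev\t[\"1.1.1.1\"]\t10.2.0.4\n"
    "legacy\tCompute\tVM Instance\tAWS\tacct-prod\tnot-an-ip\t10.0.0.8\n"
)

def parse_ips(cell):
    """Split a multi-value cell and return (valid addresses, rejected tokens)."""
    valid, rejected = [], []
    # Tolerate comma, semicolon, whitespace and JSON-list style cells.
    for token in re.split(r"[\s,;\[\]\"']+", cell or ""):
        if not token:
            continue
        try:
            valid.append(ipaddress.ip_address(token))
        except ValueError:
            rejected.append(token)
    return valid, rejected

def internet_facing(tsv_text, ip_column="External IPs"):
    """Group assets listing a globally routable address by (PROVIDER, PROJECT)."""
    exposed, unparsed = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        ips, bad = parse_ips(row.get(ip_column))
        # is_global excludes RFC 1918, loopback, link-local and reserved ranges.
        public = [str(ip) for ip in ips if ip.is_global]
        if public:
            exposed[(row["PROVIDER"], row["PROJECT"])].append((row["NAME"], public))
        if bad:
            unparsed.append((row["NAME"], bad))  # surface values needing manual review
    return dict(exposed), unparsed

if __name__ == "__main__":
    exposed, unparsed = internet_facing(SAMPLE_TSV)
    for (provider, project), assets in sorted(exposed.items()):
        print(provider, project, assets)
    print("could not parse:", unparsed)
```

To run it against a real export, pass the file's contents to internet_facing() in place of SAMPLE_TSV, then compare the result with the Internet Exposure section of each asset's side panel.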
