Ingest Cloud Assets from Google Cloud Platform

Extend Cortex® XDR™ visibility into cloud assets from Google Cloud Platform.
Ingesting Cloud Assets from Google Cloud Platform requires a Cortex® XDR™ Pro per TB license.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform (GCP). This capability provides deeper visibility to all the assets and superior context for incident investigation.
To receive cloud assets from GCP, you must configure the Collection Integrations settings in Cortex XDR, using the Cloud Inventory data collector and its GCP wizard. The GCP wizard includes instructions to be completed both in GCP and in the GCP wizard screens. After you set up data collection, Cortex XDR begins receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the GCP cloud assets collection in Cortex XDR:
  1. Open the GCP wizard in Cortex XDR.
    1. Select Settings > Configurations > Data Collection > Collection Integrations.
    2. In the Cloud Inventory configuration, click the here link to begin a new configuration.
    3. Click Google Cloud Platform.
  2. Define the Configure Account screen of the wizard.
    The connection parameters on the right side of the screen depend on certain configurations in GCP, as explained below.
    1. Select the Organization Level as either Project (default), Folder, or Organization. The Organization Level that you select changes the instructions.
    2. Register your application for Cloud Asset API in Google Cloud Platform, Select a project where your application will be registered, and click Continue.
      The Cloud Asset API is enabled.
    3. Click Continue to open the GCP Cloud Console.
    4. On the main menu, select the project menu.
    5. In the window that opens, perform the following.
      1. From the Select from menu, select the organization that you want.
      2. The next steps to perform in Google Cloud Platform depend on the Organization Level you selected in Cortex XDR: Project, Folder, or Organization.
        • Project or Folder Organization Level: In the table, copy one of the following IDs that you want to configure and paste it in the designated field in the Configure Account screen in Cortex XDR. The field in Cortex XDR depends on the Organization Level you selected.
          - Project: Contains a project icon beside it, and the ID should be pasted in the Project ID field in Cortex XDR.
          - Folder: Contains a folder icon beside it, and the ID should be pasted in the Folder ID field in Cortex XDR.
          When you are finished, click CANCEL to close the window.
        • Organization is the Organization Level: Select the ellipsis icon > Settings. In the Settings page, copy the Organization ID for the applicable organization that you want to configure and paste it in the Organization Id field in the Configure Account screen in Cortex XDR.
    6. Select the Hamburger menu > Storage > Cloud Storage > Browser.
    7. You can either use an existing bucket from the list or create a new bucket. Copy the Name of the bucket and paste it in the Bucket Name field in the Configure Account screen in Cortex XDR.
    8. Define the following remaining connection parameters in the Configure Account screen in Cortex XDR.
      • Bucket Directory Name: You can either leave the default directory as Exported-Assets or define a new directory name that will be created for the exported assets collected for the bucket configured in GCP.
      • Cortex XDR Collection Name: Specify a name for your Cortex XDR collection that is displayed underneath the Cloud Inventory configuration for this GCP collection.
    9. Click Next.
  3. Define the Account Details screen of the wizard.
    1. Download the Terraform script. The name of the file downloaded depends on the Organization Level that you configured in the Configure Account screen of the wizard.
      • Folder: cortex-xdr-gcp-folder-ro.tf
      • Project: cortex-xdr-gcp-project-ro.tf
      • Organization: cortex-xdr-gcp-organization-ro.tf
    2. Log in to the Google Cloud Shell.
    3. Click Continue to open the Cloud Shell Editor.
    4. Select File > Open, and Open the Terraform script that you downloaded from Cortex XDR.
    5. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex XDR using the copy icon.
      1. terraform init: Initializes the Terraform script. Wait until the initialization is complete before running the next command.
      2. terraform apply: When running this command, you are asked to enter the following values.
        • var.assets_bucket_name: Specify the GCP storage Bucket Name that you configured in the Configure Account screen of the wizard to contain GCP cloud asset data.
        • var.host_project_id: Specify the GCP Project ID to host the XDR service account and bucket, in which you registered your application. Ensure that you use a permanent project.
        • var.project_id: Specify the Project ID, Folder ID, or Organization ID that you configured in the Configure Account screen of the wizard from GCP.
        After specifying all the values, you need to Authorize gcloud to use your credentials to make this GCP API call in the Authorize Cloud Shell dialog box that is displayed.
        Before the action completes, you need to confirm whether you want to perform these actions, and after the process finishes running, an Apply complete indication is displayed.
        You can view the output JSON file called cortex-service-account-<GCP host project ID>.json by running the ls command.
    6. Download the JSON file from Google Cloud Shell.
      1. In the Google Cloud Shell console, select the ellipsis icon > Download.
      2. Select the JSON file produced after running the Terraform script, and click Download.
    7. Upload the downloaded Service Account Key JSON file in the Configure Account screen in Cortex XDR. You can drag and drop the file, or Browse to the file.
    8. Click Next.
  4. (Optional) Define the Change Asset Logs screen of the wizard.
    You can skip this step if you’ve already configured a Google Cloud Platform data collector with a Pub/Sub asset feed collection.
    1. In the GCP Console, search for Topics, and select the Topics link.
    2. Click CREATE TOPIC.
    3. Specify a Topic ID, and click CREATE TOPIC.
      A Topic name is automatically populated underneath the Topic ID field.
      The new topic is listed in the table in the Topics page.
    4. Run the following command to create a feed on an asset using the gcloud CLI tool. You can copy the command from the Change Asset Logs screen in Cortex XDR by selecting the copy icon, and paste it in the gcloud CLI tool.
      For more information on the gcloud CLI tool, see gcloud tool overview.
      gcloud asset feeds create <FEED_ID> --project=xdr-cloud-projectid --pubsub-topic="<Topic name>" --content-type=resource --asset-types="compute.googleapis.com/Instance,compute.googleapis.com/Image,compute.googleapis.com/Disk,compute.googleapis.com/Network,compute.googleapis.com/Subnetwork,compute.googleapis.com/Firewall,storage.googleapis.com/Bucket,cloudfunctions.googleapis.com/CloudFunction"
      The command contains a parameter already populated and parameters that you need to replace before running the command.
      • <FEED_ID>: Replace this placeholder text with a unique asset feed identifier of your choosing.
      • --project: This parameter is automatically populated from the Project ID field in the Configure Account screen wizard in Cortex XDR.
      • <Topic name>: Replace this placeholder text with the name of the topic you created in the Topic details page in the GCP console.
    5. In the GCP Console, search for Subscription, and select the Subscriptions link.
    6. Click CREATE SUBSCRIPTION for the topic you created.
    7. Set the following parameters.
      • Subscription ID: Specify a unique identifier for the subscription.
      • Select a Cloud Pub/Sub topic: Select the topic you created.
      • Delivery type: Select Pull.
    8. Click CREATE.
      The new subscription is listed in the table in the Subscriptions page.
    9. Select the subscription that you created for your topic and add PERMISSIONS for the subscriber in the Subscription details page.
    10. Click ADD PRINCIPAL to add permissions for the Service Account that you created the key for in the JSON file and uploaded to the Configure Account wizard screen in Cortex XDR. Set the following permissions for the Service Account.
      • New principals: Select the designated Service Account Key as you created in the JSON file.
      • Select a role: Select Pub/Sub Subscriber.
    11. Copy the Subscription name and paste it in the Subscription Name field on the right side of the Change Asset Logs screen in Cortex XDR, and click Next.
      The Subscription Name is the name of the new Google Cloud Platform data collector that is configured with a Pub/Sub asset feed collection in Cortex XDR under Settings > Configurations > Data Collection > Collection Integrations > Google Cloud Platform.
  5. Review the Summary screen of the wizard.
    If something needs to be corrected, you can go Back to correct it.
  6. Click Create.
    Once cloud assets from GCP start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last collection time to display as the processing completes.
    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XDR.
    In addition, if you created a Pub/Sub asset feed collection, a green check mark appears underneath the Google Cloud Platform configuration with the amount of data received.
  7. After Cortex XDR begins receiving GCP cloud assets, you can view the data in Assets > Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.
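
The console steps of the optional Change Asset Logs screen (topic, asset feed, pull subscription, Pub/Sub Subscriber permission) can also be scripted with the gcloud CLI. The following is an added example, not part of the Cortex XDR documentation or the wizard's output; the function names, the DRY_RUN switch, and the ID checks are assumptions of this example, while the asset feed command is the one shown in step 4.

```shell
#!/usr/bin/env bash
# Added example. Every ID passed in is a value you choose. DRY_RUN=1 (default)
# prints the commands for review; DRY_RUN=0 executes them in Cloud Shell.

# Asset types copied from the feed command shown in step 4.
ASSET_TYPES="compute.googleapis.com/Instance,compute.googleapis.com/Image,compute.googleapis.com/Disk,compute.googleapis.com/Network,compute.googleapis.com/Subnetwork,compute.googleapis.com/Firewall,storage.googleapis.com/Bucket,cloudfunctions.googleapis.com/CloudFunction"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Conservative ID check (stricter than GCP requires): starts with a letter,
# then only letters, digits, '-' or '_'. Rejects spaces and shell metacharacters.
valid_id() {
  case "$1" in
    ''|[!a-zA-Z]*|*[!a-zA-Z0-9_-]*) return 1 ;;
  esac
}

# Accept only a user-managed service account e-mail, so the binding can never
# name a human user, a group, or allUsers.
valid_sa() {
  case "$1" in
    *[!a-z0-9@.-]*) return 1 ;;
    ?*@?*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# setup_asset_feed PROJECT_ID TOPIC_ID FEED_ID SUBSCRIPTION_ID SERVICE_ACCOUNT
setup_asset_feed() {
  local project="$1" topic="$2" feed="$3" sub="$4" sa="$5" id
  for id in "$project" "$topic" "$feed" "$sub"; do
    valid_id "$id" || { echo "invalid id: '$id'" >&2; return 2; }
  done
  valid_sa "$sa" || { echo "not a service account: '$sa'" >&2; return 2; }
  # The feed needs the full Topic name, not the bare Topic ID.
  local topic_name="projects/$project/topics/$topic"
  # Pull is the default delivery type when no push endpoint is given; the
  # subscriber role is bound on this one subscription, not on the project.
  run gcloud pubsub topics create "$topic" --project="$project" &&
  run gcloud asset feeds create "$feed" --project="$project" \
    --pubsub-topic="$topic_name" --content-type=resource \
    --asset-types="$ASSET_TYPES" &&
  run gcloud pubsub subscriptions create "$sub" --project="$project" --topic="$topic" &&
  run gcloud pubsub subscriptions add-iam-policy-binding "$sub" --project="$project" \
    --member="serviceAccount:$sa" --role=roles/pubsub.subscriber
}

if [ "$#" -eq 5 ]; then setup_asset_feed "$@"; fi
```

The service account e-mail to pass as the last argument is the client_email value in the JSON key file downloaded in step 3.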
