Ingest Cloud Assets from Microsoft Azure

Extend Cortex® XDR™ visibility into cloud assets from Microsoft Azure.
Ingesting Cloud Assets from Microsoft Azure requires a Cortex XDR Pro per TB license.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in Microsoft Azure. This capability provides deeper visibility to all the assets and superior context for incident investigation.
To receive cloud assets from Microsoft Azure, you must configure the Collection Integrations settings in Cortex XDR, using the Cloud Inventory data collector to configure the Microsoft Azure wizard. The wizard includes instructions to be completed both in Microsoft Azure and in the wizard screens. After you set up data collection, Cortex XDR begins receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the Microsoft Azure cloud assets collection in Cortex XDR:
  1. Open the Microsoft Azure wizard in Cortex XDR.
    1. Select Settings → Configurations → Data Collection → Collection Integrations.
    2. In the Cloud Inventory configuration, click the here link to begin a new configuration.
    3. Click Azure.
  2. Define the Configure Account screen of the wizard.
    The connection parameters on the right side of the screen depend on certain configurations in Microsoft Azure, as explained below.
    1. Select the Organization Level as either Subscription (default), Tenant, or Management Group. The Organization Level that you select changes the instructions and fields displayed on the screen.
    2. Log in to your Microsoft Azure Portal.
    3. Search for Subscriptions, select Subscriptions, copy the applicable Subscription ID in Azure, and paste it in the Subscription ID field in the Configure Account screen of the wizard in Cortex XDR.
      This step is only relevant if you've configured the Organization Level as Subscription in the Configure Account screen in Cortex XDR. You can skip this step if the Organization Level is set to Tenant or Management Group.
    4. Search for Management groups, select Management groups, copy the applicable ID in Azure, and paste it in the Management Group ID field in the Configure Account screen of the wizard in Cortex XDR.
      This step is only relevant if you've configured the Organization Level as Management Group in the Configure Account screen in Cortex XDR. You can skip this step if the Organization Level is set to Subscription or Tenant.
    5. Search for Tenant properties, select Tenant properties, copy the Tenant ID in Azure, and paste it in the Tenant ID field in the Configure Account screen of the wizard in Cortex XDR.
    6. Specify a Cortex XDR Collection Name to be displayed underneath the Cloud Inventory configuration for this Azure collection.
    7. Click Next.
  3. Define the Account Details screen of the wizard.
    1. Download the Terraform script. The name of the downloaded file depends on the Organization Level that you configured in the Configure Account screen of the wizard.
      • Subscription: cortex-xdr-azure-subscription-ro.tf
      • Management Group: cortex-xdr-azure-group-ro.tf
      • Tenant: cortex-xdr-azure-org-ro.tf
    2. Log in to the Azure Cloud Shell portal and select Bash.
    3. Click the upload/download icon to Upload the Terraform script to Cloud Shell, browse to the file, and click Open.
      A notification with the Upload destination is displayed on the bottom-right corner of the screen.
    4. Use the following commands to upload the Terraform script, which you can copy from the Account Details screen in Cortex XDR using the copy icon.
      1. terraform init: Initializes the Terraform script. Wait until the initialization is complete before running the next command.
      2. terraform apply: When you run this command, you are asked to enter the following values, which depend on the Organization Level that you configured.
        • var.subscription_id: Specify the Subscription ID that you configured in the Configure Account screen of the wizard from Microsoft Azure. This value only needs to be specified if the Organization Level is set to Subscription.
        • var.management.group_id: Specify the Management Group ID that you configured in the Configure Account screen of the wizard from Microsoft Azure. This value only needs to be specified if the Organization Level is set to Management Group.
        • var.tenant_id: Specify the Tenant ID that you configured in the Configure Account screen of the wizard from Microsoft Azure.
      Before the action completes, you must confirm that you want to perform these actions. After the process finishes running, an Apply complete indication is displayed.
    5. Copy the client_id value displayed in the Cloud Shell window and paste it in the Application Client ID field in the Account Details screen in Cortex XDR.
    6. Copy the secret value displayed in the Cloud Shell window and paste it in the Secret field in the Account Details screen in Cortex XDR.
    7. Download the JSON file from Cloud Shell using the upload/download icon, so you have the output field values for future reference.
    8. Click Next.
  4. Review the Summary screen of the wizard.
    If something needs to be corrected, you can go Back to correct it.
  5. Click Create.
    Once cloud assets from Azure start to come in, a green check mark appears underneath the Cloud Inventory configuration with the Last collection time displayed. It can take a few minutes for the Last collection time to display as the processing completes.
    Whenever the Cloud Inventory data collector integrations are modified by using the Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be reflected in Cortex XDR.
  6. After Cortex XDR begins receiving Azure cloud assets, you can view the data in Assets → Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format. For more information, see Cloud Inventory Assets.
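
The terraform init and terraform apply step of the procedure above, as an added example for Azure Cloud Shell (Bash); it is not code from Cortex XDR or from the downloaded script. The level keywords (subscription, management-group, tenant), the --run switch and the preflight.sh name are assumptions of this example, and it assumes the script declares tenant_id and subscription_id under the names shown in the procedure.

```shell
#!/usr/bin/env bash
# Added example, not Palo Alto Networks code: pre-flight checks for the
# terraform init / terraform apply step, run in Azure Cloud Shell (Bash).

# Script file name per Organization Level, as listed in the procedure.
script_for_level() {
  case "$1" in
    subscription)     echo "cortex-xdr-azure-subscription-ro.tf" ;;
    management-group) echo "cortex-xdr-azure-group-ro.tf" ;;
    tenant)           echo "cortex-xdr-azure-org-ro.tf" ;;
    *) return 1 ;;
  esac
}

# Azure subscription and tenant IDs are GUIDs; catch paste errors early.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the -var arguments for values terraform apply would prompt for.
# Usage: tf_var_args LEVEL TENANT_ID [SUBSCRIPTION_ID]
tf_var_args() {
  local level="$1" tenant="$2" sub="${3:-}"
  script_for_level "$level" >/dev/null || { echo "unknown level: $level" >&2; return 1; }
  is_guid "$tenant" || { echo "tenant_id is not a GUID" >&2; return 1; }
  local args="-var tenant_id=$tenant"
  if [ "$level" = subscription ]; then
    is_guid "$sub" || { echo "subscription_id is not a GUID" >&2; return 1; }
    args="$args -var subscription_id=$sub"
  fi
  # Management Group ID: left to Terraform's interactive prompt.
  printf '%s\n' "$args"
}

# Runs only as: ./preflight.sh --run LEVEL TENANT_ID [SUBSCRIPTION_ID]
if [ "${1:-}" = "--run" ]; then
  shift
  args=$(tf_var_args "$@") || exit 1
  [ -f "$(script_for_level "$1")" ] || { echo "upload the script first" >&2; exit 1; }
  terraform init
  # Word splitting of $args is intended; apply still asks for confirmation.
  terraform apply $args
  # Local state holds the output values, including the secret: restrict it.
  chmod 600 terraform.tfstate
fi
```

Supplying the IDs with -var replaces only the value prompts; the client_id and secret values are still copied into the Account Details screen as in the procedure.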
