twigs supports cloud-native, agentless discovery for the three major cloud providers: AWS, Azure and GCP.
Let's look at each of them in the following sections.
AWS Cloud Discovery
Overview
Twigs supports cloud-native discovery for AWS, i.e. twigs can ingest the asset inventory gathered by AWS Systems Manager.
Pre-requisites
You need to configure AWS Systems Manager to report asset inventory, which twigs then ingests. For details on how to configure AWS Systems Manager, refer to the links below:
AWS documentation on how to inventory all managed instances in your AWS account
ThreatWorx documentation on how to configure AWS Systems Manager
Steps
After you have configured AWS Systems Manager to gather inventory, you can run twigs to ingest the collected inventory into your ThreatWorx instance by following the steps below:
Open a new shell / terminal
Check that twigs is installed and running properly by running the command below:
twigs aws -h
Keep the following AWS details handy to run the command:
AWS Account Identifier (AWS_ACCOUNT)
AWS Access Key (AWS_ACCESS_KEY)
AWS Secret Key (AWS_SECRET_KEY)
AWS Region (AWS_REGION)
AWS S3 Bucket (AWS_S3_BUCKET)
Run the command below:
twigs aws --aws_account AWS_ACCOUNT --aws_access_key AWS_ACCESS_KEY --aws_secret_key AWS_SECRET_KEY --aws_region AWS_REGION --aws_s3_bucket AWS_S3_BUCKET [--enable_tracking_tags]
It is recommended that you pass --enable_tracking_tags, which lets you easily identify AWS cloud instances in ThreatWorx.
Note: AWS cloud discovery may take some time, depending on the number of EC2 instances in your AWS setup.
After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.
Azure Cloud Discovery
Overview
Twigs supports cloud-native discovery for Azure, i.e. twigs can ingest the asset inventory that Azure gathers into your Log Analytics Workspace.
Pre-requisites
Setting up Azure Monitor in your Azure subscription requires a few steps; refer to the documentation below:
Steps
After you have configured Azure Monitor to collect Azure VM data in a Log Analytics Workspace, you can run twigs to ingest the collected inventory into your ThreatWorx instance by following the steps below:
Open a new shell / terminal
Check that twigs is installed and running properly by running the command below:
twigs azure -h
You need the following information to run the twigs command:
Azure Tenant Identifier (AZURE_TENANT_ID)
Azure Application Identifier (AZURE_APPLICATION_ID)
Azure Application Key (AZURE_APPLICATION_KEY)
Azure Subscription (AZURE_SUBSCRIPTION)
Azure Resource Group (AZURE_RESOURCE_GROUP)
Azure Log Analytics Workspace (AZURE_WORKSPACE)
You can get these details from the Azure Portal.
If you do not know the values for AZURE_SUBSCRIPTION, AZURE_RESOURCE_GROUP or AZURE_WORKSPACE, simply run twigs without them; twigs will query your Azure subscription and list the possible values (as shown below). You can then select the right ones.
twigs azure --azure_tenant_id "MY_TENANT_ID" --azure_application_id "MY_APPLICATION_ID" --azure_application_key "MY_APPLICATION_KEY"
INFO Started new run...
INFO Using handle specified in "TW_HANDLE" environment variable...
INFO Using token specified in "TW_TOKEN" environment variable...
INFO Using instance specified in "TW_INSTANCE" environment variable...
INFO Getting access token...
Missing details for subscription/resource group/workspace....
Available subscriptions with resource group and workspace details as below:
Subscription: MY_SUBSCRIPTION
** Resource group: MY_RESOURCE_GROUP1
** Resource group: MY_RESOURCE_GROUP2
** Resource group: MY_RESOURCE_GROUP3
** Workspace: MY_LOG_ANALYTICS_WORKSPACE
Please re-run twigs with appropriate values for subscription, resource group and workspace.
Run the command as shown below:
twigs azure --azure_tenant_id AZURE_TENANT_ID --azure_application_id AZURE_APPLICATION_ID --azure_application_key AZURE_APPLICATION_KEY --azure_subscription AZURE_SUBSCRIPTION --azure_resource_group AZURE_RESOURCE_GROUP --azure_workspace AZURE_WORKSPACE [--enable_tracking_tags]
It is recommended that you pass --enable_tracking_tags, which lets you easily identify Azure cloud instances in ThreatWorx.
Note: Azure cloud discovery may take some time, depending on the number of VM instances in your Azure setup.
After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.
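As an added example (not part of twigs or the ThreatWorx documentation), the following POSIX shell wrapper covers both the AWS steps and the Azure steps above. It refuses to build a command when any required value is missing, takes the AWS secret key and the Azure application key from environment variables instead of an inline command line so they do not end up in shell history, and reduces the subscription / resource group / workspace listing that twigs prints to tab-separated rows that are easy to read or grep. The flags are the ones documented on this page; the listing format is assumed to match the sample output above, and every name and value in the block (accounts, keys, buckets, the SAMPLE_AZURE_LISTING text) is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of twigs or the ThreatWorx documentation.
# Wraps the AWS and Azure discovery commands documented on this page.
# Assumptions: the twigs flags are exactly as documented above, and the Azure
# listing has the shape of the sample output above. All names in
# SAMPLE_AZURE_LISTING and in the comments are constructed placeholders.
# Credentials are read from exported environment variables, so the secret key
# and application key are never typed at the prompt and never land in history.

# require_vars NAME... : return 1 and name every variable that is unset or
# empty, so a half-built command line is never executed.
require_vars() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    [ -z "$missing" ] && return 0
    echo "missing required variables:$missing" >&2
    return 1
}

# run_twigs_aws : validate the inputs, then run AWS discovery with tracking
# tags enabled. TWIGS_DRY_RUN=1 prints the command (secret redacted) instead.
run_twigs_aws() {
    require_vars AWS_ACCOUNT AWS_ACCESS_KEY AWS_SECRET_KEY AWS_REGION AWS_S3_BUCKET || return 1
    if [ "${TWIGS_DRY_RUN:-0}" = "1" ]; then
        echo "twigs aws --aws_account $AWS_ACCOUNT --aws_access_key $AWS_ACCESS_KEY" \
             "--aws_secret_key <redacted> --aws_region $AWS_REGION" \
             "--aws_s3_bucket $AWS_S3_BUCKET --enable_tracking_tags"
        return 0
    fi
    twigs aws --aws_account "$AWS_ACCOUNT" --aws_access_key "$AWS_ACCESS_KEY" \
        --aws_secret_key "$AWS_SECRET_KEY" --aws_region "$AWS_REGION" \
        --aws_s3_bucket "$AWS_S3_BUCKET" --enable_tracking_tags
}

# parse_azure_listing : read on stdin the listing twigs prints when
# --azure_subscription / --azure_resource_group / --azure_workspace are
# omitted, and emit tab-separated rows: kind <TAB> subscription [<TAB> name].
# Unrelated lines (INFO ..., prompts) are ignored, so raw twigs output can be
# piped in directly. The name is taken as the last field of each line, and a
# leading "** " marker (as in the sample above) is optional.
parse_azure_listing() {
    awk '
        /^Subscription:/            { subscr = $NF; printf "subscription\t%s\n", subscr; next }
        /^(\*\* )?Resource group:/  { printf "resource_group\t%s\t%s\n", subscr, $NF; next }
        /^(\*\* )?Workspace:/       { printf "workspace\t%s\t%s\n", subscr, $NF; next }
    '
}

# run_twigs_azure : validate the credentials; if subscription, resource group
# and workspace are all set, run discovery (or print it redacted in dry-run
# mode), otherwise let twigs print the listing and reduce it to parsed rows.
# Both stdout and stderr are piped since it is not documented which one twigs
# prints the listing on.
run_twigs_azure() {
    require_vars AZURE_TENANT_ID AZURE_APPLICATION_ID AZURE_APPLICATION_KEY || return 1
    if ! require_vars AZURE_SUBSCRIPTION AZURE_RESOURCE_GROUP AZURE_WORKSPACE 2>/dev/null; then
        twigs azure --azure_tenant_id "$AZURE_TENANT_ID" \
            --azure_application_id "$AZURE_APPLICATION_ID" \
            --azure_application_key "$AZURE_APPLICATION_KEY" 2>&1 | parse_azure_listing
        return 2   # caller must pick values from the rows and re-run
    fi
    if [ "${TWIGS_DRY_RUN:-0}" = "1" ]; then
        echo "twigs azure --azure_tenant_id $AZURE_TENANT_ID --azure_application_id $AZURE_APPLICATION_ID" \
             "--azure_application_key <redacted> --azure_subscription $AZURE_SUBSCRIPTION" \
             "--azure_resource_group $AZURE_RESOURCE_GROUP --azure_workspace $AZURE_WORKSPACE --enable_tracking_tags"
        return 0
    fi
    twigs azure --azure_tenant_id "$AZURE_TENANT_ID" --azure_application_id "$AZURE_APPLICATION_ID" \
        --azure_application_key "$AZURE_APPLICATION_KEY" --azure_subscription "$AZURE_SUBSCRIPTION" \
        --azure_resource_group "$AZURE_RESOURCE_GROUP" --azure_workspace "$AZURE_WORKSPACE" \
        --enable_tracking_tags
}

# Constructed sample in the shape of the listing shown on this page.
SAMPLE_AZURE_LISTING='INFO Getting access token...
Missing details for subscription/resource group/workspace....
Available subscriptions with resource group and workspace details as below:
Subscription: MY_SUBSCRIPTION
** Resource group: MY_RESOURCE_GROUP1
** Resource group: MY_RESOURCE_GROUP2
** Resource group: MY_RESOURCE_GROUP3
** Workspace: MY_LOG_ANALYTICS_WORKSPACE
Please re-run twigs with appropriate values for subscription, resource group and workspace.'

# Stand-alone demo: reduce the sample listing to its parsed rows.
printf '%s\n' "$SAMPLE_AZURE_LISTING" | parse_azure_listing
```

Export the variables (for example from a secrets manager or a file readable only by the service account) and call run_twigs_aws or run_twigs_azure; set TWIGS_DRY_RUN=1 first to check the assembled command with the secret redacted. The wrapper only keeps secrets out of typed commands and shell history: twigs itself still receives the key as a command-line argument, which is visible in the process list to other local users for the duration of the run, so run discovery from a host where that exposure is acceptable and rotate the key if the host is shared.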
GCP Cloud Discovery
Overview
Twigs supports cloud-native discovery for Google Cloud Platform (GCP), i.e. twigs can use GCP's OS inventory management.
Pre-requisites
VM Manager needs to be enabled for the relevant GCP projects. VM Manager is a suite of tools provided by GCP for managing the operating systems of large virtual machine (VM) fleets running Windows and Linux on Compute Engine. One of its features, OS Inventory Management, lets GCP keep an inventory of all VM instances and their associated metadata, which ThreatWorx can use for vulnerability assessment.
The easiest way to enable VM Manager for your project is to follow the instructions for any running VM in your GCP project.
Enable VM Manager automatically for your project or VM
The Google Cloud SDK is required. Install it on the system that will run twigs by following the instructions linked here for your operating system. The SDK provides the tools (such as the gcloud CLI) that twigs uses to discover VM instances.
Steps
Once VM Manager is enabled for your compute instances in GCP, you can run twigs to ingest the collected inventory into your ThreatWorx instance by following the steps below:
Open a new shell / terminal
Check that twigs is installed and running properly by running the command below:
twigs gcp -h
Sign in to your Google Cloud Platform account using the gcloud CLI, as described here, on the machine where you will be running twigs.
Run the command below:
twigs gcp [--enable_tracking_tags]
It is recommended that you pass --enable_tracking_tags, which lets you easily identify the projects associated with the discovered compute instances.
Note: GCP cloud discovery may take some time, depending on the number of compute instances in your GCP setup.
After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.