Armis
Integration version: 10.0
Use Cases
- Perform enrichment actions.
- Perform ingestion of the alerts.
- Perform triaging action (Update Alert Status).
Configure Armis integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
API Root | String | {{root}} | Yes | Armis API root |
API Secret | Password | N/A | Yes | Armis API secret |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Armis server is valid. |
Actions
Ping
Description
Test connectivity to Armis with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
The action doesn't run on entities and has no mandatory input parameters.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if successful: "Successfully connected to the Armis server with the provided connection parameters!" The action should fail and stop a playbook execution: if not successful: "Failed to connect to the Armis server! Error is {0}".format(exception.stacktrace) | General |
Enrich Entities
Description
Enrich entities using information from Armis. Supported entities: IP, Mac Address.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Create Endpoint Insight | Checkbox | Checked | Yes | If enabled, action will create an insight containing information about the endpoints. |
Run on
This action runs on the following entities:
- IP Address
- Mac Address
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
{
"accessSwitch": null,
"category": "Computers",
"dataSources": [
{
"firstSeen": "2021-03-07T04:04:22.562873+00:00",
"lastSeen": "2021-03-07T04:04:22.562873+00:00",
"name": "vSphere vCenter",
"types": [
"Asset & System Management",
"Virtualization"
]
},
{
"firstSeen": "2021-03-07T04:04:22.562873+00:00",
"lastSeen": "2021-03-07T04:04:22.562873+00:00",
"name": "Armis Smart Scanner",
"types": [
"Vulnerability Management"
]
}
],
"firstSeen": "2021-03-07T04:04:22.562873+00:00",
"id": 1616,
"ipAddress": "10.1.7.120",
"ipv6": null,
"lastSeen": "2021-03-21T08:05:40.244960+00:00",
"macAddress": "1a:db:ab:93:c2:e7",
"manufacturer": "VMware",
"model": "VMware Virtual Platform",
"name": "Acme-11313",
"operatingSystem": "CentOS",
"operatingSystemVersion": "6.6",
"purdueLevel": 4.0,
"riskLevel": 5,
"sensor": {
"name": "North conference room",
"type": "Physical Sensor"
},
"site": {
"location": "Palo Alto",
"name": "Palo Alto Offices"
},
"tags": [
"Discover",
"vCenter"
],
"type": "Virtual Machines",
"user": "",
"visibility": "Full"
}
Entity enrichment
Enrichment field name | Logic - When to apply |
---|---|
category | When available in JSON |
id | When available in JSON |
ipAddress | When available in JSON |
macAddress | When available in JSON |
name | When available in JSON |
os | When available in JSON |
purdue_level | When available in JSON |
risk_level | When available in JSON |
tags | When available in JSON |
type | When available in JSON |
user | When available in JSON |
visibility | When available in JSON |
site | When available in JSON |
link | When available in JSON |
Insights for endpoints
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if some entities were enriched (is_success = true): "Successfully enriched the following entities using Armis:\n".format(entity.identifier) If some entities weren't enriched (is_success = true): "Action wasn't able to enrich the following entities using Armis:\n".format(entity.identifier) If no entities were enriched (is_success = false): "No entities were enriched". The action should fail and stop a playbook execution: | General |
Entity Table | | Entity |
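The following is an added example, not code from the Armis integration itself. It shows how the Enrich Entities result above maps onto the enrichment fields in the table (only fields present in the JSON are set), how an IP or Mac Address entity is matched against a device record (MAC formats are normalized first, since SOAR entity identifiers and Armis may use different separators and case), and how the three output-message cases are derived. The device record is a constructed sample based on the JSON result shown above; the `link` field is omitted because the page does not state how it is built.

```python
import re
# Constructed sample modelled on the JSON result above; not a live Armis response.
SAMPLE_DEVICES = [{
    "id": 1616, "ipAddress": "10.1.7.120", "macAddress": "1a:db:ab:93:c2:e7",
    "name": "Acme-11313", "category": "Computers", "operatingSystem": "CentOS",
    "purdueLevel": 4.0, "riskLevel": 5, "tags": ["Discover", "vCenter"],
    "type": "Virtual Machines", "user": "", "visibility": "Full",
    "site": {"location": "Palo Alto", "name": "Palo Alto Offices"},
}]

# JSON key -> enrichment field name, per the enrichment table above.
FIELD_MAP = {"category": "category", "id": "id", "ipAddress": "ipAddress", "macAddress": "macAddress",
             "name": "name", "operatingSystem": "os", "purdueLevel": "purdue_level",
             "riskLevel": "risk_level", "tags": "tags", "type": "type", "user": "user",
             "visibility": "visibility"}
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[:-]?){5}[0-9a-fA-F]{2}$")

def normalize_mac(value):
    """Canonical 'aa:bb:cc:dd:ee:ff' form, or None if the value is not a MAC address."""
    if not value or not MAC_RE.match(value):
        return None
    digits = re.sub(r"[:-]", "", value).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_device(identifier, devices):
    """Match an IP entity on ipAddress, or a Mac Address entity on the normalized macAddress."""
    mac = normalize_mac(identifier)
    for dev in devices:
        if dev.get("ipAddress") == identifier or (mac and normalize_mac(dev.get("macAddress")) == mac):
            return dev
    return None

def to_enrichment(dev):
    """Apply FIELD_MAP, skipping keys that are absent or empty ("when available in JSON")."""
    out = {dst: dev[src] for src, dst in FIELD_MAP.items() if dev.get(src) not in (None, "", [])}
    if isinstance(out.get("tags"), list):
        out["tags"] = ", ".join(out["tags"])
    if (dev.get("site") or {}).get("name"):
        out["site"] = dev["site"]["name"]
    return out

def enrich_entities(identifiers, devices):
    """Return (is_success, output_message, {identifier: enrichment}) following the case-wall rules."""
    hits = {ident: find_device(ident, devices) for ident in identifiers}
    enrichment = {i: to_enrichment(d) for i, d in hits.items() if d is not None}
    missed = [i for i, d in hits.items() if d is None]
    if not enrichment:
        return False, "No entities were enriched", {}
    message = "Successfully enriched the following entities using Armis:\n" + "\n".join(enrichment)
    if missed:
        message += "\nAction wasn't able to enrich the following entities using Armis:\n" + "\n".join(missed)
    return True, message, enrichment
```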
List Alert Connections
Description
List connections related to the alert in Armis.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Alert ID | Integer | | Yes | Specify the ID of the alert for which you want to pull connections data. |
Lowest Severity To Fetch | DDL | Medium | No | Specify the lowest severity of the connections that should be used when fetching them. Possible values: |
Max Connections To Return | Integer | 50 | No | Specify how many connections to return. |
Run on
This action doesn't run on entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
{
"band": null,
"channel": null,
"dhcpAuthenticationDuration": null,
"duration": 12339,
"endTimestamp": "2021-03-18T20:19:31.562873+00:00",
"id": 33355,
"inboundTraffic": 12412512,
"outboundTraffic": 19626489,
"protocol": "Bluetooth",
"radiusAuthenticationDuration": null,
"risk": "Medium",
"rssi": null,
"sensor": {
"name": "SPAN",
"type": "Switch"
},
"site": {
"location": "New York",
"name": "New York HQ"
},
"snr": null,
"sourceId": 2097,
"startTimestamp": "2021-03-18T16:53:52.562873+00:00",
"targetId": 217,
"title": "Connection between Jabra Stealth and Mark Thomas's iPhone",
"totalAssociationDuration": null,
"traffic": 32039001,
"wlanAssociationDuration": null
}
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if 200 and data is available (is_success = true): "Successfully returned connections related to the alert {alertId} based on the provided criteria in Armis." If 200 and no data is available (is_success = false): "No connections were found related to the alert {alertId} based on the provided criteria in Armis." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Alert Connections". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table | Name: Available Communications. Columns: | General |
Update Alert Status
Description
Update status of the alert in Armis.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Alert ID | Integer | | Yes | Specify the ID of the alert for which you want to update the status. |
Status | DDL | Unhandled | No | Specify what status should be set for the alert. Possible values: |
Run on
This action doesn't run on entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if 200 (is_success = true): "Successfully updated status of the alert "{alert id}" to "{status}" in Armis." If 400 (is_success = true): "Alert "{alert id}" already has status "{status}" in Armis." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Update Alert Status". Reason: {0}".format(error.Stacktrace) If 404: "Error executing action "Update Alert Status". Reason: alert "{alert id}" wasn't found in Armis." | General |
Connector
Armis - Alerts Connector
Description
Pull alerts with related activities from Armis.
Configure Armis - Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Product Field Name | String | alert_type | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
API Root | String | https://{{api_root}} | Yes | API root of the Armis instance. |
API Secret | Password | N/A | Yes | API Secret of the Armis account. |
Lowest Severity To Fetch | Low | Low | No | Lowest severity that will be used to fetch alerts. Possible values: Low, Medium, High. |
Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch alerts. |
Max Alerts To Fetch | Integer | 10 | No | How many alerts to process per one connector iteration. Maximum is 1000. |
Use whitelist as a blacklist | Checkbox | Checked | Yes | If enabled, whitelist will be used as a blacklist. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the Armis server is valid. |
Proxy Server Address | String | | No | The address of the proxy server to use. |
Proxy Username | String | | No | The proxy username to authenticate with. |
Proxy Password | Password | | No | The proxy password to authenticate with. |
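The following is an added example, not the connector's own code. It models one connector iteration from the parameters above: the Lowest Severity To Fetch floor (Low, Medium, High), the whitelist and its "Use whitelist as a blacklist" inversion, the Max Alerts To Fetch cap (at most 1000), and the Environment Field Name / Environment Regex Pattern rules, including the fall-back to the default environment. The alert records are constructed, and their field names (`severity`, `type`, `time`, `site`), the choice to match the whitelist on `type`, to keep alerts with an unknown severity, and to fall back to the default environment when the regex does not match are assumptions, not documented Armis or connector behaviour.

```python
import re

SAMPLE_ALERTS = [  # constructed; field names are assumptions, not the Armis alert schema
    {"alertId": 1, "severity": "Low", "type": "Policy Violation", "time": "2021-03-18T16:00:00+00:00", "site": "Palo Alto Offices"},
    {"alertId": 2, "severity": "High", "type": "Policy Violation", "time": "2021-03-18T17:00:00+00:00", "site": "New York HQ"},
    {"alertId": 3, "severity": "Medium", "type": "Anomaly", "time": "2021-03-18T18:00:00+00:00", "site": None},
    {"alertId": 4, "severity": "High", "type": "Anomaly", "time": "2021-03-18T19:00:00+00:00", "site": "Palo Alto Offices"},
]
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}  # possible values from the parameter table

def resolve_environment(alert, env_field_name, env_regex, default_env="Default Environment"):
    """Environment Field Name / Regex Pattern rules; a non-matching regex also falls back (assumption)."""
    value = alert.get(env_field_name) if env_field_name else None
    if value in (None, "") or not env_regex:
        return default_env
    match = re.search(env_regex, str(value))
    return match.group(0) if match and match.group(0) else default_env

def passes_severity(alert, lowest):
    """Drop alerts below the floor; alerts with an unknown severity are kept (assumption)."""
    rank = SEVERITY_RANK.get(alert.get("severity"))
    return rank is None or rank >= SEVERITY_RANK[lowest]

def passes_whitelist(alert, whitelist, use_as_blacklist, name_field="type"):
    """Empty whitelist means no filtering; with the checkbox set, listed names are excluded instead."""
    if not whitelist:
        return True
    listed = alert.get(name_field) in whitelist
    return not listed if use_as_blacklist else listed

def select_alerts(alerts, lowest, whitelist, use_as_blacklist, max_alerts, env_field, env_regex):
    """One iteration: filter, cap at Max Alerts To Fetch (<= 1000), tag each alert with its environment."""
    max_alerts = min(max_alerts, 1000)
    selected = []
    for alert in sorted(alerts, key=lambda a: a["time"]):  # oldest first so the cap never skips alerts
        if passes_severity(alert, lowest) and passes_whitelist(alert, whitelist, use_as_blacklist):
            selected.append({**alert, "environment": resolve_environment(alert, env_field, env_regex)})
        if len(selected) >= max_alerts:
            break
    return selected
```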
Connector rules
Proxy support
The connector supports Proxy.