Armis

Integration version: 10.0

Use Cases

  1. Perform enrichment actions.
  2. Perform ingestion of the alerts.
  3. Perform triaging action (Update Alert Status).

Configure Armis integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
API Root String {{root}} Yes Armis API root
API Secret Password N/A Yes Armis API secret
Verify SSL Checkbox Checked Yes If enabled, verifies that the SSL certificate for the connection to the Armis server is valid.

Actions

Ping

Description

Test connectivity to Armis with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't use entities, nor has mandatory input parameters.

Action results

Script result
Script result name Value options Example
is_success True/False is_success:False
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful: "Successfully connected to the Armis server with the provided connection parameters!"

The action should fail and stop a playbook execution:

if not successful: "Failed to connect to the Armis server! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich entities using information from Armis. Supported entities: IP, Mac Address.

Parameters

Parameter name Type Default value Is mandatory Description
Create Endpoint Insight Checkbox Checked Yes If enabled, action will create an insight containing information about the endpoints.

Run on

This action runs on the following entities:

  • IP Address
  • Mac Address

Action results

Script result
Script result name Value options Example
is_success True/False is_success:False

JSON result

{
    "accessSwitch": null,
    "category": "Computers",
    "dataSources": [
        {
            "firstSeen": "2021-03-07T04:04:22.562873+00:00",
            "lastSeen": "2021-03-07T04:04:22.562873+00:00",
            "name": "vSphere vCenter",
            "types": [
                "Asset & System Management",
                "Virtualization"
            ]
        },
        {
            "firstSeen": "2021-03-07T04:04:22.562873+00:00",
            "lastSeen": "2021-03-07T04:04:22.562873+00:00",
            "name": "Armis Smart Scanner",
            "types": [
                "Vulnerability Management"
            ]
        }
    ],
    "firstSeen": "2021-03-07T04:04:22.562873+00:00",
    "id": 1616,
    "ipAddress": "10.1.7.120",
    "ipv6": null,
    "lastSeen": "2021-03-21T08:05:40.244960+00:00",
    "macAddress": "1a:db:ab:93:c2:e7",
    "manufacturer": "VMware",
    "model": "VMware Virtual Platform",
    "name": "Acme-11313",
    "operatingSystem": "CentOS",
    "operatingSystemVersion": "6.6",
    "purdueLevel": 4.0,
    "riskLevel": 5,
    "sensor": {
        "name": "North conference room",
        "type": "Physical Sensor"
    },
    "site": {
        "location": "Palo Alto",
        "name": "Palo Alto Offices"
    },
    "tags": [
        "Discover",
        "vCenter"
    ],
    "type": "Virtual Machines",
    "user": "",
    "visibility": "Full"
}

Entity enrichment

Enrichment field name Logic - When to apply
category When available in JSON
id When available in JSON
ipAddress When available in JSON
macAddress When available in JSON
name When available in JSON
os When available in JSON
purdue_level When available in JSON
risk_level When available in JSON
tags When available in JSON
type When available in JSON
user When available in JSON
visibility When available in JSON
site When available in JSON
link When available in JSON

Insights for endpoints

Example of insights for endpoints

Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

if enriched some(is_success = true): "Successfully enriched the following entities using Armis:\n".format(entity.identifier)

If didn't enrich some (is_success = true): "Action wasn't able to enriche the following entities using Armis:\n".format(entity.identifier)

If didn't enrich all (is_success = false): "No entities were enriched".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Entity Table Entity

List Alert Connections

Description

List connections related to the alert in Armis.

Parameters

Parameter name Type Default value Is mandatory Description
Alert ID Integer Yes Specify the id of the alert for which you want to pull connections data.
Lowest Severity To Fetch DDL

Medium

Possible Values:

  • Low
  • Medium
  • High
No Specify the lowest severity of the connections that should be used when fetching them.
Max Connections To Return Integer 50 No Specify how many connections to return.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True/False is_success:False

JSON result

{
    "band": null,
    "channel": null,
    "dhcpAuthenticationDuration": null,
    "duration": 12339,
    "endTimestamp": "2021-03-18T20:19:31.562873+00:00",
    "id": 33355,
    "inboundTraffic": 12412512,
    "outboundTraffic": 19626489,
    "protocol": "Bluetooth",
    "radiusAuthenticationDuration": null,
    "risk": "Medium",
    "rssi": null,
    "sensor": {
        "name": "SPAN",
        "type": "Switch"
    },
    "site": {
        "location": "New York",
        "name": "New York HQ"
    },
    "snr": null,
    "sourceId": 2097,
    "startTimestamp": "2021-03-18T16:53:52.562873+00:00",
    "targetId": 217,
    "title": "Connection between Jabra Stealth and Mark Thomas's iPhone",
    "totalAssociationDuration": null,
    "traffic": 32039001,
    "wlanAssociationDuration": null
}
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

if 200 and data is available (is_success = true): "Successfully returned connections related to the alert {alertId} based on the provided criteria in Armis."

If 200 and no data is available (is_success=false): "No connections were found related to the alert {alertId} based on the provided criteria in Armis."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Alert Connections". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Name: Available Communications

Columns:

  • Title
  • Protocol
  • Severity
  • Start Time
  • End Time
General

Update Alert Status

Description

Update status of the alert in Armis.

Parameters

Parameter name Type Default value Is mandatory Description
Alert ID Integer Yes Specify the id of the alert for which you want to update status.
Status DDL

Unhandled

Possible values:

  • Unhandled
  • Suppressed
  • Resolved
No Specify what status should be set for the alert.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True/False is_success:False
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

if 200 (is_success = true): "Successfully updated status of the alert "{alert id}" to "{status}" in Armis.".

If 400 (is_success=true): "Alert "{alert id}" already has status "{status}" in Armis. "

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Update Alert Status". Reason: {0}''.format(error.Stacktrace)

If 404: "Error executing action "Update Alert Status". Reason: alert "{alert id}" wasn't found in Armis.'

General

Connector

Armis - Alerts Connector

Description

Pull alerts with related activities from Armis.

Configure Armis - Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter name Type Default value Is mandatory Description
Product Field Name String alert_type Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern> String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String https://{{api_root}} Yes API root of the Armis instance.
API Secret Password N/A Yes API Secret of the Armis account.
Lowest Severity To Fetch Low Low No Lowest severity that will be used to fetch alerts. Possible values: Low, Medium, High.
Max Hours Backwards Integer 1 No Amount of hours from where to fetch alerts.
Max Alerts To Fetch Integer 10 No How many alerts to process per one connector iteration. Maximum is 1000.
Use whitelist as a blacklist Checkbox Checked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the Armis server is valid.
Proxy Server Address String No The address of the proxy server to use.
Proxy Username String No The proxy username to authenticate with.
Proxy Password Password No The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports Proxy.