Skip to main content

Armis

This Integration is part of the Armis Pack.#

Use the Armis integration to search alerts and devices, tag and untag devices, and set alert statuses. This integration was integrated and tested with the latest version of Armis.

Configure Armis on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Armis.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URLTrue
    Fetch incidentsFalse
    Incident typeFalse
    Maximum number of incidents per fetchFalse
    Fetch alerts with status (UNHANDLED, SUPPRESSED, RESOLVED)False
    Fetch alerts with typeThe type of alerts are Policy Violation, System Policy Violation,
    Anomaly Detection. If no type is chosen, all types will be fetched.False
    Minimum severity of alerts to fetchTrue
    First fetch timeFalse
    Trust any certificate (not secure)False
    Secret API KeyTrue
    Fetch Alerts AQLUse this parameter to fetch incidents using a free AQL string rather than the simpler alert type, severity, etc.False
    ProxyWhether to use the System proxyFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

armis-search-alerts#


Search Armis Alerts.

Base Command#

armis-search-alerts

Input#

Argument NameDescriptionRequired
max_resultsThe maximum number of results to get. Default is 50.Optional
time_frameFilter by start time.
Examples:
"3 days ago"
"1 month"
"2019-10-10T12:22:00"
"2019-10-10". Default is 3 days.
Optional
alert_idThe ID of the alert.Optional
severityA comma-separated list of alert severity levels by which to filter the search results. Possible values: "Low", "Medium", and "High".Optional
statusA comma-separated list of alert statuses by which to filter the search results. Possible values: "UNHANDLED", "SUPPRESSED", and "RESOLVED".Optional
alert_typeA comma-separated list of alert types by which to filter the search results. Possible values: "Policy Violation", "System Policy Violation", and "Anomaly Detection"Optional

Context Output#

PathTypeDescription
Armis.Alert.activityIdsNumberThe activity IDs of the alert.
Armis.Alert.activityUUIDsStringThe activity UUIDs of the alert.
Armis.Alert.alertIdNumberThe ID of the alert.
Armis.Alert.connectionIdsNumberThe connection IDs of the alert.
Armis.Alert.descriptionStringA text description of the alert.
Armis.Alert.deviceIdsNumberThe device IDs of the alert
Armis.Alert.severityStringThe severity of the alert.
Armis.Alert.statusStringThe status of the alert.
Armis.Alert.timeDateThe date and time the alert occurred.
Armis.Alert.titleStringThe title of the alert.
Armis.Alert.typeStringThe type of the alert.

Command Example#

!armis-search-alerts status=RESOLVED max_results=10

Context Example#

{
"Armis": {
"Alert": {
"activityIds": [
23314066,
23316462,
23317202,
23326470,
23341779,
23342441
],
"activityUUIDs": [
"enyZFHgBAAAC-vCT9nJG",
"0Hy2FHgBAAAC-vCTGnJB",
"3Hy_FHgBAAAC-vCTp3Kz",
"v3wSFXgBAAAC-vCTFnNL",
"_nxOGHgBAAAC-vCTUnc2",
"2HxpGHgBAAAC-vCT03jo"
],
"alertId": 3984,
"connectionIds": [
923419,
923501,
924451
],
"description": "Smart TV started connection to Corporate Network",
"deviceIds": [
165722,
532
],
"severity": "Medium",
"status": "Resolved",
"time": "2021-03-09T01:28:44.032944+00:00",
"title": "Smart TV connected to Corporate network",
"type": "System Policy Violation"
}
}
}

Human Readable Output#

Alerts#

SeverityTypeTimeStatusTitleDescriptionActivity IdsActivity UUI DsAlert IdConnection IdsDevice Ids
MediumSystem Policy Violation2021-03-09T01:28:44.032944+00:00ResolvedSmart TV connected to Corporate networkSmart TV started connection to Corporate Network23314066,
23316462,
23317202,
23326470,
23341779,
23342441
enyZFHgBAAAC-vCT9nJG,
0Hy2FHgBAAAC-vCTGnJB,
3Hy_FHgBAAAC-vCTp3Kz,
v3wSFXgBAAAC-vCTFnNL,
_nxOGHgBAAAC-vCTUnc2,
2HxpGHgBAAAC-vCT03jo
3984923419,
923501,
924451
165722,
532

armis-update-alert-status#


Updates the status for an alert.

Base Command#

armis-update-alert-status

Input#

Argument NameDescriptionRequired
alert_idThe ID of the alert to update.Required
statusNew status of the alert. Possible values are: UNHANDLED, RESOLVED, SUPPRESSED.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

armis-search-alerts-by-aql-string#


Searches the alerts with a raw AQL string.

Base Command#

armis-search-alerts-by-aql-string

Input#

Argument NameDescriptionRequired
aql_stringThe AQL string to by which to search.Required
max_resultsThe maximum number of results to get. Default is 50.Optional

Context Output#

PathTypeDescription
Armis.Alert.activityIdsNumberThe activity IDs of the alert.
Armis.Alert.activityUUIDsStringThe activity UUIDs of the alert.
Armis.Alert.alertIdNumberThe ID of the alert.
Armis.Alert.connectionIdsNumberThe connection IDs of the alert.
Armis.Alert.descriptionStringThe description of the alert.
Armis.Alert.deviceIdsNumberThe device IDs of the alert.
Armis.Alert.severityStringThe severity of the alert.
Armis.Alert.statusStringThe status of the alert.
Armis.Alert.timeDateThe date and time the alert occurred.
Armis.Alert.titleStringThe title of the alert.
Armis.Alert.typeStringThe type of the alert.

Command Example#

!armis-search-alerts-by-aql-string aql_string="alertId:(3821)"

Context Example#

{
"Armis": {
"Alert": {
"activityIds": [
22060159
],
"activityUUIDs": [
"nTiGqXcBAAAC-vCTfzPN"
],
"alertId": 3821,
"connectionIds": [],
"description": "The Armis security platform has detected a violation of a policy and generated an alert.",
"deviceIds": [
199808
],
"severity": "Medium",
"status": "Resolved",
"time": "2021-02-16T06:23:02.101479+00:00",
"title": "Unencrypted Traffic: SMB",
"type": "System Policy Violation"
}
}
}

Human Readable Output#

Alerts#

Alert IdDescriptionTypeTitleSeverityStatusTimeActivity IdsActivity UUI DsDevice Ids
3821The Armis security platform has detected a violation of a policy and generated an alert.System Policy ViolationUnencrypted Traffic: SMBMediumResolved2021-02-16T06:23:02.101479+00:0022060159nTiGqXcBAAAC-vCTfzPN199808

armis-tag-device#


Adds a tag to a device.

Base Command#

armis-tag-device

Input#

Argument NameDescriptionRequired
device_idThe ID of the device to add a tag to.Required
tagsThe tags to add to the device.Required

Context Output#

There is no context output for this command.

Command Example#

!armis-tag-device device_id=165722 tags=test

Human Readable Output#

Successfully Tagged device: 165722 with tags: ['test']

armis-untag-device#


Removes a tag from a device.

Base Command#

armis-untag-device

Input#

Argument NameDescriptionRequired
device_idThe ID of the device to remove a tag from.Required
tagsThe tags to remove from the device.Required

Context Output#

There is no context output for this command.

Command Example#

!armis-untag-device device_id=165722 tags=test

Human Readable Output#

Successfully Untagged device: 165722 with tags: ['test']

armis-search-devices#


Searches devices by identifiers.

Base Command#

armis-search-devices

Input#

Argument NameDescriptionRequired
nameThe name of the device.Optional
device_idThe ID of the device to search for.Optional
mac_addressThe MAC address of the device to search for.Optional
ip_addressThe IP address of the device to search for.Optional
device_typeThe device type to search for.Optional
time_frameThe time frame of the device to search for.Optional
max_resultsThe maximum number of results to get. Default is 50.Optional
risk_levelA comma-separated list of device risk levels by which to filter the results. Possible values: "Low", "Medium", and "High".'Optional

Context Output#

PathTypeDescription
Armis.Device.accessSwitchStringThe access switch of the device.
Armis.Device.categoryStringThe category of the device.
Armis.Device.firstSeenDateThe first time the device was seen.
Armis.Device.idNumberThe ID of the device.
Armis.Device.ipaddressStringThe IP address of the device.
Armis.Device.ipv6StringThe IPv6 address of the device.
Armis.Device.lastSeenDateThe last time the device was seen.
Armis.Device.macAddressStringThe MAC address of the device.
Armis.Device.manufacturerStringThe manufacturer of the device.
Armis.Device.modelStringThe model of the device.
Armis.Device.nameStringThe name of the device.
Armis.Device.operatingSystemStringThe operating system of the device.
Armis.Device.operatingSystemVersionStringThe operating system version of the device.
Armis.Device.purdueLevelStringThe purdue level of the device.
Armis.Device.riskLevelStringThe risk level of the device.
Armis.Device.sensorStringThe sensor of the device.
Armis.Device.siteStringThe site of the device.
Armis.Device.tagsStringThe tags of the device.
Armis.Device.typeStringThe type of the device.
Armis.Device.userStringThe user of the device.
Armis.Device.visibilityStringThe visibility of the device.

Command Example#

!armis-search-devices device_id=165722

Context Example#

{
"Armis": {
"Device": {
"accessSwitch": null,
"category": "Displays",
"dataSources": [
{
"firstSeen": "2020-10-15T07:02:24+00:00",
"lastSeen": "2021-03-11T18:12:43.196158+00:00",
"name": "Meraki",
"types": [
"WLC"
]
},
{
"firstSeen": "2020-10-15T07:03:04.312438+00:00",
"lastSeen": "2021-03-11T06:55:25.602145+00:00",
"name": "Traffic Inspection",
"types": [
"Traffic Inspection",
"Data Analysis"
]
}
],
"firstSeen": "2020-10-15T06:53:45+00:00",
"id": 165722,
"ipAddress": "10.82.0.76",
"ipv6": null,
"lastSeen": "2021-03-11T18:12:29.706176+00:00",
"macAddress": "8c:79:f5:17:1f:c4",
"manufacturer": "Samsung Electronics",
"model": "Smart TV",
"name": "samsung",
"operatingSystem": "Tizen",
"operatingSystemVersion": "5.0",
"riskLevel": 8,
"sensor": {
"name": "win-wap-trg-Downstairs",
"type": "Access Point"
},
"site": {
"location": "13 Permas Way, Truganina, Vic 3029",
"name": "Winslow Truganina"
},
"tags": [
"MERAKI_NETWORK=Winslow Truganina",
"Corporate"
],
"type": "TVs",
"user": "",
"visibility": "Full"
}
}
}

Human Readable Output#

Devices#

Risk LevelNameTypeIp AddressTagsId
8samsungTVs10.82.0.76MERAKI_NETWORK=Winslow Truganina,
Corporate
165722

armis-search-devices-by-aql#


Searches devices with a custom AQL search string.

Base Command#

armis-search-devices-by-aql

Input#

Argument NameDescriptionRequired
aql_stringThe AQL string.Required
max_resultsThe maximum number of results to get. Default is 50.Optional

Context Output#

PathTypeDescription
Armis.Device.accessSwitchStringThe access switch of the device.
Armis.Device.categoryStringThe category of the device.
Armis.Device.firstSeenDateThe first time the device was seen.
Armis.Device.idNumberThe ID of the device.
Armis.Device.ipaddressStringThe IP address of the device.
Armis.Device.ipv6StringThe IPv6 address of the device.
Armis.Device.lastSeenDateThe last time the device was seen.
Armis.Device.macAddressStringThe MAC address of the device.
Armis.Device.manufacturerStringThe manufacturer of the device.
Armis.Device.modelStringThe model of the device.
Armis.Device.nameStringThe name of the device.
Armis.Device.operatingSystemStringThe operating system of the device.
Armis.Device.operatingSystemVersionStringThe operating system version of the device.
Armis.Device.purdueLevelStringThe purdue level of the device.
Armis.Device.riskLevelStringThe risk level of the device.
Armis.Device.sensorStringThe sensor of the device.
Armis.Device.siteStringThe site of the device.
Armis.Device.tagsStringThe tags of the device.
Armis.Device.typeStringThe type of the device.
Armis.Device.userStringThe user of the device.
Armis.Device.visibilityStringThe visibility of the device.

Command Example#

!armis-search-devices-by-aql aql_string="macAddress:(a4:5d:36:c5:32:69)"

Context Example#

{
"Armis": {
"Device": {
"accessSwitch": "win-sw-hoc-01:po9",
"category": "Computers",
"dataSources": [
{
"firstSeen": "2020-10-01T11:56:48+00:00",
"lastSeen": "2021-03-11T20:26:40+00:00",
"name": "Meraki",
"types": [
"WLC"
]
},
{
"firstSeen": "2021-02-02T08:34:10.536715+00:00",
"lastSeen": "2021-03-11T20:21:22.374047+00:00",
"name": "Network Mapper",
"types": [
"Network Monitoring"
]
},
{
"firstSeen": "2020-07-05T11:25:24.128383+00:00",
"lastSeen": "2021-03-11T20:32:33.494314+00:00",
"name": "Traffic Inspection",
"types": [
"Traffic Inspection",
"Data Analysis"
]
}
],
"firstSeen": "2020-06-01T00:30:32.318087+00:00",
"id": 74745,
"ipAddress": "10.0.100.10",
"ipv6": null,
"lastSeen": "2021-03-11T20:32:33.494314+00:00",
"macAddress": "a4:5d:36:c5:32:69",
"manufacturer": "Hewlett Packard",
"model": "Hewlett device",
"name": "wc-shoretel.winslow.local",
"operatingSystem": "Windows",
"operatingSystemVersion": "Server 2008 R2",
"riskLevel": 10,
"sensor": {
"name": "win-wap-tfm-01",
"type": "Access Point"
},
"site": {
"location": "28 Merri Concourse, Campbellfield VIc 3061 Australia",
"name": "Winslow Small Plant"
},
"tags": [
"MERAKI_NETWORK=Winslow Campbellfield"
],
"type": "Servers",
"user": "",
"visibility": "Full"
}
}
}

Human Readable Output#

Devices#

Risk LevelNameTypeIp AddressTagsId
10wc-shoretel.winslow.localServers10.0.100.10MERAKI_NETWORK=Winslow Campbellfield74745