
Armis v1.1.0


About the connector

Armis protects against the cyber threats that unmanaged IoT and OT devices introduce into a network. This connector lets FortiSOAR™ retrieve alerts and device lists from Armis, update the status of alerts, and tag and untag devices.

This document provides information about the Armis Connector that facilitates automated interactions with an Armis server using FortiSOAR™ playbooks. Add the Armis Connector as a step in FortiSOAR™ playbooks and perform automated operations with Armis.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.4.0-3024

Armis Version Tested on: v1

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the Armis Connector in version 1.1.0:

  • This connector version is now certified.
  • Added the following new actions:
    • Update Device
    • Get Policies List
    • Update Policy
    • Get Reports List
    • Get Vulnerability Matches
  • Renamed the following actions:
    • Renamed Add Tags to a Device to Add Device Tag
    • Renamed Remove Tags from a Device to Remove Device Tag
  • Updated the following actions:
    • Get Alerts List
      • Added the following new parameters:
        • Sites
        • Records to return
        • Limit
        • Offset
      • Renamed the Time Frame parameter to Start Time and changed its input type from text to datetime
      • Removed the Max Alerts parameter
      • Removed the default value of 7 days from the Start Time (formerly Time Frame) parameter
      • Updated the output schema for this action
    • Get Devices List
      • Added the following new parameters:
        • Sites
        • Records to return
        • Limit
        • Offset
      • Removed the Max Devices parameter
      • Removed the default value of 7 days from the Time Frame parameter
      • Updated the output schema for this action
    • Get Alerts By Armis Standard Query
      • Added the following new parameters:
        • Records to return
        • Limit
        • Offset
      • Removed the Max Alerts parameter
      • Updated the output schema for this action
    • Get Devices By Armis Standard Query
      • Added the following new parameters:
        • Records to return
        • Limit
        • Offset
      • Removed the Max Devices parameter
      • Updated the output schema for this action
  • You can now configure data ingestion using the Data Ingestion Wizard. The wizard also supports multiple configurations specified on the Configurations tab of the Armis connector, so that ingestion uses the global variables of whichever configuration you select.

    Installing the connector

    Use the Connector Store to install the connector. For the detailed procedure to install a connector, see the Connectors Guide in the FortiSOAR™ product documentation.

    You can also use the yum command as a root user to install the connector:

    yum install cyops-connector-armis

    Prerequisites to configuring the connector

    • You must have the URL of the Armis server to which you will connect and an API key for that server. Treat the API key as a secret: enter it only in the connector configuration described below, and generate it with no more than the Armis permissions listed for the actions you intend to use (see Actions supported by the connector).
    • The FortiSOAR™ server must have outbound connectivity to port 443 on the Armis server.

    Minimum Permissions Required

    • There is no single minimum permission set for the connector. Each action that needs Armis permissions lists them in the Actions supported by the connector table; grant the API key only the permissions required for the actions you use.

    Configuring the connector

    For the procedure to configure a connector, see the Connectors Guide in the FortiSOAR™ product documentation.

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Armis connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter | Description
    Server URL | URL of the Armis server to which you will connect and perform the automated operations.
    API Key | API key used to authenticate to the Armis server to which you will connect and perform the automated operations.
    Verify SSL | Specifies whether the TLS certificate presented by the Armis server is verified. By default, this option is set to True. Leave it enabled: with verification disabled, the API key is sent to whichever host answers at the Server URL, so an attacker positioned on the path can capture it.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function | Description | Annotation and Category
    Get Alerts List | Retrieves a detailed list of alerts from the Armis server based on filters such as Alert ID, Start Time, Risk Level, and other criteria that you have specified. | get_alerts (Investigation)
    Get Alerts By Armis Standard Query | Retrieves a detailed list of alerts from the Armis server based on the Armis Standard Query that you have specified. | get_alerts_by_asq (Investigation)
    Update Alert Status | Updates the status of a specific alert on the Armis server based on the alert ID and the alert status that you have specified. Permissions required: Alert > Manage > Resolve and Alert > Manage > Suppress. | update_alert_status (Investigation)
    Get Devices List | Retrieves a detailed list of devices from the Armis server based on filters such as device name, device ID, MAC address, and other criteria that you have specified. | get_devices (Investigation)
    Get Devices By Armis Standard Query | Retrieves a detailed list of devices from the Armis server based on the Armis Standard Query that you have specified. | get_devices_by_asq (Investigation)
    Update Device | Updates one or more of a device's attributes based on the input parameters that you have specified. Permissions required: Device > Manage > Edit. | update_device (Investigation)
    Add Device Tag | Adds tags to a device based on the device ID and tag names that you have specified. Permissions required: Device > Manage > Tags. | add_device_tags (Investigation)
    Remove Device Tag | Removes tags from a device based on the device ID and tag names that you have specified. Permissions required: Device > Manage > Tags. | remove_device_tags (Investigation)
    Get Policies List | Retrieves a detailed list of policies from the Armis server. Permissions required: Policy > Read. | get_policies (Investigation)
    Update Policy | Updates a policy based on the input parameters that you have specified. Permissions required: Policy > Manage. | update_policy (Investigation)
    Get Reports List | Retrieves a detailed list of reports from the Armis server. Permissions required: Report > Read. | get_reports (Investigation)
    Get Vulnerability Matches | Retrieves a detailed list of vulnerability matches from the Armis server based on the input parameters that you have specified. Permissions required: Vulnerability > Read. | get_vulnerability_matches (Investigation)

    operation: Get Alerts List

    Input parameters

    Parameter Description
    Alert ID (Optional) Specify an alert ID to retrieve the specified alert's details from the Armis server.
    Start Time (Optional) Specify the start date and time to retrieve alerts from the Armis server.
    Risk Level (Optional) Select risk levels to filter alerts retrieved based on your selection from the following options:
    • High
    • Medium
    • Low
    Status (Optional) Select the status to filter alerts retrieved based on your selection from the following options:
    • UNHANDLED
    • SUPPRESSED
    • RESOLVED
    Alert Type (Optional) Select the alert type to filter alerts retrieved based on your selection from the following options:
    • Policy Violation
    • System Policy Violation
    • Anomaly Detection
    Sites (Optional) Specify the sites whose associated records you want to retrieve from the Armis server.
    Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following:
    • Limit: Specify the maximum number of alerts that this operation should return. Default: 10
    • Offset: Specify the number of records to skip from the start of the result set before returning records.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "count": "",
    "next": "",
    "prev": "",
    "results": [
    {
    "activityUUIDs": [],
    "alertId": "",
    "connectionIds": [],
    "description": "",
    "deviceIds": [],
    "severity": "",
    "status": "",
    "time": "",
    "title": "",
    "type": ""
    }
    ],
    "total": ""
    },
    "success": ""
    }
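    The Limit and Offset parameters above, and Fetch All Records, page through the same count/next/prev/results/total envelope; the two Armis Standard Query operations below return it as well. The following is an added illustration for this page, not code from the Armis connector or from Armis: it stands in for a playbook step that walks every page of Get Alerts List with Fetch Limited Records and collects the device IDs behind unhandled high-severity alerts, which is the list you would then pass to Get Devices List or Add Device Tag. The fetch_alerts_page function and the alert records are constructed here, and the assumption that Offset skips that many records is this example's, not a statement about the Armis API.

```python
"""Paging through Get Alerts List output and pulling out the devices behind
unhandled high-severity alerts.

Illustration code added for this page; it is not part of the Armis connector.
fetch_alerts_page is a constructed stand-in for the connector's Get Alerts List
step run with Fetch Limited Records, returning the envelope documented above
(data.count / next / prev / results / total). The alert records are made up.
"""
from typing import Callable, Dict, Iterator, List

# Constructed sample alerts in the shape of data.results[] above.
SAMPLE_ALERTS: List[Dict] = [
    {"alertId": 101, "severity": "High", "status": "UNHANDLED",
     "type": "Policy Violation", "deviceIds": [11, 12],
     "title": "Unmanaged device on OT segment"},
    {"alertId": 102, "severity": "Medium", "status": "UNHANDLED",
     "type": "Anomaly Detection", "deviceIds": [13],
     "title": "Unusual traffic volume"},
    {"alertId": 103, "severity": "High", "status": "RESOLVED",
     "type": "System Policy Violation", "deviceIds": [11],
     "title": "Outdated firmware"},
    {"alertId": 104, "severity": "High", "status": "UNHANDLED",
     "type": "Policy Violation", "deviceIds": [12, 14],
     "title": "Cleartext credentials observed"},
    {"alertId": 105, "severity": "Low", "status": "SUPPRESSED",
     "type": "Anomaly Detection", "deviceIds": [],
     "title": "New device seen"},
]


def fetch_alerts_page(limit: int, offset: int) -> Dict:
    """Stand-in for Get Alerts List with Fetch Limited Records (assumed
    behaviour: Offset skips that many records, Limit caps the page size)."""
    page = SAMPLE_ALERTS[offset:offset + limit]
    total = len(SAMPLE_ALERTS)
    return {
        "success": True,
        "data": {
            "count": len(page),
            "next": offset + limit if offset + limit < total else None,
            "prev": max(offset - limit, 0) if offset > 0 else None,
            "results": page,
            "total": total,
        },
    }


def iter_all_alerts(fetch: Callable[[int, int], Dict], limit: int = 10,
                    max_pages: int = 1000) -> Iterator[Dict]:
    """Walk every page with Limit/Offset, which is what Fetch All Records does.

    Progress is measured by the number of records actually returned rather
    than by the 'next' field, whose exact form the page does not document,
    and max_pages bounds the loop so a server that never stops returning
    records cannot keep a playbook running forever.
    """
    offset, pages = 0, 0
    while True:
        resp = fetch(limit, offset)
        if not resp.get("success"):
            raise RuntimeError(f"Get Alerts List failed at offset {offset}")
        data = resp["data"]
        results = data["results"]
        yield from results
        pages += 1
        offset += len(results)
        if not results or offset >= int(data["total"]):
            return
        if pages >= max_pages:
            raise RuntimeError("page limit reached; refusing to loop indefinitely")


def devices_needing_attention(fetch: Callable[[int, int], Dict] = fetch_alerts_page,
                              severities=("High",), status: str = "UNHANDLED",
                              limit: int = 2) -> Dict[int, List[int]]:
    """Map device ID -> alert IDs for alerts matching the severity and status
    filters; a small limit is used so the sample data spans several pages."""
    hits: Dict[int, List[int]] = {}
    for alert in iter_all_alerts(fetch, limit=limit):
        if alert["severity"] not in severities or alert["status"] != status:
            continue
        for device_id in alert["deviceIds"]:
            hits.setdefault(device_id, []).append(alert["alertId"])
    return hits


if __name__ == "__main__":
    for device_id, alert_ids in devices_needing_attention().items():
        print(f"device {device_id}: alerts {alert_ids}")
```

    In a real playbook the fetch callable is the connector step itself; the point of the loop is to stop on the number of records received and on an explicit page ceiling, not only on whatever the server reports in next, so a malformed or adversarial response cannot turn Fetch All Records into an unbounded run.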

    operation: Get Alerts By Armis Standard Query

    Input parameters

    Parameter Description
    Armis Standard Query (Optional) Specify the Armis Standard Query to retrieve alerts from the Armis server based on your specified query.
    Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following:
    • Limit: Specify the maximum number of alerts that this operation should return. Default: 10
    • Offset: Specify the number of records to skip from the start of the result set before returning records.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "count": "",
    "next": "",
    "prev": "",
    "results": [
    {
    "activityUUIDs": [],
    "alertId": "",
    "connectionIds": [],
    "description": "",
    "deviceIds": [],
    "severity": "",
    "status": "",
    "time": "",
    "title": "",
    "type": ""
    }
    ],
    "total": ""
    },
    "success": ""
    }

    operation: Update Alert Status

    Input parameters

    Parameter Description
    Alert ID Specify the ID of the alert whose status you want to update on the Armis server.
    Status Specify the status to set on the alert. The alert statuses used elsewhere in this connector are UNHANDLED, SUPPRESSED, and RESOLVED; setting an alert to SUPPRESSED or RESOLVED requires the Alert > Manage > Suppress or Alert > Manage > Resolve permission listed above.

    Output

    The output contains the following populated JSON schema:
    {
    "status": "",
    "message": ""
    }

    operation: Get Devices List

    Input parameters

    Parameter Description
    Device Name (Optional) Specify a device name to retrieve the specified device details from the Armis server.
    Device ID (Optional) Specify a device ID to retrieve its details from the Armis server.
    MAC Address (Optional) Specify a device MAC Address to retrieve its details from the Armis server.
    IP Address (Optional) Specify a device IP Address to retrieve its details from the Armis server.
    Device Type (Optional) Specify the types of device to retrieve from the Armis server.
    Risk Level (Optional) Select risk levels to filter devices retrieved based on your selection from the following options:
    • High
    • Medium
    • Low
    Sites (Optional) Specify the sites whose associated records you want to retrieve from the Armis server.
    Time Frame (Optional) Specify the time frame within which to retrieve the devices from the Armis server.
    Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following:
    • Limit: Specify the maximum number of devices that this operation should return. Default: 10
    • Offset: Specify the number of records to skip from the start of the result set before returning records.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "count": "",
    "next": "",
    "prev": "",
    "results": [
    {
    "accessSwitch": "",
    "boundaries": "",
    "businessImpact": "",
    "category": "",
    "customProperties": {},
    "dataSources": [
    {
    "firstSeen": "",
    "lastSeen": "",
    "name": "",
    "types": []
    }
    ],
    "firstSeen": "",
    "id": "",
    "ipAddress": "",
    "ipv6": "",
    "lastSeen": "",
    "macAddress": "",
    "manufacturer": "",
    "model": "",
    "name": "",
    "operatingSystem": "",
    "operatingSystemVersion": "",
    "purdueLevel": "",
    "riskLevel": "",
    "sensor": {
    "name": "",
    "type": ""
    },
    "site": {
    "location": "",
    "name": ""
    },
    "tags": [],
    "type": "",
    "userIds": [],
    "visibility": ""
    }
    ],
    "total": ""
    },
    "success": ""
    }

    operation: Get Devices By Armis Standard Query

    Input parameters

    Parameter Description
    Armis Standard Query (Optional) Specify the Armis Standard Query to retrieve devices from the Armis server based on your specified query.
    Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following:
    • Limit: Specify the maximum number of devices that this operation should return. Default: 10
    • Offset: Specify the number of records to skip from the start of the result set before returning records.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "count": "",
    "next": "",
    "prev": "",
    "results": [
    {
    "accessSwitch": "",
    "boundaries": "",
    "businessImpact": "",
    "category": "",
    "customProperties": {},
    "dataSources": [
    {
    "firstSeen": "",
    "lastSeen": "",
    "name": "",
    "types": []
    }
    ],
    "firstSeen": "",
    "id": "",
    "ipAddress": "",
    "ipv6": "",
    "lastSeen": "",
    "macAddress": "",
    "manufacturer": "",
    "model": "",
    "name": "",
    "operatingSystem": "",
    "operatingSystemVersion": "",
    "purdueLevel": "",
    "riskLevel": "",
    "sensor": {
    "name": "",
    "type": ""
    },
    "site": {
    "location": "",
    "name": ""
    },
    "tags": [],
    "type": "",
    "userIds": [],
    "visibility": ""
    }
    ],
    "total": ""
    },
    "success": ""
    }

    operation: Update Device

    Input parameters

    Parameter Description
    Device ID Specify a device ID to update its details on the Armis server.
    Attributes Specify a JSON object of attribute names and the values to set on the device.

    Output

    The output contains the following populated JSON schema:
    {
    "status": "",
    "message": ""
    }

    operation: Add Device Tag

    Input parameters

    Parameter Description
    Device ID Specify a device ID to which to add tags on the Armis server.
    Tags Specify a comma-separated list of tags to add to the specified device.

    Output

    The output contains the following populated JSON schema:
    {
    "status": "",
    "message": ""
    }

    operation: Remove Device Tag

    Input parameters

    Parameter Description
    Device ID Specify a device ID from which to remove tags on the Armis server.
    Tags Specify a comma-separated list of tags to remove from the specified device.

    Output

    The output contains the following populated JSON schema:
    {
    "status": "",
    "message": ""
    }

    operation: Get Policies List

    Input parameters

    Parameter Description
    Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following:
    • Limit: Specify the maximum number of policies that this operation should return. Default: 10
    • Offset: Specify the number of records to skip from the start of the result set before returning records.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "count": "",
    "next": "",
    "policies": [
    {
    "action": {
    "params": {
    "consolidation": {
    "amount": "",
    "unit": ""
    },
    "severity": "",
    "type": ""
    },
    "type": ""
    },
    "actions": [
    {
    "params": {
    "consolidation": {
    "amount": "",
    "unit": ""
    },
    "severity": "",
    "type": ""
    },
    "type": ""
    }
    ],
    "description": "",
    "id": "",
    "isEnabled": "",
    "labels": "",
    "name": "",
    "ruleType": "",
    "rules": {
    "and": [
    ""
    ]
    }
    }
    ],
    "prev": "",
    "total": ""
    },
    "success": ""
    }

    operation: Update Policy

    Input parameters

    Parameter Description
    Policy ID Specify a policy ID to update its details on the Armis server.
    Attributes Specify a JSON object of attribute names and the values to set on the policy.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "action": {
    "params": {
    "consolidation": {
    "amount": "",
    "unit": ""
    },
    "severity": "",
    "type": ""
    },
    "type": ""
    },
    "actions": [
    {
    "params": {
    "consolidation": {
    "amount": "",
    "unit": ""
    },
    "severity": "",
    "type": ""
    },
    "type": ""
    }
    ],
    "description": "",
    "id": "",
    "isEnabled": "",
    "labels": "",
    "name": "",
    "ruleType": "",
    "rules": {
    "and": []
    }
    },
    "success": ""
    }

    operation: Get Reports List

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "items": [
    {
    "asq": "",
    "creationTime": "",
    "id": "",
    "isScheduled": "",
    "reportName": ""
    }
    ],
    "total": ""
    },
    "success": ""
    }

    operation: Get Vulnerability Matches

    Input parameters

    Parameter Description
    Input Type Select one of the following input types to retrieve vulnerability matches from the Armis server:
    • Device IDs
    • Vulnerability IDs
    Device IDs / Vulnerability IDs Specify a comma-separated list of device IDs or vulnerability IDs, matching the selected Input Type, for which to retrieve vulnerability matches from the Armis server.
    Number of Records to Return Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following:
    • Limit: Specify the maximum number of vulnerability matches that this operation should return. Default: 10
    • Offset: Specify the number of records to skip from the start of the result set before returning records.

    Output

    The output contains the following populated JSON schema:
    {
    "data": {
    "paging": {
    "from": "",
    "length": "",
    "next": "",
    "prev": "",
    "to": "",
    "total": ""
    },
    "sample": [
    {
    "avmRating": "",
    "confidenceLevel": "",
    "cveUid": "",
    "deviceId": "",
    "firstDetected": "",
    "lastDetected": "",
    "matchCriteriaString": "",
    "status": ""
    }
    ]
    },
    "success": ""
    }
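    A vulnerability match on its own carries only a deviceId, so a playbook normally joins it back to the Get Devices List output to learn which asset, site and risk level it refers to. The following is an added illustration for this page, not code from the Armis connector or from Armis: it takes one response in the Get Vulnerability Matches shape above and one in the Get Devices List shape, keeps matches at or above a confidence threshold, groups them per device, and reports both device IDs that the device list does not contain and whether more pages remain. Both responses are constructed by hand, the CVE identifiers are placeholders rather than real vulnerabilities, and the assumptions that avmRating is numeric and that confidenceLevel takes the values Low, Medium and High belong to this example.

```python
"""Correlating Get Vulnerability Matches output with Get Devices List output
into a per-device summary.

Illustration code added for this page; it is not part of the Armis connector.
Both responses below are constructed in the output shapes documented above.
Device records, CVE identifiers (placeholders, not real vulnerabilities),
ratings and confidence values are made up; treating avmRating as numeric and
confidenceLevel as Low/Medium/High is an assumption of this example.
"""
from typing import Any, Dict

# Constructed response in the Get Vulnerability Matches output shape.
VULN_MATCHES: Dict[str, Any] = {
    "success": True,
    "data": {
        "paging": {"from": 0, "to": 4, "length": 4, "next": None, "prev": None, "total": 4},
        "sample": [
            {"deviceId": 11, "cveUid": "CVE-0000-0001", "avmRating": "9.8",
             "confidenceLevel": "High", "status": "Open", "firstDetected": "2024-01-02",
             "lastDetected": "2024-01-09", "matchCriteriaString": "model+firmware"},
            {"deviceId": 11, "cveUid": "CVE-0000-0002", "avmRating": "5.3",
             "confidenceLevel": "Medium", "status": "Open", "firstDetected": "2024-01-03",
             "lastDetected": "2024-01-09", "matchCriteriaString": "model"},
            {"deviceId": 12, "cveUid": "CVE-0000-0001", "avmRating": "9.8",
             "confidenceLevel": "Low", "status": "Open", "firstDetected": "2024-01-05",
             "lastDetected": "2024-01-09", "matchCriteriaString": "manufacturer"},
            {"deviceId": 99, "cveUid": "CVE-0000-0003", "avmRating": "7.5",
             "confidenceLevel": "High", "status": "Open", "firstDetected": "2024-01-06",
             "lastDetected": "2024-01-09", "matchCriteriaString": "model+firmware"},
        ],
    },
}

# Constructed response in the Get Devices List output shape, trimmed to the fields used.
DEVICES: Dict[str, Any] = {
    "success": True,
    "data": {
        "count": 2, "next": None, "prev": None, "total": 2,
        "results": [
            {"id": 11, "name": "plc-line-3", "ipAddress": "10.20.3.11", "riskLevel": "High",
             "type": "PLC", "site": {"name": "Plant A", "location": "Building 2"}, "tags": ["ot"]},
            {"id": 12, "name": "hvac-ctl-1", "ipAddress": "10.20.5.4", "riskLevel": "Medium",
             "type": "HVAC Controller", "site": {"name": "Plant A", "location": "Roof"}, "tags": []},
        ],
    },
}

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}  # assumed ordering of confidenceLevel


def as_rating(value: Any) -> float:
    """avmRating arrives as a string in the schema; unparsable values count as 0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def summarize_matches(vuln_resp: Dict[str, Any], devices_resp: Dict[str, Any],
                      min_confidence: str = "Medium") -> Dict[str, Any]:
    """Group matches by device, attach identity from Get Devices List, drop
    matches below min_confidence, and flag device IDs missing from the device
    list instead of silently losing them."""
    if not (vuln_resp.get("success") and devices_resp.get("success")):
        raise RuntimeError("a connector step reported success=false")

    paging = vuln_resp["data"]["paging"]
    sample = vuln_resp["data"]["sample"]
    # If further pages exist the summary is partial; say so rather than call it complete.
    complete = paging.get("next") is None and len(sample) >= int(paging.get("total", len(sample)))

    devices = {d["id"]: d for d in devices_resp["data"]["results"]}
    threshold = CONFIDENCE_RANK[min_confidence]
    per_device: Dict[int, Dict[str, Any]] = {}
    unknown = set()

    for match in sample:
        if CONFIDENCE_RANK.get(match.get("confidenceLevel"), -1) < threshold:
            continue
        device = devices.get(match["deviceId"])
        if device is None:
            unknown.add(match["deviceId"])
            continue
        entry = per_device.setdefault(match["deviceId"], {
            "id": device["id"], "name": device["name"], "ipAddress": device["ipAddress"],
            "riskLevel": device["riskLevel"], "site": device["site"]["name"],
            "cves": [], "maxRating": 0.0,
        })
        entry["cves"].append(match["cveUid"])
        entry["maxRating"] = max(entry["maxRating"], as_rating(match["avmRating"]))

    ordered = sorted(per_device.values(), key=lambda e: e["maxRating"], reverse=True)
    return {"complete": complete, "devices": ordered, "unknownDeviceIds": sorted(unknown)}


if __name__ == "__main__":
    summary = summarize_matches(VULN_MATCHES, DEVICES)
    for entry in summary["devices"]:
        print(entry["name"], entry["ipAddress"], entry["riskLevel"], entry["cves"], entry["maxRating"])
    print("unknown device IDs:", summary["unknownDeviceIds"], "complete:", summary["complete"])
```

    Device IDs that appear in a match but not in the device list are returned separately rather than dropped, since in a playbook that gap usually means the Get Devices List step was filtered (by Sites, Risk Level or Time Frame) more narrowly than the matches were, and the partial flag tells the next step whether it is looking at the whole result set.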

    Included playbooks

    The Sample - Armis - 1.1.0 playbook collection comes bundled with the Armis connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Armis connector.

    • Add Device Tag
    • Armis > Fetch and Create
    • Armis > Ingest
    • Get Alerts By Armis Standard Query
    • Get Alerts List
    • Get Devices By Armis Standard Query
    • Get Devices List
    • Get Policies List
    • Get Reports List
    • Get Vulnerability Matches
    • Remove Device Tag
    • Update Alert Status
    • Update Device
    • Update Policy

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

    Data Ingestion Support

    Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from Armis. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

    Configure Data Ingestion

    You can configure data ingestion using the Data Ingestion Wizard to seamlessly map Armis content to related FortiSOAR™ modules.

    1. To begin configuring data ingestion, click Configure Data Ingestion on the Armis connector's Configurations page.
      Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

      Sample data is required to create a field mapping between Armis data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
    2. On the Fetch Data screen, provide the configurations required to fetch alerts from Armis. You can specify the Pull Alerts Created in Past X minutes, Risk Level, Status, Alert Type and Sites to fetch alerts from Armis. The fetched data is used to create a mapping between the Armis data and FortiSOAR™ indicators.

      Once you have completed specifying the configurations, click Fetch Data.
    3. On the Field Mapping screen, map the fields of the fetched Armis alerts to the fields of the indicator module in FortiSOAR™.

      For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

    4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Armis, so that the content gets pulled from the Armis integration into FortiSOAR™.
      On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
      In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Armis every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., indicators will be pulled from Armis every 5 minutes.

      Once you have completed scheduling, click Save Settings & Continue.

    5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
