The Armis connector protects against cyber threats created by the onslaught of unmanaged IoT devices. This connector facilitates operations to get lists of alerts and devices, update the status of alerts, and tag and untag devices.
This document provides information about the Armis Connector that facilitates automated interactions with an Armis server using FortiSOAR™ playbooks. Add the Armis Connector as a step in FortiSOAR™ playbooks and perform automated operations with Armis.
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 7.4.0-3024
Armis Version Tested on: v1
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Armis Connector in version 1.1.0:
text to datetime
7 days from the Time Frame parameter
Use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-armis
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Armis connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Armis server to which you will connect and perform the automated operations. |
API Key | API key to access the Armis endpoint to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts List | Retrieves a detailed list of alerts from the Armis server based on filters like Alert ID, Time Frame, Risk level, and other criteria that you have specified. | get_alerts Investigation |
Get Alerts By Armis Standard Query | Retrieves a detailed list of alerts from the Armis server based on the Armis Standard Query that you have specified. | get_alerts_by_asq Investigation |
Update Alert Status | Updates the status of a specific alert on the Armis server based on the alert ID and the alert status that you have specified. Following permissions are required: | update_alert_status Investigation |
Get Devices List | Retrieves a detailed list of devices from the Armis server based on the filters like device name, device ID, MAC address, and other criteria that you have specified. | get_devices Investigation |
Get Devices By Armis Standard Query | Retrieves a detailed list of devices from the Armis server based on the Armis Standard Query that you have specified. | get_devices_by_asq Investigation |
Update Device | Updates one or more of the device's attributes based on the input parameters that you have specified. Permissions required: Device › Manage › Edit. | update_device Investigation |
Add Device Tag | Adds tags to a device based on the device ID and tag name that you have specified. Permissions required: Device > Manage > Tags. | add_device_tags Investigation |
Remove Device Tag | Removes tags from a device based on the device ID and tag name that you have specified. Permissions required: Device > Manage > Tags. | remove_device_tags Investigation |
Get Policies List | Retrieves a detailed list of policies from the Armis server. Permissions required: Policy > Read. | get_policies Investigation |
Update Policy | Updates a policy based on the input parameters that you have specified. Permissions required: Policy > Manage. | update_policy Investigation |
Get Reports List | Retrieves a detailed list of reports from the Armis server. Permissions required: Report > Read. | get_reports Investigation |
Get Vulnerability Matches | Retrieves a detailed list of vulnerability matches from the Armis server based on the input parameters that you have specified. Permissions required: Vulnerability > Read. | get_vulnerability_matches Investigation |
Parameter | Description |
---|---|
Alert ID | (Optional) Specify an alert ID to retrieve the specified alert's details from the Armis server. |
Start Time | (Optional) Specify the start date and time to retrieve alerts from the Armis server. |
Risk Level | (Optional) Select risk levels to filter alerts retrieved based on your selection from the following options: |
Status | (Optional) Select the status to filter alerts retrieved based on your selection from the following options: |
Alert Type | (Optional) Select the alert type to filter alerts retrieved based on your selection from the following options: |
Sites | (Optional) Specify the sites whose associated records you want to retrieve from the Armis server. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following: |
The output contains the following populated JSON schema:
{
"data": {
"count": "",
"next": "",
"prev": "",
"results": [
{
"activityUUIDs": [],
"alertId": "",
"connectionIds": [],
"description": "",
"deviceIds": [],
"severity": "",
"status": "",
"time": "",
"title": "",
"type": ""
}
],
"total": ""
},
"success": ""
}
Parameter | Description |
---|---|
Armis Standard Query | (Optional) Specify the Armis Standard Query to retrieve alerts from the Armis server based on your specified query. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following: |
The output contains the following populated JSON schema:
{
"data": {
"count": "",
"next": "",
"prev": "",
"results": [
{
"activityUUIDs": [],
"alertId": "",
"connectionIds": [],
"description": "",
"deviceIds": [],
"severity": "",
"status": "",
"time": "",
"title": "",
"type": ""
}
],
"total": ""
},
"success": ""
}
Parameter | Description |
---|---|
Alert ID | Specify an alert ID to update its status on the Armis server. |
Status | Specify the status of the alert to update on the Armis server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Parameter | Description |
---|---|
Device Name | (Optional) Specify a device name to retrieve the specified device details from the Armis server. |
Device ID | (Optional) Specify a device ID to retrieve its details from the Armis server. |
MAC Address | (Optional) Specify a device MAC Address to retrieve its details from the Armis server. |
IP Address | (Optional) Specify a device IP Address to retrieve its details from the Armis server. |
Device Type | (Optional) Specify the types of device to retrieve from the Armis server. |
Risk Level | (Optional) Select risk levels to filter devices retrieved based on your selection from the following options: |
Sites | (Optional) Specify the sites whose associated records you want to retrieve from the Armis server. |
Time Frame | (Optional) Specify the time frame within which to retrieve the devices from the Armis server. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following: |
The output contains the following populated JSON schema:
{
"data": {
"count": "",
"next": "",
"prev": "",
"results": [
{
"accessSwitch": "",
"boundaries": "",
"businessImpact": "",
"category": "",
"customProperties": {},
"dataSources": [
{
"firstSeen": "",
"lastSeen": "",
"name": "",
"types": []
}
],
"firstSeen": "",
"id": "",
"ipAddress": "",
"ipv6": "",
"lastSeen": "",
"macAddress": "",
"manufacturer": "",
"model": "",
"name": "",
"operatingSystem": "",
"operatingSystemVersion": "",
"purdueLevel": "",
"riskLevel": "",
"sensor": {
"name": "",
"type": ""
},
"site": {
"location": "",
"name": ""
},
"tags": [],
"type": "",
"userIds": [],
"visibility": ""
}
],
"total": ""
},
"success": ""
}
Parameter | Description |
---|---|
Armis Standard Query | (Optional) Specify the Armis Standard Query to retrieve devices from the Armis server based on your specified query. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following: |
The output contains the following populated JSON schema:
{
"data": {
"count": "",
"next": "",
"prev": "",
"results": [
{
"accessSwitch": "",
"boundaries": "",
"businessImpact": "",
"category": "",
"customProperties": {},
"dataSources": [
{
"firstSeen": "",
"lastSeen": "",
"name": "",
"types": []
}
],
"firstSeen": "",
"id": "",
"ipAddress": "",
"ipv6": "",
"lastSeen": "",
"macAddress": "",
"manufacturer": "",
"model": "",
"name": "",
"operatingSystem": "",
"operatingSystemVersion": "",
"purdueLevel": "",
"riskLevel": "",
"sensor": {
"name": "",
"type": ""
},
"site": {
"location": "",
"name": ""
},
"tags": [],
"type": "",
"userIds": [],
"visibility": ""
}
],
"total": ""
},
"success": ""
}
Parameter | Description |
---|---|
Device ID | Specify a device ID to update its details on the Armis server. |
Attributes | Specify the JSON containing attributes and their values to update on the device. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Parameter | Description |
---|---|
Device ID | Specify a device ID to which to add tags on the Armis server. |
Tags | Specify a comma-separated list of tags to add to the specified device. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
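The Tags parameter of Add Device Tag is a single comma-separated string, so tag values derived from alert data must be normalized before they are passed in. The following Python code is an added example, not part of the connector or its bundled playbooks: it turns a Get Alerts List result into one Add Device Tag parameter set per device. The severity values and their ordering, the tag prefix, the boolean `success` value and the sample data are assumptions constructed for illustration.

```python
import re

# Assumed severity values and ordering; the page does not list them.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of the documented Get Alerts List output.
SAMPLE_ALERTS_OUTPUT = {
    "data": {
        "count": 4, "next": None, "prev": None, "total": 4,
        "results": [
            {"alertId": 1001, "deviceIds": [11, 12], "severity": "High",
             "status": "Unhandled", "type": "System Policy Violation"},
            # A comma in the type would split into two tags if passed through as-is.
            {"alertId": 1002, "deviceIds": [12], "severity": "Critical",
             "status": "Unhandled", "type": "Policy, Custom"},
            # Below the threshold: ignored.
            {"alertId": 1003, "deviceIds": [13], "severity": "Low",
             "status": "Unhandled", "type": "System Policy Violation"},
            # Malformed deviceIds (string instead of list): ignored.
            {"alertId": 1004, "deviceIds": "14", "severity": "High",
             "status": "Unhandled", "type": "System Policy Violation"},
        ],
    },
    "success": True,
}


def to_tag(prefix, value):
    """Build one tag that cannot break the comma-separated Tags parameter."""
    slug = re.sub(r"[^A-Za-z0-9_-]+", "-", str(value)).strip("-").lower()
    return f"{prefix}-{slug}" if slug else None


def build_tag_requests(alerts_output, min_severity="high", prefix="armis-alert"):
    """Return Add Device Tag inputs (device ID plus comma-separated tags)
    for every device referenced by an alert at or above min_severity."""
    if not isinstance(alerts_output, dict) or alerts_output.get("success") is not True:
        raise ValueError("Get Alerts List did not report success")
    data = alerts_output.get("data")
    results = data.get("results") if isinstance(data, dict) else None
    if not isinstance(results, list):
        raise ValueError("Get Alerts List output has no data.results list")

    threshold = SEVERITY_RANK[min_severity]
    tags_by_device = {}
    for alert in results:
        if not isinstance(alert, dict):
            continue
        severity = str(alert.get("severity", "")).strip().lower()
        device_ids = alert.get("deviceIds")
        # Unknown severities rank 0 and are skipped rather than guessed at.
        if SEVERITY_RANK.get(severity, 0) < threshold or not isinstance(device_ids, list):
            continue
        tags = {to_tag(prefix, severity), to_tag(prefix, alert.get("type", ""))} - {None}
        for device_id in device_ids:
            if isinstance(device_id, (int, str)):
                tags_by_device.setdefault(device_id, set()).update(tags)

    return [
        {"device_id": device_id, "tags": ",".join(sorted(tags))}
        for device_id, tags in sorted(tags_by_device.items(), key=lambda kv: str(kv[0]))
    ]


if __name__ == "__main__":
    for request in build_tag_requests(SAMPLE_ALERTS_OUTPUT):
        print(request)
```

Each returned dictionary maps onto the Device ID and Tags inputs of one Add Device Tag step.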
Parameter | Description |
---|---|
Device ID | Specify a device ID from which to remove tags on the Armis server. |
Tags | Specify a comma-separated list of tags to remove from the specified device. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Parameter | Description |
---|---|
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following: |
The output contains the following populated JSON schema:
{
"data": {
"count": "",
"next": "",
"policies": [
{
"action": {
"params": {
"consolidation": {
"amount": "",
"unit": ""
},
"severity": "",
"type": ""
},
"type": ""
},
"actions": [
{
"params": {
"consolidation": {
"amount": "",
"unit": ""
},
"severity": "",
"type": ""
},
"type": ""
}
],
"description": "",
"id": "",
"isEnabled": "",
"labels": "",
"name": "",
"ruleType": "",
"rules": {
"and": [
""
]
}
}
],
"prev": "",
"total": ""
},
"success": ""
}
Parameter | Description |
---|---|
Policy ID | Specify a policy ID to update its details on the Armis server. |
Attributes | Specify the JSON containing attributes and their values to update attributes of a policy. |
The output contains the following populated JSON schema:
{
"data": {
"action": {
"params": {
"consolidation": {
"amount": "",
"unit": ""
},
"severity": "",
"type": ""
},
"type": ""
},
"actions": [
{
"params": {
"consolidation": {
"amount": "",
"unit": ""
},
"severity": "",
"type": ""
},
"type": ""
}
],
"description": "",
"id": "",
"isEnabled": "",
"labels": "",
"name": "",
"ruleType": "",
"rules": {
"and": []
}
},
"success": ""
}
None.
The output contains the following populated JSON schema:
{
"data": {
"items": [
{
"asq": "",
"creationTime": "",
"id": "",
"isScheduled": "",
"reportName": ""
}
],
"total": ""
},
"success": ""
}
Parameter | Description |
---|---|
Input Type | Select one of the input types to retrieve vulnerability matches from the Armis server. |
Device IDs / Vulnerability IDs | Specify a list of comma-separated device IDs or vulnerability IDs to retrieve vulnerability matches from the Armis server. |
Number of Records to Return | Select whether you want this operation to Fetch Limited Records or Fetch All Records. To Fetch Limited Records specify the following: |
The output contains the following populated JSON schema:
{
"data": {
"paging": {
"from": "",
"length": "",
"next": "",
"prev": "",
"to": "",
"total": ""
},
"sample": [
{
"avmRating": "",
"confidenceLevel": "",
"cveUid": "",
"deviceId": "",
"firstDetected": "",
"lastDetected": "",
"matchCriteriaString": "",
"status": ""
}
]
},
"success": ""
}
The Sample - Armis - 1.1.0 playbook collection comes bundled with the Armis connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation › Playbooks section in FortiSOAR™ after importing the Armis connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from Armis. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map Armis content to related FortiSOAR™ modules.
On the Field Mapping screen, map the fields of an Armis indicator to the fields of an indicator present in FortiSOAR™.
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Armis, so that the content gets pulled from the Armis integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Armis every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., indicators will be pulled from Armis every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.