🔍 Armis Alerts

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Connectors Index

Attribute Value
Connector ID ArmisAlerts
Publisher Armis
Used in Solutions Armis
Collection Method Azure Function
Connector Definition Files ArmisAlerts_API_FunctionApp.json
Ingestion API UndeterminedAzure Function code contains both Log Ingestion API and HTTP Data Collector API patterns

The Armis Alerts connector gives the capability to ingest Armis Alerts into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: https://<YourArmisInstance>.armis.com/api/v1/docs for more information. The connector provides the ability to get alert information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents.

Tables Ingested

This connector ingests data into the following tables:

Table Transformations Ingestion API Lake-Only
Armis_Alerts_CL ? ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions: - Workspace (Workspace): read and write permissions on the workspace are required. - Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.

Custom Permissions: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions. - REST API Credentials/permissions: Armis Secret Key is required. See the documentation to learn more about API on the https://<YourArmisInstance>.armis.com/api/v1/doc

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

NOTE: This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

NOTE: This data connector depends on a parser based on a Kusto Function to work as expected. Follow these steps to create the Kusto functions alias, ArmisAlerts

STEP 1 - Configuration steps for the Armis API

Follow these instructions to create an Armis API secret key. 1. Log into your Armis instance 2. Navigate to Settings -> API Management 3. If the secret key has not already been created, press the Create button to create the secret key 4. To access the secret key, press the Show button 5. The secret key can now be copied and used during the Armis Alerts connector configuration

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

IMPORTANT: Before deploying the Armis Alert data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s) - Workspace ID: WorkspaceId Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Primary Key: PrimaryKey Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.

3. Option 1 - Azure Resource Manager (ARM) Template

Use this method for automated deployment of the Armis connector.

  1. Click the Deploy to Azure button below.

    Deploy To Azure Deploy to Azure Gov 2. Select the preferred Subscription, Resource Group and Location. 3. Enter the below information : Function Name Workspace ID Workspace Key Armis Secret Key Armis URL (https://.armis.com/api/v1/) Armis Alert Table Name Armis Schedule Avoid Duplicates (Default: true) 4. Mark the checkbox labeled I agree to the terms and conditions stated above. 5. Click Purchase to deploy.

4. Option 2 - Manual Deployment of Azure Functions

Use the following step-by-step instructions to deploy the Armis Alert data connector manually with Azure Functions (Deployment via Visual Studio Code).

1. Deploy a Function App

NOTE: You will need to prepare VS code for Azure function development.

  1. Download the Azure Function App file. Extract archive to your local development computer.
  2. Start VS Code. Choose File in the main menu and select Open Folder.
  3. Select the top level folder from extracted files.
  4. Choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose the Deploy to function app button. If you aren't already signed in, choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose Sign in to Azure If you're already signed in, go to the next step.

  5. Provide the following information at the prompts:

    a. Select folder: Choose a folder from your workspace or browse to one that contains your function app.

    b. Select Subscription: Choose the subscription to use.

    c. Select Create new Function App in Azure (Don't choose the Advanced option)

    d. Enter a globally unique name for the function app: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).

    e. Select a runtime: Choose Python 3.11

    f. Select a location for new resources. For better performance and lower costs choose the same region where Microsoft Sentinel is located.

  6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

  7. Go to Azure Portal for the Function App configuration.

2. Configure the Function App

  1. In the Function App, select the Function App Name and select Configuration.
  2. In the Application settings tab, select + New application setting.
  3. Add each of the following application settings individually, with their respective values (case-sensitive): Workspace ID Workspace Key Armis Secret Key Armis URL (https://.armis.com/api/v1/) Armis Alert Table Name Armis Schedule Avoid Duplicates (Default: true) logAnalyticsUri (optional) - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us.
  4. Once all application settings have been entered, click Save.

Additional Documentation

📄 Source: Armis\Data Connectors\ArmisAlerts\README.md

ArmisAlerts Integration for Microsoft Sentinel

Introduction

This folder contains the Azure function time trigger code for ArmisAlerts-Microsoft Sentinel connector. The connector will run periodically and ingest the ArmisAlerts data into the Microsoft Sentinel logs custom table Armis_Alerts_CL.

Folders

  1. ArmisAlerts/ - This contains the package, requirements, ARM JSON file, connector page template JSON, and other dependencies.
  2. ArmisAlertSentinelConnector/ - This contains the Azure function source code along with sample data.

Installing for the users

After the solution is published, we can find the connector in the connector gallery of Microsoft Sentinel among other connectors in Data connectors section of Sentinel.

i. Go to Microsoft Sentinel -> Data Connectors

ii. Click on the ArmisAlerts connector, connector page will open.

iii. Click on the blue Deploy to Azure button.

It will lead to a custom deployment page where after user need to select Subscription, Resource Group and Location. And need to enter below information to configure Armis Alerts data connector. Function Name Workspace ID Workspace Key Armis Secret Key Armis URL (https://<armis-instance>.armis.com/api/v1/) Armis Alert Table Name Armis Schedule Avoid Duplicates (Default: true)

The connector should start ingesting the data into the logs at every time interval specified during configuration.

Installing for testing

i. Log in to Azure portal using the URL - https://preview.portal.azure.com/?feature.BringYourOwnConnector=true.

ii. Go to Microsoft Sentinel -> Data Connectors

iii. Click the “import” button at the top and select the json file Armis_Alert_API_FunctionApp.json downloaded on your local machine from Github.

iv. This will load the connector page and rest of the process will be same as the Installing for users guideline above.

Each invocation and its logs of the function can be seen in Function App service of Azure, available in the Azure Portal outside the Microsoft Sentinel.

i. Go to Function App and click on the function which you have deployed, identified with the given name at the deployment stage.

ii. Go to Functions -> ArmisAlertSentinelConnector -> Monitor

iii. By clicking on invocation time, you can see all the logs for that run.

Note: Furthermore we can check logs in Application Insights of the given function in detail if needed. We can search the logs by operation ID in Transaction search section.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Connectors Index