Armis Alerts Activities

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Connectors Index

Attribute Value
Connector ID ArmisAlertsActivities
Publisher Armis
Used in Solutions Armis
Collection Method Azure Function
Connector Definition Files ArmisAlertsActivities_API_FunctionApp.json
Ingestion API UndeterminedAzure Function code contains both Log Ingestion API and HTTP Data Collector API patterns

The Armis Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: https://<YourArmisInstance>.armis.com/api/v1/docs for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents.

Tables Ingested

This connector ingests data into the following tables:

Table Transformations Ingestion API Lake-Only
Armis_Activities_CL ? ?
Armis_Alerts_CL ? ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions: - Workspace (Workspace): read and write permissions on the workspace are required. - Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.

Custom Permissions: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions. - REST API Credentials/permissions: Armis Secret Key is required. See the documentation to learn more about API on the https://<YourArmisInstance>.armis.com/api/v1/doc

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

NOTE: This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

NOTE: This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities/ArmisAlerts and load the function code. The function usually takes 10-15 minutes to activate after solution installation/update.

STEP 1 - Configuration steps for the Armis API

Follow these instructions to create an Armis API secret key. 1. Log into your Armis instance 2. Navigate to Settings -> API Management 3. If the secret key has not already been created, press the Create button to create the secret key 4. To access the secret key, press the Show button 5. The secret key can now be copied and used during the Armis Alerts Activities connector configuration

STEP 2 - App Registration steps for the Application in Microsoft Entra ID

This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID: 1. Sign in to the Azure portal. 2. Search for and select Microsoft Entra ID. 3. Under Manage, select App registrations > New registration. 4. Enter a display Name for your application. 5. Select Register to complete the initial app registration. 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the Application (client) ID and Tenant ID. The client ID and Tenant ID is required as configuration parameters for the execution of Armis Alerts Activities Data Connector.

Reference link: https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app

STEP 3 - Add a client secret for application in Microsoft Entra ID

Sometimes called an application password, a client secret is a string value required for the execution of Armis Alerts Activities Data Connector. Follow the steps in this section to create a new Client Secret: 1. In the Azure portal, in App registrations, select your application. 2. Select Certificates & secrets > Client secrets > New client secret. 3. Add a description for your client secret. 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months. 5. Select Add. 6. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page. The secret value is required as configuration parameter for the execution of Armis Alerts Activities Data Connector.

Reference link: https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret

STEP 4 - Get Object ID of your application in Microsoft Entra ID

After creating your app registration, follow the steps in this section to get Object ID: 1. Go to Microsoft Entra ID. 2. Select Enterprise applications from the left menu. 3. Find your newly created application in the list (you can search by the name you provided). 4. Click on the application. 5. On the overview page, copy the Object ID. This is the AzureEntraObjectId needed for your ARM template role assignment.

STEP 5 - Assign role of Contributor to application in Microsoft Entra ID

Follow the steps in this section to assign the role: 1. In the Azure portal, Go to Resource Group and select your resource group. 2. Go to Access control (IAM) from left panel. 3. Click on Add, and then select Add role assignment. 4. Select Contributor as role and click on next. 5. In Assign access to, select User, group, or service principal. 6. Click on add members and type your app name that you have created and select it. 7. Now click on Review + assign and then again click on Review + assign.

Reference link: https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal

STEP 6 - Create a Keyvault

Follow these instructions to create a new Keyvault. 1. In the Azure portal, Go to Key vaults. Click create. 2. Select Subsciption, Resource Group and provide unique name of keyvault.

NOTE: Create a separate key vault for each API key within one workspace.

STEP 7 - Create Access Policy in Keyvault

Follow these instructions to create access policy in Keyvault. 1. Go to keyvaults, select your keyvault, go to Access policies on left side panel. Click create. 2. Select all keys & secrets permissions. Click next. 3. In the principal section, search by application name which was generated in STEP - 2. Click next.

NOTE: Ensure the Permission model in the Access Configuration of Key Vault is set to 'Vault access policy'

STEP 8 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

IMPORTANT: Before deploying the Armis Device data connector, have the Armis API Authorization Key(s) readily available..

9. Option 1 - Azure Resource Manager (ARM) Template

Use this method for automated deployment of the Armis connector.

  1. Click the Deploy to Azure button below.

    Deploy To Azure Deploy to Azure Gov 2. Select the preferred Subscription, Resource Group and Location. 3. Enter the below information : Function Name Workspace Name
    Armis Secret Key Armis URL (https://.armis.com/api/v1/) Armis Alert Table Name Armis Activity Table Name Severity (Default: Low) Armis Schedule KeyVault Name Azure Client Id Azure Client Secret Azure Entra ObjectID
    Tenant Id 4. Mark the checkbox labeled I agree to the terms and conditions stated above. 5. Click Purchase to deploy.

10. Option 2 - Manual Deployment of Azure Functions

Use the following step-by-step instructions to deploy the Armis Alerts Activities data connector manually with Azure Functions (Deployment via Visual Studio Code).

1. Deploy a Function App

NOTE: You will need to prepare VS code for Azure function development.

  1. Download the Azure Function App file. Extract archive to your local development computer.
  2. Start VS Code. Choose File in the main menu and select Open Folder.
  3. Select the top level folder from extracted files.
  4. Choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose the Deploy to function app button. If you aren't already signed in, choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose Sign in to Azure If you're already signed in, go to the next step.

  5. Provide the following information at the prompts:

    a. Select folder: Choose a folder from your workspace or browse to one that contains your function app.

    b. Select Subscription: Choose the subscription to use.

    c. Select Create new Function App in Azure (Don't choose the Advanced option)

    d. Enter a globally unique name for the function app: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).

    e. Select a runtime: Choose Python 3.12

    f. Select a location for new resources. For better performance and lower costs choose the same region where Microsoft Sentinel is located.

  6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

  7. Go to Azure Portal for the Function App configuration.

2. Configure the Function App

  1. In the Function App, select the Function App Name and select Configuration.
  2. In the Application settings tab, select + New application setting.
  3. Add each of the following application settings individually, with their respective values (case-sensitive): Workspace Name
    Armis Secret Key Armis URL (https://.armis.com/api/v1/) Armis Alert Table Name Armis Activity Table Name Severity (Default: Low) Armis Schedule KeyVault Name Azure Client Id Azure Client Secret Azure Entra ObjectID
    Tenant Id logAnalyticsUri (optional) - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us.
  4. Once all application settings have been entered, click Save.

Additional Documentation

📄 Source: Armis\Data Connectors\ArmisAlertsActivities\README.md

ArmisAlertsActivities Integration for Microsoft Sentinel

Introduction

This folder contains the Azure function time trigger code for ArmisAlertsActivities-Microsoft Sentinel connector. The connector will run periodically and ingest the Armis Alerts & Activities data into the Microsoft Sentinel logs custom table Armis_Alerts_CL and Armis_Activities_CL.

Folders

  1. ArmisAlertsActivities/ - This contains the package, requirements, ARM JSON file, connector page template JSON, and other dependencies.
  2. ArmisAlertActivitySentinelConnector/ - This contains the Azure function source code along with sample data.

Installing for the users

After the solution is published, we can find the connector in the connector gallery of Microsoft Sentinel among other connectors in Data connectors section of Sentinel.

i. Go to Microsoft Sentinel -> Data Connectors

ii. Click on the ArmisAlertsActivities connector, connector page will open.

iii. Click on the blue Deploy to Azure button.

It will lead to a custom deployment page where after user need to select Subscription, Resource Group and Location. And need to enter below information to configure Armis Alerts data connector. Function Name Workspace ID Workspace Key Armis Secret Key Armis URL (https://<armis-instance>.armis.com/api/v1/) Armis Alert Table Name Armis Activity Table Name Armis Schedule Avoid Duplicates (Default: true)

The connector should start ingesting the data into the logs at every time interval specified during configuration.

Installing for testing

i. Log in to Azure portal using the URL - https://preview.portal.azure.com/?feature.BringYourOwnConnector=true.

ii. Go to Microsoft Sentinel -> Data Connectors

iii. Click the “import” button at the top and select the json file ArmisAlertsActivities_API_FunctionApp.json downloaded on your local machine from Github.

iv. This will load the connector page and rest of the process will be same as the Installing for users guideline above.

Each invocation and its logs of the function can be seen in Function App service of Azure, available in the Azure Portal outside the Microsoft Sentinel.

i. Go to Function App and click on the function which you have deployed, identified with the given name at the deployment stage.

ii. Go to Functions -> ArmisAlertActivitySentinelConnector -> Monitor

iii. By clicking on invocation time, you can see all the logs for that run.

Note: Furthermore we can check logs in Application Insights of the given function in detail if needed. We can search the logs by operation ID in Transaction search section.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Connectors Index