Armis Update Alert Status

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Armis Update Alert Status playbook would be responsible to update the Alert status from the sentinel to the Armis Portal

Additional Documentation

📄 Source: ArmisUpdateAlertStatus/readme.md

This playbook can be used to update the status of an Armis alert from the Microsoft Sentinel platform.

Store Armis API secret key in Key Vault and obtain keyvault name and tenantId. a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'ArmisAPISecretKey' for storing Armis API Secret Key

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Armis Instance Base URL : Base URL of Armis Instance
- keyvaultname: Name of keyvault where secrets are stored
- tenantId: TenantId where keyvault is located

Once deployment is complete, authorize each connection like Microsoft Sentinel, Key vault.

In Microsoft Sentinel, analytics rules should be configured to trigger an incident. An incident should have the alertID - custom entity that contains alertId of each generated Armis alert and alertStatus - custom entity that contains alertStatus of each generated Armis alerts. It can be obtained from the corresponding field in Armis Alerts custom logs. Check the documentation to learn more about adding custom entities to incidents.
Configure the automation rules to trigger the playbook.

``` | where Type == "" and status_s == "" and severity_s != "Low"

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊