Armis Update Alert Status
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Armis Update Alert Status playbook would be responsible to update the Alert status from the sentinel to the Armis Portal
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Armis |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 0 |
keyvault |
Managed | 1 | 1 |
http |
Built-in | 0 | 2 |
Action parameters (URLs, paths, function IDs)
keyvault (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_secret | get | /secrets/@{encodeURIComponent('ArmisAPISecretKey')}/value |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Armis_Alert_Status_Update_to_Portal | PATCH | @{variables('ArmisAPIBaseURL')}/api/v1/alerts/@{variables('ArmisAlertID')}/ |
— |
| Armis_Authentication | POST | @{variables('ArmisAPIBaseURL')}/api/v1/access_token/ |
— |
Additional Documentation
📄 Source: ArmisUpdateAlertStatus/readme.md
ArmisUpdateAlertStatus
Summary
This playbook can be used to update the status of an Armis alert from the Microsoft Sentinel platform.
Prerequisites
- Store Armis API secret key in Key Vault and obtain keyvault name and tenantId. a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'ArmisAPISecretKey' for storing Armis API Secret Key
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Armis Instance Base URL : Base URL of Armis Instance
- keyvaultname: Name of keyvault where secrets are stored
- tenantId: TenantId where keyvault is located
Post-deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection like Microsoft Sentinel, Key vault.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, analytics rules should be configured to trigger an incident. An incident should have the alertID - custom entity that contains alertId of each generated Armis alert and alertStatus - custom entity that contains alertStatus of each generated Armis alerts. It can be obtained from the corresponding field in Armis Alerts custom logs. Check the documentation to learn more about adding custom entities to incidents.
- Configure the automation rules to trigger the playbook.
Sample analytics rule query
<Armis Alerts Table Name> | where Type == "<Type field of the custom log table>" and status_s == "<Armis Alert Status>" and severity_s != "Low"
---
**Browse:** [🏠](../README.md) · [Solutions](../solutions-index.md) · [Connectors](../connectors-index.md) · [Methods](../methods-index.md) · [Tables](../tables-index.md) · [Content](../content/content-index.md) · [Parsers](../parsers/parsers-index.md) · [ASIM Parsers](../asim/asim-index.md) · [ASIM Products](../asim/asim-products-index.md) · [Logic Apps](../logic-apps/logic-apps-index.md) · [📊](../statistics.md)
↑ [Back to Playbooks](playbooks.md) · [Back to Armis](../solutions/armis.md)