PDF Version: ArmisConfigurationGuide.pdf
API Guides: Armis Search API.pdf
Step by Step Instructions
Authorization type: Custom token
API endpoint: https://<your_api_domain>/api/v1/search/
API Information:
1. App Info:
Complete the dialogs as shown above. These details do not affect how the app functions and can be filled in as you see fit.
2. API Credentials
API Credentials:
Auth Type: Custom Token
Event URL: https://<your_api_domain_here>/api/v1/search/
Token Type: Other
Refresh Token Endpoint URL: https://<your_api_domain>/api/v1/access_token/?secret_key=<put_your_secret_key_value_here>
Access Token Endpoint URL: https://<your_api_domain>/api/v1/access_token/?secret_key=<put_your_secret_key_value_here>
Request Payload (Optional): NA
Token Path: data.access_token
Content Type: application/json
Request Method: GET
In the Event URL, replace <your_api_domain_here> with your Armis API domain.
In the Refresh Token and Access Token Endpoint URLs, replace <put_your_secret_key_value_here> with your Secret Key value.
In Params, enter the following key and value:
Key: aql
Value: in:alerts timeFrame:"1 DAYS"
Note: when creating the custom app for the first time, set the Params value to in:alerts timeFrame:"1 DAYS". After the first scheduled run has triggered, edit the custom app again and change the value to in:alerts timeFrame:"5 MINUTES".
Use the details above to populate the dialogs. Include the Token Endpoints from your Armis configuration.
3. API Configuration:
In Params, enter the same key and value given under API Credentials (Key: aql, Value: in:alerts timeFrame:"1 DAYS").
Note: the "1 DAYS" time frame is only for the first run. After the first scheduled run has triggered, edit the custom app again and change the value to in:alerts timeFrame:"5 MINUTES".
Use the details above to complete the dialogs.
4. Mapping
Raw Log Data:
{
"activityUUIDs": [
"XXXX"
],
"alertId": XXXX,
"connectionIds": [],
"description": "Mitre Tactic: Command and Control. Mitre Technique: Application Layer Protocol. This policy detects VNC communication with an external counterpart.",
"deviceIds": [
XXXX
],
"severity": "Medium",
"status": "Unhandled",
"time": "2023-10-12T06:15:45.160812+00:00",
"title": "XXXX",
"type": "System Policy Violation"
}
Fields Mapping:
Use the table above as a guide: the left-hand side is the new log data, and the right-hand side shows which USM key to drag it onto. Use the search bars above both sides to find the exact matches. Once finished, click "next".
5. Summary Fields
Select which fields you would like in the summary. See above as an example. This step is completely at your discretion and doesn’t impact app operations. All log details will be available in “Event Details”.
6. API Response:
{
"data": {
"count": 3,
"next": null,
"prev": 0,
"results": [
{
"activityUUIDs": [
"XXXX"
],
"alertId": XXXX,
"connectionIds": [],
"description": "Mitre Tactic: Command and Control. Mitre Technique: Application Layer Protocol. This policy detects VNC communication with an external counterpart.",
"deviceIds": [
XXXX
],
"severity": "Medium",
"status": "Unhandled",
"time": "2023-09-01T05:46:15.049211+00:00",
"title": "XXXX",
"type": "System Policy Violation"
},
.............................
.............................
.............................
.............................
{
"activityUUIDs": [
"XXXX",
"XXXX",
"XXXX",
"XXXX"
],
"alertId": XXXX,
"connectionIds": [],
"description": "Mitre Tactic: Command and Control. Mitre Technique: Application Layer Protocol. This policy detects SSH communication with an external counterpart.",
"deviceIds": [
XXXX
],
"severity": "Medium",
"status": "Unhandled",
"time": "2023-09-01T03:25:35.137869+00:00",
"title": "XXXX",
"type": "System Policy Violation"
}
]
}
}
7. Preview:
Review the preview, then click "Save and Close" to finalize the app.
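The flow the custom app performs across steps 2, 3, 4 and 6, written out as an added example that is not code from Armis or from the USM Anywhere app: a GET to /api/v1/access_token/ with the secret key, the token extracted through the Token Path data.access_token, a search with the aql Params value, paging until "next" is null, and a flattening of each alert into the kind of key/value set the Mapping step works with (the MITRE tactic and technique are parsed out of the description text shown in the Raw Log Data). It runs offline against a constructed in-memory stand-in for the Armis API. Assumptions not taken from the page: the stand-in's sample alerts and page size, the "from" paging parameter, and the Authorization header carrying the token. Because the guide places the secret key in the URL query string, the client redacts that value before any URL reaches an error message or log.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample alerts shaped like the guide's "Raw Log Data" (not real Armis data).
SAMPLE_ALERTS = [
    {"alertId": 101, "activityUUIDs": ["a-1"], "connectionIds": [], "deviceIds": [11],
     "severity": "Medium", "status": "Unhandled", "type": "System Policy Violation",
     "time": "2023-10-12T06:15:45.160812+00:00", "title": "VNC to external host",
     "description": "Mitre Tactic: Command and Control. Mitre Technique: Application Layer Protocol. This policy detects VNC communication with an external counterpart."},
    {"alertId": 102, "activityUUIDs": ["a-2", "a-3"], "connectionIds": [], "deviceIds": [12],
     "severity": "Medium", "status": "Unhandled", "type": "System Policy Violation",
     "time": "2023-10-12T06:20:01.000000+00:00", "title": "SSH to external host",
     "description": "Mitre Tactic: Command and Control. Mitre Technique: Application Layer Protocol. This policy detects SSH communication with an external counterpart."},
    {"alertId": 103, "activityUUIDs": ["a-4"], "connectionIds": [], "deviceIds": [13],
     "severity": "High", "status": "Unhandled", "type": "System Policy Violation",
     "time": "2023-10-12T06:25:30.000000+00:00", "title": "Unusual device",
     "description": "No MITRE mapping in this policy text."},
]
PAGE_SIZE = 2  # assumption for the stand-in; the real page size is not stated in the guide


def fake_armis(method, url, params=None, headers=None):
    """Constructed stand-in for the two endpoints the guide configures (hypothetical, offline)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query.update({k: str(v) for k, v in (params or {}).items()})
    if method != "GET":
        return 405, {}
    if parts.path == "/api/v1/access_token/":
        if query.get("secret_key") != "demo-secret":
            return 401, {"success": False}
        return 200, {"data": {"access_token": "tok-123"}, "success": True}
    if parts.path == "/api/v1/search/":
        if (headers or {}).get("Authorization") != "tok-123":  # header name is an assumption
            return 401, {"success": False}
        if not query.get("aql", "").startswith("in:alerts"):
            return 400, {"success": False}
        start = int(query.get("from", "0"))  # "from" paging parameter is an assumption
        chunk = SAMPLE_ALERTS[start:start + PAGE_SIZE]
        nxt = start + PAGE_SIZE if start + PAGE_SIZE < len(SAMPLE_ALERTS) else None
        return 200, {"data": {"count": len(SAMPLE_ALERTS), "next": nxt, "prev": start, "results": chunk}}
    return 404, {}


def extract_token_path(payload, path):
    """Walk the dotted Token Path from the guide ('data.access_token') through a JSON body."""
    node = payload
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"token path {path!r} missing key {key!r}")
        node = node[key]
    return node


def build_aql(time_frame):
    """The Params value from the guide, parameterised on the time frame ('1 DAYS', then '5 MINUTES')."""
    return f'in:alerts timeFrame:"{time_frame}"'


def redact_secret(url):
    """Replace the secret_key query value so the key never reaches an error message or log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "secret_key" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def fetch_alerts(request, api_domain, secret_key, time_frame):
    """Token exchange followed by a paged search, following 'next' until it is null."""
    token_url = f"https://{api_domain}/api/v1/access_token/?secret_key={secret_key}"
    status, body = request("GET", token_url)
    if status != 200:
        raise RuntimeError(f"token request failed ({status}) for {redact_secret(token_url)}")
    token = extract_token_path(body, "data.access_token")
    alerts, start = [], 0
    while True:
        status, body = request("GET", f"https://{api_domain}/api/v1/search/",
                               params={"aql": build_aql(time_frame), "from": start},
                               headers={"Authorization": token})
        if status != 200:
            raise RuntimeError(f"search failed ({status})")
        alerts.extend(body["data"]["results"])
        if body["data"]["next"] is None:
            return alerts
        start = body["data"]["next"]


MITRE_RE = re.compile(r"^Mitre Tactic: (?P<tactic>.+?)\. Mitre Technique: (?P<technique>.+?)\. (?P<detail>.*)$")


def normalize_alert(alert):
    """Flatten one alert into the key/value set the Mapping step drags onto USM fields."""
    m = MITRE_RE.match(alert.get("description", ""))
    return {
        "alert_id": alert["alertId"],
        "severity": alert["severity"],
        "status": alert["status"],
        "event_time": alert["time"],
        "mitre_tactic": m.group("tactic") if m else None,
        "mitre_technique": m.group("technique") if m else None,
        "message": m.group("detail") if m else alert.get("description", ""),
        "device_ids": alert.get("deviceIds", []),
    }


if __name__ == "__main__":
    for a in fetch_alerts(fake_armis, "example.armis.invalid", "demo-secret", "1 DAYS"):
        print(normalize_alert(a))
```

To run it against a real tenant, swap fake_armis for a function that issues the HTTP request and returns (status, parsed JSON body); the client logic, token path walk and redaction stay the same.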