Armis
About
Armis allows for reports over various periods of time, supporting everything from business intelligence and investment strategies to cyber intelligence and threat hunting.
Product Details
Vendor URL: ARMIS
Product Type: EDR
Product Tier: Tier III
Integration Method: SYSLOG
Parser Details
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: ARMIS
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| activities.0.title | security_result.description |
| activities.0.type | security_result.category_details |
| auth_target | target.hostname |
| auth_target | target.ip |
| classification | security_result.category_details |
| content | vulns.description |
| decision_data.host | target.hostname |
| decision_data.port | target.port |
| decision_data.protocol | target.application |
| displayTitle | principal.hostname |
| id | metadata.product_log_id |
| isAccessPoint | security_result.detection_fields |
| isCorporate | security_result.detection_fields |
| isEncrypted | security_result.detection_fields |
| isNetworkBridge | security_result.detection_fields |
| isSensor | security_result.detection_fields |
| isShadowNetwork | security_result.detection_fields |
| isUnencrypted | security_result.detection_fields |
| policy.actionType | security_result.severity |
| policy.owner | observer.hostname |
| policy.rules | security_result.about.labels (key: Rules) |
| relatedDevices.0.category | principal.asset.category |
| relatedDevices.0.ip | principal.ip |
| relatedDevices.0.model | principal.asset.hardware |
| relatedDevices.0.user | principal.user.userid |
| riskLevel | security_result.severity_details |
| status | security_result.outcomes |
| title | security_result.summary |
| type | metadata.product_event_type |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
Log Sample
<14>1 2023-12-10T04:24:43.884625+00:00 armisappliance8153 armis 1 - - {"id": 1234, "type": "SYSTEM_POLICY_VIOLATION", "_time": "2023-12-10T04:25:01.589+00:00", "title": "AWS Assets without EPP/EDR Agent", "policy": {"actionParams": {"title": "AWS Assets without EPP/EDR Agent", "alertDescription": "Cloud Assets without EPP/EDR agent installed. You can always edit policy conditions once added to be specific for your available EPP/EDR.", "alertClassificationId": 1, "timeBack": null, "emailRecipients": ""}, "actions": [{"actionParams": {"title": "AWS Assets without EPP/EDR Agent", "alertDescription": "Cloud Assets without EPP/EDR agent installed. You can always edit policy conditions once added to be specific for your available EPP/EDR.", "alertClassificationId": 1, "timeBack": null, "emailRecipients": ""}, "actionType": "ALERT_MEDIUM", "actionTypeDisplay": "Alert Medium"}], "actionType": "ALERT_MEDIUM", "actionTypeDisplay": "Alert Medium", "alertClassificationId": 1, "timeBack": null, "creationTime": 1676563953158, "description": "Cloud Assets without EPP/EDR agent installed. You can always edit policy conditions once added to be specific for your available EPP/EDR.", "enforcementListId": null, "groupingElement": null, "hourFilter": null, "id": 12345, "isActive": true, "isBoundary": false, "isEditable": true, "isRepeating": false, "labels": ["aws", "value_pack"], "lastActiveChange": null, "modificationTime": 1676565299653, "optionsKey": null, "owner": "observer@example.com", "parentId": null, "policyParams": {}, "recurringThreshold": 1, "repeatingTimeFrame": {"unit": "Seconds", "amount": 30.0}, "rootAqlEntity": "DEVICE", "rules": {"and": ["dataSource:(name:AWS) !dataSource:(name:CrowdStrike,CylancePROTECT,SentinelOne,\"Carbon Black Defense\",\"Symantec Endpoint Protection\",\"FireEye Endpoint Protection\") inventoryStatus:Managed type:\"Virtual Machines\""]}, "sensors": null, "tags": [], "timezone": "America/New_York", "title": "AWS Assets without EPP/EDR Agent", "weekdayFilter": null}, "status": "UNKNOWN_STATUS", "content": "The Armis security platform has detected a violation of a policy and generated an alert.\n\n**Recommended actions**:\n\n * Find and quarantine the offending device/s if necessary. They are located near the sensor labeled <sensor id=\"1334\">Amazon Web Services (AWS) (AWS)</sensor>.\n\n * Look at the timeline of other activities by the same devices, and see if there are any other activities that might be important, and create policies for those or for combinations of them.\n\n * Investigate other activities that would generate this alert and refine the policy if necessary.\n\n", "severity": "MEDIUM", "riskLevel": 7, "timestamp": "2023-12-10T04:25:01.589+00:00", "activities": [{"UUID": "A1234B1234C1234-W", "type": "DEVICE_PROFILE_POLICY_VIOLATION", "title": "Detected device profile policy violation for api-example-2023", "content": "", "timestamp": "2023-12-10T04:25:01.589+00:00", "decision_data": null}], "description": "Cloud Assets without EPP/EDR agent installed. You can always edit policy conditions once added to be specific for your available EPP/EDR.", "relatedLinks": [], "classification": "Security - Other", "relatedDevices": [{"id": 123456, "ip": "10.10.1.11", "ipv6": null, "name": "api-example-2023", "site": null, "type": "VIRTUAL_MACHINE", "user": "* * * *", "model": "t2.small", "sensor": {"name": "Amazon Web Services (AWS) (AWS)", "type": "Amazon Web Services"}, "category": "COMPUTER", "isSensor": false, "riskLevel": 1, "identifier": "01:2B:C3:D4:56:7D", "isCorporate": false, "isEncrypted": false, "displayTitle": "api-example-2023", "isAccessPoint": false, "isUnencrypted": false, "isNetworkBridge": false, "isShadowNetwork": false}]}
Sample Parsing
extensions.vulns.vulnerabilities.description = "The Armis security platform has detected a violation of a policy and generated an alert.\n\n**Recommended actions**:\n\n * Find and quarantine the offending device/s if necessary. They are located near the sensor labeled <sensor id=\"1334\">Amazon Web Services (AWS) (AWS)</sensor>.\n\n * Look at the timeline of other activities by the same devices, and see if there are any other activities that might be important, and create policies for those or for combinations of them.\n\n * Investigate other activities that would generate this alert and refine the policy if necessary.\n\n"
metadata.base_labels.log_types = "ARMIS"
metadata.description = "Cloud Assets without EPP/EDR agent installed. You can always edit policy conditions once added to be specific for your available EPP/EDR."
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "ARMIS"
metadata.product_event_type = "SYSTEM_POLICY_VIOLATION"
metadata.product_log_id = "1234"
metadata.vendor_name = "ARMIS"
observer.hostname = "observer@example.com"
principal.asset.category = "COMPUTER"
principal.asset.hardware.model = "t2.small"
principal.hostname = "api-example-2023"
principal.ip = "10.10.1.11"
principal.user.userid = "* * * *"
security_result.category_details = "DEVICE_PROFILE_POLICY_VIOLATION"
security_result.category_details = "Security - Other"
security_result.description = "Detected device profile policy violation for api-example-2023"
security_result.detection_fields.key = "isAccessPoint"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "isCorporate"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "isEncrypted"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "isSensor"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "isUnencrypted"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "isNetworkBridge"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "isShadowNetwork"
security_result.detection_fields.value = "false"
security_result.severity = "MEDIUM"
security_result.severity_details = "7"
security_result.summary = "AWS Assets without EPP/EDR Agent"
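The Python below is an added example, not the page's or the parser's own code. It applies the mapping table above to the log sample: it strips the RFC 5424 syslog header, decodes the JSON body, and emits the UDM paths listed under Sample Parsing, so a detection engineer can check a normalized event against the expected output before writing rules on it. The embedded log is a constructed, trimmed copy of the page's sample. The following are assumptions made for this example, not documented parser behaviour: severity is taken as the suffix of an `ALERT_*` actionType, `UNKNOWN_STATUS` is not emitted as an outcome (the sample output omits it), `displayTitle`, the `is*` flags and `decision_data` are read from the first entries of `relatedDevices` and `activities` (where the sample carries them), and `auth_target` is routed to `target.ip` or `target.hostname` depending on whether it parses as an address.

```python
import ipaddress
import json
import re

# Constructed, trimmed copy of the page's log sample: an RFC 5424 syslog header followed
# by the Armis JSON body. Only the fields the mapping table uses are kept.
SAMPLE_LOG = (
    '<14>1 2023-12-10T04:24:43.884625+00:00 armisappliance8153 armis 1 - - '
    '{"id": 1234, "type": "SYSTEM_POLICY_VIOLATION", "title": "AWS Assets without EPP/EDR Agent", '
    '"policy": {"actionType": "ALERT_MEDIUM", "owner": "observer@example.com", '
    '"rules": {"and": ["dataSource:(name:AWS) inventoryStatus:Managed"]}}, "status": "UNKNOWN_STATUS", '
    '"content": "The Armis security platform has detected a violation of a policy.", '
    '"severity": "MEDIUM", "riskLevel": 7, "activities": [{"type": "DEVICE_PROFILE_POLICY_VIOLATION", '
    '"title": "Detected device profile policy violation for api-example-2023", "decision_data": null}], '
    '"description": "Cloud Assets without EPP/EDR agent installed.", "classification": "Security - Other", '
    '"relatedDevices": [{"ip": "10.10.1.11", "user": "* * * *", "model": "t2.small", "category": "COMPUTER", '
    '"displayTitle": "api-example-2023", "isSensor": false, "isCorporate": false, "isEncrypted": false, '
    '"isAccessPoint": false, "isUnencrypted": false, "isNetworkBridge": false, "isShadowNetwork": false}]}'
)

# PRI, version 1, then six space-separated tokens (timestamp, host, app, procid, msgid,
# structured-data). Assumes the nil "-" structured-data element seen in the sample.
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>1 (?:\S+ ){6}")
LOG_TYPE = "ARMIS"            # Data Label / vendor name from Parser Details
EVENT_TYPE = "GENERIC_EVENT"  # the only classification in Product Event Types
DEVICE_FLAGS = ("isAccessPoint", "isCorporate", "isEncrypted", "isSensor",
                "isUnencrypted", "isNetworkBridge", "isShadowNetwork")


def split_syslog(line):
    """Strip the RFC 5424 header and decode the JSON message body."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line with a nil SD element")
    return json.loads(line[m.end():])


def auth_target_path(value):
    """Assumption: auth_target goes to target.ip when it parses as an address, else target.hostname."""
    try:
        ipaddress.ip_address(value)
        return "target.ip"
    except ValueError:
        return "target.hostname"


def normalize(event):
    """Apply the page's mapping table to one decoded event; returns {udm_path: value}."""
    udm = {
        "metadata.log_type": LOG_TYPE, "metadata.vendor_name": LOG_TYPE, "metadata.event_type": EVENT_TYPE,
        "metadata.product_event_type": event.get("type"),
        "metadata.product_log_id": str(event["id"]) if "id" in event else None,  # numeric id -> string
        "metadata.description": event.get("description"),
        "security_result.summary": event.get("title"),
        "security_result.severity_details": str(event["riskLevel"]) if "riskLevel" in event else None,
        "extensions.vulns.vulnerabilities.description": event.get("content") or None,
        "security_result.category_details": [], "security_result.detection_fields": [],
        "security_result.about.labels": [],
    }
    # status -> outcomes; the sample output omits UNKNOWN_STATUS, so (assumption) it is not emitted
    if event.get("status") and event["status"] != "UNKNOWN_STATUS":
        udm["security_result.outcomes"] = event["status"]
    if event.get("auth_target"):
        udm[auth_target_path(event["auth_target"])] = event["auth_target"]
    first = (event.get("activities") or [None])[0]  # the table's activities.0.*
    if first:
        if first.get("title"):
            udm["security_result.description"] = first["title"]
        if first.get("type"):
            udm["security_result.category_details"].append(first["type"])
        decision = first.get("decision_data") or {}  # null in the sample; read from activities[0] here
        for src, dst in (("host", "target.hostname"), ("port", "target.port"), ("protocol", "target.application")):
            if decision.get(src) is not None:
                udm[dst] = decision[src]
    if event.get("classification"):
        udm["security_result.category_details"].append(event["classification"])
    policy = event.get("policy") or {}
    if policy.get("actionType", "").startswith("ALERT_"):  # ALERT_MEDIUM -> MEDIUM (assumption)
        udm["security_result.severity"] = policy["actionType"][len("ALERT_"):]
    if policy.get("owner"):
        udm["observer.hostname"] = policy["owner"]
    if policy.get("rules"):
        udm["security_result.about.labels"].append(("Rules", json.dumps(policy["rules"])))
    dev = (event.get("relatedDevices") or [None])[0]  # relatedDevices.0.*; flags live here in the sample
    if dev:
        for src, dst in (("category", "principal.asset.category"), ("ip", "principal.ip"),
                         ("model", "principal.asset.hardware.model"), ("user", "principal.user.userid"),
                         ("displayTitle", "principal.hostname")):
            if dev.get(src) is not None:
                udm[dst] = dev[src]
        for flag in DEVICE_FLAGS:  # booleans become key/value detection_fields rendered as strings
            if flag in dev:
                udm["security_result.detection_fields"].append((flag, str(dev[flag]).lower()))
    return {k: v for k, v in udm.items() if v not in (None, [])}


if __name__ == "__main__":
    for path, value in normalize(split_syslog(SAMPLE_LOG)).items():
        print(f"{path} = {value!r}")
```

Running the block prints the same paths and values as the Sample Parsing section for the trimmed sample, with `metadata.product_log_id` and `security_result.severity_details` rendered as strings and the seven `is*` flags as key/value pairs. Fields absent from an event (no `auth_target`, null `decision_data`) are simply left out rather than emitted as empty values, which is the behaviour to expect when comparing normalization output across event types.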