Armis Connector

Learn all about integrating Armis into the Vulcan Platform

Updated over 4 months ago

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.


Overview

About Armis

The Armis Asset Intelligence & Security Platform aggregates, deduplicates, and normalizes asset data from your existing solutions to provide a consistently accurate inventory, uncover security gaps, and automate action — streamlining your operations.

Why integrate Armis into the Vulcan platform?

The Armis connector by Vulcan integrates with the Armis platform to pull and ingest Host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data, which then informs risk and remediation priority.

Armis Details

Supported products

  • Category: IoT (Internet of Things)

  • Ingested asset type(s): Hosts

  • Integration type: Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

  • Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

  • Armis account URL/Instance (e.g., https://vulcan.armis.com)

  • Armis Secret API Key

Generating an Armis API key

  1. Log in to Armis and click Settings > API Management.

  2. Click Create to create the secret key.

  3. Click Show to access the secret key.

  4. Copy the secret.

Configuring the Armis Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Armis icon.

  4. Set up the Connector as follows:

  5. Select the device categories you want to fetch for the Vulcan Platform.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Armis instance, then click Create (or Save Changes).

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the Armis icon shows Connected, the sync is complete.


Armis in the Vulcan Platform

Viewing Armis vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Armis from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Armis assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab (Hosts in this case).

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select Armis from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Armis

To take remediation action on vulnerabilities and assets detected by Armis:

  1. Go to the Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the Armis option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability out of the results list.

  5. Click Take Action.

Automating remediation actions on vulnerabilities detected by Armis

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Armis Connector.


From Armis to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Armis through an API to pull relevant vulnerabilities and asset data and map it to the Vulcan Platform pages and fields.

Host fields mapping

| Armis API field | Vulcan field |
| --- | --- |
| id | Asset Uniqueness criteria |
| name OR macAddress OR ipAddress | Host Name (hostname) |
| operatingSystem | Host OS (os) |
| operatingSystemVersion | Host OS Version (os_version) |
| ipAddress | Host IP (ip) |
| ipAddress | Host external IP (ip) |
| macAddress | Host MAC addresses (mac_address) |
| firstSeen | Host first Seen (first_seen) |
| lastSeen | Host Last report (last_seen) |
| id, site.name, boundaries, category, type, businessImpact, riskLevel, sensor.name, sensor.type, dataSources | Host details (added_data) |
| tags | Host Tags - Vendor's tags (tags) |
| site.name, boundaries, category, type, sensor.name, sensor.type, businessImpact, riskLevel | Host Tags - Additional (tags) |
| matchCriteriaString | Host Component - Package name (package) |
| matchCriteriaString | Image Component - Package Version (package_version) |
| alertId OR matchCriteriaString | Vulnerability instance uniqueness criteria |
| firstDetected OR time | Vulnerability instance First seen (first_seen) |
| lastDetected | Vulnerability instance Last seen (last_seen) |
| alertId, severity | Vulnerability instance details (added_data) |
| cveUid OR title | Unique Vulnerability uniqueness criteria |
| cveUid OR title | Vulnerability title (title) |
| cvssScore OR severity | Vulnerability score (cvss_score) |
| description | Vulnerability description (description) |
| severity, type, numberOfThreatActors, userInteraction, privilegesRequired, hasRansomware, isWeaponized, attackComplexity, availabilityImpact, confidentialityImpact, integrityImpact, epssScore, exploitabilityScore, impactScore | Vulnerability details (added_data) |
| cveUid | CVE/S (report_item_cve) |
| attackVector | CVSS attack vector (cvss3_vector) |
| armis\|host\|{% if cveUid %}{{ cveUid }}{% else %}{{ title }}{% endif %} | cloud_vv_id |
| recommendedSteps | Solution uniqueness criteria |
| "Remediation from Armis" | Fix - Title (title) |
| recommendedSteps | Fix - Description (description) |

Vulnerability status mapping

| Armis Alert Status | Vulcan Status |
| --- | --- |
| UNHANDLED, Open | Vulnerable |
| RESOLVED | Fixed |
| - | Ignored - false positive |
| SUPPRESSED, Ignored | Ignored - risk acknowledged |

Vulnerability score mapping

| Armis score | Vulcan score |
| --- | --- |
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| - | 0 |
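
The field, status, and score mappings above can be reproduced locally when checking why a record looks different in Vulcan than in Armis. The following is an added example, not Vulcan's or Armis's own code: it assumes each "A OR B" entry means "use A if present, otherwise B", assumes the alert status arrives in a key named `status`, and runs on constructed records.

```python
# Added example: constructed records, not output from a real Armis tenant.
STATUS_MAP = {
    "UNHANDLED": "Vulnerable",
    "OPEN": "Vulnerable",
    "RESOLVED": "Fixed",
    "SUPPRESSED": "Ignored - risk acknowledged",
    "IGNORED": "Ignored - risk acknowledged",
}
SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 5, "low": 3}


def first_present(record, *keys):
    """Return the first non-empty value among keys (assumed reading of 'A OR B')."""
    for key in keys:
        value = record.get(key)
        if value not in (None, ""):
            return value
    return None


def map_vulnerability(record):
    """Map one Armis CVE or alert record to the Vulcan fields listed in the tables."""
    title = first_present(record, "cveUid", "title")
    if title is None:
        raise ValueError("record has neither cveUid nor title")
    score = record.get("cvssScore")
    if score is None:
        # Fall back to the severity table; a missing severity maps to 0.
        score = SEVERITY_SCORE.get(str(record.get("severity", "")).lower(), 0)
    status = str(record.get("status", "")).upper()  # 'status' key is an assumption
    return {
        "title": title,
        "cvss_score": float(score),
        "status": STATUS_MAP.get(status),  # None means the status is not in the table
        "cloud_vv_id": f"armis|host|{title}",
        "first_seen": first_present(record, "firstDetected", "time"),
        "last_seen": record.get("lastDetected"),
        "report_item_cve": record.get("cveUid"),
    }


# Constructed sample records (placeholder CVE identifier).
CVE_RECORD = {"cveUid": "CVE-0000-00000", "title": "Example CVE", "cvssScore": 8.1,
              "severity": "High", "status": "Open", "firstDetected": "2024-01-02T00:00:00Z"}
ALERT_RECORD = {"title": "Example policy alert", "severity": "Critical",
                "status": "SUPPRESSED", "time": "2024-02-03T00:00:00Z", "alertId": 17}
```

A `status` of `None` in the result flags an Armis status that the status table does not cover, which is worth checking before assuming the record was dropped.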

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below lists how the status update mechanism works in the Armis connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type in Vulcan | Mechanism (When?) |
| --- | --- |
| The asset is archived | Asset not seen for X days according to "Last Seen". |
| The vulnerability instance status changes to "Fixed" | Vulnerability status on the connector's side changes to "RESOLVED/FIX". |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

Support and Expected Behaviour

Remarks on support and expected behavior for ingested vs. un-ingested Armis data:

  • The following categories of assets aren't ingested:

    • Inputs

    • Server Rack Components (ServerRackConponent)

    • Other (Unknown).

  • Devices are ingested based on their archiving setting on the connector setup page. For example, if it’s set to 30, the API call will only return devices from the last 30 days.

API Endpoints in Use

API version: 1.0

| API | Use in Vulcan |
| --- | --- |
| /api/v1/access_token/ | Authentication |
| /api/v1/search/ | assets, vulnerabilities (alerts), asset-vulnerability connections (alerts), vulnerability enrichment (CVEs) |
| /api/v1/vulnerability-match/ | vulnerabilities (CVEs), asset-vulnerability connections (CVEs) |


Data Validation

This section shows how to validate and compare data between Vulcan and the Armis platform.

Matching Assets Count

In Armis:

  1. Navigate to the Assets tab and then click on Devices.

  2. Click on the search bar at the upper portion of the screen.

  3. Update the Time Frame to match the archiving settings in Vulcan.

  4. Remove the Visibility filter.

  5. Click +Add Filter and choose Category.

  6. Set the categories to align with those configured in Vulcan, excluding “Input”, “Server Rack Components”, and “Unknown”.

  7. Click outside the search bar to apply the filter.

  8. Under the title Devices, you will see the number of assets that should appear for the connector in Vulcan.

In Vulcan:

  1. Navigate to Assets and filter by Connector > Armis.

  2. The number of assets should match the count in Armis.
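
When the two counts differ, comparing IDs shows which assets are responsible. The following added example (not part of the Vulcan or Armis tooling) goes one step beyond the count check: it applies the category exclusions and the archiving window described above to an Armis device list and diffs the result against the asset IDs seen in Vulcan. The category strings, the ISO 8601 `lastSeen` format, and the sample devices are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Categories the connector never ingests; the exact API strings are an assumption.
EXCLUDED_CATEGORIES = {"Input", "Server Rack Components", "Unknown"}


def expected_ids(devices, selected_categories, archive_days, now):
    """IDs of the Armis devices the connector should ingest."""
    cutoff = now - timedelta(days=archive_days)
    wanted = set(selected_categories) - EXCLUDED_CATEGORIES
    ids = set()
    for dev in devices:
        # lastSeen is assumed to be an ISO 8601 timestamp with a UTC offset.
        last_seen = datetime.fromisoformat(dev["lastSeen"])
        if dev["category"] in wanted and last_seen >= cutoff:
            ids.add(dev["id"])
    return ids


def reconcile(devices, vulcan_ids, selected_categories, archive_days, now):
    """Return (missing_in_vulcan, unexpected_in_vulcan) as sorted lists of IDs."""
    expected = expected_ids(devices, selected_categories, archive_days, now)
    vulcan = set(vulcan_ids)
    return sorted(expected - vulcan), sorted(vulcan - expected)


# Constructed sample data; category names are illustrative.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
DEVICES = [
    {"id": 1, "category": "Computers", "lastSeen": "2024-06-29T10:00:00+00:00"},
    # Outside a 30-day archiving window.
    {"id": 2, "category": "Computers", "lastSeen": "2024-04-01T10:00:00+00:00"},
    # Excluded category, never ingested.
    {"id": 3, "category": "Unknown", "lastSeen": "2024-06-29T10:00:00+00:00"},
    {"id": 4, "category": "Medical", "lastSeen": "2024-06-15T10:00:00+00:00"},
    # Category not selected in the connector setup.
    {"id": 5, "category": "Network Equipment", "lastSeen": "2024-06-20T10:00:00+00:00"},
]
```

An ID that shows up only on the Vulcan side usually means the asset has aged out of the archiving window in Armis but has not yet been archived by the next daily sync.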

Matching Vulnerabilities

Note: Armis does not have a mechanism to export all active vulnerabilities. The vulnerabilities page contains all known vulnerabilities, not just active ones.

Validations if Vulnerability is Not Present in Vulcan:

  • No asset has this vulnerability: Verify the asset-vulnerability mapping.

  • Asset-Vulnerability Map: Ensure the mapping aligns between Armis and Vulcan.

Matching Asset-Vulnerability Instances count

Individual Device Vulnerabilities in Armis:

  1. Go to the device page of a device from anywhere in Armis.

  2. To see CVE type asset-vulnerability instances, click on the Risks tab and then on the Vulnerabilities section. Note the total number of CVE asset-vulnerability instances.

  3. To see Alert type asset-vulnerability instances, click on the Alerts tab. Note the total number of Alert asset-vulnerability instances.

  4. Combining these two totals should match the number of asset-vulnerability instances for the asset in Vulcan. Ensure you filter only for active vulnerabilities in Vulcan, as that’s the default behavior in Armis.

Validation if Connection is Not Present in Vulcan:

  • Connection status: If the connection moves to fixed, you will be able to see it in the fixed screen in Vulcan.
