Overview
About Armis
The Armis Asset Intelligence & Security Platform aggregates, deduplicates, and normalizes asset data from your existing solutions to provide a consistently accurate inventory, uncover security gaps, and automate action — streamlining your operations.
Why integrate Armis into the Vulcan platform?
The Armis connector by Vulcan integrates with the Armis platform to pull and ingest Host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Armis Details
Supported products | |
Category | IoT (Internet of Things) |
Ingested asset type(s) | Hosts |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Armis account URL/Instance (e.g., https://vulcan.armis.com)
Armis Secret API Key
Generating the Armis API Key
Log in to Armis and click Settings > API Management.
Click Create to create the secret key.
Click Show to access the secret key.
Copy the secret.
Configuring the Armis Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Armis icon.
Set up the Connector as follows:
Enter the Armis Instance (e.g., https://vulcan.armis.com) and the API Key you generated earlier.
Select the device categories you want to fetch for the Vulcan Platform.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Armis instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Armis icon shows Connected, the sync is complete.
Armis in the Vulcan Platform
Viewing Armis vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Armis from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Armis assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab (Hosts in this case).
Use the Search or filter input box to select Connector from the drop-down selection.
Select Armis from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Armis
To take remediation action on vulnerabilities and assets detected by Armis:
Go to the Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Armis option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability out of the results list.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Armis
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Armis Connector.
From Armis to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Armis through an API to pull relevant vulnerabilities and asset data and map it to the Vulcan Platform pages and fields.
Host fields mapping
Armis API field | Vulcan field |
id | Asset Uniqueness criteria |
name OR macAddress OR ipAddress | Host Name (hostname) |
operatingSystem | Host OS (os) |
operatingSystemVersion | Host OS Version (os_version) |
ipAddress | Host IP (ip) |
ipAddress | Host external IP (ip) |
macAddress | Host MAC addresses (mac_address) |
firstSeen | Host first Seen (first_seen) |
lastSeen | Host Last report (last_seen) |
id, site.name, boundaries, category, type, businessImpact, riskLevel, sensor.name, sensor.type, dataSources | Host details (added_data) |
tags | Host Tags - Vendor’s tags (tags) |
site.name, boundaries, category, type, sensor.name, sensor.type, businessImpact, riskLevel | Host Tags - Additional (tags) |
matchCriteriaString | Host Component - Package name (package) |
matchCriteriaString | Image Component - Package Version (package_version) |
alertId OR matchCriteriaString | Vulnerability instance uniqueness criteria |
firstDetected OR time | Vulnerability instance First seen (first_seen) |
lastDetected | Vulnerability instance Last seen (last_seen) |
alertId, severity | Vulnerability instance details (added_data) |
cveUid OR title | Unique Vulnerability uniqueness criteria |
cveUid OR title | Vulnerability title (title) |
cvssScore OR severity | Vulnerability score (cvss_score) |
description | Vulnerability description (description) |
severity, type, numberOfThreatActors, userInteraction, privilegesRequired, hasRansomware, isWeaponized, attackComplexity, availabilityImpact, confidentialityImpact, integrityImpact, epssScore, exploitabilityScore, impactScore | Vulnerability details (added_data) |
cveUid | CVE/S (report_item_cve) |
attackVector | CVSS attack vector (cvss3_vector) |
armis|host|{% if cveUid %}{{ cveUid }}{% else %}{{ title }}{% endif %} | cloud_vv_id |
recommendedSteps | Solution uniqueness criteria |
“Remediation from Armis” | Fix - Title (title) |
recommendedSteps | Fix - Description (description) |
Vulnerability status mapping
Armis Alert Status | Vulcan Status |
UNHANDLED, Open | Vulnerable |
RESOLVED | Fixed |
- | Ignored - false positive |
SUPPRESSED, Ignored | Ignored - risk acknowledged |
Vulnerability score mapping
Armis score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
- | 0 |
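The field, status and score tables above applied to one finding, as an added example (not Vulcan's or Armis's code). It assumes "A OR B" means the first non-empty value, that a severity label is converted with the score table only when cvssScore is absent, and that the alert status arrives under a hypothetical `status` key; the sample records are constructed.

```python
# Added example: applies the Armis -> Vulcan mapping tables to one finding.
# Assumptions: "A OR B" = first non-empty value; matching is case-insensitive;
# "status" is a hypothetical key name for the Armis alert status.
STATUS_MAP = {
    "UNHANDLED": "Vulnerable", "OPEN": "Vulnerable",
    "RESOLVED": "Fixed",
    "SUPPRESSED": "Ignored - risk acknowledged",
    "IGNORED": "Ignored - risk acknowledged",
}
SEVERITY_SCORE = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 5, "LOW": 3}

def first_present(record, *fields):
    """Return the first non-empty value among the fields, else None."""
    for field in fields:
        value = record.get(field)
        if value not in (None, ""):
            return value
    return None

def vulcan_score(record):
    """cvssScore OR severity: a numeric score wins, else the score table ('-' -> 0)."""
    cvss = record.get("cvssScore")
    if cvss not in (None, ""):
        return float(cvss)
    return float(SEVERITY_SCORE.get(str(record.get("severity", "")).upper(), 0))

def map_finding(record):
    """Build the Vulcan-side view of one Armis vulnerability or alert record."""
    title = first_present(record, "cveUid", "title")
    return {
        "title": title,
        "cloud_vv_id": f"armis|host|{title}",
        "cvss_score": vulcan_score(record),
        "status": STATUS_MAP.get(str(record.get("status", "")).upper()),
        "first_seen": first_present(record, "firstDetected", "time"),
        "last_seen": record.get("lastDetected"),
        "report_item_cve": record.get("cveUid"),
    }

# Constructed sample records (placeholder CVE id, not real Armis output).
CVE_FINDING = {"cveUid": "CVE-0000-00000", "cvssScore": 8.1, "severity": "High",
               "status": "Open", "firstDetected": "2024-01-02T00:00:00Z",
               "lastDetected": "2024-01-09T00:00:00Z"}
ALERT_FINDING = {"title": "Constructed alert title", "severity": "Medium",
                 "status": "SUPPRESSED", "time": "2024-01-03T00:00:00Z"}
```

A status that the table does not list maps to `None` here, which makes unmapped values easy to spot when comparing against what Vulcan displays.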
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below lists how the status update mechanism works in the Armis connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not seen for X days according to "Last Seen". |
The vulnerability instance status changes to "Fixed" | - Vulnerability status on the connector's side changes to "RESOLVED/FIX". |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
Support and Expected Behaviour
Support and expected behavior remarks on some Armis ingested vs. un-ingested fields:
The following categories of assets aren't ingested:
Inputs
Server Rack Components (ServerRackConponent)
Other (Unknown).
Devices are ingested based on their archiving setting on the connector setup page. For example, if it’s set to 30, the API call will only return devices from the last 30 days.
API Endpoints in Use
API version: 1.0
API | Use in Vulcan |
/api/v1/access_token/ | Authentication |
/api/v1/search/ | assets, vulnerabilities (alerts), asset-vulnerability connections (alerts), vulnerability enrichment (CVEs) |
/api/v1/vulnerability-match/ | vulnerabilities (CVEs), asset-vulnerability connections (CVEs) |
Data Validation
This section shows how to validate and compare data between Vulcan and the Armis platform.
Matching Assets Count
In Armis:
Navigate to the Assets tab and then click on Devices.
Click on the search bar at the upper portion of the screen.
Update the Time Frame to match the archiving settings in Vulcan.
Remove the Visibility filter.
Click +Add Filter and choose Category.
Set the categories to align with those configured in Vulcan, excluding “Input”, “Server Rack Components”, and “Unknown”.
Click outside the search bar to apply the filter.
Under the title Devices, you will see the number of assets that should appear for the connector in Vulcan.
In Vulcan:
Navigate to Assets and filter by Connector > Armis.
The number of assets should match the count in Armis.
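When the two counts differ, the same filters can be applied to an exported device list to see which assets are expected in Vulcan and why the others are not. This is an added example, not part of the Vulcan or Armis tooling; it assumes devices are dicts carrying the `id`, `category` and `lastSeen` fields from the mapping table, that `lastSeen` is an ISO 8601 timestamp, and that the category strings match the names used above. All sample data is constructed.

```python
# Added example: predicts which Armis devices the connector should ingest and
# explains each exclusion, to reconcile asset counts with Vulcan.
from datetime import datetime, timedelta, timezone

# Categories the page says are never ingested (exact API strings are assumed).
NEVER_INGESTED = {"Input", "Server Rack Components", "Unknown"}


def classify(device, selected_categories, archive_days, now):
    """Return 'ingested' or the reason the device is expected to be absent."""
    category = device.get("category")
    if category in NEVER_INGESTED:
        return "category never ingested"
    if category not in selected_categories:
        return "category not selected in connector"
    last_seen = datetime.fromisoformat(device["lastSeen"])
    if now - last_seen > timedelta(days=archive_days):
        return "outside archiving window"
    return "ingested"


def reconcile(devices, vulcan_ids, selected_categories, archive_days, now):
    """Compare the ids expected to be ingested with the ids Vulcan shows."""
    reasons = {d["id"]: classify(d, selected_categories, archive_days, now)
               for d in devices}
    expected = {i for i, r in reasons.items() if r == "ingested"}
    return {
        "expected_count": len(expected),
        "missing_in_vulcan": sorted(expected - set(vulcan_ids)),
        "unexpected_in_vulcan": sorted(set(vulcan_ids) - expected),
        "excluded": {i: r for i, r in reasons.items() if r != "ingested"},
    }


# Constructed sample data (not real Armis or Vulcan output).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
DEVICES = [
    {"id": 1, "category": "Computers", "lastSeen": "2024-02-28T10:00:00+00:00"},
    {"id": 2, "category": "Input", "lastSeen": "2024-02-28T10:00:00+00:00"},
    {"id": 3, "category": "Computers", "lastSeen": "2023-12-01T10:00:00+00:00"},
    {"id": 4, "category": "Medical", "lastSeen": "2024-02-20T10:00:00+00:00"},
    {"id": 5, "category": "Computers", "lastSeen": "2024-02-25T10:00:00+00:00"},
]
RESULT = reconcile(DEVICES, vulcan_ids=[1, 3], selected_categories={"Computers"},
                   archive_days=30, now=NOW)
```

An id under `unexpected_in_vulcan` that is also listed as outside the archiving window usually means the asset has not yet been archived by the next scheduled sync.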
Matching Vulnerabilities
Note: Armis does not have a mechanism to export all active vulnerabilities. The vulnerabilities page contains all known vulnerabilities, not just active ones.
Validations if Vulnerability is Not Present in Vulcan:
No asset has this vulnerability: Verify the asset-vulnerability mapping.
Asset-Vulnerability Map: Ensure the mapping aligns between Armis and Vulcan.
Matching Asset-Vulnerability Instances count
Individual Device Vulnerabilities in Armis:
Go to the device page of a device from anywhere in Armis.
To see CVE type asset-vulnerability instances, click on the Risks tab and then on the Vulnerabilities section. Note the total number of CVE asset-vulnerability instances.
To see Alert type asset-vulnerability instances, click on the Alerts tab. Note the total number of Alert asset-vulnerability instances.
Combining these two totals should match the number of asset-vulnerability instances for the asset in Vulcan. Ensure you filter only for active vulnerabilities in Vulcan, as that’s the default behavior in Armis.
Validation if Connection is Not Present in Vulcan:
Connection status: If the connection moves to fixed, you will be able to see it in the fixed screen in Vulcan.