Armis

Version: 0.4.1
Subscription level: Basic
Developed by: Elastic
Ingestion method(s): API
Minimum Kibana version(s): 9.0.0, 8.18.0

Armis is an enterprise-class security platform designed to provide visibility and protection for managed, unmanaged, and IoT devices. It enables organizations to detect threats, manage vulnerabilities, and enforce security policies across their network.

Use this integration to collect and parse data from your Armis instance.

This module has been tested against the Armis API version v1.

The Armis integration collects three types of logs.

  • Devices: Fetches the latest updates for all devices monitored by Armis.
  • Alerts: Gathers alerts associated with all devices monitored by Armis.
  • Vulnerabilities: Retrieves detected vulnerabilities and possible mitigation steps across all devices monitored by Armis.

Note: The vulnerability data stream retrieves information by first fetching vulnerabilities and then identifying the devices where these vulnerabilities were detected, using a chained call between the vulnerability search and vulnerability match endpoints.

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.

Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions.

  1. Log in to your Armis portal.
  2. Navigate to the Settings tab.
  3. Select Asset Management & Security.
  4. Go to API Management and generate a Secret Key.

  1. In Kibana, navigate to Management > Integrations.
  2. In the search bar, type Armis.
  3. Select the Armis integration and add it.
  4. Add all the required integration configuration parameters, including the URL and the Secret Key, to enable data collection.
  5. Save the integration.

In the vulnerability data stream, our filtering mechanism for the vulnerability search API relies specifically on the lastDetected field. This means that an event for a vulnerability is retrieved only when a user takes action on that vulnerability and lastDetected is updated. Initially, we assumed this field would always have a value and could be used as the cursor timestamp for fetching data between collection intervals. However, due to inconsistencies in the API response, we observed cases where lastDetected is null.
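The cursor behaviour described above, written out as an added Python example rather than the integration's own CEL program: the search results, the match results and the two stubbed endpoint hops are constructed sample data, the CVE-0000-* identifiers are placeholders, and every field name other than lastDetected, cveUid and deviceId is an assumption.

```python
from datetime import datetime

# Constructed sample output of one vulnerability search call. CVE-2024-44148 is
# the id from the page's example event; CVE-0000-* ids are placeholders. The
# second record carries the null lastDetected the text above describes.
SEARCH_RESULTS = [
    {"cveUid": "CVE-2024-44148", "lastDetected": "2025-04-03T10:38:59.372389+00:00"},
    {"cveUid": "CVE-0000-00002", "lastDetected": None},
    {"cveUid": "CVE-0000-00003", "lastDetected": "2025-04-03T09:18:31.915543+00:00"},
]

# Constructed sample output of the vulnerability match endpoint, keyed by CVE;
# it stands in for the second hop of the chained call.
MATCH_RESULTS = {
    "CVE-2024-44148": [{"deviceId": 109, "status": "Open"}, {"deviceId": 110, "status": "Open"}],
    "CVE-0000-00003": [{"deviceId": 5, "status": "Resolved"}],
}

def parse_ts(value):
    """Parse an Armis ISO-8601 timestamp; a JSON null stays None."""
    return None if value is None else datetime.fromisoformat(value)

def split_by_cursor(records, since):
    """First hop: keep records whose lastDetected is strictly after the cursor.

    Records with a null lastDetected cannot be placed relative to the cursor;
    a filter of the form lastDetected > since never emits them, so they are
    returned separately here instead of vanishing silently.
    """
    cursor = parse_ts(since)
    fresh, unpositioned = [], []
    for rec in records:
        seen = parse_ts(rec.get("lastDetected"))
        if seen is None:
            unpositioned.append(rec)
        elif seen > cursor:
            fresh.append(rec)
    return fresh, unpositioned

def advance_cursor(fresh, since):
    """Move the cursor to the newest lastDetected fetched, never backwards."""
    newest = since
    for rec in fresh:
        if parse_ts(rec["lastDetected"]) > parse_ts(newest):
            newest = rec["lastDetected"]
    return newest

def chain_matches(fresh, fetch_matches):
    """Second hop: one flattened event per (vulnerability, matched device),
    mirroring the armis.vulnerability.vulnerability_match.* fields. Device ids
    become strings because the data stream maps device_id as a keyword."""
    events = []
    for rec in fresh:
        for match in fetch_matches(rec["cveUid"]):
            events.append({
                "cve_uid": rec["cveUid"],
                "last_detected": rec["lastDetected"],
                "device_id": str(match["deviceId"]),
                "match_status": match["status"],
            })
    return events

def run_interval(search_results, match_results, since):
    """One collection interval: filter on the cursor, chain, advance the cursor."""
    fresh, unpositioned = split_by_cursor(search_results, since)
    events = chain_matches(fresh, lambda cve: match_results.get(cve, []))
    return events, advance_cursor(fresh, since), unpositioned
```

Running `run_interval(SEARCH_RESULTS, MATCH_RESULTS, "2025-04-03T09:00:00+00:00")` yields three flattened events, advances the cursor to the newest lastDetected, and reports the null-lastDetected record as unpositioned instead of dropping it.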

  • If you get the following errors in the vulnerability data stream, reduce the page size in your request.

    Common errors:

    • 502 Bad Gateway
    • 414 Request-URI Too Large
  • If you encounter issues in the alert data stream, particularly during the initial data fetch, reduce the initial interval.

    Example error:

    • The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

This is the alert dataset.

An example event for alert looks as follows:

Example

{
    "@timestamp": "2025-03-29T00:12:57.306Z",
    "agent": {
        "ephemeral_id": "b8961f6d-527f-4e75-a54e-4440c07d7ff7",
        "id": "6e0e7fed-f6da-48e7-aa1c-3ae3eb605196",
        "name": "elastic-agent-41603",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "armis": {
        "alert": {
            "activity_uuids": [
                "6f3d6d3a-6732-44cc-9d63-10a38277fb15"
            ],
            "affected_devices_count": 1,
            "alert_id": "61",
            "classification": "Security - Other",
            "description": "The Armis security platform has detected a violation of a policy and generated an alert.",
            "device_ids": [
                "854"
            ],
            "severity": "Critical",
            "status": "Unhandled",
            "status_change_time": "2025-03-29T00:12:57.306Z",
            "time": "2025-03-29T00:12:57.306Z",
            "title": "[Risk] Device Susceptible to Ransomware",
            "type": "System Policy Violation"
        }
    },
    "data_stream": {
        "dataset": "armis.alert",
        "namespace": "53950",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "6e0e7fed-f6da-48e7-aa1c-3ae3eb605196",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "armis.alert",
        "id": "61",
        "ingested": "2025-05-23T09:34:03Z",
        "kind": "alert",
        "original": "{\"activityUUIDs\":[\"6f3d6d3a-6732-44cc-9d63-10a38277fb15\"],\"affectedDevicesCount\":1,\"alertId\":61,\"classification\":\"Security - Other\",\"connectionIds\":[],\"description\":\"The Armis security platform has detected a violation of a policy and generated an alert.\",\"destinationEndpoints\":[],\"deviceIds\":[854],\"lastAlertUpdateTime\":null,\"mitreAttackLabels\":null,\"policyId\":null,\"policyLabels\":null,\"policyTitle\":null,\"severity\":\"Critical\",\"sourceEndpoints\":[],\"status\":\"Unhandled\",\"statusChangeTime\":\"2025-03-29T00:12:57.306928+00:00\",\"time\":\"2025-03-29T00:12:57.306928+00:00\",\"title\":\"[Risk] Device Susceptible to Ransomware\",\"type\":\"System Policy Violation\"}",
        "severity": 99
    },
    "host": {
        "id": [
            "854"
        ]
    },
    "input": {
        "type": "cel"
    },
    "message": "The Armis security platform has detected a violation of a policy and generated an alert.",
    "observer": {
        "product": "Asset Management and Security",
        "vendor": "Armis"
    },
    "related": {
        "hosts": [
            "854"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "armis-alert"
    ]
}
Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
armis.alert.activity_uuids | | keyword
armis.alert.affected_devices_count | | long
armis.alert.alert_id | | keyword
armis.alert.classification | | keyword
armis.alert.connection_ids | | keyword
armis.alert.description | | keyword
armis.alert.destination_endpoints | | keyword
armis.alert.device_ids | | keyword
armis.alert.friendly_name | | keyword
armis.alert.last_alert_update_time | | date
armis.alert.mitre_attack_labels | | keyword
armis.alert.policy_id | | keyword
armis.alert.policy_labels | | keyword
armis.alert.policy_title | | keyword
armis.alert.severity | | keyword
armis.alert.source_endpoints | | keyword
armis.alert.status | | keyword
armis.alert.status_change_time | | date
armis.alert.time | | date
armis.alert.title | | keyword
armis.alert.type | | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
input.type | Type of filebeat input. | keyword
labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword
log.offset | Log offset. | long

This is the device dataset.

An example event for device looks as follows:

Example

{
    "@timestamp": "2025-03-29T10:43:55.988Z",
    "agent": {
        "ephemeral_id": "79a5a547-4482-4565-8d97-c4beaef9ec06",
        "id": "6c6c935d-c274-485e-9f33-edc5f6e46f26",
        "name": "elastic-agent-72754",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "armis": {
        "device": {
            "boundaries": "Corporate",
            "business_impact": "Unassigned",
            "category": "Network Equipment",
            "data_sources": [
                {
                    "first_seen": "2024-10-09T05:09:02.988Z",
                    "last_seen": "2025-03-29T10:43:55.988Z",
                    "name": "Knowledge Base",
                    "types": [
                        "Traffic Inspection",
                        "Data Analysis"
                    ]
                }
            ],
            "display_title": "Test",
            "first_seen": "2024-10-09T05:09:02.988Z",
            "id": "1154",
            "ip_address": [
                "89.160.20.128"
            ],
            "last_seen": "2025-03-29T10:43:55.988Z",
            "mac_address": [
                "50:76:AF:D3:3F:AB"
            ],
            "manufacturer": "Test Manufacturer",
            "model": "Test Model",
            "name": "Test Name",
            "names": [
                "Test Names"
            ],
            "operating_system": "Windows",
            "operating_system_version": "Server 2016",
            "purdue_level": 4,
            "risk_level": 10,
            "sensor": {
                "name": "test Enterprise",
                "type": "test LAN Controller"
            },
            "site": {
                "location": "Zurich",
                "name": "Zurich Enterprise"
            },
            "tags": [
                "Misconfigurations"
            ],
            "type": "Switches",
            "type_enum": "SWITCH",
            "visibility": "Full"
        }
    },
    "data_stream": {
        "dataset": "armis.device",
        "namespace": "69402",
        "type": "logs"
    },
    "device": {
        "manufacturer": "Test Manufacturer",
        "model": {
            "name": "Test Model"
        }
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "6c6c935d-c274-485e-9f33-edc5f6e46f26",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "host"
        ],
        "dataset": "armis.device",
        "ingested": "2025-05-23T09:34:53Z",
        "kind": "event",
        "original": "{\"accessSwitch\":null,\"boundaries\":\"Corporate\",\"businessImpact\":\"Unassigned\",\"category\":\"Network Equipment\",\"customProperties\":{},\"dataSources\":[{\"firstSeen\":\"2024-10-09T05:09:02.988081+00:00\",\"instances\":[],\"lastSeen\":\"2025-03-29T10:43:55.988081+00:00\",\"name\":\"Knowledge Base\",\"types\":[\"Traffic Inspection\",\"Data Analysis\"]}],\"displayTitle\":\"Test\",\"firstSeen\":\"2024-10-09T05:09:02.988081+00:00\",\"id\":1154,\"ipAddress\":\"89.160.20.128\",\"ipv6\":[],\"lastSeen\":\"2025-03-29T10:43:55.988081+00:00\",\"macAddress\":\"50:76:AF:D3:3F:AB\",\"manufacturer\":\"Test Manufacturer\",\"model\":\"Test Model\",\"name\":\"Test Name\",\"names\":\"Test Names\",\"operatingSystem\":\"Windows\",\"operatingSystemVersion\":\"Server 2016\",\"protections\":[],\"purdueLevel\":4,\"riskLevel\":10,\"sensor\":{\"name\":\"test Enterprise\",\"type\":\"test LAN Controller\"},\"site\":{\"location\":\"Zurich\",\"name\":\"Zurich Enterprise\"},\"tags\":[\"Misconfigurations\"],\"type\":\"Switches\",\"typeEnum\":\"SWITCH\",\"userIds\":[],\"visibility\":\"Full\"}",
        "start": "2024-10-09T05:09:02.988Z",
        "type": [
            "info"
        ]
    },
    "host": {
        "id": "1154",
        "ip": [
            "89.160.20.128"
        ],
        "mac": [
            "50-76-AF-D3-3F-AB"
        ],
        "name": [
            "test names"
        ],
        "os": {
            "family": "windows",
            "type": "windows",
            "version": "Server 2016"
        },
        "risk": {
            "static_score": 10
        },
        "type": "Network Equipment"
    },
    "input": {
        "type": "cel"
    },
    "observer": {
        "product": "Asset Management and Security",
        "vendor": "Armis"
    },
    "related": {
        "hosts": [
            "test names"
        ],
        "ip": [
            "89.160.20.128"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "armis-device"
    ]
}
Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
armis.device.access_switch | | keyword
armis.device.boundaries | | keyword
armis.device.business_impact | | keyword
armis.device.category | | keyword
armis.device.custom_properties | | flattened
armis.device.data_sources.first_seen | | date
armis.device.data_sources.instances.first_seen | | date
armis.device.data_sources.instances.last_seen | | date
armis.device.data_sources.instances.name | | keyword
armis.device.data_sources.last_seen | | date
armis.device.data_sources.name | | keyword
armis.device.data_sources.types | | keyword
armis.device.display_title | | keyword
armis.device.first_seen | | date
armis.device.id | | keyword
armis.device.ip_address | | ip
armis.device.ip_v6 | | ip
armis.device.last_seen | | date
armis.device.mac_address | | keyword
armis.device.manufacturer | | keyword
armis.device.model | | keyword
armis.device.name | | keyword
armis.device.names | | keyword
armis.device.operating_system | | keyword
armis.device.operating_system_version | | keyword
armis.device.protections.creation_time | | date
armis.device.protections.device_id | | keyword
armis.device.protections.last_seen_time | | date
armis.device.protections.protection_name | | keyword
armis.device.purdue_level | | double
armis.device.risk_level | | long
armis.device.sensor.name | | keyword
armis.device.sensor.type | | keyword
armis.device.site.location | | keyword
armis.device.site.name | | keyword
armis.device.tags | | keyword
armis.device.type | | keyword
armis.device.type_enum | | keyword
armis.device.user_ids | | keyword
armis.device.visibility | | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
input.type | Type of filebeat input. | keyword
labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword
log.offset | Log offset. | long

This is the vulnerability dataset.

An example event for vulnerability looks as follows:

Example

{
    "@timestamp": "2025-04-03T10:38:59.297Z",
    "agent": {
        "ephemeral_id": "9a91aa96-816b-428a-8fc8-b3fef827ea46",
        "id": "d9276d97-c6ed-47e9-b06a-987409dc7ee8",
        "name": "elastic-agent-32198",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "armis": {
        "vulnerability": {
            "affected_devices_count": 13,
            "attack_complexity": "Low",
            "attack_vector": "Network",
            "availability_impact": "High",
            "confidentiality_impact": "High",
            "cve_uid": "CVE-2024-44148",
            "cvss_score": 10,
            "description": "This issue was addressed with improved validation of file attributes.",
            "epss_percentile": 0.31,
            "epss_score": 0.00139,
            "exploitability_score": 3.9,
            "first_detected": "2025-04-03T09:18:31.915Z",
            "has_remediation_info": "No",
            "id": "CVE-2024-44148",
            "impact_score": 6,
            "integrity_impact": "High",
            "last_detected": "2025-04-03T10:38:59.372Z",
            "num_of_exploits": 0,
            "number_of_threat_actors": 0,
            "privileges_required": "None",
            "published_date": "2024-09-17T00:15:50.617Z",
            "scope": "Changed",
            "score": 10,
            "severity": "Critical",
            "status": "Open",
            "type": "OS",
            "user_interaction": "None",
            "vulnerability_match": {
                "confidence_level": "High",
                "cve_uid": "CVE-2024-44148",
                "device_id": "109",
                "first_detected": "2025-04-03T10:38:59.297Z",
                "has_remediation_info": "No",
                "last_detected": "2025-04-03T10:38:59.297Z",
                "match_criteria_string": "OS",
                "status": "Open",
                "status_source": "Discovered by Armis"
            }
        }
    },
    "data_stream": {
        "dataset": "armis.vulnerability",
        "namespace": "56787",
        "type": "logs"
    },
    "device": {
        "id": "109"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "d9276d97-c6ed-47e9-b06a-987409dc7ee8",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "vulnerability"
        ],
        "dataset": "armis.vulnerability",
        "ingested": "2025-05-23T09:35:42Z",
        "kind": "event",
        "original": "{\"affectedDevicesCount\":13,\"attackComplexity\":\"Low\",\"attackVector\":\"Network\",\"availabilityImpact\":\"High\",\"avmRating\":null,\"avmRatingManualChangeReason\":null,\"avmRatingManualChangedBy\":\"\",\"avmRatingManualUpdateTime\":null,\"botnets\":null,\"cisaDueDate\":null,\"commonName\":null,\"confidentialityImpact\":\"High\",\"cveUid\":\"CVE-2024-44148\",\"cvssScore\":10,\"cvssScoreV4\":null,\"description\":\"This issue was addressed with improved validation of file attributes.\",\"epssPercentile\":0.31,\"epssScore\":0.00139,\"exploitabilityScore\":3.9,\"firstDetected\":\"2025-04-03T09:18:31.915543+00:00\",\"firstReferencePublishDate\":null,\"firstWeaponizedReferencePublishDate\":null,\"hasRansomware\":null,\"hasRemediationInfo\":\"No\",\"id\":\"CVE-2024-44148\",\"impactScore\":6,\"integrityImpact\":\"High\",\"isWeaponized\":null,\"lastDetected\":\"2025-04-03T10:38:59.372389+00:00\",\"latestExploitUpdate\":null,\"numOfExploits\":0,\"numberOfThreatActors\":0,\"privilegesRequired\":\"None\",\"publishedDate\":\"2024-09-17T00:15:50.617000+00:00\",\"reportedByGoogleZeroDays\":null,\"scope\":\"Changed\",\"score\":10,\"severity\":\"Critical\",\"status\":\"Open\",\"threatActors\":null,\"threatTags\":null,\"type\":\"OS\",\"userInteraction\":\"None\",\"vulnerability_match\":{\"advisoryId\":null,\"avmRating\":null,\"confidenceLevel\":\"High\",\"confidenceLevelDescription\":null,\"cveUid\":\"CVE-2024-44148\",\"deviceId\":109,\"firstDetected\":\"2025-04-03T10:38:59.297015+00:00\",\"hasRemediationInfo\":\"No\",\"lastDetected\":\"2025-04-03T10:38:59.297015+00:00\",\"matchCriteriaString\":\"OS\",\"recommendedSteps\":null,\"remediationTypes\":null,\"status\":\"Open\",\"statusChangeReason\":null,\"statusSource\":\"Discovered by Armis\"}}",
        "start": "2025-04-03T09:18:31.915Z",
        "type": [
            "info"
        ]
    },
    "host": {
        "id": "109"
    },
    "input": {
        "type": "cel"
    },
    "message": "This issue was addressed with improved validation of file attributes.",
    "observer": {
        "product": "Asset Management and Security",
        "vendor": "Armis"
    },
    "related": {
        "hosts": [
            "109"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "armis-vulnerability"
    ],
    "threat": {
        "indicator": {
            "last_seen": "2025-04-03T10:38:59.297Z"
        }
    },
    "vulnerability": {
        "category": [
            "Network"
        ],
        "description": "This issue was addressed with improved validation of file attributes.",
        "id": "CVE-2024-44148",
        "scanner": {
            "vendor": "Armis"
        },
        "severity": "Critical"
    }
}
Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
armis.vulnerability.affected_devices_count | | long
armis.vulnerability.attack_complexity | | keyword
armis.vulnerability.attack_vector | | keyword
armis.vulnerability.availability_impact | | keyword
armis.vulnerability.avm_rating | | keyword
armis.vulnerability.avm_rating_manual_change_reason | | keyword
armis.vulnerability.avm_rating_manual_changed_by | | keyword
armis.vulnerability.avm_rating_manual_update_time | | date
armis.vulnerability.botnets | | keyword
armis.vulnerability.cisa_due_date | | date
armis.vulnerability.common_name | | keyword
armis.vulnerability.confidentiality_impact | | keyword
armis.vulnerability.cve_uid | | keyword
armis.vulnerability.cvss_score | | double
armis.vulnerability.cvss_score_v4 | | keyword
armis.vulnerability.description | | keyword
armis.vulnerability.epss_percentile | | double
armis.vulnerability.epss_score | | double
armis.vulnerability.exploitability_score | | double
armis.vulnerability.first_detected | | date
armis.vulnerability.first_reference_publish_date | | date
armis.vulnerability.first_weaponized_reference_publish_date | | date
armis.vulnerability.has_ransomware | | boolean
armis.vulnerability.has_remediation_info | | keyword
armis.vulnerability.id | | keyword
armis.vulnerability.impact_score | | double
armis.vulnerability.integrity_impact | | keyword
armis.vulnerability.is_weaponized | | boolean
armis.vulnerability.last_detected | | date
armis.vulnerability.latest_exploit_update | | date
armis.vulnerability.num_of_exploits | | long
armis.vulnerability.number_of_threat_actors | | long
armis.vulnerability.privileges_required | | keyword
armis.vulnerability.published_date | | date
armis.vulnerability.reported_by_google_zero_days | | boolean
armis.vulnerability.scope | | keyword
armis.vulnerability.score | | double
armis.vulnerability.severity | | keyword
armis.vulnerability.status | | keyword
armis.vulnerability.threat_actors | | keyword
armis.vulnerability.threat_tags | | keyword
armis.vulnerability.type | | keyword
armis.vulnerability.user_interaction | | keyword
armis.vulnerability.vulnerability_match.advisory_id | | keyword
armis.vulnerability.vulnerability_match.avm_rating | | keyword
armis.vulnerability.vulnerability_match.confidence_level | | keyword
armis.vulnerability.vulnerability_match.confidence_level_description | | keyword
armis.vulnerability.vulnerability_match.cve_uid | | keyword
armis.vulnerability.vulnerability_match.device_id | | keyword
armis.vulnerability.vulnerability_match.first_detected | | date
armis.vulnerability.vulnerability_match.has_remediation_info | | keyword
armis.vulnerability.vulnerability_match.last_detected | | date
armis.vulnerability.vulnerability_match.match_criteria_string | | keyword
armis.vulnerability.vulnerability_match.recommended_steps | | keyword
armis.vulnerability.vulnerability_match.remediation_types | | keyword
armis.vulnerability.vulnerability_match.status | | keyword
armis.vulnerability.vulnerability_match.status_change_reason | | keyword
armis.vulnerability.vulnerability_match.status_source | | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
input.type | Type of filebeat input. | keyword
labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword
log.offset | Log offset. | long

This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

Alerts Dashboard
Devices Dashboard
Vulnerabilities Dashboard
Changelog
Version | Details | Minimum Kibana version
0.4.1 | Bug fix: Downgrade the format_version to the minimum version that supports all the necessary features for the package. | 9.0.0, 8.18.0
0.4.0 | Enhancement: Improve documentation to align with new guidelines. | 9.0.0, 8.18.0
0.3.0 | Enhancement: Use terminate processor instead of fail processor to handle agent errors. | 9.0.0, 8.18.0
0.2.0 | Enhancement: Remove duplicated installation instructions from the documentation. | 9.0.0, 8.18.0
0.1.1 | Bug fix: Add temporary processor to remove the fields added by the Agentless policy. | 9.0.0, 8.18.0
0.1.0 | Enhancement: Initial release. | 9.0.0, 8.18.0
