Skip to main content

Armis

armis-icon.png

The Sumo Logic App for Armis offers enhanced visibility into both alerts and device data, making it easier to monitor and manage your device security. The app features dashboards that analyze alerts by severity, status, and type, providing a clear picture of the trend of alerts over time. Additionally, the app allows you to monitor devices by risk level, type, and category, and provides a table view of the latest devices with key information to keep your IT infrastructure secure.

Log Types​

The Sumo Logic App for Armis gathers log information from the following two sources.

Alerts. These are notifications or warnings generated when a potential security threat is detected. The alerts provide information about the type of threat, its severity, and other relevant details.

PathTypeDescription
activityIdsNumberThe activity IDs of the alert.
activityUUIDsStringThe activity UUIDs of the alert.
alertIdNumberThe ID of the alert.
connectionIdsNumberThe connection IDs of the alert.
descriptionStringA text description of the alert.
deviceIdsNumberThe device IDs of the alert.
severityStringThe severity of the alert.
statusStringThe status of the alert.
timeDateThe date and time the alert occurred.
titleStringThe title of the alert.
typeStringThe type of the alert.

Device. These logs are generated by the devices being managed by Armis and contain information about device activity, configuration changes, and other relevant details. The device logs help in understanding device behavior and assist in troubleshooting.

PathTypeDescription
accessSwitchStringThe access switch of the device.
categoryStringThe category of the device.
firstSeenDateThe first time the device was seen.
idNumberThe ID of the device.
ipaddressStringThe IP address of the device.
ipv6StringThe IPv6 address of the device.
lastSeenDateThe last time the device was seen.
macAddressStringThe MAC address of the device.
manufacturerStringThe manufacturer of the device.
modelStringThe model of the device.
nameStringThe name of the device.
operatingSystemStringThe operating system of the device.
operatingSystemVersionStringThe operating system version of the device.
purdueLevelStringThe purdue level of the device.
riskLevelStringThe risk level of the device.
sensorStringThe sensor of the device.
siteStringThe site of the device.

Sample Log Messages​

This section contains log messages for both Alerts and Device sources. It helps in monitoring activity and resolving issues.

Sample Alerts Log Messages

{
"data": {
"count": 10,
"next": 10,
"prev": null,
"results": [
{
"activityUUIDs": [
"zXBTUoUBAAAAAF_2V6Ae"
],
"alertId": 124,
"connectionIds": [

],
"description": "The Armis security platform has detected a violation of a policy and generated an alert.",
"deviceIds": [
83
],
"severity": "Medium",
"status": "Unhandled",
"time": "2022-12-27T06:44:31.638892+00:00",
"title": "Test Alerts - New Device",
"type": "System Policy Violation"
}
],
"total": 125
},
"success": true
}

Sample Device Log Messages

{
"data": {
"count": 83,
"next": null,
"prev": null,
"results": [
{
"accessSwitch": null,
"boundaries": "N/A",
"businessImpact": "Unassigned",
"category": "Handhelds",
"customProperties": {

},
"dataSources": [
{
"firstSeen": "2021-07-27T15:15:53+00:00",
"lastSeen": "2021-07-27T15:15:53+00:00",
"name": "API",
"types": [
"Data Upload"
]
},
{
"firstSeen": "2022-10-18T13:10:50.171951+00:00",
"lastSeen": "2022-10-28T11:02:59.289138+00:00",
"name": "User",
"types": [
"Data Upload"
]
}
],
"firstSeen": "2021-07-27T15:15:53+00:00",
"id": 2,
"ipAddress": "10.100.100.111",
"ipv6": "fe82:3::1ff:fe23:4567:890e",
"lastSeen": "2022-10-18T13:07:46.713618+00:00",
"macAddress": "BC:BC:BC:BC:AC:AB",
"manufacturer": "Apple",
"model": "iPhone 6SP",
"name": "test_device alt1",
"operatingSystem": "iOS",
"operatingSystemVersion": "16.0",
"riskLevel": 9,
"sensor": {
"name": "API",
"type": "API"
},
"site": {
"location": "No location",
"name": null
},
"tags": [

],
"type": "Mobile Phones",
"userIds": [

],
"visibility": "Full"
}
],
"total": 83
},
"success": true
}

Sample Queries​

This section contains the sample queries of both the Alerts and Device.

Total Alerts
_sourceCategory=ArmisDashboards alertId
| json "alertId","activityUUIDs","connectionIds","description","deviceIds","severity","status","time","title","type" as alertId,activityUUIDs,connectionIds,description,deviceIds,severity,status,time,title,type nodrop
| where severity matches"{{Severity}}" and status matches"{{Status}}" and type matches"{{Type}}"
| extract field=deviceIds "(?<ids>\b\d+\b)" multi
| where "{{Site}}" = "*" or [subquery: (_sourceCategory=ArmisDashboards id)
| json "id","site.name" as ids, site
| where site matches "{{Site}}"
| compose ids]
| count_distinct(alertId)
Device
_sourceCategory=ArmisDashboards id
| json "id","name","manufacturer","model","riskLevel","sensor","site.name","type","category","operatingSystem" as id, name, manufacturer, model, riskLevel, sensor, site, type, category, operatingSystem nodrop
| where site matches "{{Site}}" and manufacturer matches "{{Manufacturer}}" and type matches "{{Type}}"
| count_distinct(id)

Collecting Logs for Armis API​

This section explains how to collect logs from Armis API and ingest them into Sumo Logic. Refer to the Armis API Cloud-to-Cloud Integration to create the source and use the same source category while installing the app.

Installing the Armis App​

To install the app:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    App_Catalog.png
  3. Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
    note

    If your app has multiple versions, you'll need to select the version of the service you're using before installation.

  4. On the next configuration page, under Select Data Source for your App, complete the following fields:
    • Data Source. Select one of the following options:
      • Choose Source Category and select a source category from the list; or
      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example, _sourceCategory=MyCategory.
    • Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
    • All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
  5. Click Next.
  6. Look for the dialog confirming that your app was installed successfully.
    app-success.png

Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.

Viewing the Armis Dashboards​​

  • All dashboards have a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

    You can use filters to drill down and examine the data on a granular level. Filters include client country, client device type, client IP, client request host, client request URI, client request user agent, edge response status, origin IP, and origin response status.

  • Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.

Alerts Overview Dashboard​

Armis - Alerts Overview dashboard. The dashboard provides a comprehensive analysis of alerts, by categorizing them based on their severity, status, type, and presenting a trend of alerts over a specified period of time.
Armis-Alerts-Overview.png

Device Overview Dashboard​

Armis - Device Overview dashboard. The dashboard provides a table view of last-seen devices with key information to protect your IT infrastructure and offers visibility into devices based on risk levels, types, and categories.
Armis-Alerts-Overview.png

Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.