Armis
About this document
This document provides step-by-step instructions to configure Armis Integration in SAFE and pull assets and vulnerability findings from the tool.
Introduction
Armis integration allows you to import your assets and any security issues (vulnerabilities) from Armis into SAFE. Admins in SAFE can set this up from the Armis card on the Integrations page.
Once you set it up, all your assets from Armis, including OT (Other Technologies) and IoT (Internet of Things) assets, will be imported. This helps you understand the security risks of your assets and offers steps to improve your security.
Prerequisites
Assets are already set up and assessed in Armis.
An Armis user account with Admin rights or enough permissions to create a new user and role for SAFE.
SAFE access with Admin rights.
Generate connection details
To connect SAFE with Armis, you'll need two things: the Armis Base URL and the Secret API Key. Here's how to get them:
4.1 Create a custom read-only role
Log in to the Armis portal.
Go to Settings > Roles & Permissions from the left menu.
Find the Read-only role under Predefined Roles and copy it by clicking the copy icon.
Update the name of the role as per your preference.
Make sure to check the box for Generate API Secret Key.
4.2 Create a new User
Go to Settings > Users from the left menu.
Click the Add User button.
Fill in the required details:
Name - As per user preference.
Username - As per user preference.
Email - As per user preference.
Roles - Select the role created at the end of Section 4.1.
Allowed Sites - Select either specific sites or All Sites. Only assets from the selected sites will be pulled into SAFE for risk posture analysis.
Click Add.
A temporary password will appear. Save it; you will need it to log in as this user in Section 4.3.
4.2.1 (Optional) Bypass SAML Authentication
If Armis uses SAML for login, and you want to use a generic user for SAFE, create a user as in Section 4.2, then contact Armis Support to enable non-SAML login for this user.
4.3 Generate the Secret API key
Log out and then log back in as the user you just created, using the temporary password.
Go to Settings > API Management.
Click Create to generate a Secret API Key.
Copy the generated Key.
Configure Armis in SAFE
Now, set up the integration in SAFE:
Go to the Integrations page and click on the Armis card.
On the Configure page, enter:
Armis Base URL: The URL you use to log in to Armis.
Secret API Key: The key you generated in Section 4.3.
Tags: (Optional) You can use this field to only import certain assets by entering tags from Armis, separated by commas (e.g., myCloudAssetsTag1, myIoTAssetsTag2).
If you don't want to update the asset's metadata (like names), uncheck Update Existing Assets Metadata.
If you want to automatically add new assets from Armis into SAFE, check Auto Onboard New Assets.
Click Test Connection.
Once the connection is verified, click Save.
Click Sync Now to start the import immediately.
Custom Fields (Tags) Support
Armis integration supports two custom fields:
armis-tags: This will pull in asset tags from Armis.
armis-device-type: This will pull in asset types from Armis.
To use these, go to Settings > Custom Fields in SAFE and create these fields with the exact names listed above.
Viewing Results
To see the imported assets and their assessment:
Go to the Integrations page and click on the Armis card.
You'll see two tabs: Finding View and Asset View.
Finding View: Shows all the security issues (findings) imported from Armis.
Asset View: Lists all the assets imported or updated from Armis.
You can also go to Technology and filter the asset list to see only those from Armis.
FAQs
What filters are applied when pulling vulnerabilities from Armis?
SAFE only pulls vulnerabilities from Armis that are:
Severity: Critical, High, or Medium.
Status: Open or Ticketed.
What does "assets skipped count" mean in the sync details card?
An asset pulled from Armis will be skipped and not ingested into SAFE if it meets any of the following conditions:
The attached vulnerability (CVE) does not have a severity rating of Critical, High, or Medium.
The status of the attached vulnerability (CVE) is not "Open" or "Ticketed".
The asset name is null or empty.
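To reconcile the "assets skipped count" against your own export before a sync, the three skip conditions above can be applied to a list of asset/CVE records. This is an added example, not SAFE or Armis code: the record keys (asset_name, severity, status), the sample rows, and the case-insensitive matching are assumptions made for illustration.

```python
from collections import Counter

# Filters stated in the FAQ above (compared case-insensitively: assumption).
PULLED_SEVERITIES = {"critical", "high", "medium"}
PULLED_STATUSES = {"open", "ticketed"}


def skip_reason(record):
    """Return why a record would be skipped, or None if it would be ingested.

    `record` is one asset/CVE pair with hypothetical keys "asset_name",
    "severity" and "status"; these are not Armis API field names.
    """
    name = record.get("asset_name")
    # Assumption: a whitespace-only name is treated the same as an empty one.
    if name is None or not name.strip():
        return "asset name null or empty"
    if (record.get("severity") or "").lower() not in PULLED_SEVERITIES:
        return "severity not Critical/High/Medium"
    if (record.get("status") or "").lower() not in PULLED_STATUSES:
        return "status not Open/Ticketed"
    return None


def reconcile(records):
    """Split records into ingested asset names and a per-reason skip tally."""
    ingested, skipped = [], Counter()
    for rec in records:
        reason = skip_reason(rec)
        if reason is None:
            ingested.append(rec["asset_name"])
        else:
            skipped[reason] += 1
    return ingested, skipped


# Constructed sample rows, not real Armis data; "Resolved" is a made-up
# status used only to represent "anything other than Open or Ticketed".
SAMPLE = [
    {"asset_name": "plc-line-1", "severity": "Critical", "status": "Open"},
    {"asset_name": "hvac-ctrl", "severity": "Low", "status": "Open"},
    {"asset_name": "cam-lobby", "severity": "High", "status": "Resolved"},
    {"asset_name": "", "severity": "High", "status": "Open"},
    {"asset_name": None, "severity": "Medium", "status": "Ticketed"},
    {"asset_name": "badge-reader", "severity": "Medium", "status": "ticketed"},
]

if __name__ == "__main__":
    ingested, skipped = reconcile(SAMPLE)
    print("ingested:", ingested)
    print("skipped total:", sum(skipped.values()), dict(skipped))
```

When a record matches more than one condition, only the first matching reason is tallied, so the per-reason counts always sum to the total skipped count.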
Why do I see OT and IoT in SAFE’s Attack Surface field for some assets?
With Armis integration, SAFE adds two new attack surfaces: OT (Other Technologies) and IoT (Internet of Things). If Armis identifies an asset as OT or IoT, SAFE will categorize it under these new fields.