Armis
Armis is an asset management tool that scans your hosts and cloud resources to generate alerts and security findings. You can bring alert, cloud resource, host, and vulnerability data from Armis into Brinqa to construct a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Armis and how to obtain that information from Armis. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Armis from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Armis with Brinqa:
-
Server URL: Your organization's Armis Server URL. The default URL format is
https://<tenant>.armis.com, where<tenant>is your organization's tenant name. For example, if your tenant name isbrinqa, the URL would behttps://brinqa.armis.com. -
API Secret Key: The API key associated with the Armis account, which must have, at the very least, the Read Only role assigned to it. This is considered the minimum role required to read and retrieve data from the Armis API.
Sample cURL Commandcurl -X GET "https://api.armis.com/v1/search" \
-H "x-api-key: YOUR_API_KEY"
Generate an Armis API key
For the Armis connector to use the Armis API, you must provide an API key. To generate a new API key, follow these steps:
-
Log in to your organization's Armis server as an administrator.
-
Navigate to Settings > API Management.
-
Click Create.
This page also includes links to the Armis API Docs and API Guide. These links are located under the Usage Example section.
Your new API key displays. While you can come back to this page and obtain your API key, it is recommended that you handle it with caution by storing it in a safe and secure location.
If you do not have the permissions to create an API key, contact your Armis administrator. For additional information, see Armis documentation.
Additional settings
The Armis connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Armis API before giving up and reporting a failure. The default setting is 5.
-
Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The Armis connector can retrieve the following types of data from the Armis API:
Table 1: Data retrieved from Armis
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Armis Alert | Yes | Alert |
| Armis Alert Definition | Yes | Alert Definition |
| Armis Cloud Resource | Yes | Cloud Resource |
| Armis Host | Yes | Host |
| Armis Vulnerability | Yes | Vulnerability |
| Armis Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Armis in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Armis Alert
Table 2: Armis Alert attribute mappings
| Armis Field Name | Maps to Brinqa Attribute |
|---|---|
| alert.activityIds | activities |
| alert.alertId | uid |
| alert.deviceIds | targets |
| alert.status | providerStatus |
| alert.status - category of normalized value | statusCategory |
| alert.status - normalized | sourceStatus |
| alert.status - normalized | status |
| alert.time | sourceLastModified |
| alert.title or alert.alertId | name |
Armis Alert Definition
Table 3: Armis Alert Definition attribute mappings
| Armis Field Name | Maps to Brinqa Attribute |
|---|---|
| alert.severity | sourceSeverity |
| alert.title | name |
| alert.type | categories |
| getFindingSeverityScore(normalizedSeverity) | severityScore |
| normalizeFindingSeverity(alert.severity) | severity |
| uid | uid |
Armis Cloud Resource
Table 4: Armis Cloud Resource attribute mappings
| Armis Field Name | Maps to Brinqa Attribute |
|---|---|
| device.category / device.type | categories |
| device.firstSeen | firstSeen |
| device.id | uid |
| device.ipAddress | ipAddresses |
| device.lastSeen | lastSeen |
| device.macAddress | macAddresses |
| device.manufacturer | manufacturer |
| device.model | model |
| device.name | name |
| device.name - normalized | hostnames |
| device.operatingSystem / device.operatingSystemVersion | operatingSystem |
| device.riskLevel | riskLevel |
| device.sensor.name | sensor |
| device.site.name | site |
| device.tags | tags |
| device.type | deviceType |
| device.user | user |
Armis Host
Table 5: Armis Host attribute mappings
| Armis Field Name | Maps to Brinqa Attribute |
|---|---|
| device.category / device.type | categories |
| device.firstSeen | firstSeen |
| device.id | uid |
| device.ipAddress | ipAddresses |
| device.lastSeen | lastSeen |
| device.macAddress | macAddresses |
| device.manufacturer | manufacturer |
| device.model | model |
| device.name | name |
| device.name - normalized | hostnames |
| device.operatingSystem / device.operatingSystemVersion | operatingSystem |
| device.riskLevel | riskLevel |
| device.sensor.name | sensor |
| device.site.name | site |
| device.tags | tags |
| device.type | deviceType |
| device.user | user |
Armis Vulnerability
Table 6: Armis Vulnerability attribute mappings
| Armis Field Name | Maps to Brinqa Attribute |
|---|---|
| vulnerabilityMatch.confidenceLevel | confidenceLevel |
| vulnerabilityMatch.cveUid | type |
| vulnerabilityMatch.cveUid + "_" + vulnerabilityMatch.deviceId | uid |
| vulnerabilityMatch.cveUid + "_" + vulnerabilityMatch.deviceId | name |
| vulnerabilityMatch.deviceId | targets |
| vulnerabilityMatch.firstDetected | firstFound |
| vulnerabilityMatch.lastDetected | lastFound |
| vulnerabilityMatch.matchCriteriaString | matchCriteria |
| vulnerabilityMatch.status | providerStatus |
| getFindingStatusCategory(normalizeFindingStatus(vulnerabilityMatch.status)) | statusCategory |
| normalizeFindingStatus(vulnerabilityMatch.status) | sourceStatus |
| normalizeFindingStatus(vulnerabilityMatch.status) | status |
Armis Vulnerability Definition
Table 7: Armis Vulnerability Definition attribute mappings
| Armis Field Name | Maps to Brinqa Attribute |
|---|---|
| vulnerability.affectedDevicesCount | affectedDeviceCount |
| vulnerability.attackComplexity | cvssV3Ac |
| vulnerability.attackVector | cvssV3Av |
| vulnerability.availabilityImpact | cvssV3Ai |
| vulnerability.botnets | botnets |
| vulnerability.cisaDueDate | cisaDueDate |
| vulnerability.commonName | name |
| vulnerability.confidentialityImpact | cvssV3Ci |
| vulnerability.cveUid | cveIds |
| vulnerability.cveUid | cveRecords |
| vulnerability.cveUid | uid |
| vulnerability.cvssScore | cvssV3BaseScore |
| vulnerability.description | summary |
| vulnerability.epssPercentile | epssPercentile |
| vulnerability.epssScore | epssScore |
| vulnerability.exploitabilityScore | exploitabilityScore |
| vulnerability.firstReferencePublishDate | firstRefPublishDate |
| vulnerability.firstWeaponizedReferencePublishDate | firstWeaponizedRefPublishDate |
| vulnerability.hasRansomware | hasRansomware |
| vulnerability.impactScore | impactScore |
| vulnerability.integrityImpact | cvssV3Ii |
| vulnerability.isWeaponized | isWeaponized |
| vulnerability.latestExploitUpdate | latestExploitUpdate |
| vulnerability.numOfExploits | numOfExploits |
| vulnerability.numberOfThreatActors | numOfThreatActors |
| vulnerability.orgPriority | orgPriority |
| vulnerability.privilegesRequired | cvssV3Pr |
| vulnerability.publishedDate | publishedDate |
| vulnerability.reportedByGoogleZeroDays | reportedByGoogleZeroDays |
| vulnerability.scope | cvssV3Scope |
| vulnerability.score | score |
| vulnerability.severity | severity |
| vulnerability.threatTags | threatTags |
| vulnerability.userInteraction | cvssV3Ui |
Operation options
The Armis connector supports the following operation options. See connector operation options for information about how to apply them.
Table 8: Armis connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Alert | query | Any valid Armis Standard Query (ASQ) string | A query written in the Armis Standard Query (ASQ) language. For more information, see Armis ASQ documentation. | Key: query Value: severity:High status:Active !source:"Policy Violation". This key and value combination retrieves only active high-severity alerts that are not sourced from policy violations. |
| Alert Definition | query | Any valid Armis Standard Query (ASQ) string | A query written in the Armis Standard Query (ASQ) language. For more information, see Armis ASQ documentation. | Key: query Value: type:"Vulnerability Alert" !severity:Low. This key and value combination retrieves only vulnerability alert definitions excluding those with low severity. |
| Cloud Resource | query | Any valid Armis Standard Query (ASQ) string | A query written in the Armis Standard Query (ASQ) language. For more information, see Armis ASQ documentation. | Key: query Value: !type:Unknown,"Access Point Interface" boundary:"Corporate" connected:true. This key and value combination excludes unknown types, includes only corporate-boundary devices, and requires connected assets. |
| Host | query | Any valid Armis Standard Query (ASQ) string | A query written in the Armis Standard Query (ASQ) language. For more information, see Armis ASQ documentation. | Key: query Value: riskLevel:High !type:Printer,"Access Point Interface". This key and value combination retrieves high-risk hosts while excluding printers and access points. |
| Vulnerability | query | Any valid Armis Standard Query (ASQ) string | A query written in the Armis Standard Query (ASQ) language. For more information, see Armis ASQ documentation. | Key: query Value: !cve:CVE-2020-12345 severity:Critical patchStatus:Unpatched. This key and value combination retrieves critical unpatched vulnerabilities excluding those tied to CVE-2020-12345. |
| Vulnerability Definition | query | Any valid Armis Standard Query (ASQ) string | A query written in the Armis Standard Query (ASQ) language. For more information, see Armis ASQ documentation. | Key: query Value: vendor:Microsoft cvss:>=8.0 !exploitability:None. This key and value combination retrieves high-severity Microsoft vulnerabilities that are not marked as non-exploitable. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Armis connector uses the Armis API v1. Specifically, it uses the following endpoints:
Table 9: Armis API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Armis Alert | GET /api/v1/search/ |
| Armis Alert Definition | GET /api/v1/search/ |
| Armis Cloud Resource | GET /api/v1/search/ |
| Armis Host | GET /api/v1/search/ |
| Armis Vulnerability | GET /api/v1/search/ |
| Armis Vulnerability Definition | GET /api/v1/search/ |
Changelog
The Armis connector has undergone the following changes:
Table 10: Armis connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.0 | Initial Integration+ release. | June 18th, 2025 |