
Exabeam Cloud Connectors Configuration Guide

Armis Cloud Connector

This integration ingests alert logs and device context from Armis. It enables a wide variety of IoT/OT detection use cases, as well as alert enrichment, contextualization and prioritization, so that analysts can triage and investigate alerts more effectively in IoT/OT environments.

Armis Endpoints

Endpoint: Alert Logs
  Frequency: 10 minutes
  Description: Turned on by default; ingests Alert Logs.
  Limitations: Subject to Armis API quota limitations.

Endpoint: Device Context
  Frequency: Weekly
  Description:
  • Turned on by default; ingests Device Context.
  • Requires additional configuration (see Configure Device Context Endpoint below).
  • The configuration is present automatically in all SaaS deployments that have the Advanced Analytics product. Pushing Device Context to Data Lake is not supported.
  • If the configuration is not present, the following message is displayed:
    "If you would like to enable Device Context pushing to your Advanced Analytics instance, please follow the onboarding guide. Pushing Device Context to Data Lake is not supported, and in order to avoid this error you can stop this endpoint"
  • After the configuration is present and the endpoint is turned on, Device Context is pushed periodically to a Context Table named armis_device_info.
  Limitations:
  • Subject to Armis API quota limitations.
  • Up to 250K devices are supported. If the number of devices exceeds 250K, the endpoint enters an error state with the following message:
    "Your deployment has more than the supported 250K devices: X devices"

Prerequisites to Configure the Armis Cloud Connector

Before you can configure the Armis Cloud Connector, you must obtain the API Key and the Tenant Name. For on-premises deployments, you must also configure the Device Context endpoint (see Configure Device Context Endpoint below).

API Key

To obtain the API Key:

  1. Create an Armis user with Read-Only permissions for Alerts and for Devices. You can use the out-of-the-box (OOTB) Read Only role and assign it to this user. Use a dedicated service user rather than a personal account, so the key can be rotated or revoked without affecting anyone's login.

  2. Generate an API Secret Key for this user in the Armis API Management UI (see screenshot below) and copy it; you will enter it in the Cloud Connector configuration later.

    [Screenshot: Armis API Management UI, API Secret Key generation]

Tenant Name

To obtain the Tenant Name:

  1. Log in to your Armis dashboard and identify the prefix of the URL, that is, the leading part of the dashboard hostname. For example:

    [Screenshot: Armis dashboard URL with the tenant prefix highlighted]
  2. Record the Tenant Name. In this example, the name is partner-demo.

Configure Device Context Endpoint

Note

This configuration is required for on-premises deployments only. In SaaS deployments, it is done automatically and no user action is required.

To push Device Context over the REST API to your Advanced Analytics deployment, your Armis Cloud Connectors deployment must be configured with the IP address of your Advanced Analytics deployment and its Cluster Authorization Token.

  1. Obtain your Advanced Analytics Cluster Authorization Token from the Advanced Analytics Settings UI: https://AA_UI_IP/settings.

    1. Go to Cluster Authorization Token under the Admin Operations card.

    2. Click the + sign on the right.

    3. Give your token a Name.

    4. For Expiry Date choose Permanent.

    5. Verify that the Permission Level is Administrator.

    6. Click Add Token and save the value. A permanent Administrator-level token is a long-lived privileged credential: store it only where the procedure below requires it and treat it as a secret.

  2. Obtain the external IP of the aa-master node, for example with the ifconfig command or your preferred method.

  3. After you have obtained the configuration details, supply them to the Exabeam Cloud Connectors platform using one of the following methods:

    If you haven’t upgraded the Exabeam Cloud Connectors platform yet and plan to perform an upgrade, you can supply the parameters directly to the upgrade script (substitute <VALUE> with the proper values):

    • aaexternalip=<VALUE>

    • aatoken=<VALUE>

    If you already have upgraded the Exabeam Cloud Connectors platform, you can manually add the credentials:

    1. Go to your Cloud Connectors install directory.

      This will typically be under /opt/exabeam/data/sk4/. If not, check the installation dir by running systemctl status sk4compose and observing the location of the docker-compose.yml file under ExecStart.

    2. Open the .env file for editing.

    3. Add the following two lines at the bottom of the file (substitute <VALUE> with the proper values). The variable names are case sensitive. Because the file now holds an Administrator-level token, make sure it is not readable by other users on the host.

      AA_AUTH_TOKEN=<VALUE>
      AA_EXTERNAL_IP=<VALUE>
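The manual .env procedure above, scripted as an added example (this is not Exabeam's own tooling). It locates the install directory by parsing the docker-compose.yml path out of systemctl status output as the guide describes, validates the IP before anything is written, sets each variable exactly once (replacing an existing line in place rather than appending a duplicate), and warns when the file is readable by other users. The sample systemctl output in the test is constructed; the --apply flag, function names and the default directory fallback are this example's own choices.

```shell
#!/bin/sh
# Added example: set AA_AUTH_TOKEN / AA_EXTERNAL_IP in the Cloud Connectors
# .env file idempotently. Not part of the Exabeam product; assumptions are
# marked in comments.

# Print the directory containing docker-compose.yml from `systemctl status
# sk4compose` output read on stdin (fed from a pipe so it is testable offline).
sk4_install_dir() {
    sed -n 's#.*[ =]\(/[^ ]*\)/docker-compose\.yml.*#\1#p' | head -n 1
}

# Accept only a dotted-quad IPv4 address with octets 0-255, so a typo
# cannot be written into the configuration.
is_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Set KEY=VALUE in an env file: replace an existing KEY line in place,
# otherwise append. Keys are matched literally and case-sensitively, as the
# guide requires. (awk -v interprets backslash escapes in VALUE; tokens and
# IPs contain none.)
set_env_var() {
    envfile=$1 key=$2 value=$3
    [ -f "$envfile" ] || { echo "missing $envfile" >&2; return 1; }
    tmp="${envfile}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$envfile" > "$tmp" && mv "$tmp" "$envfile"
}

# True (exit 0) when group or other has read permission on the file.
env_world_readable() {
    ls -l "$1" | cut -c5-10 | grep -q r
}

# $1 = install dir, $2 = AA external IP, $3 = AA cluster authorization token.
configure_device_context() {
    dir=$1 ip=$2 token=$3
    is_ipv4 "$ip" || { echo "invalid AA_EXTERNAL_IP: $ip" >&2; return 1; }
    [ -n "$token" ] || { echo "empty AA_AUTH_TOKEN" >&2; return 1; }
    set_env_var "$dir/.env" AA_AUTH_TOKEN "$token" || return 1
    set_env_var "$dir/.env" AA_EXTERNAL_IP "$ip" || return 1
    if env_world_readable "$dir/.env"; then
        echo "warning: $dir/.env is readable by group/other and now holds an administrator token" >&2
    fi
}

# Usage on the Cloud Connectors host (assumed invocation, nothing runs otherwise):
#   sh configure_armis_aa.sh --apply 10.0.0.5 '<AA token>'
if [ "${1:-}" = "--apply" ]; then
    dir=$(systemctl status sk4compose 2>/dev/null | sk4_install_dir)
    [ -n "$dir" ] || dir=/opt/exabeam/data/sk4   # the guide's typical location
    configure_device_context "$dir" "$2" "$3"
fi
```

Running the script a second time with a new token leaves one AA_AUTH_TOKEN line, which matters because the .env format does not define which of two duplicate keys wins.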

Configure the Armis Cloud Connector

  1. Complete the Prerequisites to Configure the Armis Cloud Connector.

  2. Log in to the Exabeam Cloud Connectors platform with your registered credentials.

  3. Navigate to Settings > Accounts > Add Account.

  4. Click Select Service to Add, then select Armis from the list.

  5. Fill in the following information:

    [Screenshot: Add Account form for the Armis cloud connector]
    • Account Name – Give this cloud connector a meaningful name. Exabeam uses it to identify the cloud connector across the Exabeam Cloud Connectors platform and in every event the connector sends to your SIEM or log management system (for example Splunk).

    • Description – Enter any text that describes the specific cloud connector function and provides meaning for your organization.

    • API Key – Enter the API Key you obtained during the prerequisites workflows.

    • Tenant Name – Enter the tenant name you obtained during the prerequisites workflows.

  6. To confirm that the Exabeam Cloud Connector platform communicates with the service, click Test Connection.

  7. Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.

  8. To ensure that the connector is ready to send and collect data, Start the connector and check that the status shows OK.