{ "name": "armis", "title": "Armis", "version": "0.4.0", "release": "beta", "description": "Collect logs from Armis with Elastic Agent.", "type": "integration", "download": "/epr/armis/armis-0.4.0.zip", "path": "/package/armis/0.4.0", "icons": [ { "src": "/img/armis-logo.svg", "path": "/package/armis/0.4.0/img/armis-logo.svg", "title": "Armis logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.18.0 || ^9.0.0" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "vulnerability_management", "network_security" ], "signature_path": "/epr/armis/armis-0.4.0.zip.sig", "format_version": "3.4.0", "readme": "/package/armis/0.4.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/armis-alerts.png", "path": "/package/armis/0.4.0/img/armis-alerts.png", "title": "Alerts Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/armis-devices.png", "path": "/package/armis/0.4.0/img/armis-devices.png", "title": "Devices Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/armis-vulnerabilities.png", "path": "/package/armis/0.4.0/img/armis-vulnerabilities.png", "title": "Vulnerabilities Dashboard", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/armis/0.4.0/LICENSE.txt", "/package/armis/0.4.0/changelog.yml", "/package/armis/0.4.0/manifest.yml", "/package/armis/0.4.0/validation.yml", "/package/armis/0.4.0/docs/README.md", "/package/armis/0.4.0/img/armis-alerts.png", "/package/armis/0.4.0/img/armis-devices.png", "/package/armis/0.4.0/img/armis-logo.svg", "/package/armis/0.4.0/img/armis-vulnerabilities.png", "/package/armis/0.4.0/data_stream/alert/lifecycle.yml", "/package/armis/0.4.0/data_stream/alert/manifest.yml", "/package/armis/0.4.0/data_stream/alert/sample_event.json", "/package/armis/0.4.0/data_stream/device/lifecycle.yml", "/package/armis/0.4.0/data_stream/device/manifest.yml", "/package/armis/0.4.0/data_stream/device/sample_event.json", "/package/armis/0.4.0/data_stream/vulnerability/manifest.yml", "/package/armis/0.4.0/data_stream/vulnerability/sample_event.json", "/package/armis/0.4.0/kibana/dashboard/armis-68592f5a-9c7b-4398-a723-510d5e48a8b1.json", "/package/armis/0.4.0/kibana/dashboard/armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095.json", "/package/armis/0.4.0/kibana/dashboard/armis-f988ffbb-80b9-42c2-8009-bbcc59d33347.json", "/package/armis/0.4.0/kibana/search/armis-0d7ec13b-880a-4fcc-8ff2-1af9cfd7cb31.json", "/package/armis/0.4.0/kibana/search/armis-4f132e91-3d6d-4e05-b67a-f00b2e87b95d.json", "/package/armis/0.4.0/kibana/search/armis-b7925646-4f62-4db4-8779-8d9202575fdd.json", "/package/armis/0.4.0/data_stream/alert/fields/base-fields.yml", "/package/armis/0.4.0/data_stream/alert/fields/beats.yml", "/package/armis/0.4.0/data_stream/alert/fields/fields.yml", "/package/armis/0.4.0/data_stream/alert/fields/is-transform-source-true.yml", "/package/armis/0.4.0/data_stream/device/fields/base-fields.yml", "/package/armis/0.4.0/data_stream/device/fields/beats.yml", "/package/armis/0.4.0/data_stream/device/fields/fields.yml", "/package/armis/0.4.0/data_stream/device/fields/is-transform-source-true.yml", "/package/armis/0.4.0/data_stream/vulnerability/fields/base-fields.yml", "/package/armis/0.4.0/data_stream/vulnerability/fields/beats.yml", "/package/armis/0.4.0/data_stream/vulnerability/fields/fields.yml", "/package/armis/0.4.0/data_stream/vulnerability/fields/is-transform-source-true.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/manifest.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/transform.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/manifest.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/transform.yml", "/package/armis/0.4.0/data_stream/alert/agent/stream/cel.yml.hbs", "/package/armis/0.4.0/data_stream/alert/elasticsearch/ilm/default_policy.json", "/package/armis/0.4.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml", "/package/armis/0.4.0/data_stream/device/agent/stream/cel.yml.hbs", "/package/armis/0.4.0/data_stream/device/elasticsearch/ilm/default_policy.json", "/package/armis/0.4.0/data_stream/device/elasticsearch/ingest_pipeline/default.yml", "/package/armis/0.4.0/data_stream/vulnerability/agent/stream/cel.yml.hbs", "/package/armis/0.4.0/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/fields/base-fields.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/fields/beats.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/fields/ecs.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/fields/fields.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_alert/fields/is-transform-source-false.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/fields/base-fields.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/fields/beats.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/fields/ecs.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/fields/fields.yml", "/package/armis/0.4.0/elasticsearch/transform/latest_device/fields/is-transform-source-false.yml" ], "policy_templates": [ { "name": "armis", "title": "Armis logs", "description": "Collect Armis logs.", "inputs": [ { "type": "cel", "vars": [ { "name": "url", "type": "url", "title": "URL", "description": "Base URL of the Armis API.", "multi": false, "required": true, "show_user": false }, { "name": "secret_key", "type": "password", "title": "Secret Key", "description": "Secret Key of Armis.", "multi": false, "required": true, "show_user": true }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "i.e. certificate_authorities, supported_protocols, verification_mode etc.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Armis logs via API", "description": "Collecting Armis logs via API." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "armis.alert", "ilm_policy": "logs-armis.alert-default_policy", "title": "Alert", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Alert logs from Armis API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Armis API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "page_size", "type": "text", "title": "Page Size", "description": "Page size for the response of the Armis API.", "multi": false, "required": true, "show_user": false, "default": 2000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "armis-alert" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve armis.alert fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Alert Logs", "description": "Collecting Alert logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "armis", "path": "alert" }, { "type": "logs", "dataset": "armis.device", "ilm_policy": "logs-armis.device-default_policy", "title": "Device", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Device logs from Armis API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Armis API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "page_size", "type": "text", "title": "Page Size", "description": "Page size for the response of the Armis API.", "multi": false, "required": true, "show_user": false, "default": 2000 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "armis-device" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve armis.device fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Device Logs", "description": "Collecting Device logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "armis", "path": "device" }, { "type": "logs", "dataset": "armis.vulnerability", "title": "Vulnerability", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Vulnerability logs from Armis API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Armis API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "page_size", "type": "text", "title": "Page Size", "description": "Page size for the response of the Armis API.", "multi": false, "required": true, "show_user": false, "default": 89 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "armis-vulnerability" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve armis.vulnerability fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Vulnerability Logs", "description": "Collect Vulnerability logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "armis", "path": "vulnerability" } ] }