diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ea703f2d634..d25e47e1259 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -21,6 +21,7 @@ /packages/apache_tomcat @elastic/obs-infraobs-integrations /packages/apm @elastic/obs-ds-intake-services /packages/arista_ngfw @elastic/sec-deployment-and-devices +/packages/armis @elastic/security-service-integrations /packages/atlassian_bitbucket @elastic/security-service-integrations /packages/atlassian_confluence @elastic/security-service-integrations /packages/atlassian_jira @elastic/security-service-integrations diff --git a/packages/armis/_dev/build/build.yml b/packages/armis/_dev/build/build.yml new file mode 100644 index 00000000000..97fc8aa10cd --- /dev/null +++ b/packages/armis/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.17.0 diff --git a/packages/armis/_dev/build/docs/README.md b/packages/armis/_dev/build/docs/README.md new file mode 100755 index 00000000000..b0d21a7f09c --- /dev/null +++ b/packages/armis/_dev/build/docs/README.md 
@@ -0,0 +1,130 @@ +# Armis + +[Armis](https://www.armis.com/) is an enterprise-class security platform designed to provide visibility and protection for managed, unmanaged, and IoT devices. It enables organizations to detect threats, manage vulnerabilities, and enforce security policies across their network. + +Use this integration to collect and parse data from your Armis instance. + +## Compatibility + +This module has been tested against the Armis API version **v1**. + +## Data Streams + +The Armis integration collects three types of logs. + +- **Devices** : Fetches the latest updates for all devices monitored by Armis. +- **Alerts** : Gathers alerts associated with all devices monitored by Armis. +- **Vulnerabilities** : Retrieves detected vulnerabilities and possible mitigation steps across all devices monitored by Armis. + +**Note** : + +1. The **vulnerability data stream** retrieves information by first fetching vulnerabilities and then identifying the devices where these vulnerabilities were detected, using a chained call between the vulnerability search and vulnerability match endpoints. + +## Requirements + +### Agentless Enabled Integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. 
+ +### Agent Based Installation +- Elastic Agent must be installed +- You can install only one Elastic Agent per host. +- Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +#### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +#### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +#### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +#### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +## Setup + +### To collect logs through REST API, follow the below steps: + +1. Log in to your Armis portal. +2. Navigate to the **Settings** tab. +3. Select **Asset Management & Security**. +4. Go to **API Management** and generate a **Secret Key**. + +### Enabling the integration in Elastic: + +1. In Kibana navigate to Management > Integrations. +2. In "Search for integrations" top bar, search for `Armis`. +3. 
Select the "Armis" integration from the search results. +4. Select "Add Armis" to add the integration. +5. Add all the required integration configuration parameters, including the URL, Secret Key to enable data collection. +6. Select "Save and continue" to save the integration. + +## Limitations + +1. In the **vulnerability data stream**, our filtering mechanism for the **vulnerability search API** relies specifically on the `lastDetected` field. This means that when a user takes action on a vulnerability and `lastDetected` updates, only then will the event for that vulnerability be retrieved. Initially, we assumed this field would always have a value and could be used as a cursor timestamp for fetching data between intervals. However, due to inconsistencies in the API response, we observed cases where `lastDetected` is `null`. + +## Troubleshooting + +- If you are seeing below mentioned errors in the **vulnerability data stream**, try reducing the page size in your request. + + **Common errors:** + - `502 Bad Gateway` + - `414 Request-URI Too Large` + +- If you are encountering issues in the **alert data stream**, particularly during the initial data fetch, try reducing the initial interval. + + **Example error:** + - `The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.` + +## Logs reference + +### Alert + +This is the `alert` dataset. + +#### Example + +An example event for `alert` looks as following: + +{{event "alert"}} + +#### Exported fields + +{{fields "alert"}} + +### Device + +This is the `device` dataset. + +#### Example + +An example event for `device` looks as following: + +{{event "device"}} + +#### Exported fields + +{{fields "device"}} + +### Vulnerability + +This is the `vulnerability` dataset. 
+ +#### Example + +An example event for `vulnerability` looks as following: + +{{event "vulnerability"}} + +#### Exported fields + +{{fields "vulnerability"}} diff --git a/packages/armis/_dev/deploy/docker/docker-compose.yml b/packages/armis/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..1fe242b7ccf --- /dev/null +++ b/packages/armis/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3.0' +services: + armis: + image: docker.elastic.co/observability/stream:v0.17.1 + hostname: armis + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config.yml diff --git a/packages/armis/_dev/deploy/docker/files/config.yml b/packages/armis/_dev/deploy/docker/files/config.yml new file mode 100755 index 00000000000..0529e12e92c --- /dev/null +++ b/packages/armis/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,793 @@ +rules: + - path: /api/v1/access_token/ + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {"data":{"access_token":"XXXX","expiration_utc":"2025-04-03T08:48:17.963452+00:00"},"success":true} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: statusChangeTime + from: 1 + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": 2, + "prev": 0, + "results": [ + { + "activityUUIDs": [ + "f63f0d20-5642-4631-a8a6-d8f8be63b1d4", + "2a76b04d-4470-4484-a3c6-6f2fbe96ba09", + "99a8bf84-dddb-437e-b53b-1d2eba754d24" + ], + "affectedDevicesCount": 1, + "alertId": 70, + "classification": "Security - Other", + "connectionIds": [], + "description": "Mitre Tactic: Command and Control. Compromised systems will attempt to establish communication with their C2 systems. 
", + "destinationEndpoints": [], + "deviceIds": [534], + "lastAlertUpdateTime": null, + "mitreAttackLabels": null, + "policyId": null, + "policyLabels": null, + "policyTitle": null, + "severity": "Critical", + "sourceEndpoints": [], + "status": "Unhandled", + "statusChangeTime": "2025-03-29T02:50:06.124100+00:00", + "time": "2025-03-29T02:50:06.124100+00:00", + "title": "Communication to a suspicious host", + "type": "System Policy Violation" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: statusChangeTime + from: 2 + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": null, + "prev": 1, + "results": [ + { + "activityUUIDs": ["6f3d6d3a-6732-44cc-9d63-10a38277fb15"], + "affectedDevicesCount": 1, + "alertId": 61, + "classification": "Security - Other", + "connectionIds": [], + "description": "The Armis security platform has detected a violation of a policy and generated an alert.", + "destinationEndpoints": [], + "deviceIds": [854], + "lastAlertUpdateTime": null, + "mitreAttackLabels": null, + "policyId": null, + "policyLabels": null, + "policyTitle": null, + "severity": "Critical", + "sourceEndpoints": [], + "status": "Unhandled", + "statusChangeTime": "2025-03-29T00:12:57.306928+00:00", + "time": "2025-03-29T00:12:57.306928+00:00", + "title": "[Risk] Device Susceptible to Ransomware", + "type": "System Policy Violation" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: statusChangeTime + from: null + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": 1, + "prev": 
null, + "results": [ + { + "activityUUIDs": [ + "ec44388f-9530-4ca3-9781-8029905776ef", + "0b0900f0-b118-4892-86a3-c06f42f848f3" + ], + "affectedDevicesCount": 2, + "alertId": 71, + "classification": "Security - Other", + "connectionIds": [], + "description": "The Armis security platform has detected a violation of a policy and generated an alert.", + "destinationEndpoints": [], + "deviceIds": [19, 469], + "lastAlertUpdateTime": null, + "mitreAttackLabels": null, + "policyId": null, + "policyLabels": null, + "policyTitle": null, + "severity": "Critical", + "sourceEndpoints": [], + "status": "Unhandled", + "statusChangeTime": "2025-04-02T09:40:44.016184+00:00", + "time": "2025-03-29T02:50:06.124100+00:00", + "title": "[Threat] Heavy Port Scan in Network", + "type": "System Policy Violation" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: lastSeen + from: 1 + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": 2, + "prev": 0, + "results": [ + { + "accessSwitch": null, + "boundaries": "Corporate", + "businessImpact": "Unassigned", + "category": "Imaging", + "customProperties": {}, + "dataSources": [ + { + "firstSeen": "2025-03-13T17:31:02.861100+00:00", + "instances": [], + "lastSeen": "2025-03-29T22:50:06.124100+00:00", + "name": "Knowledge Base", + "types": ["Traffic Inspection", "Data Analysis"] + }, + { + "firstSeen": "2022-10-26T01:02:15.030100+00:00", + "instances": [], + "lastSeen": "2022-10-26T18:45:42.030100+00:00", + "name": "SPAN/TAP", + "types": ["Switch"] + }, + { + "firstSeen": "2023-03-15T18:45:42.030100+00:00", + "instances": [], + "lastSeen": "2025-03-26T20:31:29.597100+00:00", + "name": "Traffic Inspection", + "types": ["Traffic Inspection", "Data Analysis"] + }, + { + "firstSeen": 
"2024-10-11T11:18:22.620093+00:00", + "instances": [], + "lastSeen": "2025-03-22T05:07:19.620093+00:00", + "name": "User", + "types": ["Data Upload"] + } + ], + "displayTitle": "display_title_Test", + "firstSeen": "2025-03-13T17:31:02.861100+00:00", + "id": 1177, + "ipAddress": "81.2.69.142", + "ipv6": [], + "lastSeen": "2025-03-29T22:50:06.124100+00:00", + "macAddress": "17:1C:1B:9B:D2:AA", + "manufacturer": "Test Manufacturer", + "model": "Test Model", + "name": "test-accc8ec36cf9", + "names": "test-accc8ec36cf9", + "operatingSystem": "Linux", + "operatingSystemVersion": "4.4.27", + "protections": [], + "purdueLevel": 4, + "riskLevel": 100, + "sensor": { + "name": "Test Enterprise", + "type": "Test Controller" + }, + "site": { "location": "Geneva", "name": "Geneva Enterprise" }, + "tags": [ + "Privileged" + ], + "type": "IP Cameras", + "typeEnum": "IP_CAMERA", + "userIds": [], + "visibility": "Full" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: lastSeen + from: 2 + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": null, + "prev": 1, + "results": [ + { + "accessSwitch": null, + "boundaries": "Corporate", + "businessImpact": "Unassigned", + "category": "Network Equipment", + "customProperties": {}, + "dataSources": [ + { + "firstSeen": "2024-10-09T05:09:02.988081+00:00", + "instances": [], + "lastSeen": "2025-03-29T10:43:55.988081+00:00", + "name": "Knowledge Base", + "types": ["Traffic Inspection", "Data Analysis"] + } + ], + "displayTitle": "Test", + "firstSeen": "2024-10-09T05:09:02.988081+00:00", + "id": 1154, + "ipAddress": "89.160.20.128", + "ipv6": [], + "lastSeen": "2025-03-29T10:43:55.988081+00:00", + "macAddress": "50:76:AF:D3:3F:AB", + "manufacturer": "Test Manufacturer", + "model": "Test Model", + 
"name": "Test Name", + "names": "Test Names", + "operatingSystem": "Windows", + "operatingSystemVersion": "Server 2016", + "protections": [], + "purdueLevel": 4, + "riskLevel": 10, + "sensor": { + "name": "test Enterprise", + "type": "test LAN Controller" + }, + "site": { "location": "Zurich", "name": "Zurich Enterprise" }, + "tags": [ + "Misconfigurations" + ], + "type": "Switches", + "typeEnum": "SWITCH", + "userIds": [], + "visibility": "Full" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: lastSeen + from: null + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": 1, + "prev": null, + "results": [ + { + "accessSwitch": "test Enterprise", + "boundaries": "Corporate", + "businessImpact": "Unassigned", + "category": "Computers", + "customProperties": {}, + "dataSources": [ + { + "firstSeen": "2024-12-09T12:01:57.101791+00:00", + "instances": [], + "lastSeen": "2025-03-28T19:04:01.132100+00:00", + "name": "Active Directory", + "types": ["Asset & System Management", "Identity Provider"] + }, + { + "firstSeen": "2025-03-18T10:48:01.124100+00:00", + "instances": [], + "lastSeen": "2025-03-29T22:50:07.124100+00:00", + "name": "Knowledge Base", + "types": ["Traffic Inspection", "Data Analysis"] + }, + { + "firstSeen": "2024-10-11T11:18:22.620093+00:00", + "instances": [], + "lastSeen": "2025-03-22T05:07:19.620093+00:00", + "name": "User", + "types": ["Data Upload"] + } + ], + "displayTitle": "test_display", + "firstSeen": "2025-03-21T16:59:58.360310+00:00", + "id": 1176, + "ipAddress": "67.43.156.0", + "ipv6": ["fe80::647b:ba0f:9628:6014"], + "lastSeen": "2025-03-29T22:50:07.124100+00:00", + "macAddress": "50:76:AF:D3:3F:AB", + "manufacturer": "test Manufacturer", + "model": "test model", + "name": "test_name", + 
"names": "test_names", + "operatingSystem": "Windows", + "operatingSystemVersion": "10", + "protections": [], + "purdueLevel": 4, + "riskLevel": 80, + "sensor": { + "name": "test Enterprise", + "type": "Access Switch" + }, + "site": { "location": "test", "name": "test Enterprise" }, + "tags": [ + "Corporate" + ], + "type": "Laptops", + "typeEnum": "LAPTOP", + "userIds": [4], + "visibility": "Full" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: lastDetected + from: 1 + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": 2, + "prev": 0, + "results": [ + { + "affectedDevicesCount": 13, + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "High", + "avmRating": null, + "avmRatingManualChangeReason": null, + "avmRatingManualChangedBy": "", + "avmRatingManualUpdateTime": null, + "botnets": null, + "cisaDueDate": null, + "commonName": null, + "confidentialityImpact": "High", + "cveUid": "CVE-2024-44146", + "cvssScore": 10, + "cvssScoreV4": null, + "description": "A logic issue was addressed with improved file handling.", + "epssPercentile": 0.31, + "epssScore": 0.00139, + "exploitabilityScore": 3.9, + "firstDetected": "2025-04-03T09:18:31.915543+00:00", + "firstReferencePublishDate": null, + "firstWeaponizedReferencePublishDate": null, + "hasRansomware": null, + "hasRemediationInfo": "No", + "id": "CVE-2024-44146", + "impactScore": 6, + "integrityImpact": "High", + "isWeaponized": null, + "lastDetected": "2025-04-03T10:38:59.372389+00:00", + "latestExploitUpdate": null, + "numOfExploits": 0, + "numberOfThreatActors": 0, + "privilegesRequired": "None", + "publishedDate": "2024-09-17T00:15:50.523000+00:00", + "reportedByGoogleZeroDays": null, + "scope": "Changed", + "score": 10, + "severity": 
"Critical", + "status": "Open", + "threatActors": null, + "threatTags": null, + "type": "OS", + "userInteraction": "None" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + orderBy: lastDetected + from: 2 + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": null, + "prev": 1, + "results": [ + { + "affectedDevicesCount": 7, + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "High", + "avmRating": null, + "avmRatingManualChangeReason": null, + "avmRatingManualChangedBy": "", + "avmRatingManualUpdateTime": null, + "botnets": null, + "cisaDueDate": null, + "commonName": null, + "confidentialityImpact": "High", + "cveUid": "CVE-2023-40455", + "cvssScore": 10, + "cvssScoreV4": null, + "description": "A permissions issue was addressed with additional restrictions.", + "epssPercentile": 0.57, + "epssScore": 0.00392, + "exploitabilityScore": 3.9, + "firstDetected": "2025-04-03T09:18:32.504555+00:00", + "firstReferencePublishDate": null, + "firstWeaponizedReferencePublishDate": null, + "hasRansomware": null, + "hasRemediationInfo": "No", + "id": "CVE-2023-40455", + "impactScore": 6, + "integrityImpact": "High", + "isWeaponized": null, + "lastDetected": "2025-04-03T13:08:51.667361+00:00", + "latestExploitUpdate": null, + "numOfExploits": 0, + "numberOfThreatActors": 0, + "privilegesRequired": "None", + "publishedDate": "2023-09-27T15:19:18.590000+00:00", + "reportedByGoogleZeroDays": null, + "scope": "Changed", + "score": 10, + "severity": "Critical", + "status": "Open", + "threatActors": null, + "threatTags": null, + "type": "OS", + "userInteraction": "None" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/search/ + methods: ['GET'] + query_params: + aql: "{aql:.*}" + length: 1 + 
orderBy: lastDetected + from: null + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "count": 1, + "next": 1, + "prev": null, + "results": [ + { + "affectedDevicesCount": 13, + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "High", + "avmRating": null, + "avmRatingManualChangeReason": null, + "avmRatingManualChangedBy": "", + "avmRatingManualUpdateTime": null, + "botnets": null, + "cisaDueDate": null, + "commonName": null, + "confidentialityImpact": "High", + "cveUid": "CVE-2024-44148", + "cvssScore": 10, + "cvssScoreV4": null, + "description": "This issue was addressed with improved validation of file attributes.", + "epssPercentile": 0.31, + "epssScore": 0.00139, + "exploitabilityScore": 3.9, + "firstDetected": "2025-04-03T09:18:31.915543+00:00", + "firstReferencePublishDate": null, + "firstWeaponizedReferencePublishDate": null, + "hasRansomware": null, + "hasRemediationInfo": "No", + "id": "CVE-2024-44148", + "impactScore": 6, + "integrityImpact": "High", + "isWeaponized": null, + "lastDetected": "2025-04-03T10:38:59.372389+00:00", + "latestExploitUpdate": null, + "numOfExploits": 0, + "numberOfThreatActors": 0, + "privilegesRequired": "None", + "publishedDate": "2024-09-17T00:15:50.617000+00:00", + "reportedByGoogleZeroDays": null, + "scope": "Changed", + "score": 10, + "severity": "Critical", + "status": "Open", + "threatActors": null, + "threatTags": null, + "type": "OS", + "userInteraction": "None" + } + ], + "total": 3 + }, + "success": true + } + `}} + - path: /api/v1/vulnerability-match/ + methods: ['GET'] + query_params: + length: "{length:.*}" + vulnerability_ids: CVE-2024-44148 + from: null + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "paging": { + "from": 0, + 
"length": 1, + "next": null, + "prev": null, + "to": 1, + "total": 1 + }, + "sample": [ + { + "advisoryId": null, + "avmRating": null, + "confidenceLevel": "High", + "confidenceLevelDescription": null, + "cveUid": "CVE-2024-44148", + "deviceId": 109, + "firstDetected": "2025-04-03T10:38:59.297015+00:00", + "hasRemediationInfo": "No", + "lastDetected": "2025-04-03T10:38:59.297015+00:00", + "matchCriteriaString": "OS", + "recommendedSteps": null, + "remediationTypes": null, + "status": "Open", + "statusChangeReason": null, + "statusSource": "Discovered by Armis" + } + ] + }, + "success": true + } + `}} + - path: /api/v1/vulnerability-match/ + methods: ['GET'] + query_params: + length: "{length:.*}" + vulnerability_ids: CVE-2024-44146 + from: null + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "paging": { + "from": 0, + "length": 1, + "next": null, + "prev": null, + "to": 1, + "total": 1 + }, + "sample": [ + { + "advisoryId": null, + "avmRating": null, + "confidenceLevel": "High", + "confidenceLevelDescription": null, + "cveUid": "CVE-2024-44146", + "deviceId": 109, + "firstDetected": "2025-04-03T10:38:59.297015+00:00", + "hasRemediationInfo": "No", + "lastDetected": "2025-04-03T10:38:59.297015+00:00", + "matchCriteriaString": "OS", + "recommendedSteps": null, + "remediationTypes": null, + "status": "Open", + "statusChangeReason": null, + "statusSource": "Discovered by Armis" + } + ] + }, + "success": true + } + `}} + - path: /api/v1/vulnerability-match/ + methods: ['GET'] + query_params: + length: "{length:.*}" + vulnerability_ids: CVE-2023-40455 + from: null + request_headers: + Authorization: + - "XXXX" + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "data": { + "paging": { + "from": 0, + "length": 1, + "next": null, + "prev": null, + "to": 1, + "total": 1 + }, + 
"sample": [ + { + "advisoryId": null, + "avmRating": null, + "confidenceLevel": "High", + "confidenceLevelDescription": null, + "cveUid": "CVE-2023-40455", + "deviceId": 109, + "firstDetected": "2025-04-03T10:38:59.297015+00:00", + "hasRemediationInfo": "No", + "lastDetected": "2025-04-03T10:38:59.297015+00:00", + "matchCriteriaString": "OS", + "recommendedSteps": null, + "remediationTypes": null, + "status": "Open", + "statusChangeReason": null, + "statusSource": "Discovered by Armis" + } + ] + }, + "success": true + } + `}} diff --git a/packages/armis/changelog.yml b/packages/armis/changelog.yml new file mode 100644 index 00000000000..ea2aa5e7929 --- /dev/null +++ b/packages/armis/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: 0.1.0 + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/13429 diff --git a/packages/armis/data_stream/alert/_dev/test/pipeline/test-alert.log b/packages/armis/data_stream/alert/_dev/test/pipeline/test-alert.log new file mode 100644 index 00000000000..3606461f226 --- /dev/null +++ b/packages/armis/data_stream/alert/_dev/test/pipeline/test-alert.log 
@@ -0,0 +1,2 @@ +{"activityUUIDs":["ec44388f-9530-4ca3-9781-8029905776ef","0b0900f0-b118-4892-86a3-c06f42f848f3"],"affectedDevicesCount":2,"alertId":71,"classification":"Security - Other","connectionIds":["conn-12345","conn-67890"],"description":"The Armis security platform has detected a violation of a policy and generated an alert.","destinationEndpoints":["device-abc","server-xyz"],"deviceIds":[19,469],"lastAlertUpdateTime":"2025-03-29T02:50:06.124100+00:00","mitreAttackLabels":"T1046 - Network Service Scanning","policyId":345,"policyLabels":["Network Anomaly Detection","Threat Detection"],"policyTitle":"Unusual Network Scanning Activity","severity":"Critical","sourceEndpoints":["laptop-001","iot-device-007"],"status":"Unhandled","statusChangeTime":"2025-03-29T02:50:06.124100+00:00","time":"2025-03-29T02:50:06.124100+00:00","title":"[Threat] Heavy Port Scan in Network","type":"System Policy Violation"} +{"activityUUIDs":["f63f0d20-5642-4631-a8a6-d8f8be63b1d4","2a76b04d-4470-4484-a3c6-6f2fbe96ba09","99a8bf84-dddb-437e-b53b-1d2eba754d24"],"affectedDevicesCount":1,"alertId":70,"classification":"Security - Other","connectionIds":["conn-98765"],"description":"Mitre Tactic: Command and Control. Compromised systems will attempt to establish communication with their C2 systems.","destinationEndpoints":["server-malicious","cloud-service-x"],"deviceIds":[534],"lastAlertUpdateTime":"2025-03-29T02:50:06.124100+00:00","mitreAttackLabels":"T1071 - Application Layer Protocol","policyId":678,"policyLabels":"C2 Communication Detection","policyTitle":"Suspicious Command and Control Communication","severity":"Critical","sourceEndpoints":["workstation-22"],"status":"Unhandled","statusChangeTime":"2025-03-29T02:50:06.124100+00:00","time":"2025-03-29T02:50:06.124100+00:00","title":"Communication to a suspicious host","type":"System Policy Violation"} 
diff --git a/packages/armis/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/armis/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json new file mode 100644 index 00000000000..cb71d61e840 --- /dev/null +++ b/packages/armis/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
@@ -0,0 +1,155 @@ +{ + "expected": [ + { + "@timestamp": "2025-03-29T02:50:06.124Z", + "armis": { + "alert": { + "activity_uuids": [ + "ec44388f-9530-4ca3-9781-8029905776ef", + "0b0900f0-b118-4892-86a3-c06f42f848f3" + ], + "affected_devices_count": 2, + "alert_id": "71", + "classification": "Security - Other", + "connection_ids": [ + "conn-12345", + "conn-67890" + ], + "description": "The Armis security platform has detected a violation of a policy and generated an alert.", + "destination_endpoints": [ + "device-abc", + "server-xyz" + ], + "device_ids": [ + "19", + "469" + ], + "friendly_name": "Unusual Network Scanning Activity", + "last_alert_update_time": "2025-03-29T02:50:06.124Z", + "mitre_attack_labels": "T1046 - Network Service Scanning", + "policy_id": "345", + "policy_labels": [ + "Network Anomaly Detection", + "Threat Detection" + ], + "policy_title": "Unusual Network Scanning Activity", + "severity": "Critical", + "source_endpoints": [ + "laptop-001", + "iot-device-007" + ], + "status": "Unhandled", + "status_change_time": "2025-03-29T02:50:06.124Z", + "time": "2025-03-29T02:50:06.124Z", + "title": "[Threat] Heavy Port Scan in Network", + "type": "System Policy Violation" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "id": "71", + "kind": "alert", + "original": "{\"activityUUIDs\":[\"ec44388f-9530-4ca3-9781-8029905776ef\",\"0b0900f0-b118-4892-86a3-c06f42f848f3\"],\"affectedDevicesCount\":2,\"alertId\":71,\"classification\":\"Security - Other\",\"connectionIds\":[\"conn-12345\",\"conn-67890\"],\"description\":\"The Armis security platform has detected a violation of a policy and generated an alert.\",\"destinationEndpoints\":[\"device-abc\",\"server-xyz\"],\"deviceIds\":[19,469],\"lastAlertUpdateTime\":\"2025-03-29T02:50:06.124100+00:00\",\"mitreAttackLabels\":\"T1046 - Network Service Scanning\",\"policyId\":345,\"policyLabels\":[\"Network Anomaly Detection\",\"Threat Detection\"],\"policyTitle\":\"Unusual Network Scanning 
Activity\",\"severity\":\"Critical\",\"sourceEndpoints\":[\"laptop-001\",\"iot-device-007\"],\"status\":\"Unhandled\",\"statusChangeTime\":\"2025-03-29T02:50:06.124100+00:00\",\"time\":\"2025-03-29T02:50:06.124100+00:00\",\"title\":\"[Threat] Heavy Port Scan in Network\",\"type\":\"System Policy Violation\"}", + "severity": 99 + }, + "host": { + "id": [ + "19", + "469" + ] + }, + "message": "The Armis security platform has detected a violation of a policy and generated an alert.", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "19", + "469" + ] + }, + "rule": { + "id": "345", + "name": "Unusual Network Scanning Activity" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-03-29T02:50:06.124Z", + "armis": { + "alert": { + "activity_uuids": [ + "f63f0d20-5642-4631-a8a6-d8f8be63b1d4", + "2a76b04d-4470-4484-a3c6-6f2fbe96ba09", + "99a8bf84-dddb-437e-b53b-1d2eba754d24" + ], + "affected_devices_count": 1, + "alert_id": "70", + "classification": "Security - Other", + "connection_ids": [ + "conn-98765" + ], + "description": "Mitre Tactic: Command and Control. 
Compromised systems will attempt to establish communication with their C2 systems.", + "destination_endpoints": [ + "server-malicious", + "cloud-service-x" + ], + "device_ids": [ + "534" + ], + "friendly_name": "Suspicious Command and Control Communication", + "last_alert_update_time": "2025-03-29T02:50:06.124Z", + "mitre_attack_labels": "T1071 - Application Layer Protocol", + "policy_id": "678", + "policy_labels": "C2 Communication Detection", + "policy_title": "Suspicious Command and Control Communication", + "severity": "Critical", + "source_endpoints": [ + "workstation-22" + ], + "status": "Unhandled", + "status_change_time": "2025-03-29T02:50:06.124Z", + "time": "2025-03-29T02:50:06.124Z", + "title": "Communication to a suspicious host", + "type": "System Policy Violation" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "id": "70", + "kind": "alert", + "original": "{\"activityUUIDs\":[\"f63f0d20-5642-4631-a8a6-d8f8be63b1d4\",\"2a76b04d-4470-4484-a3c6-6f2fbe96ba09\",\"99a8bf84-dddb-437e-b53b-1d2eba754d24\"],\"affectedDevicesCount\":1,\"alertId\":70,\"classification\":\"Security - Other\",\"connectionIds\":[\"conn-98765\"],\"description\":\"Mitre Tactic: Command and Control. 
Compromised systems will attempt to establish communication with their C2 systems.\",\"destinationEndpoints\":[\"server-malicious\",\"cloud-service-x\"],\"deviceIds\":[534],\"lastAlertUpdateTime\":\"2025-03-29T02:50:06.124100+00:00\",\"mitreAttackLabels\":\"T1071 - Application Layer Protocol\",\"policyId\":678,\"policyLabels\":\"C2 Communication Detection\",\"policyTitle\":\"Suspicious Command and Control Communication\",\"severity\":\"Critical\",\"sourceEndpoints\":[\"workstation-22\"],\"status\":\"Unhandled\",\"statusChangeTime\":\"2025-03-29T02:50:06.124100+00:00\",\"time\":\"2025-03-29T02:50:06.124100+00:00\",\"title\":\"Communication to a suspicious host\",\"type\":\"System Policy Violation\"}", + "severity": 99 + }, + "host": { + "id": [ + "534" + ] + }, + "message": "Mitre Tactic: Command and Control. Compromised systems will attempt to establish communication with their C2 systems.", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "534" + ] + }, + "rule": { + "id": "678", + "name": "Suspicious Command and Control Communication" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + } + ] +} diff --git a/packages/armis/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/packages/armis/data_stream/alert/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/armis/data_stream/alert/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/armis/data_stream/alert/_dev/test/system/test-default-config.yml b/packages/armis/data_stream/alert/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c52472f5121 --- /dev/null +++ b/packages/armis/data_stream/alert/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,14 @@ +input: cel +service: armis +vars: + url: http://{{Hostname}}:{{Port}} + secret_key: xxxx +data_stream: + vars: + interval: 5m + initial_interval: 24h + page_size: 1 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 3 diff --git a/packages/armis/data_stream/alert/agent/stream/cel.yml.hbs b/packages/armis/data_stream/alert/agent/stream/cel.yml.hbs new file mode 100755 index 00000000000..c7a156b33ee --- /dev/null +++ b/packages/armis/data_stream/alert/agent/stream/cel.yml.hbs 
@@ -0,0 +1,146 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + initial_interval: {{initial_interval}} + page_size: {{page_size}} + secret_key: {{secret_key}} +redact: + fields: + - secret_key + - access_token +program: | + ( + state.?is_token_valid.orValue(false) ? + state + : + state.with( + post_request( + state.url.trim_right("/") + "/api/v1/access_token/", "application/json", { + "secret_key": state.secret_key + }.encode_json() + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "access_token": body.data.access_token, + "is_token_valid": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST: "+ state.url.trim_right("/") + "/api/v1/access_token/" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "is_token_valid": false, + "want_more": false + } + ) + ) + ).as(state, + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006-01-02T15:04:05")), + }) + ).as(state, + !state.?is_token_valid.orValue(false) ? + state + : + state.with( + request( + "GET", + state.url.trim_right("/") + "/api/v1/search/?" + { + "length": [string(state.page_size)], + "orderBy": ["statusChangeTime"], + "aql": ["in:alerts statusChangeTime:" + '"' + string((now - state.start_time.parse_time("2006-01-02T15:04:05")).getSeconds()) + " Seconds" + '"'], + ?"from": has(state.offset) && state.offset != null ? 
optional.of([string(state.offset)]) : optional.none(), + }.format_query() + ).with({ + "Header":{ + "Authorization": [state.access_token], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events" : body.?data.results.orValue([]).map(e, + { + "message": e.encode_json() + } + ), + "is_token_valid": true, + "offset":body.?data.next.orValue(null), + "cursor": { + ?"last_timestamp": (has(body.?data.results) && size(body.data.results) > 0) ? + optional.of(body.data.results.map(e, e.time).map(t, timestamp(t)).max().format("2006-01-02T15:04:05")) + : + state.?cursor.last_timestamp, + }, + "want_more": body.data.next != null, + }) + : + resp.StatusCode == 401 ? + // Armis doesn't support multiple sessions per token; generate a new token on 401 (expired). + { + "events": [{"message":"retry"}], + "is_token_valid": false, + "offset": has(state.offset) && state.offset != null ? state.offset : 0, + "want_more": true, + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: "+ state.url.trim_right("/") + "/api/v1/search/?aql=in:alerts" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "is_token_valid": false, + "offset": 0, + "want_more": false, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/armis/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/armis/data_stream/alert/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 00000000000..84ea5095540 --- /dev/null 
+++ b/packages/armis/data_stream/alert/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,329 @@ +--- +description: Pipeline for processing alert logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - drop: + if: ctx.message == 'retry' + tag: drop_retry_events + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + fields: + - json.time + - json.alertId + tag: fingerprint_alert + target_field: _id + ignore_missing: true + - set: + field: event.kind + tag: set_event_kind_to_alert + value: alert + - set: + field: observer.vendor + tag: set_observer_vendor + value: Armis + - set: + field: observer.product + tag: set_observer_product + value: Asset Management and Security + - rename: + field: json.activityUUIDs + tag: rename_activityUUIDs + target_field: armis.alert.activity_uuids + ignore_missing: true + - convert: + field: json.affectedDevicesCount + tag: convert_affectedDevicesCount_to_long + target_field: armis.alert.affected_devices_count 
+ type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.alertId + tag: convert_alertId_to_string + target_field: armis.alert.alert_id + type: string + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_alert_alert_id + copy_from: armis.alert.alert_id + ignore_empty_value: true + - rename: + field: json.classification + tag: rename_classification + target_field: armis.alert.classification + ignore_missing: true + - rename: + field: json.connectionIds + tag: rename_connectionIds + target_field: armis.alert.connection_ids + ignore_missing: true + - rename: + field: json.description + tag: rename_description + target_field: armis.alert.description + ignore_missing: true + - set: + field: message + tag: set_message_from_alert_description + copy_from: armis.alert.description + ignore_empty_value: true + - rename: + field: json.destinationEndpoints + tag: rename_destinationEndpoints + target_field: armis.alert.destination_endpoints + ignore_missing: true + - convert: + field: json.deviceIds + tag: convert_deviceIds_to_string + target_field: armis.alert.device_ids + type: string + ignore_missing: true + - foreach: + field: armis.alert.device_ids + tag: foreach_deviceIds + if: ctx.armis?.alert?.device_ids instanceof List + processor: + append: + field: host.id + tag: append_deviceIds_into_host_id + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: armis.alert.device_ids + tag: foreach_deviceIds + if: ctx.armis?.alert?.device_ids instanceof List + processor: + append: + field: related.hosts + tag: append_deviceIds_into_related_hosts + value: '{{{_ingest._value}}}' + allow_duplicates: false + - date: + field: json.lastAlertUpdateTime + tag: date_lastAlertUpdateTime + 
target_field: armis.alert.last_alert_update_time + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.lastAlertUpdateTime != null && ctx.json.lastAlertUpdateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.mitreAttackLabels + tag: rename_mitreAttackLabels + target_field: armis.alert.mitre_attack_labels + ignore_missing: true + - append: + field: threat.technique.name + tag: append_mitre_attack_labels_into_threat_technique_name + value: '{{{armis.alert.mitre_attack_labels}}}' + allow_duplicates: false + if: ctx.armis?.alert?.mitre_attack_labels instanceof List + - convert: + field: json.policyId + tag: convert_policyId_to_string + target_field: armis.alert.policy_id + type: string + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id_from_alert_policy_id + copy_from: armis.alert.policy_id + ignore_empty_value: true + - rename: + field: json.policyLabels + tag: rename_policyLabels + target_field: armis.alert.policy_labels + ignore_missing: true + - rename: + field: json.policyTitle + tag: rename_policyTitle + target_field: armis.alert.policy_title + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name_from_alert_policy_title + copy_from: armis.alert.policy_title + ignore_empty_value: true + - set: + field: armis.alert.friendly_name + tag: set_armis_alert_friendly_name_from_alert_policy_title + copy_from: armis.alert.policy_title + ignore_empty_value: true + - rename: + field: json.severity + tag: rename_severity + target_field: armis.alert.severity + ignore_missing: true + - script: + lang: painless + description: Script to set event.severity. 
+ tag: set_event_severity + if: ctx.armis?.alert?.severity instanceof String + source: |- + String severity = ctx.armis.alert.severity; + if (severity.equalsIgnoreCase("low")) { + ctx.event.severity = 21; + } else if (severity.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (severity.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (severity.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.sourceEndpoints + tag: rename_sourceEndpoints + target_field: armis.alert.source_endpoints + ignore_missing: true + - rename: + field: json.status + tag: rename_status + target_field: armis.alert.status + ignore_missing: true + - date: + field: json.statusChangeTime + tag: date_statusChangeTime + target_field: armis.alert.status_change_time + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.statusChangeTime != null && ctx.json.statusChangeTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_status_change_time + copy_from: armis.alert.status_change_time + ignore_empty_value: true + - date: + field: json.time + tag: date_time + target_field: armis.alert.time + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.time != null && ctx.json.time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.title + tag: rename_title + target_field: armis.alert.title + ignore_missing: true + - rename: + field: json.type + tag: rename_type + target_field: armis.alert.type + ignore_missing: true + - remove: + field: + - armis.alert.alert_id + - armis.alert.device_ids + - armis.alert.description + - armis.alert.policy_id + - armis.alert.policy_title + - armis.alert.status_change_time + - armis.alert.mitre_attack_labels + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + 
{{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/armis/data_stream/alert/fields/base-fields.yml b/packages/armis/data_stream/alert/fields/base-fields.yml new file mode 100644 index 00000000000..3b3e2e07c40 --- /dev/null +++ b/packages/armis/data_stream/alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: armis +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: armis.alert +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/armis/data_stream/alert/fields/beats.yml b/packages/armis/data_stream/alert/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/armis/data_stream/alert/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/armis/data_stream/alert/fields/fields.yml b/packages/armis/data_stream/alert/fields/fields.yml new file mode 100644 index 00000000000..d97fa17bbfd --- /dev/null +++ b/packages/armis/data_stream/alert/fields/fields.yml 
@@ -0,0 +1,48 @@ +- name: armis + type: group + fields: + - name: alert + type: group + fields: + - name: activity_uuids + type: keyword + - name: affected_devices_count + type: long + - name: alert_id + type: keyword + - name: classification + type: keyword + - name: connection_ids + type: keyword + - name: description + type: keyword + - name: destination_endpoints + type: keyword + - name: device_ids + type: keyword + - name: friendly_name + type: keyword + - name: last_alert_update_time + type: date + - name: mitre_attack_labels + type: keyword + - name: policy_id + type: keyword + - name: policy_labels + type: keyword + - name: policy_title + type: keyword + - name: severity + type: keyword + - name: source_endpoints + type: keyword + - name: status + type: keyword + - name: status_change_time + type: date + - name: time + type: date + - name: title + type: keyword + - name: type + type: keyword diff --git a/packages/armis/data_stream/alert/manifest.yml b/packages/armis/data_stream/alert/manifest.yml new file mode 100644 index 00000000000..194ce389679 --- /dev/null +++ b/packages/armis/data_stream/alert/manifest.yml 
@@ -0,0 +1,79 @@ +title: Alert +type: logs +streams: + - input: cel + title: Alert Logs + description: Collecting Alert logs via API. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the Alert logs from Armis API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Armis API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: page_size + type: text + title: Page Size + multi: false + required: true + show_user: false + description: Page size for the response of the Armis API. + default: 2000 + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - armis-alert + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve armis.alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/armis/data_stream/alert/sample_event.json b/packages/armis/data_stream/alert/sample_event.json new file mode 100644 index 00000000000..c9214b5c3ee --- /dev/null +++ b/packages/armis/data_stream/alert/sample_event.json 
@@ -0,0 +1,76 @@ +{ + "@timestamp": "2025-03-29T00:12:57.306Z", + "agent": { + "ephemeral_id": "1fff435b-9a03-41de-9746-3d507c0467bb", + "id": "f5180424-1abc-450a-b868-5e1d827954a5", + "name": "elastic-agent-93160", + "type": "filebeat", + "version": "8.18.0" + }, + "armis": { + "alert": { + "activity_uuids": [ + "6f3d6d3a-6732-44cc-9d63-10a38277fb15" + ], + "affected_devices_count": 1, + "alert_id": "61", + "classification": "Security - Other", + "description": "The Armis security platform has detected a violation of a policy and generated an alert.", + "device_ids": [ + "854" + ], + "severity": "Critical", + "status": "Unhandled", + "status_change_time": "2025-03-29T00:12:57.306Z", + "time": "2025-03-29T00:12:57.306Z", + "title": "[Risk] Device Susceptible to Ransomware", + "type": "System Policy Violation" + } + }, + "data_stream": { + "dataset": "armis.alert", + "namespace": "39244", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "f5180424-1abc-450a-b868-5e1d827954a5", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "armis.alert", + "id": "61", + "ingested": "2025-05-12T05:22:20Z", + "kind": "alert", + "original": "{\"activityUUIDs\":[\"6f3d6d3a-6732-44cc-9d63-10a38277fb15\"],\"affectedDevicesCount\":1,\"alertId\":61,\"classification\":\"Security - Other\",\"connectionIds\":[],\"description\":\"The Armis security platform has detected a violation of a policy and generated an alert.\",\"destinationEndpoints\":[],\"deviceIds\":[854],\"lastAlertUpdateTime\":null,\"mitreAttackLabels\":null,\"policyId\":null,\"policyLabels\":null,\"policyTitle\":null,\"severity\":\"Critical\",\"sourceEndpoints\":[],\"status\":\"Unhandled\",\"statusChangeTime\":\"2025-03-29T00:12:57.306928+00:00\",\"time\":\"2025-03-29T00:12:57.306928+00:00\",\"title\":\"[Risk] Device Susceptible to Ransomware\",\"type\":\"System Policy Violation\"}", + "severity": 99 + }, + "host": { + "id": [ + 
"854" + ] + }, + "input": { + "type": "cel" + }, + "message": "The Armis security platform has detected a violation of a policy and generated an alert.", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "854" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "armis-alert" + ] +} diff --git a/packages/armis/data_stream/device/_dev/test/pipeline/test-common-config.yml b/packages/armis/data_stream/device/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/armis/data_stream/device/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/armis/data_stream/device/_dev/test/pipeline/test-device.log b/packages/armis/data_stream/device/_dev/test/pipeline/test-device.log new file mode 100644 index 00000000000..364c8871b9d --- /dev/null +++ b/packages/armis/data_stream/device/_dev/test/pipeline/test-device.log 
@@ -0,0 +1,2 @@ +{"accessSwitch":"test Enterprise","boundaries":"Corporate, Guest","businessImpact":"Unassigned","category":"Computers","customProperties":{},"dataSources":[{"firstSeen":"2024-09-13T18:16:00.620093+00:00","instances":[{"firstSeen":"2024-09-13T18:16:00.620093+00:00","lastSeen":"2024-12-07T13:53:32.184177+00:00","name":"test"}],"lastSeen":"2024-12-07T13:53:32.184177+00:00","name":"test","types":["Vulnerability Management"]}],"displayTitle":"49f9ef97_1b8","firstSeen":"2024-09-11T01:13:13.620093+00:00","id":469,"ipAddress":"175.16.199.0","ipv6":["::ffff:175.16.199.0"],"lastSeen":"2025-03-29T02:02:09.124100+00:00","macAddress":"46:A7:4B:5D:B0:76","manufacturer":"test","model":"test","name":"49f9ef97_1b8","names":"49f9ef97_1b8","operatingSystem":"Windows","operatingSystemVersion":"Server 2016 Standard","protections":[{"creationTime":"Tue, 18 Feb 2025 00:29:19 GMT","deviceId":469,"lastSeenTime":"Tue, 18 Feb 2025 00:29:19 GMT","protectionName":"test"}],"purdueLevel":4,"riskLevel":80,"sensor":{"name":"test","type":"test Controller"},"site":{"location":"Geneva","name":"Geneva Enterprise"},"tags":["Misconfigurations"],"type":"Servers","typeEnum":"SERVER","userIds":[5],"visibility":"Full"} +{"accessSwitch":"test Enterprise","boundaries":"Corporate","businessImpact":"Unassigned","category":"Computers","customProperties":{},"dataSources":[{"firstSeen":"2024-11-09T17:03:12.124100+00:00","instances":[{"firstSeen":"2024-11-09T17:03:12.124100+00:00","lastSeen":"2025-03-29T03:50:06.124100+00:00","name":"test Enforcement"}],"lastSeen":"2025-03-29T03:50:06.124100+00:00","name":"test","types":["Vulnerability Management"]}],"displayTitle":"000000731194pc.corporate.acme.com","firstSeen":"2025-03-21T16:59:58.360310+00:00","id":1176,"ipAddress":"216.160.83.56","ipv6":["::ffff:216.160.83.56"],"lastSeen":"2025-03-29T22:50:07.124100+00:00","macAddress":"50:76:AF:D3:3F:AB","manufacturer":"test manufacturer","model":"test model","name":"test name","names":"test 
names","operatingSystem":"Windows","operatingSystemVersion":"10","protections":[{"creationTime":"Tue, 18 Feb 2025 00:29:19 GMT","deviceId":260,"lastSeenTime":"Tue, 18 Feb 2025 00:29:19 GMT","protectionName":"test"}],"purdueLevel":4,"riskLevel":80,"sensor":{"name":"test Enterprise","type":"Access Switch"},"site":{"location":"Test","name":"Test Enterprise"},"tags":["Critical Vulnerabilities"],"type":"Laptops","typeEnum":"LAPTOP","userIds":[4],"visibility":"Full"} diff --git a/packages/armis/data_stream/device/_dev/test/pipeline/test-device.log-expected.json b/packages/armis/data_stream/device/_dev/test/pipeline/test-device.log-expected.json new file mode 100644 index 00000000000..8a6c04fbc48 --- /dev/null +++ b/packages/armis/data_stream/device/_dev/test/pipeline/test-device.log-expected.json 
@@ -0,0 +1,284 @@ +{ + "expected": [ + { + "@timestamp": "2025-03-29T02:02:09.124Z", + "armis": { + "device": { + "access_switch": "test Enterprise", + "boundaries": "Corporate, Guest", + "business_impact": "Unassigned", + "category": "Computers", + "data_sources": [ + { + "first_seen": "2024-09-13T18:16:00.620Z", + "instances": [ + { + "first_seen": "2024-09-13T18:16:00.620Z", + "last_seen": "2024-12-07T13:53:32.184Z", + "name": "test" + } + ], + "last_seen": "2024-12-07T13:53:32.184Z", + "name": "test", + "types": [ + "Vulnerability Management" + ] + } + ], + "display_title": "49f9ef97_1b8", + "first_seen": "2024-09-11T01:13:13.620Z", + "id": "469", + "ip_address": [ + "175.16.199.0" + ], + "ip_v6": [ + "::ffff:175.16.199.0" + ], + "last_seen": "2025-03-29T02:02:09.124Z", + "mac_address": [ + "46:A7:4B:5D:B0:76" + ], + "manufacturer": "test", + "model": "test", + "name": "49f9ef97_1b8", + "names": [ + "49f9ef97_1b8" + ], + "operating_system": "Windows", + "operating_system_version": "Server 2016 Standard", + "protections": [ + { + "creation_time": "2025-02-18T00:29:19.000Z", + "device_id": "469", + "last_seen_time": "2025-02-18T00:29:19.000Z", + "protection_name": "test" + } + ], + "purdue_level": 4.0, + "risk_level": 80, + "sensor": { + "name": "test", + "type": "test Controller" + }, + "site": { + "location": "Geneva", + "name": "Geneva Enterprise" + }, + "tags": [ + "Misconfigurations" + ], + "type": "Servers", + "type_enum": "SERVER", + "user_ids": [ + "5" + ], + "visibility": "Full" + } + }, + "device": { + "manufacturer": "test", + "model": { + "name": "test" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": "{\"accessSwitch\":\"test Enterprise\",\"boundaries\":\"Corporate, 
Guest\",\"businessImpact\":\"Unassigned\",\"category\":\"Computers\",\"customProperties\":{},\"dataSources\":[{\"firstSeen\":\"2024-09-13T18:16:00.620093+00:00\",\"instances\":[{\"firstSeen\":\"2024-09-13T18:16:00.620093+00:00\",\"lastSeen\":\"2024-12-07T13:53:32.184177+00:00\",\"name\":\"test\"}],\"lastSeen\":\"2024-12-07T13:53:32.184177+00:00\",\"name\":\"test\",\"types\":[\"Vulnerability Management\"]}],\"displayTitle\":\"49f9ef97_1b8\",\"firstSeen\":\"2024-09-11T01:13:13.620093+00:00\",\"id\":469,\"ipAddress\":\"175.16.199.0\",\"ipv6\":[\"::ffff:175.16.199.0\"],\"lastSeen\":\"2025-03-29T02:02:09.124100+00:00\",\"macAddress\":\"46:A7:4B:5D:B0:76\",\"manufacturer\":\"test\",\"model\":\"test\",\"name\":\"49f9ef97_1b8\",\"names\":\"49f9ef97_1b8\",\"operatingSystem\":\"Windows\",\"operatingSystemVersion\":\"Server 2016 Standard\",\"protections\":[{\"creationTime\":\"Tue, 18 Feb 2025 00:29:19 GMT\",\"deviceId\":469,\"lastSeenTime\":\"Tue, 18 Feb 2025 00:29:19 GMT\",\"protectionName\":\"test\"}],\"purdueLevel\":4,\"riskLevel\":80,\"sensor\":{\"name\":\"test\",\"type\":\"test Controller\"},\"site\":{\"location\":\"Geneva\",\"name\":\"Geneva Enterprise\"},\"tags\":[\"Misconfigurations\"],\"type\":\"Servers\",\"typeEnum\":\"SERVER\",\"userIds\":[5],\"visibility\":\"Full\"}", + "start": "2024-09-11T01:13:13.620Z", + "type": [ + "info" + ] + }, + "host": { + "id": "469", + "ip": [ + "175.16.199.0" + ], + "mac": [ + "46-A7-4B-5D-B0-76" + ], + "name": [ + "49f9ef97_1b8" + ], + "os": { + "family": "windows", + "version": "Server 2016 Standard" + }, + "risk": { + "static_score": 80.0 + }, + "type": "Computers" + }, + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "49f9ef97_1b8" + ], + "ip": [ + "175.16.199.0", + "::ffff:175.16.199.0" + ], + "user": [ + "5" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "5" + ] + } + }, + { + "@timestamp": "2025-03-29T22:50:07.124Z", + 
"armis": { + "device": { + "access_switch": "test Enterprise", + "boundaries": "Corporate", + "business_impact": "Unassigned", + "category": "Computers", + "data_sources": [ + { + "first_seen": "2024-11-09T17:03:12.124Z", + "instances": [ + { + "first_seen": "2024-11-09T17:03:12.124Z", + "last_seen": "2025-03-29T03:50:06.124Z", + "name": "test Enforcement" + } + ], + "last_seen": "2025-03-29T03:50:06.124Z", + "name": "test", + "types": [ + "Vulnerability Management" + ] + } + ], + "display_title": "000000731194pc.corporate.acme.com", + "first_seen": "2025-03-21T16:59:58.360Z", + "id": "1176", + "ip_address": [ + "216.160.83.56" + ], + "ip_v6": [ + "::ffff:216.160.83.56" + ], + "last_seen": "2025-03-29T22:50:07.124Z", + "mac_address": [ + "50:76:AF:D3:3F:AB" + ], + "manufacturer": "test manufacturer", + "model": "test model", + "name": "test name", + "names": [ + "test names" + ], + "operating_system": "Windows", + "operating_system_version": "10", + "protections": [ + { + "creation_time": "2025-02-18T00:29:19.000Z", + "device_id": "260", + "last_seen_time": "2025-02-18T00:29:19.000Z", + "protection_name": "test" + } + ], + "purdue_level": 4.0, + "risk_level": 80, + "sensor": { + "name": "test Enterprise", + "type": "Access Switch" + }, + "site": { + "location": "Test", + "name": "Test Enterprise" + }, + "tags": [ + "Critical Vulnerabilities" + ], + "type": "Laptops", + "type_enum": "LAPTOP", + "user_ids": [ + "4" + ], + "visibility": "Full" + } + }, + "device": { + "manufacturer": "test manufacturer", + "model": { + "name": "test model" + } + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": "{\"accessSwitch\":\"test 
Enterprise\",\"boundaries\":\"Corporate\",\"businessImpact\":\"Unassigned\",\"category\":\"Computers\",\"customProperties\":{},\"dataSources\":[{\"firstSeen\":\"2024-11-09T17:03:12.124100+00:00\",\"instances\":[{\"firstSeen\":\"2024-11-09T17:03:12.124100+00:00\",\"lastSeen\":\"2025-03-29T03:50:06.124100+00:00\",\"name\":\"test Enforcement\"}],\"lastSeen\":\"2025-03-29T03:50:06.124100+00:00\",\"name\":\"test\",\"types\":[\"Vulnerability Management\"]}],\"displayTitle\":\"000000731194pc.corporate.acme.com\",\"firstSeen\":\"2025-03-21T16:59:58.360310+00:00\",\"id\":1176,\"ipAddress\":\"216.160.83.56\",\"ipv6\":[\"::ffff:216.160.83.56\"],\"lastSeen\":\"2025-03-29T22:50:07.124100+00:00\",\"macAddress\":\"50:76:AF:D3:3F:AB\",\"manufacturer\":\"test manufacturer\",\"model\":\"test model\",\"name\":\"test name\",\"names\":\"test names\",\"operatingSystem\":\"Windows\",\"operatingSystemVersion\":\"10\",\"protections\":[{\"creationTime\":\"Tue, 18 Feb 2025 00:29:19 GMT\",\"deviceId\":260,\"lastSeenTime\":\"Tue, 18 Feb 2025 00:29:19 GMT\",\"protectionName\":\"test\"}],\"purdueLevel\":4,\"riskLevel\":80,\"sensor\":{\"name\":\"test Enterprise\",\"type\":\"Access Switch\"},\"site\":{\"location\":\"Test\",\"name\":\"Test Enterprise\"},\"tags\":[\"Critical Vulnerabilities\"],\"type\":\"Laptops\",\"typeEnum\":\"LAPTOP\",\"userIds\":[4],\"visibility\":\"Full\"}", + "start": "2025-03-21T16:59:58.360Z", + "type": [ + "info" + ] + }, + "host": { + "id": "1176", + "ip": [ + "216.160.83.56" + ], + "mac": [ + "50-76-AF-D3-3F-AB" + ], + "name": [ + "test names" + ], + "os": { + "family": "windows", + "version": "10" + }, + "risk": { + "static_score": 80.0 + }, + "type": "Computers" + }, + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "test names" + ], + "ip": [ + "216.160.83.56", + "::ffff:216.160.83.56" + ], + "user": [ + "4" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "4" + ] + 
} + } + ] +} diff --git a/packages/armis/data_stream/device/_dev/test/system/test-default-config.yml b/packages/armis/data_stream/device/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c52472f5121 --- /dev/null +++ b/packages/armis/data_stream/device/_dev/test/system/test-default-config.yml @@ -0,0 +1,14 @@ +input: cel +service: armis +vars: + url: http://{{Hostname}}:{{Port}} + secret_key: xxxx +data_stream: + vars: + interval: 5m + initial_interval: 24h + page_size: 1 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 3 diff --git a/packages/armis/data_stream/device/agent/stream/cel.yml.hbs b/packages/armis/data_stream/device/agent/stream/cel.yml.hbs new file mode 100755 index 00000000000..c1741588580 --- /dev/null +++ b/packages/armis/data_stream/device/agent/stream/cel.yml.hbs 
@@ -0,0 +1,146 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + initial_interval: {{initial_interval}} + page_size: {{page_size}} + secret_key: {{secret_key}} +redact: + fields: + - secret_key + - access_token +program: | + ( + state.?is_token_valid.orValue(false) ? + state + : + state.with( + post_request( + state.url.trim_right("/") + "/api/v1/access_token/", "application/json", { + "secret_key": state.secret_key + }.encode_json() + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "access_token": body.data.access_token, + "is_token_valid": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST: "+ state.url.trim_right("/") + "/api/v1/access_token/" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "is_token_valid": false, + "want_more": false + } + ) + ) + ).as(state, + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006-01-02T15:04:05")), + }) + ).as(state, + !state.?is_token_valid.orValue(false) ? + state + : + state.with( + request( + "GET", + state.url.trim_right("/") + "/api/v1/search/?" + { + "length": [string(state.page_size)], + "orderBy": ["lastSeen"], + ?"from": has(state.offset) && state.offset != null ? 
optional.of([string(state.offset)]) : optional.none(), + "aql": ["in:devices " + "after:" + state.start_time] + }.format_query() + ).with({ + "Header":{ + "Authorization": [state.access_token], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events" : body.?data.results.orValue([]).map(e, + { + "message": e.encode_json() + } + ), + "is_token_valid": true, + "offset":body.?data.next.orValue(null), + "cursor": { + ?"last_timestamp": (has(body.?data.results) && size(body.data.results) > 0) ? + optional.of(body.data.results.map(e, e.lastSeen).map(t, timestamp(t)).max().format("2006-01-02T15:04:05")) + : + state.?cursor.last_timestamp, + }, + "want_more": body.data.next != null, + }) + : + resp.StatusCode == 401 ? + // Armis doesn't support multiple sessions per token; generate a new token on 401 (expired). + { + "events": [{"message":"retry"}], + "is_token_valid": false, + "offset": has(state.offset) && state.offset != null ? state.offset : 0, + "want_more": true, + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: "+ state.url.trim_right("/") + "/api/v1/search/?aql=in:devices" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "is_token_valid": false, + "offset": 0, + "want_more": false, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/armis/data_stream/device/elasticsearch/ingest_pipeline/default.yml b/packages/armis/data_stream/device/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..93fa6c5efeb 
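Review bot: in the `cursor.last_timestamp` / `start_time` handling of this program, `format("2006-01-02T15:04:05")` drops the zone designator, so the `after:` clause sent in the `aql` parameter relies on the Armis side reading a bare timestamp as UTC; either confirm that or format with an explicit offset so a cursor derived from `lastSeen` values carrying `+00:00` cannot shift the collection window. Since the window is `after:` the maximum `lastSeen` returned, devices at exactly that timestamp may be returned again on the next poll depending on whether `after:` is exclusive; a comment here noting that the pipeline's `fingerprint` on `json.lastSeen` and `json.id` is what deduplicates them would help future maintainers. Minor: the token-failure branch emits `"events": { "error": ... }` as a single object while the 401 branch emits a list (`[{"message":"retry"}]`); use the list form in both error branches for consistency.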
--- /dev/null +++ b/packages/armis/data_stream/device/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,707 @@ +--- +description: Pipeline for processing Device logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - drop: + if: ctx.message == 'retry' + tag: drop_retry_events + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + fields: + - json.lastSeen + - json.id + tag: fingerprint_device + target_field: _id + ignore_missing: true + - set: + field: event.kind + tag: set_event_kind_to_event + value: event + - append: + field: event.type + tag: append_event_type + value: info + - append: + field: event.category + tag: append_event_category + value: host + - set: + field: observer.vendor + tag: set_observer_vendor + value: Armis + - set: + field: observer.product + tag: set_observer_product + value: Asset Management and Security + - rename: + field: json.accessSwitch + tag: rename_accessSwitch + target_field: armis.device.access_switch + ignore_missing: 
true + - rename: + field: json.boundaries + tag: rename_boundaries + target_field: armis.device.boundaries + ignore_missing: true + - rename: + field: json.businessImpact + tag: rename_businessImpact + target_field: armis.device.business_impact + ignore_missing: true + - rename: + field: json.category + tag: rename_category + target_field: armis.device.category + ignore_missing: true + - set: + field: host.type + tag: set_event_start_from_device_first_seen + copy_from: armis.device.category + ignore_empty_value: true + - rename: + field: json.customProperties + tag: rename_customProperties + target_field: armis.device.custom_properties + ignore_missing: true + - foreach: + field: json.dataSources + tag: foreach_dataSources + if: ctx.json?.dataSources instanceof List + processor: + date: + field: _ingest._value.firstSeen + tag: date_dataSources_firstSeen + target_field: _ingest._value.first_seen + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + on_failure: + - remove: + field: _ingest._value.firstSeen + ignore_missing: true + - foreach: + field: json.dataSources + tag: foreach_dataSources + if: ctx.json?.dataSources instanceof List + processor: + foreach: + field: _ingest._value.instances + ignore_failure: true + processor: + date: + field: _ingest._value.firstSeen + tag: date_dataSources_instances_firstSeen + target_field: _ingest._value.first_seen + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + on_failure: + - remove: + field: _ingest._value.firstSeen + ignore_missing: true + - foreach: + field: json.dataSources + tag: foreach_dataSources + if: ctx.json?.dataSources instanceof List + processor: + foreach: + field: _ingest._value.instances + ignore_failure: true + processor: + date: + field: _ingest._value.lastSeen + tag: date_dataSources_instances_lastSeen + target_field: _ingest._value.last_seen + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss 
z + - ISO8601 + on_failure: + - remove: + field: _ingest._value.lastSeen + ignore_missing: true + - foreach: + field: json.dataSources + tag: foreach_dataSources + if: ctx.json?.dataSources instanceof List + processor: + date: + field: _ingest._value.lastSeen + tag: date_dataSources_lastSeen + target_field: _ingest._value.last_seen + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + on_failure: + - remove: + field: _ingest._value.lastSeen + ignore_missing: true + - foreach: + field: json.dataSources + tag: foreach_dataSources + if: ctx.json?.dataSources instanceof List + processor: + foreach: + field: _ingest._value.instances + ignore_failure: true + processor: + remove: + field: + - _ingest._value.firstSeen + - _ingest._value.lastSeen + tag: remove_dataSources_instances + ignore_missing: true + - foreach: + field: json.dataSources + tag: foreach_dataSources + if: ctx.json?.dataSources instanceof List + processor: + remove: + field: + - _ingest._value.firstSeen + - _ingest._value.lastSeen + tag: remove_dataSources + ignore_missing: true + - rename: + field: json.dataSources + tag: rename_dataSources + target_field: armis.device.data_sources + ignore_missing: true + - rename: + field: json.displayTitle + tag: rename_displayTitle + target_field: armis.device.display_title + ignore_missing: true + - date: + field: json.firstSeen + tag: date_firstSeen + target_field: armis.device.first_seen + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.firstSeen != null && ctx.json.firstSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start_from_device_first_seen + copy_from: armis.device.first_seen + 
ignore_empty_value: true + - convert: + field: json.id + tag: convert_id_to_string + target_field: armis.device.id + type: string + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_device_id + copy_from: armis.device.id + ignore_empty_value: true + - split: + field: json.ipAddress + separator: ', ' + tag: split_ipAddress + target_field: armis.device.ip_address + ignore_missing: true + if: ctx.json?.ipAddress instanceof String && ctx.json.ipAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: armis.device.ip_address + tag: foreach_armis_device_ip_address + if: ctx.armis?.device?.ip_address instanceof List + processor: + convert: + field: _ingest._value + tag: convert_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: armis.device.ip_address + tag: foreach_armis_device_ip_address + if: ctx.armis?.device?.ip_address instanceof List + processor: + append: + field: host.ip + tag: append_armis_device_ip_address_into_host_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: armis.device.ip_address + tag: foreach_armis_device_ip_address + if: ctx.armis?.device?.ip_address instanceof List + processor: + append: + field: related.ip + tag: append_armis_device_ip_address_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: json.ipv6 + tag: foreach_ipv6 + if: ctx.json?.ipv6 instanceof List + processor: + convert: + 
field: _ingest._value + tag: convert_ipv6_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.ipv6 + tag: rename_ipv6 + target_field: armis.device.ip_v6 + ignore_missing: true + - foreach: + field: armis.device.ip_v6 + tag: foreach_armis_device_ip_v6 + if: ctx.armis?.device?.ip_v6 instanceof List + processor: + append: + field: related.ip + tag: append_armis_device_user_ids_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - date: + field: json.lastSeen + tag: date_lastSeen + target_field: armis.device.last_seen + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.lastSeen != null && ctx.json.lastSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_device_last_seen + copy_from: armis.device.last_seen + ignore_empty_value: true + - split: + field: json.macAddress + separator: ', ' + tag: split_mac_address + target_field: armis.device.mac_address + ignore_missing: true + if: ctx.json?.macAddress instanceof String && ctx.json.macAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: armis.device.mac_address + if: ctx.armis?.device?.mac_address instanceof List 
+ ignore_failure: true + processor: + append: + field: host.mac + tag: append_armis_device_mac_address_into_host_mac + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: host.mac + if: ctx.host?.mac instanceof List + ignore_failure: true + processor: + gsub: + field: _ingest._value + tag: gsub_host_mac_for_each_mac + pattern: ':' + replacement: '-' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: host.mac + if: ctx.host?.mac instanceof List + ignore_failure: true + processor: + uppercase: + field: _ingest._value + tag: uppercase_host_mac_for_each_mac + ignore_missing: true + - rename: + field: json.manufacturer + tag: rename_manufacturer + target_field: armis.device.manufacturer + ignore_missing: true + - set: + field: device.manufacturer + tag: set_device_manufacturer_from_device_manufacturer + copy_from: armis.device.manufacturer + ignore_empty_value: true + - rename: + field: json.model + tag: rename_model + target_field: armis.device.model + ignore_missing: true + - set: + field: device.model.name + tag: set_device_model_name_from_device_model + copy_from: armis.device.model + ignore_empty_value: true + - rename: + field: json.name + tag: rename_name + target_field: armis.device.name + ignore_missing: true + - split: + field: json.names + separator: ',' + tag: split_names + target_field: armis.device.names + ignore_missing: true + if: ctx.json?.names instanceof String && ctx.json.names != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: armis.device.names 
+ if: ctx.armis?.device?.names instanceof List + ignore_failure: true + processor: + append: + field: host.name + tag: append_armis_device_names_into_host_name + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: host.name + tag: foreach_host_name + if: ctx.host?.name instanceof List + processor: + lowercase: + field: _ingest._value + tag: lowercase_host_name + ignore_missing: true + - foreach: + field: host.name + if: ctx.host?.name instanceof List + ignore_failure: true + processor: + append: + field: related.hosts + tag: append_host_name_into_related_hosts + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.operatingSystem + tag: rename_operatingSystem + target_field: armis.device.operating_system + ignore_missing: true + - set: + field: host.os.family + tag: set_host_os_family_from_device_operating_system + copy_from: armis.device.operating_system + ignore_empty_value: true + - lowercase: + field: host.os.family + tag: lowercase_host_os_family + ignore_missing: true + - rename: + field: json.operatingSystemVersion + tag: rename_operatingSystemVersion + target_field: armis.device.operating_system_version + ignore_missing: true + - set: + field: host.os.version + tag: set_host_os_version_from_device_operating_system_version + copy_from: armis.device.operating_system_version + ignore_empty_value: true + - foreach: + field: json.protections + tag: foreach_json_protections + if: ctx.json?.protections instanceof List + processor: + date: + field: _ingest._value.creationTime + tag: date_protections_creationTime + target_field: _ingest._value.creation_time + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + on_failure: + - remove: + field: _ingest._value.creationTime + ignore_missing: true + - foreach: + field: json.protections + tag: foreach_json_protections + if: ctx.json?.protections instanceof List + processor: + convert: + field: _ingest._value.deviceId + tag: 
convert_deviceIds_to_string + target_field: _ingest._value.device_id + type: string + ignore_missing: true + - foreach: + field: json.protections + tag: foreach_json_protections + if: ctx.json?.protections instanceof List + processor: + date: + field: _ingest._value.lastSeenTime + tag: date_protections_lastSeenTime + target_field: _ingest._value.last_seen_time + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + on_failure: + - remove: + field: _ingest._value.lastSeenTime + ignore_missing: true + - foreach: + field: json.protections + if: ctx.json?.protections instanceof List + processor: + rename: + field: _ingest._value.protectionName + tag: rename_protections_protectionName + target_field: _ingest._value.protection_name + ignore_missing: true + - foreach: + field: json.protections + if: ctx.json?.protections instanceof List + processor: + remove: + field: + - _ingest._value.creationTime + - _ingest._value.lastSeenTime + - _ingest._value.deviceId + tag: remove_protections + ignore_missing: true + - rename: + field: json.protections + tag: rename_protections + target_field: armis.device.protections + ignore_missing: true + - convert: + field: json.purdueLevel + tag: convert_purdueLevel_to_double + target_field: armis.device.purdue_level + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.riskLevel + tag: convert_riskLevel_to_long + target_field: armis.device.risk_level + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' 
+ - set: + field: host.risk.static_score + tag: set_host_risk_static_score_from_device_risk_level + copy_from: armis.device.risk_level + ignore_empty_value: true + - convert: + field: host.risk.static_score + tag: convert_armis_device_risk_level_to_double + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.sensor.name + tag: rename_sensor_name + target_field: armis.device.sensor.name + ignore_missing: true + - rename: + field: json.sensor.type + tag: rename_sensor_type + target_field: armis.device.sensor.type + ignore_missing: true + - rename: + field: json.site.location + tag: rename_site_location + target_field: armis.device.site.location + ignore_missing: true + - rename: + field: json.site.name + tag: rename_site_name + target_field: armis.device.site.name + ignore_missing: true + - rename: + field: json.tags + tag: rename_tags + target_field: armis.device.tags + ignore_missing: true + - rename: + field: json.type + tag: rename_type + target_field: armis.device.type + ignore_missing: true + - rename: + field: json.typeEnum + tag: rename_typeEnum + target_field: armis.device.type_enum + ignore_missing: true + - convert: + field: json.userIds + tag: convert_userIds + target_field: armis.device.user_ids + type: string + ignore_missing: true + - foreach: + field: armis.device.user_ids + tag: foreach_armis_device_user_ids + if: ctx.armis?.device?.user_ids instanceof List + processor: + append: + field: user.id + tag: append_armis_device_user_ids_into_user_id + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: armis.device.user_ids + tag: foreach_armis_device_user_ids + if: ctx.armis?.device?.user_ids instanceof List + processor: + append: + field: related.user + tag: 
append_armis_device_user_ids_into_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.visibility + tag: rename_visibility + target_field: armis.device.visibility + ignore_missing: true + - remove: + field: + - armis.device.first_seen + - armis.device.id + - armis.device.ip_address + - armis.device.last_seen + - armis.device.mac_address + - armis.device.manufacturer + - armis.device.names + - armis.device.model + - armis.device.operating_system_version + - armis.device.user_ids + - armis.device.category + - armis.device.operating_system + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + 
{{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/armis/data_stream/device/fields/base-fields.yml b/packages/armis/data_stream/device/fields/base-fields.yml new file mode 100644 index 00000000000..9e654ca994f --- /dev/null +++ b/packages/armis/data_stream/device/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: armis +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: armis.device +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/armis/data_stream/device/fields/beats.yml b/packages/armis/data_stream/device/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/armis/data_stream/device/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/armis/data_stream/device/fields/fields.yml b/packages/armis/data_stream/device/fields/fields.yml new file mode 100644 index 00000000000..bf2072017fa --- /dev/null +++ b/packages/armis/data_stream/device/fields/fields.yml 
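Review bot: two processor tags in this pipeline are copy-paste errors that will mislead anyone reading `error.message` after a failure: the `set` that copies `armis.device.category` into `host.type` is tagged `set_event_start_from_device_first_seen` (the same tag as the later `event.start` set), and the `append` of `armis.device.ip_v6` into `related.ip` is tagged `append_armis_device_user_ids_into_related_ip`; rename them to something like `set_host_type_from_device_category` and `append_armis_device_ip_v6_into_related_ip`. The six `foreach` processors over `json.dataSources` all carry `tag: foreach_dataSources`, and the `json.protections` loops repeat `foreach_json_protections` (two of them have no tag at all), so a failure in any of them is reported identically; give each loop a distinct tag. Also, `json.names` is split on `','` whereas `json.ipAddress` and `json.macAddress` are split on `', '`; if Armis formats `names` as a comma-space list as well, every element after the first keeps a leading space before it is copied into `host.name` and `related.hosts`, so either use the same separator or add a `trim` processor on `armis.device.names` after the split.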
@@ -0,0 +1,101 @@ +- name: armis + type: group + fields: + - name: device + type: group + fields: + - name: access_switch + type: keyword + - name: boundaries + type: keyword + - name: business_impact + type: keyword + - name: category + type: keyword + - name: custom_properties + type: flattened + - name: data_sources + type: group + fields: + - name: first_seen + type: date + - name: instances + type: group + fields: + - name: first_seen + type: date + - name: last_seen + type: date + - name: name + type: keyword + - name: last_seen + type: date + - name: name + type: keyword + - name: types + type: keyword + - name: display_title + type: keyword + - name: first_seen + type: date + - name: id + type: keyword + - name: ip_address + type: ip + - name: ip_v6 + type: ip + - name: last_seen + type: date + - name: mac_address + type: keyword + - name: manufacturer + type: keyword + - name: model + type: keyword + - name: name + type: keyword + - name: names + type: keyword + - name: operating_system + type: keyword + - name: operating_system_version + type: keyword + - name: protections + type: group + fields: + - name: creation_time + type: date + - name: device_id + type: keyword + - name: last_seen_time + type: date + - name: protection_name + type: keyword + - name: purdue_level + type: double + - name: risk_level + type: long + - name: sensor + type: group + fields: + - name: name + type: keyword + - name: type + type: keyword + - name: site + type: group + fields: + - name: location + type: keyword + - name: name + type: keyword + - name: tags + type: keyword + - name: type + type: keyword + - name: type_enum + type: keyword + - name: user_ids + type: keyword + - name: visibility + type: keyword diff --git a/packages/armis/data_stream/device/fields/is-transform-source-true.yml b/packages/armis/data_stream/device/fields/is-transform-source-true.yml new file mode 100644 index 00000000000..fd4766eacd5 --- /dev/null 
+++ b/packages/armis/data_stream/device/fields/is-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "true" diff --git a/packages/armis/data_stream/device/manifest.yml b/packages/armis/data_stream/device/manifest.yml new file mode 100644 index 00000000000..d878d34d395 --- /dev/null +++ b/packages/armis/data_stream/device/manifest.yml 
@@ -0,0 +1,79 @@ +title: Device +type: logs +streams: + - input: cel + title: Device Logs + description: Collecting Device logs via API. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the Device logs from Armis API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Armis API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: page_size + type: text + title: Page Size + multi: false + required: true + show_user: false + description: Page size for the response of the Armis API. + default: 2000 + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - armis-device + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve armis.device fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/armis/data_stream/device/sample_event.json b/packages/armis/data_stream/device/sample_event.json new file mode 100644 index 00000000000..d58f2351d5f --- /dev/null +++ b/packages/armis/data_stream/device/sample_event.json 
@@ -0,0 +1,136 @@ +{ + "@timestamp": "2025-03-29T10:43:55.988Z", + "agent": { + "ephemeral_id": "676dc7fa-df27-437e-9899-f13552edfd88", + "id": "63e7f8d1-3918-497a-848c-69ef5495d29e", + "name": "elastic-agent-92930", + "type": "filebeat", + "version": "8.18.0" + }, + "armis": { + "device": { + "boundaries": "Corporate", + "business_impact": "Unassigned", + "category": "Network Equipment", + "data_sources": [ + { + "first_seen": "2024-10-09T05:09:02.988Z", + "last_seen": "2025-03-29T10:43:55.988Z", + "name": "Knowledge Base", + "types": [ + "Traffic Inspection", + "Data Analysis" + ] + } + ], + "display_title": "Test", + "first_seen": "2024-10-09T05:09:02.988Z", + "id": "1154", + "ip_address": [ + "89.160.20.128" + ], + "last_seen": "2025-03-29T10:43:55.988Z", + "mac_address": [ + "50:76:AF:D3:3F:AB" + ], + "manufacturer": "Test Manufacturer", + "model": "Test Model", + "name": "Test Name", + "names": [ + "Test Names" + ], + "operating_system": "Windows", + "operating_system_version": "Server 2016", + "purdue_level": 4, + "risk_level": 10, + "sensor": { + "name": "test Enterprise", + "type": "test LAN Controller" + }, + "site": { + "location": "Zurich", + "name": "Zurich Enterprise" + }, + "tags": [ + "Misconfigurations" + ], + "type": "Switches", + "type_enum": "SWITCH", + "visibility": "Full" + } + }, + "data_stream": { + "dataset": "armis.device", + "namespace": "52873", + "type": "logs" + }, + "device": { + "manufacturer": "Test Manufacturer", + "model": { + "name": "Test Model" + } + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "63e7f8d1-3918-497a-848c-69ef5495d29e", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "armis.device", + "ingested": "2025-05-12T05:23:05Z", + "kind": "event", + "original": "{\"accessSwitch\":null,\"boundaries\":\"Corporate\",\"businessImpact\":\"Unassigned\",\"category\":\"Network 
Equipment\",\"customProperties\":{},\"dataSources\":[{\"firstSeen\":\"2024-10-09T05:09:02.988081+00:00\",\"instances\":[],\"lastSeen\":\"2025-03-29T10:43:55.988081+00:00\",\"name\":\"Knowledge Base\",\"types\":[\"Traffic Inspection\",\"Data Analysis\"]}],\"displayTitle\":\"Test\",\"firstSeen\":\"2024-10-09T05:09:02.988081+00:00\",\"id\":1154,\"ipAddress\":\"89.160.20.128\",\"ipv6\":[],\"lastSeen\":\"2025-03-29T10:43:55.988081+00:00\",\"macAddress\":\"50:76:AF:D3:3F:AB\",\"manufacturer\":\"Test Manufacturer\",\"model\":\"Test Model\",\"name\":\"Test Name\",\"names\":\"Test Names\",\"operatingSystem\":\"Windows\",\"operatingSystemVersion\":\"Server 2016\",\"protections\":[],\"purdueLevel\":4,\"riskLevel\":10,\"sensor\":{\"name\":\"test Enterprise\",\"type\":\"test LAN Controller\"},\"site\":{\"location\":\"Zurich\",\"name\":\"Zurich Enterprise\"},\"tags\":[\"Misconfigurations\"],\"type\":\"Switches\",\"typeEnum\":\"SWITCH\",\"userIds\":[],\"visibility\":\"Full\"}", + "start": "2024-10-09T05:09:02.988Z", + "type": [ + "info" + ] + }, + "host": { + "id": "1154", + "ip": [ + "89.160.20.128" + ], + "mac": [ + "50-76-AF-D3-3F-AB" + ], + "name": [ + "test names" + ], + "os": { + "family": "windows", + "version": "Server 2016" + }, + "risk": { + "static_score": 10 + }, + "type": "Network Equipment" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "test names" + ], + "ip": [ + "89.160.20.128" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "armis-device" + ] +} diff --git a/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml 
@@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log new file mode 100644 index 00000000000..05a14289f03 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log 
@@ -0,0 +1,2 @@ +{"affectedDevicesCount":7,"attackComplexity":"Medium","attackVector":"Remote","availabilityImpact":"High","avmRating":"CRITICAL","avmRatingManualChangeReason":"Revised due to increased exploit activity","avmRatingManualChangedBy":"security_admin","avmRatingManualUpdateTime":"2025-03-30T12:45:00.000000+00:00","botnets":["Mirai","Mozi","Enemybot"],"cisaDueDate":"2023-06-01T00:00:00.000000+00:00","commonName":"test","confidentialityImpact":"High","cveUid":"CVE-2021-45046","cvssScore":9.8,"cvssScoreV4":"cvss_score1","description":"An advanced exploit of the vulnerability.","epssPercentile":98.5,"epssScore":0.92,"exploitabilityScore":9.5,"firstDetected":"2025-03-25T14:30:00.123456+00:00","firstReferencePublishDate":"2021-12-10T00:00:00.000000+00:00","firstWeaponizedReferencePublishDate":"2021-12-18T00:00:00.000000+00:00","hasRansomware":true,"hasRemediationInfo":"Yes","id":"CVE-2021-45046","impactScore":9.7,"integrityImpact":"Moderate","isWeaponized":true,"lastDetected":"2025-03-29T20:15:45.678901+00:00","latestExploitUpdate":"2025-03-31T08:00:00.000000+00:00","numOfExploits":45,"numberOfThreatActors":9,"privilegesRequired":"Low","publishedDate":"2021-12-15T16:00:00.000000+00:00","reportedByGoogleZeroDays":true,"scope":"Unchanged","score":9.8,"severity":"Critical","status":"Active","threatActors":["APT28"],"threatTags":["Ransomware"],"type":"Vulnerability","userInteraction":"Required","vulnerability_match":{"advisoryId":"ADV-2025-0013","avmRating":"CRITICAL","confidenceLevel":"High","confidenceLevelDescription":"Based on active exploitation and vendor confirmation","cveUid":"CVE-2021-45046","deviceId":640,"firstDetected":"2025-03-25T10:59:59.486176+00:00","hasRemediationInfo":"No","lastDetected":"2025-03-28T19:59:59.486176+00:00","matchCriteriaString":"tes","recommendedSteps":"Update to the latest available OS version as per vendor recommendations.","remediationTypes":"Patch Available","status":"Open","statusChangeReason":"New detection of vulnerability 
on device","statusSource":"Discovered by Armis"}} +{"affectedDevicesCount":1,"attackComplexity":"Low","attackVector":"Network","availabilityImpact":"High","avmRating":"CRITICAL","avmRatingManualChangeReason":"Automated risk assessment based on exploit trends","avmRatingManualChangedBy":"security_admin","avmRatingManualUpdateTime":"2025-03-28T15:45:00+00:00","botnets":["Qakbot"],"cisaDueDate":"2023-05-02T00:00:00+00:00","commonName":"Test Vulnerability","confidentialityImpact":"High","cveUid":"CVE-2022-32845","cvssScore":10,"cvssScoreV4":"cvssScore","description":"This issue was addressed with improved checks","epssPercentile":0.39,"epssScore":0.00197,"exploitabilityScore":3.9,"firstDetected":"2025-03-29T12:05:02.676531+00:00","firstReferencePublishDate":"2024-05-03T02:23:01+00:00","firstWeaponizedReferencePublishDate":"2024-06-15T10:30:00+00:00","hasRansomware":false,"hasRemediationInfo":"Yes","id":"CVE-2022-32845","impactScore":6,"integrityImpact":"High","isWeaponized":true,"lastDetected":"2025-03-29T12:05:02.676531+00:00","latestExploitUpdate":"2025-03-16T19:34:21+00:00","numOfExploits":1,"numberOfThreatActors":3,"privilegesRequired":"None","publishedDate":"2022-09-23T19:15:13.573000+00:00","reportedByGoogleZeroDays":true,"scope":"Changed","score":10,"severity":"Critical","status":"Open","threatActors":["test28"],"threatTags":["zero-day"],"type":"OS","userInteraction":"None","vulnerability_match":{"advisoryId":"ADV-2025-0012","avmRating":"Critical","confidenceLevel":"High","confidenceLevelDescription":"Based on active exploitation and vendor confirmation","cveUid":"CVE-2022-32845","deviceId":270,"firstDetected":"2025-03-29T12:05:02+00:00","hasRemediationInfo":"No","lastDetected":"2025-03-29T12:05:02+00:00","matchCriteriaString":"OS","recommendedSteps":"Update to the latest available OS version as per vendor recommendations.","remediationTypes":"Patch Available","status":"Open","statusChangeReason":"New detection of vulnerability on 
device","statusSource":"Discovered by Armis"}} diff --git a/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json new file mode 100644 index 00000000000..518a6c0718f --- /dev/null +++ b/packages/armis/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json 
@@ -0,0 +1,262 @@ +{ + "expected": [ + { + "@timestamp": "2025-03-28T19:59:59.486Z", + "armis": { + "vulnerability": { + "affected_devices_count": 7, + "attack_complexity": "Medium", + "attack_vector": "Remote", + "availability_impact": "High", + "avm_rating": "CRITICAL", + "avm_rating_manual_change_reason": "Revised due to increased exploit activity", + "avm_rating_manual_changed_by": "security_admin", + "avm_rating_manual_update_time": "2025-03-30T12:45:00.000Z", + "botnets": [ + "Mirai", + "Mozi", + "Enemybot" + ], + "cisa_due_date": "2023-06-01T00:00:00.000Z", + "common_name": "test", + "confidentiality_impact": "High", + "cve_uid": "CVE-2021-45046", + "cvss_score": 9.8, + "cvss_score_v4": "cvss_score1", + "description": "An advanced exploit of the vulnerability.", + "epss_percentile": 98.5, + "epss_score": 0.92, + "exploitability_score": 9.5, + "first_detected": "2025-03-25T14:30:00.123Z", + "first_reference_publish_date": "2021-12-10T00:00:00.000Z", + "first_weaponized_reference_publish_date": "2021-12-18T00:00:00.000Z", + "has_ransomware": true, + "has_remediation_info": "Yes", + "id": "CVE-2021-45046", + "impact_score": 9.7, + "integrity_impact": "Moderate", + "is_weaponized": true, + "last_detected": "2025-03-29T20:15:45.678Z", + "latest_exploit_update": "2025-03-31T08:00:00.000Z", + "num_of_exploits": 45, + "number_of_threat_actors": 9, + "privileges_required": "Low", + "published_date": "2021-12-15T16:00:00.000Z", + "reported_by_google_zero_days": true, + "scope": "Unchanged", + "score": 9.8, + "severity": "Critical", + "status": "Active", + "threat_actors": [ + "APT28" + ], + "threat_tags": [ + "Ransomware" + ], + "type": "Vulnerability", + "user_interaction": "Required", + "vulnerability_match": { + "advisory_id": "ADV-2025-0013", + "avm_rating": "CRITICAL", + "confidence_level": "High", + "confidence_level_description": "Based on active exploitation and vendor confirmation", + "cve_uid": "CVE-2021-45046", + "device_id": "640", + "first_detected": 
"2025-03-25T10:59:59.486Z", + "has_remediation_info": "No", + "last_detected": "2025-03-28T19:59:59.486Z", + "match_criteria_string": "tes", + "recommended_steps": "Update to the latest available OS version as per vendor recommendations.", + "remediation_types": "Patch Available", + "status": "Open", + "status_change_reason": "New detection of vulnerability on device", + "status_source": "Discovered by Armis" + } + } + }, + "device": { + "id": "640" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"affectedDevicesCount\":7,\"attackComplexity\":\"Medium\",\"attackVector\":\"Remote\",\"availabilityImpact\":\"High\",\"avmRating\":\"CRITICAL\",\"avmRatingManualChangeReason\":\"Revised due to increased exploit activity\",\"avmRatingManualChangedBy\":\"security_admin\",\"avmRatingManualUpdateTime\":\"2025-03-30T12:45:00.000000+00:00\",\"botnets\":[\"Mirai\",\"Mozi\",\"Enemybot\"],\"cisaDueDate\":\"2023-06-01T00:00:00.000000+00:00\",\"commonName\":\"test\",\"confidentialityImpact\":\"High\",\"cveUid\":\"CVE-2021-45046\",\"cvssScore\":9.8,\"cvssScoreV4\":\"cvss_score1\",\"description\":\"An advanced exploit of the 
vulnerability.\",\"epssPercentile\":98.5,\"epssScore\":0.92,\"exploitabilityScore\":9.5,\"firstDetected\":\"2025-03-25T14:30:00.123456+00:00\",\"firstReferencePublishDate\":\"2021-12-10T00:00:00.000000+00:00\",\"firstWeaponizedReferencePublishDate\":\"2021-12-18T00:00:00.000000+00:00\",\"hasRansomware\":true,\"hasRemediationInfo\":\"Yes\",\"id\":\"CVE-2021-45046\",\"impactScore\":9.7,\"integrityImpact\":\"Moderate\",\"isWeaponized\":true,\"lastDetected\":\"2025-03-29T20:15:45.678901+00:00\",\"latestExploitUpdate\":\"2025-03-31T08:00:00.000000+00:00\",\"numOfExploits\":45,\"numberOfThreatActors\":9,\"privilegesRequired\":\"Low\",\"publishedDate\":\"2021-12-15T16:00:00.000000+00:00\",\"reportedByGoogleZeroDays\":true,\"scope\":\"Unchanged\",\"score\":9.8,\"severity\":\"Critical\",\"status\":\"Active\",\"threatActors\":[\"APT28\"],\"threatTags\":[\"Ransomware\"],\"type\":\"Vulnerability\",\"userInteraction\":\"Required\",\"vulnerability_match\":{\"advisoryId\":\"ADV-2025-0013\",\"avmRating\":\"CRITICAL\",\"confidenceLevel\":\"High\",\"confidenceLevelDescription\":\"Based on active exploitation and vendor confirmation\",\"cveUid\":\"CVE-2021-45046\",\"deviceId\":640,\"firstDetected\":\"2025-03-25T10:59:59.486176+00:00\",\"hasRemediationInfo\":\"No\",\"lastDetected\":\"2025-03-28T19:59:59.486176+00:00\",\"matchCriteriaString\":\"tes\",\"recommendedSteps\":\"Update to the latest available OS version as per vendor recommendations.\",\"remediationTypes\":\"Patch Available\",\"status\":\"Open\",\"statusChangeReason\":\"New detection of vulnerability on device\",\"statusSource\":\"Discovered by Armis\"}}", + "start": "2025-03-25T14:30:00.123Z", + "type": [ + "info" + ] + }, + "host": { + "id": "640" + }, + "message": "An advanced exploit of the vulnerability.", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "640" + ], + "user": [ + "security_admin" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" 
+ ], + "threat": { + "indicator": { + "last_seen": "2025-03-28T19:59:59.486Z" + } + }, + "user": { + "name": "security_admin" + }, + "vulnerability": { + "category": [ + "Remote" + ], + "description": "An advanced exploit of the vulnerability.", + "id": "CVE-2021-45046", + "scanner": { + "vendor": "Armis" + }, + "severity": "Critical" + } + }, + { + "@timestamp": "2025-03-29T12:05:02.000Z", + "armis": { + "vulnerability": { + "affected_devices_count": 1, + "attack_complexity": "Low", + "attack_vector": "Network", + "availability_impact": "High", + "avm_rating": "CRITICAL", + "avm_rating_manual_change_reason": "Automated risk assessment based on exploit trends", + "avm_rating_manual_changed_by": "security_admin", + "avm_rating_manual_update_time": "2025-03-28T15:45:00.000Z", + "botnets": [ + "Qakbot" + ], + "cisa_due_date": "2023-05-02T00:00:00.000Z", + "common_name": "Test Vulnerability", + "confidentiality_impact": "High", + "cve_uid": "CVE-2022-32845", + "cvss_score": 10.0, + "cvss_score_v4": "cvssScore", + "description": "This issue was addressed with improved checks", + "epss_percentile": 0.39, + "epss_score": 0.00197, + "exploitability_score": 3.9, + "first_detected": "2025-03-29T12:05:02.676Z", + "first_reference_publish_date": "2024-05-03T02:23:01.000Z", + "first_weaponized_reference_publish_date": "2024-06-15T10:30:00.000Z", + "has_ransomware": false, + "has_remediation_info": "Yes", + "id": "CVE-2022-32845", + "impact_score": 6.0, + "integrity_impact": "High", + "is_weaponized": true, + "last_detected": "2025-03-29T12:05:02.676Z", + "latest_exploit_update": "2025-03-16T19:34:21.000Z", + "num_of_exploits": 1, + "number_of_threat_actors": 3, + "privileges_required": "None", + "published_date": "2022-09-23T19:15:13.573Z", + "reported_by_google_zero_days": true, + "scope": "Changed", + "score": 10.0, + "severity": "Critical", + "status": "Open", + "threat_actors": [ + "test28" + ], + "threat_tags": [ + "zero-day" + ], + "type": "OS", + "user_interaction": 
"None", + "vulnerability_match": { + "advisory_id": "ADV-2025-0012", + "avm_rating": "Critical", + "confidence_level": "High", + "confidence_level_description": "Based on active exploitation and vendor confirmation", + "cve_uid": "CVE-2022-32845", + "device_id": "270", + "first_detected": "2025-03-29T12:05:02.000Z", + "has_remediation_info": "No", + "last_detected": "2025-03-29T12:05:02.000Z", + "match_criteria_string": "OS", + "recommended_steps": "Update to the latest available OS version as per vendor recommendations.", + "remediation_types": "Patch Available", + "status": "Open", + "status_change_reason": "New detection of vulnerability on device", + "status_source": "Discovered by Armis" + } + } + }, + "device": { + "id": "270" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"affectedDevicesCount\":1,\"attackComplexity\":\"Low\",\"attackVector\":\"Network\",\"availabilityImpact\":\"High\",\"avmRating\":\"CRITICAL\",\"avmRatingManualChangeReason\":\"Automated risk assessment based on exploit trends\",\"avmRatingManualChangedBy\":\"security_admin\",\"avmRatingManualUpdateTime\":\"2025-03-28T15:45:00+00:00\",\"botnets\":[\"Qakbot\"],\"cisaDueDate\":\"2023-05-02T00:00:00+00:00\",\"commonName\":\"Test Vulnerability\",\"confidentialityImpact\":\"High\",\"cveUid\":\"CVE-2022-32845\",\"cvssScore\":10,\"cvssScoreV4\":\"cvssScore\",\"description\":\"This issue was addressed with improved 
checks\",\"epssPercentile\":0.39,\"epssScore\":0.00197,\"exploitabilityScore\":3.9,\"firstDetected\":\"2025-03-29T12:05:02.676531+00:00\",\"firstReferencePublishDate\":\"2024-05-03T02:23:01+00:00\",\"firstWeaponizedReferencePublishDate\":\"2024-06-15T10:30:00+00:00\",\"hasRansomware\":false,\"hasRemediationInfo\":\"Yes\",\"id\":\"CVE-2022-32845\",\"impactScore\":6,\"integrityImpact\":\"High\",\"isWeaponized\":true,\"lastDetected\":\"2025-03-29T12:05:02.676531+00:00\",\"latestExploitUpdate\":\"2025-03-16T19:34:21+00:00\",\"numOfExploits\":1,\"numberOfThreatActors\":3,\"privilegesRequired\":\"None\",\"publishedDate\":\"2022-09-23T19:15:13.573000+00:00\",\"reportedByGoogleZeroDays\":true,\"scope\":\"Changed\",\"score\":10,\"severity\":\"Critical\",\"status\":\"Open\",\"threatActors\":[\"test28\"],\"threatTags\":[\"zero-day\"],\"type\":\"OS\",\"userInteraction\":\"None\",\"vulnerability_match\":{\"advisoryId\":\"ADV-2025-0012\",\"avmRating\":\"Critical\",\"confidenceLevel\":\"High\",\"confidenceLevelDescription\":\"Based on active exploitation and vendor confirmation\",\"cveUid\":\"CVE-2022-32845\",\"deviceId\":270,\"firstDetected\":\"2025-03-29T12:05:02+00:00\",\"hasRemediationInfo\":\"No\",\"lastDetected\":\"2025-03-29T12:05:02+00:00\",\"matchCriteriaString\":\"OS\",\"recommendedSteps\":\"Update to the latest available OS version as per vendor recommendations.\",\"remediationTypes\":\"Patch Available\",\"status\":\"Open\",\"statusChangeReason\":\"New detection of vulnerability on device\",\"statusSource\":\"Discovered by Armis\"}}", + "start": "2025-03-29T12:05:02.676Z", + "type": [ + "info" + ] + }, + "host": { + "id": "270" + }, + "message": "This issue was addressed with improved checks", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "270" + ], + "user": [ + "security_admin" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "last_seen": 
"2025-03-29T12:05:02.000Z" + } + }, + "user": { + "name": "security_admin" + }, + "vulnerability": { + "category": [ + "Network" + ], + "description": "This issue was addressed with improved checks", + "id": "CVE-2022-32845", + "scanner": { + "vendor": "Armis" + }, + "severity": "Critical" + } + } + ] +} diff --git a/packages/armis/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/armis/data_stream/vulnerability/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c52472f5121 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/_dev/test/system/test-default-config.yml @@ -0,0 +1,14 @@ +input: cel +service: armis +vars: + url: http://{{Hostname}}:{{Port}} + secret_key: xxxx +data_stream: + vars: + interval: 5m + initial_interval: 24h + page_size: 1 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 3 diff --git a/packages/armis/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/armis/data_stream/vulnerability/agent/stream/cel.yml.hbs new file mode 100755 index 00000000000..cbf12c5f855 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/agent/stream/cel.yml.hbs 
@@ -0,0 +1,241 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + initial_interval: {{initial_interval}} + page_size: {{page_size}} + secret_key: {{secret_key}} +redact: + fields: + - secret_key + - access_token +program: | + ( + state.?is_token_valid.orValue(false) ? + state + : + state.with( + post_request( + state.url.trim_right("/") + "/api/v1/access_token/", "application/json", { + "secret_key": state.secret_key + }.encode_json() + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "access_token": body.data.access_token, + "is_token_valid": true + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST: " + state.url.trim_right("/") + "/api/v1/access_token/" +( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "parent_offset": 0, + "child_offset": 0, + "vuln_dict": {}, + "is_token_valid": false, + "want_more": false + } + ) + ) + ).as(state, + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format("2006-01-02T15:04:05")) + }) + ).as(state, + !state.?is_token_valid.orValue(false) ? + state + : + (has(state.vuln_dict) && size(state.vuln_dict) > 0) ? + state + : + state.with( + request( + "GET", + state.url.trim_right("/") + "/api/v1/search/?" 
+ { + "length": [string(state.page_size)], + "orderBy": ["lastDetected"], + "aql": ["in:vulnerabilities lastDetected:" + '"' + string((now - state.start_time.parse_time("2006-01-02T15:04:05")).getSeconds()) + " Seconds" + '"'], + ?"from": has(state.parent_offset) && state.parent_offset != null ? optional.of([string(state.parent_offset)]) : optional.none(), + }.format_query() + ).with({ + "Header": { + "Authorization": [state.access_token], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "vuln_dict": ( + has(body.?data.results) && size(body.data.results) > 0 ? + zip(body.data.results.collate("id"),body.data.results) + : + {} + ), + "is_token_valid": true, + "parent_offset": body.?data.next.orValue(null), + "want_more": true, + "is_last_page": body.data.next == null + }) + : + resp.StatusCode == 401 ? + // Armis doesn't support multiple sessions per token; generate a new token on 401 (expired). + { + "events": [{"message":"retry"}], + "parent_offset": has(state.parent_offset) && state.parent_offset != null ? state.parent_offset : 0, + "child_offset": has(state.child_offset) && state.child_offset != null ? state.child_offset : 0, + "vuln_dict": has(state.vuln_dict) ? state.vuln_dict : {}, + "is_token_valid": false, + "want_more": true + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: " + state.url.trim_right("/") + "/api/v1/search/?aql=in:vulnerabilities" +( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "parent_offset": 0, + "child_offset": 0, + "vuln_dict": {}, + "is_token_valid": false, + "want_more": false + } + ) + ) + ).as(state, + !state.?is_token_valid.orValue(false) ? + state + : + state.with( + (has(state.vuln_dict) && size(state.vuln_dict) > 0) ? + request( + "GET", + state.url.trim_right("/") + "/api/v1/vulnerability-match/?" 
+ { + "vulnerability_ids": [state.vuln_dict.keys().join(",")], + "length": ["10000"], + ?"from": has(state.child_offset) && state.child_offset != null ? optional.of([string(state.child_offset)]) : optional.none(), + }.format_query() + ).with({ + "Header":{ + "Authorization": [state.access_token], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body,{ + "events": body.?data.sample.orValue([]).map(child_data, + { + "message": state.vuln_dict[child_data.cveUid].with({ + "vulnerability_match":child_data + }).encode_json() + } + ).flatten(), + "is_token_valid": true, + "parent_offset": state.parent_offset, + "cursor": { + ?"last_timestamp": state.vuln_dict.values()[size(state.vuln_dict.values())-1].lastDetected != null && (has(body.?data.paging.next) && body.data.paging.next == null) ? + (has(state.?cursor.last_timestamp) ? + optional.of( + max([ + state.cursor.last_timestamp.parse_time("2006-01-02T15:04:05"), + timestamp(state.vuln_dict.values()[size(state.vuln_dict.values())-1].lastDetected ) + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(timestamp(state.vuln_dict.values()[size(state.vuln_dict.values())-1].lastDetected ).format("2006-01-02T15:04:05")) + ) + : + state.?cursor.last_timestamp + }, + "child_offset": body.?data.paging.next.orValue(null), + "vuln_dict": (has(body.?data.paging.next) && body.data.paging.next != null) ? state.vuln_dict : {}, + "want_more": !state.?is_last_page.orValue(false) || (has(body.?data.paging.next) && body.data.paging.next != null), + }) + : + resp.StatusCode == 401 ? + // Armis doesn't support multiple sessions per token; generate a new token on 401 (expired). + { + "events": [{"message":"retry"}], + "is_token_valid": false, + "parent_offset": has(state.parent_offset) && state.parent_offset != null ? state.parent_offset : 0, + "child_offset": has(state.child_offset) && state.child_offset != null ? 
state.child_offset : 0, + "vuln_dict": state.vuln_dict, + "want_more": true + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: " + state.url.trim_right("/") + "/api/v1/vulnerability-match" +( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "parent_offset": 0, + "child_offset": 0, + "vuln_dict": {}, + "is_token_valid": false, + "want_more": false + } + ) + : + { + "events": [], + "is_token_valid": false, + "parent_offset": 0, + "child_offset": 0, + "vuln_dict": {}, + "want_more": false + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/armis/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/armis/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 00000000000..5089b1aae7c --- /dev/null +++ b/packages/armis/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,635 @@ +--- +description: Pipeline for processing Vulnerability logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - drop: + if: ctx.message == 'retry' + tag: drop_retry_events + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + fields: + - json.id + - json.lastDetected + - json.vulnerability_match.deviceId + - json.vulnerability_match.lastDetected + tag: fingerprint_device + target_field: _id + ignore_missing: true + - set: + field: event.kind + tag: set_event_kind_to_event + value: event + - append: + field: event.type + tag: append_event_type + value: info + - append: + field: event.category + tag: append_event_category + value: vulnerability + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Armis + - set: + field: observer.vendor + tag: set_observer_vendor + value: Armis + - set: + field: 
observer.product + tag: set_observer_product + value: Asset Management and Security + - convert: + field: json.affectedDevicesCount + tag: convert_affectedDevicesCount_to_long + target_field: armis.vulnerability.affected_devices_count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.attackComplexity + tag: rename_attackComplexity + target_field: armis.vulnerability.attack_complexity + ignore_missing: true + - rename: + field: json.attackVector + tag: rename_attackVector + target_field: armis.vulnerability.attack_vector + ignore_missing: true + - append: + field: vulnerability.category + tag: append_vulnerability_category + value: '{{{armis.vulnerability.attack_vector}}}' + allow_duplicates: false + if: ctx.armis.vulnerability.attack_vector != null + - rename: + field: json.availabilityImpact + tag: rename_availabilityImpact + target_field: armis.vulnerability.availability_impact + ignore_missing: true + - rename: + field: json.avmRating + tag: rename_avmRating + target_field: armis.vulnerability.avm_rating + ignore_missing: true + - rename: + field: json.avmRatingManualChangeReason + tag: rename_avmRatingManualChangeReason + target_field: armis.vulnerability.avm_rating_manual_change_reason + ignore_missing: true + - rename: + field: json.avmRatingManualChangedBy + tag: rename_avmRatingManualChangedBy + target_field: armis.vulnerability.avm_rating_manual_changed_by + ignore_missing: true + - set: + field: user.name + tag: set_user_name_from_vulnerability_avm_rating_manual_changed_by + copy_from: armis.vulnerability.avm_rating_manual_changed_by + ignore_empty_value: true + - append: + field: related.user + tag: append_related_user + value: '{{{armis.vulnerability.avm_rating_manual_changed_by}}}' + 
allow_duplicates: false + if: ctx.armis.vulnerability.avm_rating_manual_changed_by != null + - date: + field: json.avmRatingManualUpdateTime + tag: date_avmRatingManualUpdateTime + target_field: armis.vulnerability.avm_rating_manual_update_time + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.avmRatingManualUpdateTime != null && ctx.json.avmRatingManualUpdateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.botnets + tag: rename_botnets + target_field: armis.vulnerability.botnets + ignore_missing: true + - date: + field: json.cisaDueDate + tag: date_cisaDueDate + target_field: armis.vulnerability.cisa_due_date + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.cisaDueDate != null && ctx.json.cisaDueDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.commonName + tag: rename_commonName + target_field: armis.vulnerability.common_name + ignore_missing: true + - rename: + field: json.confidentialityImpact + tag: rename_confidentialityImpact + target_field: armis.vulnerability.confidentiality_impact + ignore_missing: true + - rename: + field: json.cveUid + tag: rename_cveUid + target_field: armis.vulnerability.cve_uid + ignore_missing: true + - convert: + field: json.cvssScore + tag: convert_cvssScore_to_double + target_field: armis.vulnerability.cvss_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.cvssScoreV4 + tag: rename_cvssScoreV4 + target_field: armis.vulnerability.cvss_score_v4 + ignore_missing: true + - rename: + field: json.description + tag: rename_description + target_field: armis.vulnerability.description + ignore_missing: true + - set: + field: message + tag: set_message_from_vulnerability_description + copy_from: armis.vulnerability.description + ignore_empty_value: true + - set: + field: vulnerability.description + tag: set_vulnerability_description + copy_from: armis.vulnerability.description + ignore_empty_value: true + - convert: + field: json.epssPercentile + tag: convert_epssPercentile_to_double + target_field: armis.vulnerability.epss_percentile + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.epssScore + tag: convert_epssScore_to_double + target_field: armis.vulnerability.epss_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.exploitabilityScore + tag: convert_exploitabilityScore_to_double + target_field: armis.vulnerability.exploitability_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} 
failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.firstDetected + tag: date_firstDetected + target_field: armis.vulnerability.first_detected + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.firstDetected != null && ctx.json.firstDetected != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start_from_vulnerability_first_detected + copy_from: armis.vulnerability.first_detected + ignore_empty_value: true + - date: + field: json.firstReferencePublishDate + tag: date_firstReferencePublishDate + target_field: armis.vulnerability.first_reference_publish_date + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.firstReferencePublishDate != null && ctx.json.firstReferencePublishDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.firstWeaponizedReferencePublishDate + tag: date_firstWeaponizedReferencePublishDate + target_field: armis.vulnerability.first_weaponized_reference_publish_date + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.firstWeaponizedReferencePublishDate != null && ctx.json.firstWeaponizedReferencePublishDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' 
+ - convert: + field: json.hasRansomware + tag: convert_hasRansomware_to_boolean + target_field: armis.vulnerability.has_ransomware + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.hasRemediationInfo + tag: rename_hasRemediationInfo + target_field: armis.vulnerability.has_remediation_info + ignore_missing: true + - rename: + field: json.id + tag: rename_id + target_field: armis.vulnerability.id + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_vulnerability_id + copy_from: armis.vulnerability.id + ignore_empty_value: true + - convert: + field: json.impactScore + tag: convert_impactScore_to_double + target_field: armis.vulnerability.impact_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.integrityImpact + tag: rename_integrityImpact + target_field: armis.vulnerability.integrity_impact + ignore_missing: true + - convert: + field: json.isWeaponized + tag: convert_isWeaponized_to_boolean + target_field: armis.vulnerability.is_weaponized + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.lastDetected + tag: date_lastDetected + target_field: armis.vulnerability.last_detected + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX 
+ - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.lastDetected != null && ctx.json.lastDetected != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.latestExploitUpdate + tag: date_latestExploitUpdate + target_field: armis.vulnerability.latest_exploit_update + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.latestExploitUpdate != null && ctx.json.latestExploitUpdate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.numOfExploits + tag: convert_numOfExploits_to_long + target_field: armis.vulnerability.num_of_exploits + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.numberOfThreatActors + tag: convert_numberOfThreatActors_to_long + target_field: armis.vulnerability.number_of_threat_actors + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.privilegesRequired + tag: rename_privilegesRequired + target_field: armis.vulnerability.privileges_required + ignore_missing: true + - date: + field: 
json.publishedDate + tag: date_publishedDate + target_field: armis.vulnerability.published_date + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.publishedDate != null && ctx.json.publishedDate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.reportedByGoogleZeroDays + tag: convert_reportedByGoogleZeroDays_to_boolean + target_field: armis.vulnerability.reported_by_google_zero_days + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.scope + tag: rename_scope + target_field: armis.vulnerability.scope + ignore_missing: true + - convert: + field: json.score + tag: convert_score_to_double + target_field: armis.vulnerability.score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.severity + tag: rename_severity + target_field: armis.vulnerability.severity + ignore_missing: true + - set: + field: vulnerability.severity + tag: set_vulnerability_severity_from_severity + copy_from: armis.vulnerability.severity + ignore_empty_value: true + - rename: + field: json.status + tag: rename_status + target_field: armis.vulnerability.status + ignore_missing: true + - rename: + field: json.threatActors + tag: rename_threatActors + target_field: 
armis.vulnerability.threat_actors + ignore_missing: true + - rename: + field: json.threatTags + tag: rename_threatTags + target_field: armis.vulnerability.threat_tags + ignore_missing: true + - rename: + field: json.type + tag: rename_type + target_field: armis.vulnerability.type + ignore_missing: true + - rename: + field: json.userInteraction + tag: rename_userInteraction + target_field: armis.vulnerability.user_interaction + ignore_missing: true + - rename: + field: json.vulnerability_match.advisoryId + tag: rename_vulnerability_match_advisoryId + target_field: armis.vulnerability.vulnerability_match.advisory_id + ignore_missing: true + - rename: + field: json.vulnerability_match.avmRating + tag: rename_vulnerability_match_avmRating + target_field: armis.vulnerability.vulnerability_match.avm_rating + ignore_missing: true + - rename: + field: json.vulnerability_match.confidenceLevel + tag: rename_vulnerability_match_confidenceLevel + target_field: armis.vulnerability.vulnerability_match.confidence_level + ignore_missing: true + - rename: + field: json.vulnerability_match.confidenceLevelDescription + tag: rename_vulnerability_match_confidenceLevelDescription + target_field: armis.vulnerability.vulnerability_match.confidence_level_description + ignore_missing: true + - rename: + field: json.vulnerability_match.cveUid + tag: rename_vulnerability_match_cveUid + target_field: armis.vulnerability.vulnerability_match.cve_uid + ignore_missing: true + - convert: + field: json.vulnerability_match.deviceId + tag: convert_vulnerability_match_deviceId + target_field: armis.vulnerability.vulnerability_match.device_id + type: string + ignore_missing: true + - set: + field: host.id + tag: set_host.id_id_from_vulnerability_vulnerability_match_device_id + copy_from: armis.vulnerability.vulnerability_match.device_id + ignore_empty_value: true + - set: + field: device.id + tag: set_device_id_from_vulnerability_vulnerability_match_device_id + copy_from: 
armis.vulnerability.vulnerability_match.device_id + ignore_empty_value: true + - append: + field: related.hosts + tag: append_related_host_from_vulnerability_vulnerability_match_device_id + value: '{{{armis.vulnerability.vulnerability_match.device_id}}}' + allow_duplicates: false + if: ctx.armis.vulnerability.vulnerability_match.device_id != null + - date: + field: json.vulnerability_match.firstDetected + tag: date_vulnerability_match_firstDetected + target_field: armis.vulnerability.vulnerability_match.first_detected + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.vulnerability_match?.firstDetected != null && ctx.json.vulnerability_match.firstDetected != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.vulnerability_match.hasRemediationInfo + tag: rename_vulnerability_match_hasRemediationInfo + target_field: armis.vulnerability.vulnerability_match.has_remediation_info + ignore_missing: true + - date: + field: json.vulnerability_match.lastDetected + tag: date_vulnerability_match_lastDetected + target_field: armis.vulnerability.vulnerability_match.last_detected + formats: + - yyyy-MM-dd'T'HH:mm:ss.SSSSSSXXXXX + - EEE, dd MMM yyyy HH:mm:ss z + - ISO8601 + if: ctx.json?.vulnerability_match?.lastDetected != null && ctx.json.vulnerability_match.lastDetected != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: threat.indicator.last_seen + tag: set_threat_indicator_last_seen_from_vulnerability_vulnerability_match_last_detected + copy_from: 
armis.vulnerability.vulnerability_match.last_detected + ignore_empty_value: true + - set: + field: '@timestamp' + tag: set_timestamp_from_vulnerability_vulnerability_match_last_detected + copy_from: armis.vulnerability.vulnerability_match.last_detected + ignore_empty_value: true + - rename: + field: json.vulnerability_match.matchCriteriaString + tag: rename_vulnerability_match_matchCriteriaString + target_field: armis.vulnerability.vulnerability_match.match_criteria_string + ignore_missing: true + - rename: + field: json.vulnerability_match.recommendedSteps + tag: rename_vulnerability_match_recommendedSteps + target_field: armis.vulnerability.vulnerability_match.recommended_steps + ignore_missing: true + - rename: + field: json.vulnerability_match.remediationTypes + tag: rename_vulnerability_match_remediationTypes + target_field: armis.vulnerability.vulnerability_match.remediation_types + ignore_missing: true + - rename: + field: json.vulnerability_match.status + tag: rename_vulnerability_match_status + target_field: armis.vulnerability.vulnerability_match.status + ignore_missing: true + - rename: + field: json.vulnerability_match.statusChangeReason + tag: rename_vulnerability_match_statusChangeReason + target_field: armis.vulnerability.vulnerability_match.status_change_reason + ignore_missing: true + - rename: + field: json.vulnerability_match.statusSource + tag: rename_vulnerability_match_statusSource + target_field: armis.vulnerability.vulnerability_match.status_source + ignore_missing: true + - remove: + field: + - armis.vulnerability.avm_rating_manual_changed_by + - armis.vulnerability.description + - armis.vulnerability.first_detected + - armis.vulnerability.id + - armis.vulnerability.vulnerability_match.device_id + - armis.vulnerability.attack_vector + - armis.vulnerability.severity + - armis.vulnerability.vulnerability_match.last_detected + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || 
!ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/armis/data_stream/vulnerability/fields/base-fields.yml b/packages/armis/data_stream/vulnerability/fields/base-fields.yml new file mode 100644 index 00000000000..5586ba5d5a6 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: armis +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: armis.vulnerability +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/armis/data_stream/vulnerability/fields/beats.yml b/packages/armis/data_stream/vulnerability/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/armis/data_stream/vulnerability/fields/fields.yml b/packages/armis/data_stream/vulnerability/fields/fields.yml new file mode 100644 index 00000000000..2cc5fcba637 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/fields/fields.yml 
@@ -0,0 +1,125 @@ +- name: armis + type: group + fields: + - name: vulnerability + type: group + fields: + - name: affected_devices_count + type: long + - name: attack_complexity + type: keyword + - name: attack_vector + type: keyword + - name: availability_impact + type: keyword + - name: avm_rating + type: keyword + - name: avm_rating_manual_change_reason + type: keyword + - name: avm_rating_manual_changed_by + type: keyword + - name: avm_rating_manual_update_time + type: date + - name: botnets + type: keyword + - name: cisa_due_date + type: date + - name: common_name + type: keyword + - name: confidentiality_impact + type: keyword + - name: cve_uid + type: keyword + - name: cvss_score + type: double + - name: cvss_score_v4 + type: keyword + - name: description + type: keyword + - name: epss_percentile + type: double + - name: epss_score + type: double + - name: exploitability_score + type: double + - name: first_detected + type: date + - name: first_reference_publish_date + type: date + - name: first_weaponized_reference_publish_date + type: date + - name: has_ransomware + type: boolean + - name: has_remediation_info + type: keyword + - name: id + type: keyword + - name: impact_score + type: double + - name: integrity_impact + type: keyword + - name: is_weaponized + type: boolean + - name: last_detected + type: date + - name: latest_exploit_update + type: date + - name: num_of_exploits + type: long + - name: number_of_threat_actors + type: long + - name: privileges_required + type: keyword + - name: published_date + type: date + - name: reported_by_google_zero_days + type: boolean + - name: scope + type: keyword + - name: score + type: double + - name: severity + type: keyword + - name: status + type: keyword + - name: threat_actors + type: keyword + - name: threat_tags + type: keyword + - name: type + type: keyword + - name: user_interaction + type: keyword + - name: vulnerability_match + type: group + fields: + - name: advisory_id + type: keyword + - name: 
avm_rating + type: keyword + - name: confidence_level + type: keyword + - name: confidence_level_description + type: keyword + - name: cve_uid + type: keyword + - name: device_id + type: keyword + - name: first_detected + type: date + - name: has_remediation_info + type: keyword + - name: last_detected + type: date + - name: match_criteria_string + type: keyword + - name: recommended_steps + type: keyword + - name: remediation_types + type: keyword + - name: status + type: keyword + - name: status_change_reason + type: keyword + - name: status_source + type: keyword diff --git a/packages/armis/data_stream/vulnerability/fields/is-transform-source-true.yml b/packages/armis/data_stream/vulnerability/fields/is-transform-source-true.yml new file mode 100644 index 00000000000..fd4766eacd5 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/fields/is-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "true" diff --git a/packages/armis/data_stream/vulnerability/manifest.yml b/packages/armis/data_stream/vulnerability/manifest.yml new file mode 100755 index 00000000000..e8539512d12 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/manifest.yml 
@@ -0,0 +1,79 @@ +title: Vulnerability +type: logs +streams: + - input: cel + title: Vulnerability Logs + description: Collect Vulnerability logs via API. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the Vulnerability logs from Armis API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Armis API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: page_size + type: text + title: Page Size + multi: false + required: true + show_user: false + description: Page size for the response of the Armis API. + default: 89 + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - armis-vulnerability + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve armis.vulnerability fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/armis/data_stream/vulnerability/sample_event.json b/packages/armis/data_stream/vulnerability/sample_event.json new file mode 100644 index 00000000000..0d527ab2d51 --- /dev/null +++ b/packages/armis/data_stream/vulnerability/sample_event.json 
@@ -0,0 +1,120 @@ +{ + "@timestamp": "2025-04-03T10:38:59.297Z", + "agent": { + "ephemeral_id": "677824d1-81dc-4c34-80be-8f709b7d5e60", + "id": "6cc04d8c-ce57-40f8-bd48-c44a580b1b91", + "name": "elastic-agent-94040", + "type": "filebeat", + "version": "8.18.0" + }, + "armis": { + "vulnerability": { + "affected_devices_count": 13, + "attack_complexity": "Low", + "attack_vector": "Network", + "availability_impact": "High", + "confidentiality_impact": "High", + "cve_uid": "CVE-2024-44148", + "cvss_score": 10, + "description": "This issue was addressed with improved validation of file attributes.", + "epss_percentile": 0.31, + "epss_score": 0.00139, + "exploitability_score": 3.9, + "first_detected": "2025-04-03T09:18:31.915Z", + "has_remediation_info": "No", + "id": "CVE-2024-44148", + "impact_score": 6, + "integrity_impact": "High", + "last_detected": "2025-04-03T10:38:59.372Z", + "num_of_exploits": 0, + "number_of_threat_actors": 0, + "privileges_required": "None", + "published_date": "2024-09-17T00:15:50.617Z", + "scope": "Changed", + "score": 10, + "severity": "Critical", + "status": "Open", + "type": "OS", + "user_interaction": "None", + "vulnerability_match": { + "confidence_level": "High", + "cve_uid": "CVE-2024-44148", + "device_id": "109", + "first_detected": "2025-04-03T10:38:59.297Z", + "has_remediation_info": "No", + "last_detected": "2025-04-03T10:38:59.297Z", + "match_criteria_string": "OS", + "status": "Open", + "status_source": "Discovered by Armis" + } + } + }, + "data_stream": { + "dataset": "armis.vulnerability", + "namespace": "94964", + "type": "logs" + }, + "device": { + "id": "109" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "6cc04d8c-ce57-40f8-bd48-c44a580b1b91", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "armis.vulnerability", + "ingested": "2025-05-12T05:23:54Z", + "kind": "event", + "original": 
"{\"affectedDevicesCount\":13,\"attackComplexity\":\"Low\",\"attackVector\":\"Network\",\"availabilityImpact\":\"High\",\"avmRating\":null,\"avmRatingManualChangeReason\":null,\"avmRatingManualChangedBy\":\"\",\"avmRatingManualUpdateTime\":null,\"botnets\":null,\"cisaDueDate\":null,\"commonName\":null,\"confidentialityImpact\":\"High\",\"cveUid\":\"CVE-2024-44148\",\"cvssScore\":10,\"cvssScoreV4\":null,\"description\":\"This issue was addressed with improved validation of file attributes.\",\"epssPercentile\":0.31,\"epssScore\":0.00139,\"exploitabilityScore\":3.9,\"firstDetected\":\"2025-04-03T09:18:31.915543+00:00\",\"firstReferencePublishDate\":null,\"firstWeaponizedReferencePublishDate\":null,\"hasRansomware\":null,\"hasRemediationInfo\":\"No\",\"id\":\"CVE-2024-44148\",\"impactScore\":6,\"integrityImpact\":\"High\",\"isWeaponized\":null,\"lastDetected\":\"2025-04-03T10:38:59.372389+00:00\",\"latestExploitUpdate\":null,\"numOfExploits\":0,\"numberOfThreatActors\":0,\"privilegesRequired\":\"None\",\"publishedDate\":\"2024-09-17T00:15:50.617000+00:00\",\"reportedByGoogleZeroDays\":null,\"scope\":\"Changed\",\"score\":10,\"severity\":\"Critical\",\"status\":\"Open\",\"threatActors\":null,\"threatTags\":null,\"type\":\"OS\",\"userInteraction\":\"None\",\"vulnerability_match\":{\"advisoryId\":null,\"avmRating\":null,\"confidenceLevel\":\"High\",\"confidenceLevelDescription\":null,\"cveUid\":\"CVE-2024-44148\",\"deviceId\":109,\"firstDetected\":\"2025-04-03T10:38:59.297015+00:00\",\"hasRemediationInfo\":\"No\",\"lastDetected\":\"2025-04-03T10:38:59.297015+00:00\",\"matchCriteriaString\":\"OS\",\"recommendedSteps\":null,\"remediationTypes\":null,\"status\":\"Open\",\"statusChangeReason\":null,\"statusSource\":\"Discovered by Armis\"}}", + "start": "2025-04-03T09:18:31.915Z", + "type": [ + "info" + ] + }, + "host": { + "id": "109" + }, + "input": { + "type": "cel" + }, + "message": "This issue was addressed with improved validation of file attributes.", + "observer": { 
+ "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "109" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "armis-vulnerability" + ], + "threat": { + "indicator": { + "last_seen": "2025-04-03T10:38:59.297Z" + } + }, + "vulnerability": { + "category": [ + "Network" + ], + "description": "This issue was addressed with improved validation of file attributes.", + "id": "CVE-2024-44148", + "scanner": { + "vendor": "Armis" + }, + "severity": "Critical" + } +} diff --git a/packages/armis/docs/README.md b/packages/armis/docs/README.md new file mode 100644 index 00000000000..81704588504 --- /dev/null +++ b/packages/armis/docs/README.md 
@@ -0,0 +1,628 @@ +# Armis + +[Armis](https://www.armis.com/) is an enterprise-class security platform designed to provide visibility and protection for managed, unmanaged, and IoT devices. It enables organizations to detect threats, manage vulnerabilities, and enforce security policies across their network. + +Use this integration to collect and parse data from your Armis instance. + +## Compatibility + +This module has been tested against the Armis API version **v1**. + +## Data Streams + +The Armis integration collects three types of logs. + +- **Devices** : Fetches the latest updates for all devices monitored by Armis. +- **Alerts** : Gathers alerts associated with all devices monitored by Armis. +- **Vulnerabilities** : Retrieves detected vulnerabilities and possible mitigation steps across all devices monitored by Armis. + +**Note** : + +1. The **vulnerability data stream** retrieves information by first fetching vulnerabilities and then identifying the devices where these vulnerabilities were detected, using a chained call between the vulnerability search and vulnerability match endpoints. + +## Requirements + +### Agentless Enabled Integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. 
+ +### Agent Based Installation +- Elastic Agent must be installed +- You can install only one Elastic Agent per host. +- Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +#### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +#### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +#### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +#### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +## Setup + +### To collect logs through REST API, follow the below steps: + +1. Log in to your Armis portal. +2. Navigate to the **Settings** tab. +3. Select **Asset Management & Security**. +4. Go to **API Management** and generate a **Secret Key**. + +### Enabling the integration in Elastic: + +1. In Kibana navigate to Management > Integrations. +2. In "Search for integrations" top bar, search for `Armis`. +3. 
Select the "Armis" integration from the search results. +4. Select "Add Armis" to add the integration. +5. Add all the required integration configuration parameters, including the URL, Secret Key to enable data collection. +6. Select "Save and continue" to save the integration. + +## Limitations + +1. In the **vulnerability data stream**, our filtering mechanism for the **vulnerability search API** relies specifically on the `lastDetected` field. This means that when a user takes action on a vulnerability and `lastDetected` updates, only then will the event for that vulnerability be retrieved. Initially, we assumed this field would always have a value and could be used as a cursor timestamp for fetching data between intervals. However, due to inconsistencies in the API response, we observed cases where `lastDetected` is `null`. + +## Troubleshooting + +- If you are seeing below mentioned errors in the **vulnerability data stream**, try reducing the page size in your request. + + **Common errors:** + - `502 Bad Gateway` + - `414 Request-URI Too Large` + +- If you are encountering issues in the **alert data stream**, particularly during the initial data fetch, try reducing the initial interval. + + **Example error:** + - `The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.` + +## Logs reference + +### Alert + +This is the `alert` dataset. 
+ +#### Example + +An example event for `alert` looks as following: + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2025-03-29T00:12:57.306Z", + "agent": { + "ephemeral_id": "1fff435b-9a03-41de-9746-3d507c0467bb", + "id": "f5180424-1abc-450a-b868-5e1d827954a5", + "name": "elastic-agent-93160", + "type": "filebeat", + "version": "8.18.0" + }, + "armis": { + "alert": { + "activity_uuids": [ + "6f3d6d3a-6732-44cc-9d63-10a38277fb15" + ], + "affected_devices_count": 1, + "alert_id": "61", + "classification": "Security - Other", + "description": "The Armis security platform has detected a violation of a policy and generated an alert.", + "device_ids": [ + "854" + ], + "severity": "Critical", + "status": "Unhandled", + "status_change_time": "2025-03-29T00:12:57.306Z", + "time": "2025-03-29T00:12:57.306Z", + "title": "[Risk] Device Susceptible to Ransomware", + "type": "System Policy Violation" + } + }, + "data_stream": { + "dataset": "armis.alert", + "namespace": "39244", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "f5180424-1abc-450a-b868-5e1d827954a5", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "armis.alert", + "id": "61", + "ingested": "2025-05-12T05:22:20Z", + "kind": "alert", + "original": "{\"activityUUIDs\":[\"6f3d6d3a-6732-44cc-9d63-10a38277fb15\"],\"affectedDevicesCount\":1,\"alertId\":61,\"classification\":\"Security - Other\",\"connectionIds\":[],\"description\":\"The Armis security platform has detected a violation of a policy and generated an alert.\",\"destinationEndpoints\":[],\"deviceIds\":[854],\"lastAlertUpdateTime\":null,\"mitreAttackLabels\":null,\"policyId\":null,\"policyLabels\":null,\"policyTitle\":null,\"severity\":\"Critical\",\"sourceEndpoints\":[],\"status\":\"Unhandled\",\"statusChangeTime\":\"2025-03-29T00:12:57.306928+00:00\",\"time\":\"2025-03-29T00:12:57.306928+00:00\",\"title\":\"[Risk] Device 
Susceptible to Ransomware\",\"type\":\"System Policy Violation\"}", + "severity": 99 + }, + "host": { + "id": [ + "854" + ] + }, + "input": { + "type": "cel" + }, + "message": "The Armis security platform has detected a violation of a policy and generated an alert.", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "854" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "armis-alert" + ] +} +``` + +#### Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| armis.alert.activity_uuids | | keyword | +| armis.alert.affected_devices_count | | long | +| armis.alert.alert_id | | keyword | +| armis.alert.classification | | keyword | +| armis.alert.connection_ids | | keyword | +| armis.alert.description | | keyword | +| armis.alert.destination_endpoints | | keyword | +| armis.alert.device_ids | | keyword | +| armis.alert.friendly_name | | keyword | +| armis.alert.last_alert_update_time | | date | +| armis.alert.mitre_attack_labels | | keyword | +| armis.alert.policy_id | | keyword | +| armis.alert.policy_labels | | keyword | +| armis.alert.policy_title | | keyword | +| armis.alert.severity | | keyword | +| armis.alert.source_endpoints | | keyword | +| armis.alert.status | | keyword | +| armis.alert.status_change_time | | date | +| armis.alert.time | | date | +| armis.alert.title | | keyword | +| armis.alert.type | | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | + + +### Device + +This is the `device` dataset. 
+ +#### Example + +An example event for `device` looks as following: + +An example event for `device` looks as following: + +```json +{ + "@timestamp": "2025-03-29T10:43:55.988Z", + "agent": { + "ephemeral_id": "676dc7fa-df27-437e-9899-f13552edfd88", + "id": "63e7f8d1-3918-497a-848c-69ef5495d29e", + "name": "elastic-agent-92930", + "type": "filebeat", + "version": "8.18.0" + }, + "armis": { + "device": { + "boundaries": "Corporate", + "business_impact": "Unassigned", + "category": "Network Equipment", + "data_sources": [ + { + "first_seen": "2024-10-09T05:09:02.988Z", + "last_seen": "2025-03-29T10:43:55.988Z", + "name": "Knowledge Base", + "types": [ + "Traffic Inspection", + "Data Analysis" + ] + } + ], + "display_title": "Test", + "first_seen": "2024-10-09T05:09:02.988Z", + "id": "1154", + "ip_address": [ + "89.160.20.128" + ], + "last_seen": "2025-03-29T10:43:55.988Z", + "mac_address": [ + "50:76:AF:D3:3F:AB" + ], + "manufacturer": "Test Manufacturer", + "model": "Test Model", + "name": "Test Name", + "names": [ + "Test Names" + ], + "operating_system": "Windows", + "operating_system_version": "Server 2016", + "purdue_level": 4, + "risk_level": 10, + "sensor": { + "name": "test Enterprise", + "type": "test LAN Controller" + }, + "site": { + "location": "Zurich", + "name": "Zurich Enterprise" + }, + "tags": [ + "Misconfigurations" + ], + "type": "Switches", + "type_enum": "SWITCH", + "visibility": "Full" + } + }, + "data_stream": { + "dataset": "armis.device", + "namespace": "52873", + "type": "logs" + }, + "device": { + "manufacturer": "Test Manufacturer", + "model": { + "name": "Test Model" + } + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "63e7f8d1-3918-497a-848c-69ef5495d29e", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "armis.device", + "ingested": "2025-05-12T05:23:05Z", + "kind": "event", + "original": 
"{\"accessSwitch\":null,\"boundaries\":\"Corporate\",\"businessImpact\":\"Unassigned\",\"category\":\"Network Equipment\",\"customProperties\":{},\"dataSources\":[{\"firstSeen\":\"2024-10-09T05:09:02.988081+00:00\",\"instances\":[],\"lastSeen\":\"2025-03-29T10:43:55.988081+00:00\",\"name\":\"Knowledge Base\",\"types\":[\"Traffic Inspection\",\"Data Analysis\"]}],\"displayTitle\":\"Test\",\"firstSeen\":\"2024-10-09T05:09:02.988081+00:00\",\"id\":1154,\"ipAddress\":\"89.160.20.128\",\"ipv6\":[],\"lastSeen\":\"2025-03-29T10:43:55.988081+00:00\",\"macAddress\":\"50:76:AF:D3:3F:AB\",\"manufacturer\":\"Test Manufacturer\",\"model\":\"Test Model\",\"name\":\"Test Name\",\"names\":\"Test Names\",\"operatingSystem\":\"Windows\",\"operatingSystemVersion\":\"Server 2016\",\"protections\":[],\"purdueLevel\":4,\"riskLevel\":10,\"sensor\":{\"name\":\"test Enterprise\",\"type\":\"test LAN Controller\"},\"site\":{\"location\":\"Zurich\",\"name\":\"Zurich Enterprise\"},\"tags\":[\"Misconfigurations\"],\"type\":\"Switches\",\"typeEnum\":\"SWITCH\",\"userIds\":[],\"visibility\":\"Full\"}", + "start": "2024-10-09T05:09:02.988Z", + "type": [ + "info" + ] + }, + "host": { + "id": "1154", + "ip": [ + "89.160.20.128" + ], + "mac": [ + "50-76-AF-D3-3F-AB" + ], + "name": [ + "test names" + ], + "os": { + "family": "windows", + "version": "Server 2016" + }, + "risk": { + "static_score": 10 + }, + "type": "Network Equipment" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "test names" + ], + "ip": [ + "89.160.20.128" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "armis-device" + ] +} +``` + +#### Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. 
| date | +| armis.device.access_switch | | keyword | +| armis.device.boundaries | | keyword | +| armis.device.business_impact | | keyword | +| armis.device.category | | keyword | +| armis.device.custom_properties | | flattened | +| armis.device.data_sources.first_seen | | date | +| armis.device.data_sources.instances.first_seen | | date | +| armis.device.data_sources.instances.last_seen | | date | +| armis.device.data_sources.instances.name | | keyword | +| armis.device.data_sources.last_seen | | date | +| armis.device.data_sources.name | | keyword | +| armis.device.data_sources.types | | keyword | +| armis.device.display_title | | keyword | +| armis.device.first_seen | | date | +| armis.device.id | | keyword | +| armis.device.ip_address | | ip | +| armis.device.ip_v6 | | ip | +| armis.device.last_seen | | date | +| armis.device.mac_address | | keyword | +| armis.device.manufacturer | | keyword | +| armis.device.model | | keyword | +| armis.device.name | | keyword | +| armis.device.names | | keyword | +| armis.device.operating_system | | keyword | +| armis.device.operating_system_version | | keyword | +| armis.device.protections.creation_time | | date | +| armis.device.protections.device_id | | keyword | +| armis.device.protections.last_seen_time | | date | +| armis.device.protections.protection_name | | keyword | +| armis.device.purdue_level | | double | +| armis.device.risk_level | | long | +| armis.device.sensor.name | | keyword | +| armis.device.sensor.type | | keyword | +| armis.device.site.location | | keyword | +| armis.device.site.name | | keyword | +| armis.device.tags | | keyword | +| armis.device.type | | keyword | +| armis.device.type_enum | | keyword | +| armis.device.user_ids | | keyword | +| armis.device.visibility | | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. 
| constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. | long | + + +### Vulnerability + +This is the `vulnerability` dataset. + +#### Example + +An example event for `vulnerability` looks as following: + +An example event for `vulnerability` looks as following: + +```json +{ + "@timestamp": "2025-04-03T10:38:59.297Z", + "agent": { + "ephemeral_id": "677824d1-81dc-4c34-80be-8f709b7d5e60", + "id": "6cc04d8c-ce57-40f8-bd48-c44a580b1b91", + "name": "elastic-agent-94040", + "type": "filebeat", + "version": "8.18.0" + }, + "armis": { + "vulnerability": { + "affected_devices_count": 13, + "attack_complexity": "Low", + "attack_vector": "Network", + "availability_impact": "High", + "confidentiality_impact": "High", + "cve_uid": "CVE-2024-44148", + "cvss_score": 10, + "description": "This issue was addressed with improved validation of file attributes.", + "epss_percentile": 0.31, + "epss_score": 0.00139, + "exploitability_score": 3.9, + "first_detected": "2025-04-03T09:18:31.915Z", + "has_remediation_info": "No", + "id": "CVE-2024-44148", + "impact_score": 6, + "integrity_impact": "High", + "last_detected": "2025-04-03T10:38:59.372Z", + "num_of_exploits": 0, + "number_of_threat_actors": 0, + "privileges_required": "None", + "published_date": "2024-09-17T00:15:50.617Z", + "scope": "Changed", + "score": 10, + "severity": "Critical", + "status": "Open", + "type": "OS", + "user_interaction": "None", + "vulnerability_match": { + "confidence_level": "High", + "cve_uid": "CVE-2024-44148", + "device_id": "109", + "first_detected": "2025-04-03T10:38:59.297Z", + "has_remediation_info": "No", + "last_detected": 
"2025-04-03T10:38:59.297Z", + "match_criteria_string": "OS", + "status": "Open", + "status_source": "Discovered by Armis" + } + } + }, + "data_stream": { + "dataset": "armis.vulnerability", + "namespace": "94964", + "type": "logs" + }, + "device": { + "id": "109" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "6cc04d8c-ce57-40f8-bd48-c44a580b1b91", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "armis.vulnerability", + "ingested": "2025-05-12T05:23:54Z", + "kind": "event", + "original": "{\"affectedDevicesCount\":13,\"attackComplexity\":\"Low\",\"attackVector\":\"Network\",\"availabilityImpact\":\"High\",\"avmRating\":null,\"avmRatingManualChangeReason\":null,\"avmRatingManualChangedBy\":\"\",\"avmRatingManualUpdateTime\":null,\"botnets\":null,\"cisaDueDate\":null,\"commonName\":null,\"confidentialityImpact\":\"High\",\"cveUid\":\"CVE-2024-44148\",\"cvssScore\":10,\"cvssScoreV4\":null,\"description\":\"This issue was addressed with improved validation of file 
attributes.\",\"epssPercentile\":0.31,\"epssScore\":0.00139,\"exploitabilityScore\":3.9,\"firstDetected\":\"2025-04-03T09:18:31.915543+00:00\",\"firstReferencePublishDate\":null,\"firstWeaponizedReferencePublishDate\":null,\"hasRansomware\":null,\"hasRemediationInfo\":\"No\",\"id\":\"CVE-2024-44148\",\"impactScore\":6,\"integrityImpact\":\"High\",\"isWeaponized\":null,\"lastDetected\":\"2025-04-03T10:38:59.372389+00:00\",\"latestExploitUpdate\":null,\"numOfExploits\":0,\"numberOfThreatActors\":0,\"privilegesRequired\":\"None\",\"publishedDate\":\"2024-09-17T00:15:50.617000+00:00\",\"reportedByGoogleZeroDays\":null,\"scope\":\"Changed\",\"score\":10,\"severity\":\"Critical\",\"status\":\"Open\",\"threatActors\":null,\"threatTags\":null,\"type\":\"OS\",\"userInteraction\":\"None\",\"vulnerability_match\":{\"advisoryId\":null,\"avmRating\":null,\"confidenceLevel\":\"High\",\"confidenceLevelDescription\":null,\"cveUid\":\"CVE-2024-44148\",\"deviceId\":109,\"firstDetected\":\"2025-04-03T10:38:59.297015+00:00\",\"hasRemediationInfo\":\"No\",\"lastDetected\":\"2025-04-03T10:38:59.297015+00:00\",\"matchCriteriaString\":\"OS\",\"recommendedSteps\":null,\"remediationTypes\":null,\"status\":\"Open\",\"statusChangeReason\":null,\"statusSource\":\"Discovered by Armis\"}}", + "start": "2025-04-03T09:18:31.915Z", + "type": [ + "info" + ] + }, + "host": { + "id": "109" + }, + "input": { + "type": "cel" + }, + "message": "This issue was addressed with improved validation of file attributes.", + "observer": { + "product": "Asset Management and Security", + "vendor": "Armis" + }, + "related": { + "hosts": [ + "109" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "armis-vulnerability" + ], + "threat": { + "indicator": { + "last_seen": "2025-04-03T10:38:59.297Z" + } + }, + "vulnerability": { + "category": [ + "Network" + ], + "description": "This issue was addressed with improved validation of file attributes.", + "id": 
"CVE-2024-44148", + "scanner": { + "vendor": "Armis" + }, + "severity": "Critical" + } +} +``` + +#### Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| armis.vulnerability.affected_devices_count | | long | +| armis.vulnerability.attack_complexity | | keyword | +| armis.vulnerability.attack_vector | | keyword | +| armis.vulnerability.availability_impact | | keyword | +| armis.vulnerability.avm_rating | | keyword | +| armis.vulnerability.avm_rating_manual_change_reason | | keyword | +| armis.vulnerability.avm_rating_manual_changed_by | | keyword | +| armis.vulnerability.avm_rating_manual_update_time | | date | +| armis.vulnerability.botnets | | keyword | +| armis.vulnerability.cisa_due_date | | date | +| armis.vulnerability.common_name | | keyword | +| armis.vulnerability.confidentiality_impact | | keyword | +| armis.vulnerability.cve_uid | | keyword | +| armis.vulnerability.cvss_score | | double | +| armis.vulnerability.cvss_score_v4 | | keyword | +| armis.vulnerability.description | | keyword | +| armis.vulnerability.epss_percentile | | double | +| armis.vulnerability.epss_score | | double | +| armis.vulnerability.exploitability_score | | double | +| armis.vulnerability.first_detected | | date | +| armis.vulnerability.first_reference_publish_date | | date | +| armis.vulnerability.first_weaponized_reference_publish_date | | date | +| armis.vulnerability.has_ransomware | | boolean | +| armis.vulnerability.has_remediation_info | | keyword | +| armis.vulnerability.id | | keyword | +| armis.vulnerability.impact_score | | double | +| armis.vulnerability.integrity_impact | | keyword | +| armis.vulnerability.is_weaponized | | boolean | +| armis.vulnerability.last_detected | | date | +| armis.vulnerability.latest_exploit_update | | date | +| armis.vulnerability.num_of_exploits | | long | +| armis.vulnerability.number_of_threat_actors | | long | +| armis.vulnerability.privileges_required | | 
keyword | +| armis.vulnerability.published_date | | date | +| armis.vulnerability.reported_by_google_zero_days | | boolean | +| armis.vulnerability.scope | | keyword | +| armis.vulnerability.score | | double | +| armis.vulnerability.severity | | keyword | +| armis.vulnerability.status | | keyword | +| armis.vulnerability.threat_actors | | keyword | +| armis.vulnerability.threat_tags | | keyword | +| armis.vulnerability.type | | keyword | +| armis.vulnerability.user_interaction | | keyword | +| armis.vulnerability.vulnerability_match.advisory_id | | keyword | +| armis.vulnerability.vulnerability_match.avm_rating | | keyword | +| armis.vulnerability.vulnerability_match.confidence_level | | keyword | +| armis.vulnerability.vulnerability_match.confidence_level_description | | keyword | +| armis.vulnerability.vulnerability_match.cve_uid | | keyword | +| armis.vulnerability.vulnerability_match.device_id | | keyword | +| armis.vulnerability.vulnerability_match.first_detected | | date | +| armis.vulnerability.vulnerability_match.has_remediation_info | | keyword | +| armis.vulnerability.vulnerability_match.last_detected | | date | +| armis.vulnerability.vulnerability_match.match_criteria_string | | keyword | +| armis.vulnerability.vulnerability_match.recommended_steps | | keyword | +| armis.vulnerability.vulnerability_match.remediation_types | | keyword | +| armis.vulnerability.vulnerability_match.status | | keyword | +| armis.vulnerability.vulnerability_match.status_change_reason | | keyword | +| armis.vulnerability.vulnerability_match.status_source | | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. 
| keyword | +| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword | +| log.offset | Log offset. | long | + diff --git a/packages/armis/elasticsearch/transform/latest_device/fields/base-fields.yml b/packages/armis/elasticsearch/transform/latest_device/fields/base-fields.yml new file mode 100644 index 00000000000..9e654ca994f --- /dev/null +++ b/packages/armis/elasticsearch/transform/latest_device/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: armis +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: armis.device +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/armis/elasticsearch/transform/latest_device/fields/beats.yml b/packages/armis/elasticsearch/transform/latest_device/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/armis/elasticsearch/transform/latest_device/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/armis/elasticsearch/transform/latest_device/fields/ecs.yml b/packages/armis/elasticsearch/transform/latest_device/fields/ecs.yml new file mode 100644 index 00000000000..bd0e415490d --- /dev/null +++ b/packages/armis/elasticsearch/transform/latest_device/fields/ecs.yml 
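Review bot: the Agent Based Installation section of docs/README.md says `Elastic Agent is required to stream data from the GCP Pub/Sub or REST API`, but this package only polls the Armis REST API (`input.type` is `cel` in every sample event); remove the Pub/Sub mention here and in the `_dev/build/docs/README.md` template it is generated from. The Limitations entry explains why `lastDetected` is used as the cursor for the vulnerability search API but never says what happens to records where it is `null` (skipped, or re-fetched every interval); state that plainly, since it decides whether those vulnerabilities ever reach Elastic. Minor: `An example event for `alert` looks as following:` and the `Exported fields` heading each appear twice per data stream, so the template repeats lines the `event` and `fields` helpers already emit; the alert example also stores `host.id` as an array (`["854"]`) while the device example stores it as a single string, which will surprise anyone joining the two on that field.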
@@ -0,0 +1,40 @@ +- external: ecs + name: device.manufacturer +- external: ecs + name: device.model.name +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.kind +- external: ecs + name: event.start +- external: ecs + name: event.type +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.version +- external: ecs + name: host.risk.static_score +- external: ecs + name: host.type +- external: ecs + name: observer.vendor +- external: ecs + name: observer.product +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: user.id diff --git a/packages/armis/elasticsearch/transform/latest_device/fields/fields.yml b/packages/armis/elasticsearch/transform/latest_device/fields/fields.yml new file mode 100644 index 00000000000..bf2072017fa --- /dev/null +++ b/packages/armis/elasticsearch/transform/latest_device/fields/fields.yml 
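Review bot: the device sample event in the README carries `related.hosts` (`"hosts": ["test names"]`), but this ecs.yml for the latest_device transform declares `related.ip` and `related.user` without `related.hosts`, so the destination index only gets it through the `strings_as_keyword` dynamic template in manifest.yml; add `- external: ecs` / `name: related.hosts` so the mapping is explicit. Same for `event.ingested`, which transform.yml uses as the `sync.time.field` but which is not declared here and is left to `date_detection`.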
@@ -0,0 +1,101 @@ +- name: armis + type: group + fields: + - name: device + type: group + fields: + - name: access_switch + type: keyword + - name: boundaries + type: keyword + - name: business_impact + type: keyword + - name: category + type: keyword + - name: custom_properties + type: flattened + - name: data_sources + type: group + fields: + - name: first_seen + type: date + - name: instances + type: group + fields: + - name: first_seen + type: date + - name: last_seen + type: date + - name: name + type: keyword + - name: last_seen + type: date + - name: name + type: keyword + - name: types + type: keyword + - name: display_title + type: keyword + - name: first_seen + type: date + - name: id + type: keyword + - name: ip_address + type: ip + - name: ip_v6 + type: ip + - name: last_seen + type: date + - name: mac_address + type: keyword + - name: manufacturer + type: keyword + - name: model + type: keyword + - name: name + type: keyword + - name: names + type: keyword + - name: operating_system + type: keyword + - name: operating_system_version + type: keyword + - name: protections + type: group + fields: + - name: creation_time + type: date + - name: device_id + type: keyword + - name: last_seen_time + type: date + - name: protection_name + type: keyword + - name: purdue_level + type: double + - name: risk_level + type: long + - name: sensor + type: group + fields: + - name: name + type: keyword + - name: type + type: keyword + - name: site + type: group + fields: + - name: location + type: keyword + - name: name + type: keyword + - name: tags + type: keyword + - name: type + type: keyword + - name: type_enum + type: keyword + - name: user_ids + type: keyword + - name: visibility + type: keyword diff --git a/packages/armis/elasticsearch/transform/latest_device/fields/is-transform-source-false.yml b/packages/armis/elasticsearch/transform/latest_device/fields/is-transform-source-false.yml new file mode 100644 index 00000000000..490a079e7a7 --- /dev/null 
+++ b/packages/armis/elasticsearch/transform/latest_device/fields/is-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_transform_source + type: constant_keyword + description: Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. + value: "false" diff --git a/packages/armis/elasticsearch/transform/latest_device/manifest.yml b/packages/armis/elasticsearch/transform/latest_device/manifest.yml new file mode 100644 index 00000000000..24e9e926793 --- /dev/null +++ b/packages/armis/elasticsearch/transform/latest_device/manifest.yml @@ -0,0 +1,11 @@ +start: true +destination_index_template: + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/armis/elasticsearch/transform/latest_device/transform.yml b/packages/armis/elasticsearch/transform/latest_device/transform.yml new file mode 100644 index 00000000000..fb5105f7c31 --- /dev/null +++ b/packages/armis/elasticsearch/transform/latest_device/transform.yml 
@@ -0,0 +1,33 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-armis.device-*" +dest: + index: "logs-armis_latest.dest_device-1" + aliases: + - alias: "logs-armis_latest.device" + move_on_creation: true +latest: + unique_key: + - event.dataset + - host.id + sort: "@timestamp" +description: >- + Latest Devices from Armis. As devices get updated, this transform stores only the latest state of each device inside the destination index. Thus the transform's destination index contains only the latest state of the device. +frequency: 30s +settings: + # This is required to prevent the transform from clobbering the Fleet-managed mappings. + deduce_mappings: false + unattended: true +sync: + time: + field: "event.ingested" + # Updated to 120s because of refresh delay in Serverless. With default 60s, + # sometimes transform wouldn't process all documents. + delay: 120s +_meta: + managed: false + # Bump this version to delete, reinstall, and restart the transform during + # package installation. + fleet_transform_version: 1.0.0 + run_as_kibana_system: false diff --git a/packages/armis/img/armis-alerts.png b/packages/armis/img/armis-alerts.png new file mode 100644 index 00000000000..d73e51b30f9 Binary files /dev/null and b/packages/armis/img/armis-alerts.png differ diff --git a/packages/armis/img/armis-devices.png b/packages/armis/img/armis-devices.png new file mode 100644 index 00000000000..2d13d4c6938 Binary files /dev/null and b/packages/armis/img/armis-devices.png differ diff --git a/packages/armis/img/armis-logo.svg b/packages/armis/img/armis-logo.svg new file mode 100644 index 00000000000..41706794e7d --- /dev/null +++ b/packages/armis/img/armis-logo.svg @@ -0,0 +1,56 @@ + + + + + + + + diff --git a/packages/armis/img/armis-vulnerabilities.png b/packages/armis/img/armis-vulnerabilities.png new file mode 100644 index 00000000000..54a8b8b00b7 Binary files /dev/null and b/packages/armis/img/armis-vulnerabilities.png differ 
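Review bot: nothing in docs/README.md tells users that a `latest_device` transform exists, that it writes to `logs-armis_latest.dest_device-1` behind the `logs-armis_latest.device` alias, or that `labels.is_transform_source` (listed in the device and vulnerability exported-fields tables with no explanation) is the field to filter on so that source documents and their latest copies are not both counted under `logs-*`; add a short section describing the transform, the alias and that filter. Style: in `description`, the second sentence `Thus the transform's destination index contains only the latest state of the device.` repeats the first and can be dropped.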
diff --git a/packages/armis/kibana/dashboard/armis-68592f5a-9c7b-4398-a723-510d5e48a8b1.json b/packages/armis/kibana/dashboard/armis-68592f5a-9c7b-4398-a723-510d5e48a8b1.json new file mode 100644 index 00000000000..fe07bf22f3a --- /dev/null +++ b/packages/armis/kibana/dashboard/armis-68592f5a-9c7b-4398-a723-510d5e48a8b1.json 
@@ -0,0 +1,2018 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "52da4a7c-b635-450d-9567-4a044487a445": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.vulnerability.attack_complexity", + "id": "52da4a7c-b635-450d-9567-4a044487a445", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Attack Complexity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "6e234ea1-d3cc-4dc2-b6de-162ced43c5d5": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.vulnerability.type", + "id": "6e234ea1-d3cc-4dc2-b6de-162ced43c5d5", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Type" + }, + "grow": true, + "order": 4, + "type": "optionsListControl", + "width": "medium" + }, + "72db3051-2237-4e85-999a-81a7527fb829": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vulnerability.severity", + "id": "72db3051-2237-4e85-999a-81a7527fb829", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 5, + "type": "optionsListControl", + "width": "medium" + }, + "b546cc73-623c-467b-82d0-245de258671c": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.vulnerability.integrity_impact", + "id": "b546cc73-623c-467b-82d0-245de258671c", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Integrity Impact" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + 
"d3ebf517-4d95-4ab2-9618-2997b75626ce": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.vulnerability.status", + "id": "d3ebf517-4d95-4ab2-9618-2997b75626ce", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Status" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "d67526b0-897a-46e2-a396-f079840c941b": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.vulnerability.availability_impact", + "id": "d67526b0-897a-46e2-a396-f079840c941b", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Availability Impact" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Vulnerabilities logs collected by the Armis integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "armis.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "armis.vulnerability" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + 
"fontSize": 12, + "markdown": "**Navigation**\n\n**Armis**\n\n- [Alerts](#/dashboard/armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095)\n- [Devices](#/dashboard/armis-f988ffbb-80b9-42c2-8009-bbcc59d33347)\n- **Vulnerabilities**\n\n**Overview**\n\nThis dashboard provides insights into vulnerabilities, allowing users to monitor security risks effectively. It includes a Control Panel for filtering by attack complexity, availability impact, integrity impact, status, and type. It displays total vulnerabilities, total threat actors, and total affected devices, along with key visualizations such as top 10 users, top 10 threat actors, vulnerabilities over last detected by severity. It also offers breakdown of vulnerabilities by attack complexity, status, type, confidentiality impact, availability impact, user interaction and scope. A detailed essential vulnerability information, enabling deeper investigation.\n\n[**Integrations Page**](/app/integrations/detail/armis/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 23, + "i": "7591e61c-8c55-4f9d-9aad-8c233dbfe1a4", + "w": 18, + "x": 0, + "y": 0 + }, + "panelIndex": "7591e61c-8c55-4f9d-9aad-8c233dbfe1a4", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-726f054d-d73d-4d78-a0bb-dcdfa3a0e84b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "726f054d-d73d-4d78-a0bb-dcdfa3a0e84b": { + "columnOrder": [ + "0fc4b588-0433-4e00-b59e-2b5bd2c1ac0b" + ], + "columns": { + "0fc4b588-0433-4e00-b59e-2b5bd2c1ac0b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + 
"decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "726f054d-d73d-4d78-a0bb-dcdfa3a0e84b", + "layerType": "data", + "metricAccessor": "0fc4b588-0433-4e00-b59e-2b5bd2c1ac0b" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 12, + "i": "4041b01a-6e4b-4efd-b496-5c8de4bb391e", + "w": 12, + "x": 18, + "y": 0 + }, + "panelIndex": "4041b01a-6e4b-4efd-b496-5c8de4bb391e", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bf536f6d-2870-4feb-9059-bacc93c71d39", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bf536f6d-2870-4feb-9059-bacc93c71d39": { + "columnOrder": [ + "49cf9cdf-554d-478c-b3d9-f6339b369c00" + ], + "columns": { + "49cf9cdf-554d-478c-b3d9-f6339b369c00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Affected Devices", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "bf536f6d-2870-4feb-9059-bacc93c71d39", + "layerType": "data", + "metricAccessor": "49cf9cdf-554d-478c-b3d9-f6339b369c00" + } + }, 
+ "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": "8e096782-9acf-42dc-a22b-e724b11a1f9a", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "8e096782-9acf-42dc-a22b-e724b11a1f9a", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-58777e46-da26-4abf-8130-1a2df1f8144c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "58777e46-da26-4abf-8130-1a2df1f8144c": { + "columnOrder": [ + "67defae9-301f-4b71-9a67-bf83e90b2bdd" + ], + "columns": { + "67defae9-301f-4b71-9a67-bf83e90b2bdd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Threat Actors", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "armis.vulnerability.threat_actors" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "58777e46-da26-4abf-8130-1a2df1f8144c", + "layerType": "data", + "metricAccessor": "67defae9-301f-4b71-9a67-bf83e90b2bdd" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": "df3f5930-63b3-4726-875e-ed50afbe2709", + "w": 18, + "x": 30, + "y": 6 + }, + "panelIndex": "df3f5930-63b3-4726-875e-ed50afbe2709", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2408e2c8-f65f-4c1c-a853-4e3870cfc009", + "type": "index-pattern" + } + ], + 
"state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2408e2c8-f65f-4c1c-a853-4e3870cfc009": { + "columnOrder": [ + "f002109e-5f75-4762-8e73-05aab29a20a1", + "83e92bf4-151a-475a-9715-f42a2897f817", + "84eb7ec3-8f69-4ebc-8e26-791feb5ea216" + ], + "columns": { + "83e92bf4-151a-475a-9715-f42a2897f817": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerability Last Detected", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "armis.vulnerability.last_detected" + }, + "84eb7ec3-8f69-4ebc-8e26-791feb5ea216": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "f002109e-5f75-4762-8e73-05aab29a20a1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "84eb7ec3-8f69-4ebc-8e26-791feb5ea216", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "84eb7ec3-8f69-4ebc-8e26-791feb5ea216" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2408e2c8-f65f-4c1c-a853-4e3870cfc009", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "f002109e-5f75-4762-8e73-05aab29a20a1", + "xAccessor": "83e92bf4-151a-475a-9715-f42a2897f817" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "3a24ecf9-e21e-474b-a603-0286be40c20b", + "w": 30, + "x": 18, + "y": 12 + }, + "panelIndex": "3a24ecf9-e21e-474b-a603-0286be40c20b", + "title": "Vulnerabilities over Last Detected by Severity [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5e0af95b-27a6-41aa-91bf-1d5cf6f4b892", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5e0af95b-27a6-41aa-91bf-1d5cf6f4b892": { + "columnOrder": [ + "0e2e7022-9195-4fdd-b630-d747c652b48b", + "7b53343f-1ae4-4130-85f8-ae89d61abe2c" + ], + "columns": { + "0e2e7022-9195-4fdd-b630-d747c652b48b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + 
"label": "Attack Complexity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7b53343f-1ae4-4130-85f8-ae89d61abe2c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.attack_complexity" + }, + "7b53343f-1ae4-4130-85f8-ae89d61abe2c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5e0af95b-27a6-41aa-91bf-1d5cf6f4b892", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7b53343f-1ae4-4130-85f8-ae89d61abe2c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0e2e7022-9195-4fdd-b630-d747c652b48b" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ea3dea8b-d8e2-427f-915c-9d710e2c05bb", + "w": 24, + "x": 0, + "y": 23 + }, + "panelIndex": "ea3dea8b-d8e2-427f-915c-9d710e2c05bb", 
+ "title": "Vulnerabilities by Attack Complexity [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-500dad65-a743-4183-92d6-68f369f1c73a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "500dad65-a743-4183-92d6-68f369f1c73a": { + "columnOrder": [ + "1142b645-87d9-45af-87bd-e976245c3a0e", + "06e6a0fe-68bc-4a4e-818b-5a4bcd50feec" + ], + "columns": { + "06e6a0fe-68bc-4a4e-818b-5a4bcd50feec": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "1142b645-87d9-45af-87bd-e976245c3a0e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Confidentiality Impact", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "06e6a0fe-68bc-4a4e-818b-5a4bcd50feec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.confidentiality_impact" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + 
"rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "500dad65-a743-4183-92d6-68f369f1c73a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "06e6a0fe-68bc-4a4e-818b-5a4bcd50feec" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "1142b645-87d9-45af-87bd-e976245c3a0e" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "544b580f-7564-4d9e-8a23-42935f5c77cb", + "w": 24, + "x": 24, + "y": 23 + }, + "panelIndex": "544b580f-7564-4d9e-8a23-42935f5c77cb", + "title": "Vulnerabilities by Confidentiality Impact [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4abbb045-343e-4cd8-9e63-c1bdee1a8547", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4abbb045-343e-4cd8-9e63-c1bdee1a8547": { + "columnOrder": [ + "f7af5c26-effe-4721-b493-003da9755ab5", + "5d9648de-6918-466a-8ec3-c046f9d3a749" + ], + "columns": { + "5d9648de-6918-466a-8ec3-c046f9d3a749": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "f7af5c26-effe-4721-b493-003da9755ab5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5d9648de-6918-466a-8ec3-c046f9d3a749", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, 
+ "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.type" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4abbb045-343e-4cd8-9e63-c1bdee1a8547", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "5d9648de-6918-466a-8ec3-c046f9d3a749" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "f7af5c26-effe-4721-b493-003da9755ab5" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "20783847-a6f8-42d6-8146-9104ed669a02", + "w": 24, + "x": 0, + "y": 38 + }, + "panelIndex": "20783847-a6f8-42d6-8146-9104ed669a02", + "title": "Vulnerabilities by Type [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-335a8bfa-2df1-4730-9686-3337f5be5276", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "335a8bfa-2df1-4730-9686-3337f5be5276": { + "columnOrder": [ + "6068e49a-963a-46b3-8502-6818d20738c4", + "e1e6f34f-2ee2-4bff-834c-7e4f4c92840e" + ], + "columns": { + "6068e49a-963a-46b3-8502-6818d20738c4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Availability Impact", + 
"operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e1e6f34f-2ee2-4bff-834c-7e4f4c92840e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.availability_impact" + }, + "e1e6f34f-2ee2-4bff-834c-7e4f4c92840e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "335a8bfa-2df1-4730-9686-3337f5be5276", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "e1e6f34f-2ee2-4bff-834c-7e4f4c92840e" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6068e49a-963a-46b3-8502-6818d20738c4" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "754c8138-c534-4740-82fc-ef45d0129b96", + "w": 24, + "x": 24, + "y": 38 + }, + "panelIndex": "754c8138-c534-4740-82fc-ef45d0129b96", + "title": "Vulnerabilities 
by Availability Impact [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1acc399d-1588-4fd9-abea-624987dda8ea", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1acc399d-1588-4fd9-abea-624987dda8ea": { + "columnOrder": [ + "5dfb0d4d-b072-485b-a47d-b5c24841b7dd", + "1813025b-6caa-43ea-8e2a-2e7f0d33f5ce" + ], + "columns": { + "1813025b-6caa-43ea-8e2a-2e7f0d33f5ce": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "5dfb0d4d-b072-485b-a47d-b5c24841b7dd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1813025b-6caa-43ea-8e2a-2e7f0d33f5ce", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.status" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + 
}, + "layerId": "1acc399d-1588-4fd9-abea-624987dda8ea", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1813025b-6caa-43ea-8e2a-2e7f0d33f5ce" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "5dfb0d4d-b072-485b-a47d-b5c24841b7dd" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "be300acb-58ee-4d86-a2be-79b3c805eb3e", + "w": 24, + "x": 0, + "y": 53 + }, + "panelIndex": "be300acb-58ee-4d86-a2be-79b3c805eb3e", + "title": "Vulnerabilities by Status [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4d4fffe-d68a-43f3-a805-696374a6fd3d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d4d4fffe-d68a-43f3-a805-696374a6fd3d": { + "columnOrder": [ + "31a86088-557d-4de1-8959-681198e7a57f", + "93078d1a-c6ab-4bcc-98ec-1ef12f40ff25" + ], + "columns": { + "31a86088-557d-4de1-8959-681198e7a57f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Interaction", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "93078d1a-c6ab-4bcc-98ec-1ef12f40ff25", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.user_interaction" + }, + "93078d1a-c6ab-4bcc-98ec-1ef12f40ff25": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 
0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "93078d1a-c6ab-4bcc-98ec-1ef12f40ff25" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "d4d4fffe-d68a-43f3-a805-696374a6fd3d", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "31a86088-557d-4de1-8959-681198e7a57f" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "07e4c439-efc6-4a04-8918-26594f250f19", + "w": 24, + "x": 24, + "y": 53 + }, + "panelIndex": "07e4c439-efc6-4a04-8918-26594f250f19", + "title": "Vulnerabilities by User Interaction [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-27b3cd9e-aa59-4743-946c-0b89dd0877eb", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "27b3cd9e-aa59-4743-946c-0b89dd0877eb": { + "columnOrder": [ + "6bd5a605-b3e8-4a21-bd3d-58bdb39b1aeb", + "584bec0e-14db-4b32-b511-970e5b1d842b" + ], + "columns": { + "584bec0e-14db-4b32-b511-970e5b1d842b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "6bd5a605-b3e8-4a21-bd3d-58bdb39b1aeb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Scope", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "584bec0e-14db-4b32-b511-970e5b1d842b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.scope" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "584bec0e-14db-4b32-b511-970e5b1d842b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + 
"touched": false + } + ] + }, + "layerId": "27b3cd9e-aa59-4743-946c-0b89dd0877eb", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "6bd5a605-b3e8-4a21-bd3d-58bdb39b1aeb" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f9abc45f-d604-4424-9ecd-430a01ad442e", + "w": 24, + "x": 0, + "y": 68 + }, + "panelIndex": "f9abc45f-d604-4424-9ecd-430a01ad442e", + "title": "Vulnerabilities by Scope [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-61ebb31c-aacb-4a91-959c-9e7ced1b9003", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "61ebb31c-aacb-4a91-959c-9e7ced1b9003": { + "columnOrder": [ + "3d98dc35-277b-4f39-a4c6-06a730a81735", + "95a39395-81e8-43d2-92fb-9409ca631aee" + ], + "columns": { + "3d98dc35-277b-4f39-a4c6-06a730a81735": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "95a39395-81e8-43d2-92fb-9409ca631aee", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "95a39395-81e8-43d2-92fb-9409ca631aee": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + 
"operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "3d98dc35-277b-4f39-a4c6-06a730a81735" + }, + { + "columnId": "95a39395-81e8-43d2-92fb-9409ca631aee" + } + ], + "layerId": "61ebb31c-aacb-4a91-959c-9e7ced1b9003", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "29ae1214-cc78-4264-a6d3-df385732c2a7", + "w": 24, + "x": 24, + "y": 68 + }, + "panelIndex": "29ae1214-cc78-4264-a6d3-df385732c2a7", + "title": "Top 10 User with Highest Vulnerabilities [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-812fb59c-cecd-4c2a-b691-4ff957dfc8dc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "812fb59c-cecd-4c2a-b691-4ff957dfc8dc": { + "columnOrder": [ + "3f7ea294-55e8-4686-86d8-952c22bcba59", + "f2dc0d18-2a8b-49b3-9265-39dc70732c36" + ], + "columns": { + "3f7ea294-55e8-4686-86d8-952c22bcba59": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Actor", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f2dc0d18-2a8b-49b3-9265-39dc70732c36", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + 
"size": 10 + }, + "scale": "ordinal", + "sourceField": "armis.vulnerability.threat_actors" + }, + "f2dc0d18-2a8b-49b3-9265-39dc70732c36": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "3f7ea294-55e8-4686-86d8-952c22bcba59" + }, + { + "columnId": "f2dc0d18-2a8b-49b3-9265-39dc70732c36" + } + ], + "layerId": "812fb59c-cecd-4c2a-b691-4ff957dfc8dc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "4b042bfe-7820-4232-be43-961a8b1c83f1", + "w": 48, + "x": 0, + "y": 83 + }, + "panelIndex": "4b042bfe-7820-4232-be43-961a8b1c83f1", + "title": "Top 10 Threat Actor with Highest Vulnerabilities [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "3d38e8cd-465c-4b53-a1a4-a4e040950c28", + "w": 48, + "x": 0, + "y": 99 + }, + "panelIndex": "3d38e8cd-465c-4b53-a1a4-a4e040950c28", + "panelRefName": "panel_3d38e8cd-465c-4b53-a1a4-a4e040950c28", + "title": "Vulnerabilities Essential Details [Logs Armis]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Armis] Vulnerabilities", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:05:14.914Z", + "id": "armis-68592f5a-9c7b-4398-a723-510d5e48a8b1", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4041b01a-6e4b-4efd-b496-5c8de4bb391e:indexpattern-datasource-layer-726f054d-d73d-4d78-a0bb-dcdfa3a0e84b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8e096782-9acf-42dc-a22b-e724b11a1f9a:indexpattern-datasource-layer-bf536f6d-2870-4feb-9059-bacc93c71d39", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "df3f5930-63b3-4726-875e-ed50afbe2709:indexpattern-datasource-layer-58777e46-da26-4abf-8130-1a2df1f8144c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3a24ecf9-e21e-474b-a603-0286be40c20b:indexpattern-datasource-layer-2408e2c8-f65f-4c1c-a853-4e3870cfc009", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ea3dea8b-d8e2-427f-915c-9d710e2c05bb:indexpattern-datasource-layer-5e0af95b-27a6-41aa-91bf-1d5cf6f4b892", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "544b580f-7564-4d9e-8a23-42935f5c77cb:indexpattern-datasource-layer-500dad65-a743-4183-92d6-68f369f1c73a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "20783847-a6f8-42d6-8146-9104ed669a02:indexpattern-datasource-layer-4abbb045-343e-4cd8-9e63-c1bdee1a8547", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "754c8138-c534-4740-82fc-ef45d0129b96:indexpattern-datasource-layer-335a8bfa-2df1-4730-9686-3337f5be5276", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be300acb-58ee-4d86-a2be-79b3c805eb3e:indexpattern-datasource-layer-1acc399d-1588-4fd9-abea-624987dda8ea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07e4c439-efc6-4a04-8918-26594f250f19:indexpattern-datasource-layer-d4d4fffe-d68a-43f3-a805-696374a6fd3d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9abc45f-d604-4424-9ecd-430a01ad442e:indexpattern-datasource-layer-27b3cd9e-aa59-4743-946c-0b89dd0877eb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"29ae1214-cc78-4264-a6d3-df385732c2a7:indexpattern-datasource-layer-61ebb31c-aacb-4a91-959c-9e7ced1b9003", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4b042bfe-7820-4232-be43-961a8b1c83f1:indexpattern-datasource-layer-812fb59c-cecd-4c2a-b691-4ff957dfc8dc", + "type": "index-pattern" + }, + { + "id": "armis-0d7ec13b-880a-4fcc-8ff2-1af9cfd7cb31", + "name": "3d38e8cd-465c-4b53-a1a4-a4e040950c28:panel_3d38e8cd-465c-4b53-a1a4-a4e040950c28", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_faddc7b3-8e2a-4d51-a75c-33a482d2648c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_a6e0b5e2-a715-4715-aa19-4f7d9c529694:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_d0806491-b510-4c17-ab5a-489b52223aa6:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_aa3291fc-98ee-40d4-88d2-e3e9f616980b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ccf2f65f-738e-40b6-9c06-2379eec8f138:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_44e92146-b0f3-4ce3-bf49-352b117506b1:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/armis/kibana/dashboard/armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095.json b/packages/armis/kibana/dashboard/armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095.json new file mode 100644 index 00000000000..f6f221d97f2 --- /dev/null +++ b/packages/armis/kibana/dashboard/armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095.json 
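Review bot: The panel titles "Top 10 User with Highest Vulnerabilities [Logs Armis]" and "Top 10 Threat Actor with Highest Vulnerabilities [Logs Armis]" in this hunk should be pluralised ("Top 10 Users ...", "Top 10 Threat Actors ..."), since both are terms tables with size 10. Both tables compute a unique_count of vulnerability.id rather than a document count, which is the right choice for a table keyed on user.name or armis.vulnerability.threat_actors (one vulnerability can match several devices), but the column label "Count" would be clearer as "Vulnerabilities" so readers know it is a distinct count. The exported saved object also carries "created_at" and "updated_by": "u_mGBROF_..."; please confirm these survive the repo's elastic-package export normalisation intentionally, because the user id is environment-specific metadata that means nothing to package consumers.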
@@ -0,0 +1,1070 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "7cde8bb4-37ec-4d29-af68-0440eccdcb4e": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.severity", + "id": "7cde8bb4-37ec-4d29-af68-0440eccdcb4e", + "step": 1, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "rangeSliderControl", + "width": "medium" + }, + "f71fbc6b-c7f7-4e91-8634-fee83cb566f3": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.alert.status", + "id": "f71fbc6b-c7f7-4e91-8634-fee83cb566f3", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Status" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Alert logs collected by the Armis integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "armis.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "armis.alert" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": 
[], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Armis**\n\n- **Alerts**\n- [Devices](#/dashboard/armis-f988ffbb-80b9-42c2-8009-bbcc59d33347)\n- [Vulnerabilities](#/dashboard/armis-68592f5a-9c7b-4398-a723-510d5e48a8b1)\n\n**Overview**\n\nThis dashboard provides insights into alert events, allowing users to monitor security incidents effectively. It includes a Control Panel for filtering by severity and status, displays total alerts and total affected devices, and offers various visualizations such as alerts by rule name, severity, title, and status. It also tracks alerts over time, with a detailed essential alert information, enabling deeper investigation.\n\n[**Integrations Page**](/app/integrations/detail/armis/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 26, + "i": "c691b558-25f8-4bee-9355-b8277d5ff84a", + "w": 11, + "x": 0, + "y": 0 + }, + "panelIndex": "c691b558-25f8-4bee-9355-b8277d5ff84a", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e9c7ef4f-3878-42c9-abda-4ad383261ba3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e9c7ef4f-3878-42c9-abda-4ad383261ba3": { + "columnOrder": [ + "6743c517-3b2a-4fa7-b6c5-700a69597b48" + ], + "columns": { + "6743c517-3b2a-4fa7-b6c5-700a69597b48": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Alerts", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + 
"indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e9c7ef4f-3878-42c9-abda-4ad383261ba3", + "layerType": "data", + "metricAccessor": "6743c517-3b2a-4fa7-b6c5-700a69597b48" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": "41fd4b13-2b4e-45c4-a50e-b2621d33a397", + "w": 13, + "x": 11, + "y": 0 + }, + "panelIndex": "41fd4b13-2b4e-45c4-a50e-b2621d33a397", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9421128b-0d05-4c99-97b9-23144714e9e6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "9421128b-0d05-4c99-97b9-23144714e9e6": { + "columnOrder": [ + "b33ef7bf-6ab1-4679-b7a2-433393f8a306", + "290eddb1-4b74-433c-adf1-21d4a1193e08" + ], + "columns": { + "290eddb1-4b74-433c-adf1-21d4a1193e08": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "b33ef7bf-6ab1-4679-b7a2-433393f8a306": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "290eddb1-4b74-433c-adf1-21d4a1193e08", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + 
}, + "scale": "ordinal", + "sourceField": "armis.alert.severity" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9421128b-0d05-4c99-97b9-23144714e9e6", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "290eddb1-4b74-433c-adf1-21d4a1193e08" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "b33ef7bf-6ab1-4679-b7a2-433393f8a306" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "23f66e79-114b-42de-a5e8-3147ad5360e4", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "23f66e79-114b-42de-a5e8-3147ad5360e4", + "title": "Alerts by Severity [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-14e7b010-857d-41a2-82ae-6e09b3c57416", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "14e7b010-857d-41a2-82ae-6e09b3c57416": { + "columnOrder": [ + "2449445a-c3e1-4613-b856-24abc958ab24" + ], + "columns": { + "2449445a-c3e1-4613-b856-24abc958ab24": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Affected Devices", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + 
"format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "14e7b010-857d-41a2-82ae-6e09b3c57416", + "layerType": "data", + "metricAccessor": "2449445a-c3e1-4613-b856-24abc958ab24" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 7, + "i": "c8f408c1-a3f0-4213-b9f7-dc3215dc4f76", + "w": 13, + "x": 11, + "y": 6 + }, + "panelIndex": "c8f408c1-a3f0-4213-b9f7-dc3215dc4f76", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-db50cb97-f522-49d7-9eb2-4386897a68be", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "db50cb97-f522-49d7-9eb2-4386897a68be": { + "columnOrder": [ + "62726a42-245a-47f3-b94c-61edb5058c7a", + "3d171f69-af91-4d27-97fb-b6f3ffcf3e1e" + ], + "columns": { + "3d171f69-af91-4d27-97fb-b6f3ffcf3e1e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "62726a42-245a-47f3-b94c-61edb5058c7a": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + 
"incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "3d171f69-af91-4d27-97fb-b6f3ffcf3e1e" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "db50cb97-f522-49d7-9eb2-4386897a68be", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "62726a42-245a-47f3-b94c-61edb5058c7a" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "d71f56a3-dff2-4f44-b098-3dbb5d9d29d9", + "w": 37, + "x": 11, + "y": 13 + }, + "panelIndex": "d71f56a3-dff2-4f44-b098-3dbb5d9d29d9", + "title": "Alerts over Time [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-afd630b0-4fb7-421d-9823-cf927e2aef2d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + 
"layers": { + "afd630b0-4fb7-421d-9823-cf927e2aef2d": { + "columnOrder": [ + "881c4707-6344-46df-8d96-337415c27501", + "ac9e9217-8fe2-4479-930b-b79ccc9cf4c9" + ], + "columns": { + "881c4707-6344-46df-8d96-337415c27501": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rule Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ac9e9217-8fe2-4479-930b-b79ccc9cf4c9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "ac9e9217-8fe2-4479-930b-b79ccc9cf4c9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "afd630b0-4fb7-421d-9823-cf927e2aef2d", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "ac9e9217-8fe2-4479-930b-b79ccc9cf4c9" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "881c4707-6344-46df-8d96-337415c27501" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": 
"", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "925c5a4a-8ef0-4b76-80ea-50e6d276bb81", + "w": 24, + "x": 0, + "y": 26 + }, + "panelIndex": "925c5a4a-8ef0-4b76-80ea-50e6d276bb81", + "title": "Alerts by Rule Name [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4e50c12c-2a35-4243-877b-ea0b63ee8415", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4e50c12c-2a35-4243-877b-ea0b63ee8415": { + "columnOrder": [ + "0903f426-e185-44d0-9eaa-7ec5e2f37090", + "5cf70582-5c7c-4c24-81d0-0ea863487bb0" + ], + "columns": { + "0903f426-e185-44d0-9eaa-7ec5e2f37090": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5cf70582-5c7c-4c24-81d0-0ea863487bb0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "armis.alert.status" + }, + "5cf70582-5c7c-4c24-81d0-0ea863487bb0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { 
+ "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4e50c12c-2a35-4243-877b-ea0b63ee8415", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "5cf70582-5c7c-4c24-81d0-0ea863487bb0" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0903f426-e185-44d0-9eaa-7ec5e2f37090" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e025f636-bc91-47e4-9be3-dfac10bfa685", + "w": 24, + "x": 24, + "y": 26 + }, + "panelIndex": "e025f636-bc91-47e4-9be3-dfac10bfa685", + "title": "Alerts by Status [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-150119b9-7d3f-4a2b-b87b-de9e661b9fe2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "150119b9-7d3f-4a2b-b87b-de9e661b9fe2": { + "columnOrder": [ + "fd6e4485-e53d-4f9b-84e5-34a8ccfec785", + "2ee20f25-1426-4877-b6fe-902a64635fbe" + ], + "columns": { + "2ee20f25-1426-4877-b6fe-902a64635fbe": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "fd6e4485-e53d-4f9b-84e5-34a8ccfec785": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Title", + "operationType": "terms", + "params": { + 
"exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2ee20f25-1426-4877-b6fe-902a64635fbe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "armis.alert.title" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "fd6e4485-e53d-4f9b-84e5-34a8ccfec785" + }, + { + "columnId": "2ee20f25-1426-4877-b6fe-902a64635fbe" + } + ], + "layerId": "150119b9-7d3f-4a2b-b87b-de9e661b9fe2", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "366927f7-26db-4c4b-a292-d2c4096b8500", + "w": 48, + "x": 0, + "y": 41 + }, + "panelIndex": "366927f7-26db-4c4b-a292-d2c4096b8500", + "title": "Top 10 Title [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 24, + "i": "fd34960a-f779-4562-b677-c0b7eca478e5", + "w": 48, + "x": 0, + "y": 57 + }, + "panelIndex": "fd34960a-f779-4562-b677-c0b7eca478e5", + "panelRefName": "panel_fd34960a-f779-4562-b677-c0b7eca478e5", + "title": "Alerts Essential Details [Logs Armis]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Armis] Alerts", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-04T09:23:07.526Z", + "id": "armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "41fd4b13-2b4e-45c4-a50e-b2621d33a397:indexpattern-datasource-layer-e9c7ef4f-3878-42c9-abda-4ad383261ba3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23f66e79-114b-42de-a5e8-3147ad5360e4:indexpattern-datasource-layer-9421128b-0d05-4c99-97b9-23144714e9e6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c8f408c1-a3f0-4213-b9f7-dc3215dc4f76:indexpattern-datasource-layer-14e7b010-857d-41a2-82ae-6e09b3c57416", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d71f56a3-dff2-4f44-b098-3dbb5d9d29d9:indexpattern-datasource-layer-db50cb97-f522-49d7-9eb2-4386897a68be", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "925c5a4a-8ef0-4b76-80ea-50e6d276bb81:indexpattern-datasource-layer-afd630b0-4fb7-421d-9823-cf927e2aef2d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e025f636-bc91-47e4-9be3-dfac10bfa685:indexpattern-datasource-layer-4e50c12c-2a35-4243-877b-ea0b63ee8415", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "366927f7-26db-4c4b-a292-d2c4096b8500:indexpattern-datasource-layer-150119b9-7d3f-4a2b-b87b-de9e661b9fe2", + "type": "index-pattern" + }, + { + "id": "armis-4f132e91-3d6d-4e05-b67a-f00b2e87b95d", + "name": "fd34960a-f779-4562-b677-c0b7eca478e5:panel_fd34960a-f779-4562-b677-c0b7eca478e5", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_7e9c55a5-0ba5-464e-94ef-2c2ae49e0d5b:rangeSliderDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_5780f20f-a180-4683-bcce-ae751258b5ca:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
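Review bot: The Severity control in controlGroupInput is a rangeSliderControl on event.severity, while the "Alerts by Severity" pie in the same hunk buckets on armis.alert.severity. Those are different fields, so the slider only narrows the pie as a user expects if the ingest pipeline fills both from the same alert severity value; please confirm that mapping, or switch the control to an optionsListControl on armis.alert.severity so the filter and the chart agree. Two wording fixes in the same hunk: the markdown overview text "It also tracks alerts over time, with a detailed essential alert information, enabling deeper investigation." should read "It also tracks alerts over time and includes detailed essential alert information for deeper investigation.", and the panel title "Table of Content" should be "Table of Contents" (the same title is used in the Vulnerabilities and Devices dashboards, so fix all three). The datatable title "Top 10 Title [Logs Armis]" would be clearer as "Top 10 Alert Titles [Logs Armis]".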
diff --git a/packages/armis/kibana/dashboard/armis-f988ffbb-80b9-42c2-8009-bbcc59d33347.json b/packages/armis/kibana/dashboard/armis-f988ffbb-80b9-42c2-8009-bbcc59d33347.json new file mode 100644 index 00000000000..7662d6716b3 --- /dev/null +++ b/packages/armis/kibana/dashboard/armis-f988ffbb-80b9-42c2-8009-bbcc59d33347.json 
@@ -0,0 +1,1655 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "28e4b1e8-2fe5-4af5-8abe-f5b7c410428f": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.os.family", + "id": "28e4b1e8-2fe5-4af5-8abe-f5b7c410428f", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Operating System" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "52887cc1-0185-4feb-be5e-a2a9b13a7392": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "device.manufacturer", + "id": "52887cc1-0185-4feb-be5e-a2a9b13a7392", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Manufacturer" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "78a71ef7-e158-4fd2-92cf-6f5c1d1157cc": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.device.site.location", + "id": "78a71ef7-e158-4fd2-92cf-6f5c1d1157cc", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Site Location" + }, + "grow": true, + "order": 5, + "type": "optionsListControl", + "width": "medium" + }, + "8c08f9e9-dfc0-4c44-8234-bec6282d0f59": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.type", + "id": "8c08f9e9-dfc0-4c44-8234-bec6282d0f59", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Category" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "d709e3ac-ce03-41df-91a6-d8fd9b882ad8": { + "explicitInput": { + "dataViewId": 
"logs-*", + "fieldName": "armis.device.type", + "id": "d709e3ac-ce03-41df-91a6-d8fd9b882ad8", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Type" + }, + "grow": true, + "order": 6, + "type": "optionsListControl", + "width": "medium" + }, + "d7621d10-2834-4f27-b2ea-92b3c1ad7658": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "armis.device.business_impact", + "id": "d7621d10-2834-4f27-b2ea-92b3c1ad7658", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Business Impact" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "dbfcf6e0-8cac-4f2c-8697-69cbcaef001f": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.risk.static_score", + "id": "dbfcf6e0-8cac-4f2c-8697-69cbcaef001f", + "step": 1, + "title": "Risk Level" + }, + "grow": true, + "order": 4, + "type": "rangeSliderControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Devices logs collected by the Armis integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "armis.device" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "armis.device" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Armis**\n\n- [Alerts](#/dashboard/armis-8a59c91d-69fd-4cf4-ab75-e9205ecbd095)\n- **Devices**\n- [Vulnerabilities](#/dashboard/armis-68592f5a-9c7b-4398-a723-510d5e48a8b1)\n\n**Overview**\n\nThis dashboard provides insights into devices, allowing users to monitor asset distribution and risk levels effectively. It includes a Control Panel for filtering by business impact, category, manufacturer, operating system, risk level, site location, and type. It displays total devices and offers various visualizations such as devices by risk level, category, type, operating system, site location, business impact, and manufacturer. 
It also tracks devices over time, highlights the top 10 host IPs, while a detailed essential device information, enabling deeper investigation.\n\n[**Integrations Page**](/app/integrations/detail/armis/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 27, + "i": "6d7ca3bc-d5b3-4854-80c0-ec192712243b", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "6d7ca3bc-d5b3-4854-80c0-ec192712243b", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b6d0cf87-1ed3-4759-b4b0-b0377abc942a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b6d0cf87-1ed3-4759-b4b0-b0377abc942a": { + "columnOrder": [ + "91024980-6bf4-4251-8964-2786ae592237" + ], + "columns": { + "91024980-6bf4-4251-8964-2786ae592237": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Devices", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "b6d0cf87-1ed3-4759-b4b0-b0377abc942a", + "layerType": "data", + "metricAccessor": "91024980-6bf4-4251-8964-2786ae592237" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "4d13c4e2-ad84-45ff-a824-832c268c93ad", + "w": 10, + "x": 16, + "y": 0 + }, 
+ "panelIndex": "4d13c4e2-ad84-45ff-a824-832c268c93ad", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-469f2ff4-c345-4431-b714-640b68e48880", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "469f2ff4-c345-4431-b714-640b68e48880": { + "columnOrder": [ + "6b9a4113-d06f-4f13-8397-9a1dbc363e1d", + "3f6f77c4-ab41-457d-a85a-abec2727afc5" + ], + "columns": { + "3f6f77c4-ab41-457d-a85a-abec2727afc5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "6b9a4113-d06f-4f13-8397-9a1dbc363e1d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Operating System", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3f6f77c4-ab41-457d-a85a-abec2727afc5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.family" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } 
+ ] + }, + "layerId": "469f2ff4-c345-4431-b714-640b68e48880", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "3f6f77c4-ab41-457d-a85a-abec2727afc5" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6b9a4113-d06f-4f13-8397-9a1dbc363e1d" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "852578ac-49e4-47e3-9705-d51f4b0a9bb7", + "w": 22, + "x": 26, + "y": 0 + }, + "panelIndex": "852578ac-49e4-47e3-9705-d51f4b0a9bb7", + "title": "Devices by Operating System [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8d2cb092-2b6b-461d-9f57-6239927a0b7a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8d2cb092-2b6b-461d-9f57-6239927a0b7a": { + "columnOrder": [ + "3c2f2800-0391-4766-84d8-ff42388da60c", + "312fcd32-6e11-4ec0-9240-526b89a2e6a4" + ], + "columns": { + "312fcd32-6e11-4ec0-9240-526b89a2e6a4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "3c2f2800-0391-4766-84d8-ff42388da60c": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + 
"layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "312fcd32-6e11-4ec0-9240-526b89a2e6a4" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8d2cb092-2b6b-461d-9f57-6239927a0b7a", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "3c2f2800-0391-4766-84d8-ff42388da60c" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "357c1343-0756-40e8-88ec-b2eb66b387bc", + "w": 32, + "x": 16, + "y": 13 + }, + "panelIndex": "357c1343-0756-40e8-88ec-b2eb66b387bc", + "title": "Devices over Time [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-619fe2af-7afa-4d8d-968a-af6166200537", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "619fe2af-7afa-4d8d-968a-af6166200537": { + "columnOrder": [ + "f83a9e0d-026a-4436-b95c-63fb04911d34", + 
"b2d4b868-8323-45aa-955f-b6eaa4de88fa" + ], + "columns": { + "b2d4b868-8323-45aa-955f-b6eaa4de88fa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "f83a9e0d-026a-4436-b95c-63fb04911d34": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b2d4b868-8323-45aa-955f-b6eaa4de88fa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.type" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b2d4b868-8323-45aa-955f-b6eaa4de88fa" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "619fe2af-7afa-4d8d-968a-af6166200537", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + 
"xAccessor": "f83a9e0d-026a-4436-b95c-63fb04911d34" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "37c60e7d-9486-4032-a950-8da2920a2684", + "w": 24, + "x": 0, + "y": 27 + }, + "panelIndex": "37c60e7d-9486-4032-a950-8da2920a2684", + "title": "Devices by Category [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9eb1b659-9b6c-4b75-bbd5-e3387fe50bcd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9eb1b659-9b6c-4b75-bbd5-e3387fe50bcd": { + "columnOrder": [ + "c4d4ab55-0b0a-4d4e-a432-62be68f1a509", + "142a795e-cb0a-4ac1-8808-747f3f106a8c" + ], + "columns": { + "142a795e-cb0a-4ac1-8808-747f3f106a8c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "c4d4ab55-0b0a-4d4e-a432-62be68f1a509": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Business Impact", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "142a795e-cb0a-4ac1-8808-747f3f106a8c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"armis.device.business_impact" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9eb1b659-9b6c-4b75-bbd5-e3387fe50bcd", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "142a795e-cb0a-4ac1-8808-747f3f106a8c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c4d4ab55-0b0a-4d4e-a432-62be68f1a509" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b46f3e15-3f3a-4747-8d58-58a90cf9c224", + "w": 24, + "x": 24, + "y": 27 + }, + "panelIndex": "b46f3e15-3f3a-4747-8d58-58a90cf9c224", + "title": "Devices by Business Impact [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1490da33-f987-49f5-81f6-20397ba5eb6d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1490da33-f987-49f5-81f6-20397ba5eb6d": { + "columnOrder": [ + "7317f6a0-da1e-4770-b52b-928113f90aab", + "38c2193a-8fb4-4c1e-89e6-283b65587023" + ], + "columns": { + "38c2193a-8fb4-4c1e-89e6-283b65587023": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + 
"params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "7317f6a0-da1e-4770-b52b-928113f90aab": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Manufacturer", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "38c2193a-8fb4-4c1e-89e6-283b65587023", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "device.manufacturer" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "38c2193a-8fb4-4c1e-89e6-283b65587023" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1490da33-f987-49f5-81f6-20397ba5eb6d", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "7317f6a0-da1e-4770-b52b-928113f90aab" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": 
true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3eecb95f-f20b-4066-8899-a011bdd50084", + "w": 24, + "x": 0, + "y": 42 + }, + "panelIndex": "3eecb95f-f20b-4066-8899-a011bdd50084", + "title": "Devices by Manufacturer [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-911241c3-3bb1-47fd-af88-0c343ee9908f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "911241c3-3bb1-47fd-af88-0c343ee9908f": { + "columnOrder": [ + "3937637e-b43b-435d-93a4-5a1f632db957", + "059319b4-0fb4-4c9b-a592-39a4de47f1c1" + ], + "columns": { + "059319b4-0fb4-4c9b-a592-39a4de47f1c1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "3937637e-b43b-435d-93a4-5a1f632db957": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "059319b4-0fb4-4c9b-a592-39a4de47f1c1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "armis.device.type" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "059319b4-0fb4-4c9b-a592-39a4de47f1c1" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "911241c3-3bb1-47fd-af88-0c343ee9908f", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "3937637e-b43b-435d-93a4-5a1f632db957" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "dc68e670-8db3-4fe4-b0ca-3f422e81dbcf", + "w": 24, + "x": 24, + "y": 42 + }, + "panelIndex": "dc68e670-8db3-4fe4-b0ca-3f422e81dbcf", + "title": "Devices by Type [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3731d06d-d64c-4ff2-b4e7-998f752d83c8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3731d06d-d64c-4ff2-b4e7-998f752d83c8": { + "columnOrder": [ + "f60a147d-3f91-49ee-a28c-8b233a4310e5", + "da41a0ac-506c-4c7c-97c7-fa57d77e4ab2" + ], + "columns": { + "da41a0ac-506c-4c7c-97c7-fa57d77e4ab2": { + "customLabel": true, + "dataType": 
"number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "f60a147d-3f91-49ee-a28c-8b233a4310e5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Site Location", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "da41a0ac-506c-4c7c-97c7-fa57d77e4ab2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "armis.device.site.location" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "da41a0ac-506c-4c7c-97c7-fa57d77e4ab2" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3731d06d-d64c-4ff2-b4e7-998f752d83c8", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "f60a147d-3f91-49ee-a28c-8b233a4310e5" + } + ], + "legend": { + "isVisible": true, 
+ "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "51be0062-9e49-4cd1-861c-6d85b2c3f81c", + "w": 24, + "x": 0, + "y": 57 + }, + "panelIndex": "51be0062-9e49-4cd1-861c-6d85b2c3f81c", + "title": "Devices by Site Location [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-554cf124-cfdf-44e5-a7f8-9d8c78fe6b39", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "554cf124-cfdf-44e5-a7f8-9d8c78fe6b39": { + "columnOrder": [ + "a2aa7908-62bd-43da-97e2-79750cd1d57d", + "a19fce9a-f6fe-4668-84b0-d2ec0691785e" + ], + "columns": { + "a19fce9a-f6fe-4668-84b0-d2ec0691785e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "a2aa7908-62bd-43da-97e2-79750cd1d57d": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Host IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a19fce9a-f6fe-4668-84b0-d2ec0691785e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.ip" + } + }, + "incompleteColumns": {}, + 
"indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a2aa7908-62bd-43da-97e2-79750cd1d57d" + }, + { + "columnId": "a19fce9a-f6fe-4668-84b0-d2ec0691785e" + } + ], + "layerId": "554cf124-cfdf-44e5-a7f8-9d8c78fe6b39", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "2ee7c799-b3dc-4627-a6d1-4d05dd46e811", + "w": 24, + "x": 24, + "y": 57 + }, + "panelIndex": "2ee7c799-b3dc-4627-a6d1-4d05dd46e811", + "title": "Top 10 Host IP [Logs Armis]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 20, + "i": "e2748c13-fabb-4dd4-9b08-41afe8c4aec7", + "w": 48, + "x": 0, + "y": 73 + }, + "panelIndex": "e2748c13-fabb-4dd4-9b08-41afe8c4aec7", + "panelRefName": "panel_e2748c13-fabb-4dd4-9b08-41afe8c4aec7", + "title": "Device Essential Details [Logs Armis]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Armis] Devices", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T04:53:39.390Z", + "id": "armis-f988ffbb-80b9-42c2-8009-bbcc59d33347", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d13c4e2-ad84-45ff-a824-832c268c93ad:indexpattern-datasource-layer-b6d0cf87-1ed3-4759-b4b0-b0377abc942a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"852578ac-49e4-47e3-9705-d51f4b0a9bb7:indexpattern-datasource-layer-469f2ff4-c345-4431-b714-640b68e48880", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "357c1343-0756-40e8-88ec-b2eb66b387bc:indexpattern-datasource-layer-8d2cb092-2b6b-461d-9f57-6239927a0b7a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37c60e7d-9486-4032-a950-8da2920a2684:indexpattern-datasource-layer-619fe2af-7afa-4d8d-968a-af6166200537", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b46f3e15-3f3a-4747-8d58-58a90cf9c224:indexpattern-datasource-layer-9eb1b659-9b6c-4b75-bbd5-e3387fe50bcd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3eecb95f-f20b-4066-8899-a011bdd50084:indexpattern-datasource-layer-1490da33-f987-49f5-81f6-20397ba5eb6d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dc68e670-8db3-4fe4-b0ca-3f422e81dbcf:indexpattern-datasource-layer-911241c3-3bb1-47fd-af88-0c343ee9908f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "51be0062-9e49-4cd1-861c-6d85b2c3f81c:indexpattern-datasource-layer-3731d06d-d64c-4ff2-b4e7-998f752d83c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ee7c799-b3dc-4627-a6d1-4d05dd46e811:indexpattern-datasource-layer-554cf124-cfdf-44e5-a7f8-9d8c78fe6b39", + "type": "index-pattern" + }, + { + "id": "armis-b7925646-4f62-4db4-8779-8d9202575fdd", + "name": "e2748c13-fabb-4dd4-9b08-41afe8c4aec7:panel_e2748c13-fabb-4dd4-9b08-41afe8c4aec7", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_f8ba2e93-3213-45f7-9b91-ef45dbf0d632:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_157a660a-288b-4d70-89c9-1748cd0c6330:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ec101cc3-eca4-49b3-8ff0-101ce32e263f:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"controlGroup_f2161f8c-a59a-4bf6-b047-4e88deb18bcd:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6f10c5a7-e0a1-41c1-a2e7-670e2ecc9485:rangeSliderDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_74befe0e-dcef-4449-a4e1-577a6d5a67ff:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ea5b1507-f872-4b37-97be-c02d6c5c146f:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/armis/kibana/search/armis-0d7ec13b-880a-4fcc-8ff2-1af9cfd7cb31.json b/packages/armis/kibana/search/armis-0d7ec13b-880a-4fcc-8ff2-1af9cfd7cb31.json new file mode 100644 index 00000000000..f0b37802798 --- /dev/null +++ b/packages/armis/kibana/search/armis-0d7ec13b-880a-4fcc-8ff2-1af9cfd7cb31.json 
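Review bot: the Overview markdown in the navigation panel is ungrammatical where it reads `highlights the top 10 host IPs, while a detailed essential device information, enabling deeper investigation`; suggest `highlights the top 10 host IPs, and a table of essential device details enables deeper investigation.` The same panel's title `Table of Content` should read `Table of Contents`. On the saved-object metadata at the end of the hunk: this dashboard ships `"managed": false` together with an `"updated_by"` Kibana profile id (`u_mGBROF_...`), while the alert and device saved searches later in this patch use `"managed": true` and carry no author ids; pick one convention for the package and drop the author id, which has no value for an installed asset. Finally, the `Devices over Time [Logs Armis]` panel combines the dashboard-level `labels.is_transform_source: false` filter with a `date_histogram` on `@timestamp` and a `unique_count` of `host.id`, so it charts when each device's latest document was written rather than the device population over time; confirm that is the intended reading or retitle the panel accordingly.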
@@ -0,0 +1,79 @@ +{ + "attributes": { + "columns": [ + "vulnerability.id", + "host.id", + "vulnerability.severity", + "armis.vulnerability.vulnerability_match.confidence_level", + "armis.vulnerability.number_of_threat_actors", + "armis.vulnerability.confidentiality_impact", + "armis.vulnerability.availability_impact", + "message" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "armis.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "armis.vulnerability" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Vulnerabilities Essential Details [Logs Armis]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:07:13.119Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "armis-0d7ec13b-880a-4fcc-8ff2-1af9cfd7cb31", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
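Review bot: this saved search carries `"created_by"` and `"updated_by"` profile ids and `"managed": false`, unlike the alert and device searches in the same patch (`"managed": true`, no author ids); align the metadata across the three searches. Also check the column `armis.vulnerability.vulnerability_match.confidence_level` against the field name declared in the vulnerability data stream's fields definition: a mismatch here renders the column empty on every row without any import error, and the repeated `vulnerability` segment in the path makes a typo easy to miss.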
diff --git a/packages/armis/kibana/search/armis-4f132e91-3d6d-4e05-b67a-f00b2e87b95d.json b/packages/armis/kibana/search/armis-4f132e91-3d6d-4e05-b67a-f00b2e87b95d.json new file mode 100644 index 00000000000..535907eacf9 --- /dev/null +++ b/packages/armis/kibana/search/armis-4f132e91-3d6d-4e05-b67a-f00b2e87b95d.json @@ -0,0 +1,74 @@ +{ + "attributes": { + "columns": [ + "event.id", + "armis.alert.title", + "armis.alert.type", + "event.severity", + "message" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "armis.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "armis.alert" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Alerts Essential Details [Logs Armis]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-04T09:19:20.368Z", + "id": "armis-4f132e91-3d6d-4e05-b67a-f00b2e87b95d", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file 
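Review bot: `"managed": true` here (with no `created_by`/`updated_by`) differs from the vulnerability search and the devices dashboard in this patch, which set `"managed": false`; saved objects installed from one package should use the same value. The columns list shows `event.severity` beside `armis.alert.title` and `armis.alert.type` but no device identifier; since `host.id` is the key the device search below pivots on, consider adding it as a column so an analyst can move from an alert row to the affected device without editing the search.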
diff --git a/packages/armis/kibana/search/armis-b7925646-4f62-4db4-8779-8d9202575fdd.json b/packages/armis/kibana/search/armis-b7925646-4f62-4db4-8779-8d9202575fdd.json new file mode 100644 index 00000000000..a1d459fa36a --- /dev/null +++ b/packages/armis/kibana/search/armis-b7925646-4f62-4db4-8779-8d9202575fdd.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "columns": [ + "host.id", + "device.manufacturer", + "device.model.name", + "host.risk.static_score", + "host.os.family", + "armis.device.site.name", + "armis.device.type", + "armis.device.business_impact", + "host.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "armis.device" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "armis.device" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "labels.is_transform_source", + "negate": false, + "params": { + "query": "false" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_transform_source": "false" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Device Essential Details [Logs Armis]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-04T09:19:20.368Z", + "id": "armis-b7925646-4f62-4db4-8779-8d9202575fdd", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/armis/manifest.yml b/packages/armis/manifest.yml new file mode 100644 index 00000000000..e4d9fc2a2c2 --- /dev/null +++ b/packages/armis/manifest.yml 
@@ -0,0 +1,102 @@ +format_version: 3.3.2 +name: armis +title: Armis +version: 0.1.0 +description: Collect logs from Armis with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana: + version: "^8.18.0 || ^9.0.0" + elastic: + subscription: "basic" +screenshots: + - src: /img/armis-alerts.png + title: Alerts Dashboard + size: 600x600 + type: image/png + - src: /img/armis-devices.png + title: Devices Dashboard + size: 600x600 + type: image/png + - src: /img/armis-vulnerabilities.png + title: Vulnerabilities Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/armis-logo.svg + title: Armis logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: armis + title: Armis logs + description: Collect Armis logs. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect Armis logs via API + description: Collecting Armis logs via API. + vars: + - name: url + type: url + title: URL + description: Base URL of the Armis API. + multi: false + required: true + show_user: false + - name: secret_key + type: password + title: Secret Key + description: Secret Key of Armis. + multi: false + required: true + show_user: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/armis/validation.yml b/packages/armis/validation.yml new file mode 100644 index 00000000000..1189aa63c89 --- /dev/null +++ b/packages/armis/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboards.
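Review bot: in the `url` variable of the `cel` input, `required: true` is combined with `show_user: false` and no `default`. A required value hidden behind the advanced section means a user who fills in only the visible fields (just `secret_key`) gets a policy that fails validation or, worse, a collector pointed at an empty base URL; either set `show_user: true` for `url` or give it a default and keep it hidden. Two smaller points in the same hunk: the `proxy_url` description reads `http[s]://:@:` here, so the credential/host/port placeholders are missing (angle-bracketed tokens appear to have been swallowed as markup); spelling them out, for example `http[s]://USER:PASSWORD@HOST:PORT`, keeps the hint readable in the UI. And the `ssl` description should say "e.g." rather than "i.e.", since `certificate_authorities`, `supported_protocols` and `verification_mode` are examples of keys, not the full list.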
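Review bot: in `validation.yml`, the comment on the excluded check (`- SVR00004 # References in dashboards.`) states what the check is about but not why this package needs to opt out of it or whether the exclusion is temporary. Please expand the comment to name the dashboards or references that trip the check and, if the intent is to fix them later, say so (or link the tracking issue), so the exclusion does not become a permanent blind spot in the package validation.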