Armis Centrix for IoT Security

Armis Centrix for IoT Security is a solution that discovers all devices in your environment—managed, unmanaged, OT, medical, and IoT—on or off your network and in your airspace, and identifies risks and attacks. Ingesting it in LogScale can help you visualize and correlate Armis with other sources like firewalls and network access controls.

The parser normalizes data to a common schema based on an OpenTelemetry standard. This schema allows you to search the data without knowing Armis' data specifically, and just knowing the common schema instead. It also allows you to combine the data more easily with other data sources which conform to the same schema.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) for more details on the new parser schema.

Installing the Armis Centrix IoT Package in LogScale

Find the repository where you want to send the logs, or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for Armis (i.e. armis/centrix-iot).

  3. When the package has finished installing, click Ingest tokens on the left (still under the Settings, see Ingest Tokens).

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g.the name of the server and the name of the server the token is ingesting logs for), and assign the parser.

    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

Configuring the LogScale Integration in the Armis Platform

To get logs from Armis Centrix IoT into LogScale, you must configure SIEM integration within the Armis Platform:

  1. Select LogScale HTTP/S as the Connection Type.

  2. Insert the LogScale ingest token as the LogScale Authentication Token. See Ingest Tokens which must be the token you assigned to the parser armis/centrix-iot

  3. Insert the LogScale FQDN or IP address (example: in the Address field.

  4. Verify that the message type is set to JSON.

Verify Data is Arriving in LogScale

Once you have completed the above steps the data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #Vendor = "armis" | event.module = "centrix-iot" to see the CTD events.

Package Contents Explained

If you want to search using the original field names and values, you can access those in the fields whose names are prefixed with the word "Vendor". Fields which are not prefixed with "Vendor" are standard fields which are either based on the schema (e.g. source.ip) or on LogScale conventions (e.g. @rawstring).

The fields which the parser currently maps the data to, are chosen based on what seems the most relevant, and will potentially be expanded in the future. But the parser won't necessarily normalize every field that has potential to be normalized.

Event Categorisation

As part of the schema, events are categorized by different fields, including:

  • event.type

  • event.kind

event.type is an array, so needs to be searched like so:

array:contains("event.type[]", value="info")

This will find events where some event.type[n] field contains the value "info", regardless of what `n` is. Note that not all events will be categorized to this level of detail.

Normalized Fields

Some of the normalized fields being set by this parser include:

  • event.* (e.g. event.kind, event.module, event.type, event.reason )

  • ecs* (e.g. ecs.version )

  • Cps* (e.g. Cps.version )

  • observer.* (e.g. observer.type )