Armis Centrix
Armis Centrix is a cyber exposure management platform that delivers real-time visibility, risk assessment, and proactive protection of an organization's entire digital attack surface. Powered by an AI-driven Asset Intelligence Engine, it continuously discovers, monitors, and secures every asset across complex environments, spanning IT, OT, IoT, and IoMT devices.
Through automated risk scoring, vulnerability detection, and dynamic network segmentation, Armis Centrix helps organizations minimize cyber risk, enforce security policies, and remediate threats before they impact business operations. This connector enables ingestion of compute assets and their associated security findings into the Qualys Enterprise TruRisk Platform, which uses that data for further correlation and processing.
Connector Details
Here is a comprehensive overview of what the Armis Centrix Connector supports.
|
Vendor |
Armis |
|
Product |
Armis Centrix |
|
Connector Category |
Assets & Assets + findings |
|
Asset Types Supported |
Host-Machine |
|
Finding Types Supported |
Vulnerabilities |
|
Supported Version & Type |
1.0.0 |
|
Integration Method |
API Integration (REST) |
|
Direction |
Unidirectional (Armis Centrix to Qualys) |
|
Incremental Sync (Delta) |
Supported (Asset-only connector) |
Connection Settings
User Roles and Permissions
The connector authenticates using a Secret Key generated from the Armis admin account. The account used must have read permissions to access device and vulnerability data via the Armis API.
To generate a Secret Key in Armis Centrix:
- Log in to your Armis instance here.
- Navigate to the Settings icon.
- Go to Medical Device Security Settings > API Management.
- Click Create Secret Key and copy the generated value.
Authentication Details
Provide the following credentials in the connector configuration screen:
| Name | Key | Type | Description |
|---|---|---|---|
| Base URL | baseURL |
String | Base URL of the Armis Centrix platform (for example, https://lab-qualys.armis.com) |
| Secret Key | client_secret |
String | API Secret Key generated from the Armis admin account. Follow the steps above to obtain the secret key. |
Connector Configuration
Basic Details
- Log in to Qualys ETM.
- Go to Connectors > Integration tab and locate the Armis Centrix Connector.
- Click Manage from the ellipses menu.
- Provide a Name and Description for the connector.
- Enter the Base URL and Secret Key in the authentication fields.
- Click Next to proceed to scheduling and profile options.
Schedule and Findings Selection
- Configure a Schedule: Single Occurrence or Recurring, with start and end dates/times.
- The Assets value is set to COMPUTE by default and cannot be changed.
- Select Vulnerability from the Findings dropdown to ingest assets with associated vulnerability data. If not selected, the connector imports assets only.
- Click Next to continue.
The following optional filters are available to scope the data imported by the connector:
- Site Name: Identifier of the site in which the device resides (for example, Pune-ICS-Lab).
- Boundary Name: Identifier of the boundary (for example, Corporate).
- Business Impact: Filter by business impact level (for example, High).
- Baseline Start From: Date from which data is fetched.
- Time Frame: Only devices active within the specified time frame are retrieved.
Mapping Details
Data Model
The Armis Centrix Connector provides out-of-the-box data model mappings for assets only, or assets with vulnerabilities. The default transformation map is applied during profile execution. View the models in ETM to review all supported fields.
Transform Maps
Default transform maps are provided. You can create or clone maps to customize field transformations.
- Click Create New to add a new transform map.
- Provide a Transform Map Name, select Source Data Model, and select Target Data Model.
- Save the map.
- Alternatively, use Clone from the quick menu to copy and adjust the default transform map.
Data Model Mapping - Asset Transformation
|
Source Field |
Target Field |
|---|---|
| id | asset.assetHeader.externalAssetId |
| id | asset.assetHeader.vendorAssetId |
| type | asset.assetHeader.assetTypeName |
| operatingSystem | asset.assetDetail.operatingSystem.name |
| operatingSystemVersion | asset.assetDetail.operatingSystem.version |
| ipAddresses[] | asset.assetDetail.network[].ipv4Addresses[ |
| macAddress | asset.assetDetail.network[].macAddress |
| firstSeen | sourceCreatedDate |
| lastSeen | sourceLastUpdatedDate |
| firstSeen | asset.assetDetail.openPorts[].firstFound |
| displayTitle | asset.assetDetail.hostname |
| displayTitle | asset.assetDetail.hostIdentity.hostname |
| displayTitle | asset.assetDetail.name |
| model | asset.assetDetail.hardware.model |
| manufacturer | asset.assetDetail.hardware.manufacturer |
| accessSwitch | asset.assetDetail.typedAttributes.& |
| boundaries | asset.assetDetail.typedAttributes.& |
| businessImpact | asset.assetDetail.typedAttributes.& |
| category | asset.assetDetail.typedAttributes.& |
| dataSources | asset.assetDetail.untypedAttributes.& |
| ipv6 | asset.assetDetail.untypedAttributes.& |
| purdueLevel | asset.assetDetail.typedAttributes.& |
| riskLevel | asset.assetDetail.typedAttributes.& |
| Sensor | asset.assetDetail.untypedAttributes.& |
| site | asset.assetDetail.untypedAttributes.& |
| tags | asset.assetDetail.untypedAttributes.& |
| tier | asset.assetDetail.typedAttributes.& |
| userIds | asset.assetDetail.untypedAttributes.& |
| visibility | asset.assetDetail.typedAttributes.& |
Data Model Mapping - Vulnerability Transformation
|
Source Field |
Target Field |
|---|---|
| vulnerabilities.data.sample[].description | findingGroup.findings[].description |
| vulnerabilities.data.sample[].status | findingGroup.findings[].findingStatus |
| vulnerabilities.data.sample[].cveUid | findingGroup.findings[].name |
| vulnerabilities.data.sample[]. confidenceLevel |
findingGroup.findings[].typeDetected |
| vulnerabilities.data.sample[].id | findingGroup.findings[].externalFindingId |
| vulnerabilities.data.sample[]. matchCriteriaString |
findingGroup.findings[].detectionResult |
| vulnerabilities.data.sample[]. cvssScore |
findingGroup.findings[].findingType.v ulnerability.cvss.cvss3Base |
| vulnerabilities.data.sample[].severity | findingGroup.findings[].severity |
| vulnerabilities.data.sample[].cveUid | findingGroup.findings[].findingType. vulnerability.cveId |
| vulnerabilities.data.sample[]. firstDetected |
findingGroup.findings[].firstFoundOn |
| vulnerabilities.data.sample[]. lastDetected |
findingGroup.findings[].lastFoundOn |
Identification Rules
Identification Rules are provided out-of-the-box by Qualys CSAM. They control how imported findings are matched and correlated to assets within ETM. Identification Rules apply only to Compute (Host) asset types. You may proceed without changes, but ensure at least one rule is active.
How Does a Connection Work?
The Armis Centrix Connector executes on schedule (or on-demand) based on the configured profile. On each run, the connector authenticates with the Armis Centrix REST API, retrieves device and vulnerability records, applies the selected transform map, and imports the data into ETM.
A successfully configured connector transitions through the following states:
- Registered: The connector is successfully created and registered to fetch data from Armis Centrix.
- Scheduled: The connector is scheduled to execute a connection with the vendor.
- Processing: A connection is executing and the connector is actively fetching asset and findings data.
- Processed: The connector has successfully fetched the assets and is completing the import of findings.
The Processed state indicates that the connector is successfully configured and the import is underway. This process may take up to 2 hours to complete.
API Endpoints
The connector uses the following Armis Centrix REST API endpoints to retrieve data:
| API Function | Endpoint | Notes |
|---|---|---|
| Get Devices | https://ic.armis.com/api/v1/device/_search |
Retrieves all device and asset records from Armis Centrix |
| Get CVEs | https://ic.armis.com/api/v1/cve/_search?null=null&length=10&from=0&category=Computers%27 |
Retrieves CVE vulnerability data associated with devices |
Viewing Assets and Findings in ETM
After a successful run, Armis Centrix assets and findings appear in ETM:
- Assets: Go to Inventory > Assets > Host. Filter with
tags.name:"Armis".
- Findings: Go to Risk Management > Findings > Vulnerability. Filter with
finding.vendorProductName:"Armis".
