Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Armorblox Incidents | ✅ | | | | armorblox_incidents | NDJSON | API |
| Armorblox Policies | | | | | armorblox_policies | NDJSON | API |
Overview
Armorblox, now part of Cisco, is a cloud office security platform that protects enterprise communications across email, messaging, and file-sharing services using natural language understanding. The platform connects over APIs to analyze thousands of signals across identity, behavior, and language.
Integrating Armorblox with Hunters collects and ingests the data types listed below into your data lake. Hunters then creates alerts over these logs, auto-investigates them, and correlates them with other related signals.
Supported data types
Armorblox Incidents
Table name: armorblox_incidents
Incidents reported by Armorblox (more details here).
Armorblox Policies
Table name: armorblox_policies
The Policies used by Armorblox (more details here).
Send data to Hunters
Hunters supports API collection for Armorblox logs.
To connect Armorblox logs:
1. Gather the following details from Armorblox:
   - Tenant name (the same name that appears in your Armorblox domain name). Example: yourtenantname
   - API key. Click here to learn how to obtain the API key. Example: A1b2C3d4E5f6G7h8I9j0K1l2M3O4n5P6q7R8s9T0U1V=
   Treat the API key as a credential: it grants access to your tenant's incident and policy data, so store it only in the connector configuration and do not paste it into tickets or chat.
2. Complete the process on the Hunters platform, following this process.
Expected format
Armorblox Incidents sample
{"priority": "LOW", "tagged": false, "date": "2023-01-25T06:59:06Z", "users": [{"name": "Mahesh", "email": "mahesh@abc.com", "is_vip": false}, {"name": "And", "email": "and@abc.com", "is_vip": false}], "policy_names": ["Graymail"], "title": "High Quality Guest posting Websites!", "remediation_actions": ["QUARANTINE"], "resolution_state": "OPEN_INCIDENT_RESOLUTION_STATE", "object_type": "CONTENT_MAIL", "id": "26901", "research_status": "TRUE_POSITIVE", "remediated_by": "Armorblox", "app_name": "MICROSOFT_OUTLOOK", "external_users": [{"name": "Jam", "email": "jam@gmail.com", "is_vip": false}], "external_senders": ["jamesh260@gmail.com"], "folder_categories": ["UNCATEGORIZED"], "scl_score": -1, "incident_type": "THREAT_INCIDENT_TYPE", "engagements": {"fwd_mail_count": "0", "reply_mail_count": "0"}, "earliest_event_date": "2023-01-25T06:53:05Z", "original_sender_address": "jam@gmail.com"}
Armorblox Policies sample
{"id": "99", "name": "VIP Impersonation", "category": "Spear Phishing", "violations": "1", "action": "QUARANTINE", "priority": "HIGH", "affected_users": "11", "create_date": "2022-08-29T22:32:08.156605Z", "update_date": "2022-11-21T16:58:15.773887Z", "configs": [{"type": "EXEC_USERS_SETTINGS", "is_setup": true}], "app_name": "MICROSOFT_OUTLOOK", "is_enabled": true, "inbound_outbound_type": "INBOUND_THREAT"}
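The following Python script is an added example, not code from the Hunters or Armorblox documentation. It parses the two NDJSON samples above as a collector would receive them (one JSON object per line, tolerating a malformed line), joins each incident to the armorblox_policies table by `policy_names`, and raises review flags on the records an analyst would want first: confirmed true positives that are still open with no remediation action, incidents targeting VIP users, incidents where a recipient replied or forwarded, and incidents that reference a policy that is missing or disabled. The first incident and the policy are the page's samples; the second incident, the malformed third line, the flag names and the domain abc-corp.example are constructed for this example. Note that Armorblox encodes several counters as strings ("0", "11"), so the code coerces them before comparing.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample input for this example. The first incident and the policy
# are the page's "Expected format" samples; the second incident and the
# malformed third line are made up to exercise the checks below.
INCIDENTS_NDJSON = """\
{"priority": "LOW", "tagged": false, "date": "2023-01-25T06:59:06Z", "users": [{"name": "Mahesh", "email": "mahesh@abc.com", "is_vip": false}, {"name": "And", "email": "and@abc.com", "is_vip": false}], "policy_names": ["Graymail"], "title": "High Quality Guest posting Websites!", "remediation_actions": ["QUARANTINE"], "resolution_state": "OPEN_INCIDENT_RESOLUTION_STATE", "object_type": "CONTENT_MAIL", "id": "26901", "research_status": "TRUE_POSITIVE", "remediated_by": "Armorblox", "app_name": "MICROSOFT_OUTLOOK", "external_users": [{"name": "Jam", "email": "jam@gmail.com", "is_vip": false}], "external_senders": ["jamesh260@gmail.com"], "folder_categories": ["UNCATEGORIZED"], "scl_score": -1, "incident_type": "THREAT_INCIDENT_TYPE", "engagements": {"fwd_mail_count": "0", "reply_mail_count": "0"}, "earliest_event_date": "2023-01-25T06:53:05Z", "original_sender_address": "jam@gmail.com"}
{"priority": "HIGH", "tagged": false, "date": "2023-01-26T09:12:00Z", "users": [{"name": "Dana", "email": "dana@abc.com", "is_vip": true}], "policy_names": ["VIP Impersonation"], "title": "Urgent wire transfer", "remediation_actions": [], "resolution_state": "OPEN_INCIDENT_RESOLUTION_STATE", "object_type": "CONTENT_MAIL", "id": "26902", "research_status": "TRUE_POSITIVE", "remediated_by": "", "app_name": "MICROSOFT_OUTLOOK", "external_users": [], "external_senders": ["ceo@abc-corp.example"], "folder_categories": ["UNCATEGORIZED"], "scl_score": -1, "incident_type": "THREAT_INCIDENT_TYPE", "engagements": {"fwd_mail_count": "0", "reply_mail_count": "1"}, "earliest_event_date": "2023-01-26T09:10:30Z", "original_sender_address": "ceo@abc-corp.example"}
this line is not JSON and must not abort the batch
"""

POLICIES_NDJSON = """\
{"id": "99", "name": "VIP Impersonation", "category": "Spear Phishing", "violations": "1", "action": "QUARANTINE", "priority": "HIGH", "affected_users": "11", "create_date": "2022-08-29T22:32:08.156605Z", "update_date": "2022-11-21T16:58:15.773887Z", "configs": [{"type": "EXEC_USERS_SETTINGS", "is_setup": true}], "app_name": "MICROSOFT_OUTLOOK", "is_enabled": true, "inbound_outbound_type": "INBOUND_THREAT"}
"""


def parse_ndjson(text: str) -> Tuple[List[dict], List[int]]:
    """Parse one JSON object per line; return (records, line numbers that failed)."""
    records: List[dict] = []
    bad_lines: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad_lines.append(lineno)  # keep going; one bad line must not drop the batch
    return records, bad_lines


def as_int(value, default: int = 0) -> int:
    """Counters such as fwd_mail_count arrive as strings ("0"); coerce defensively."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def triage_incident(inc: dict, policies: Dict[str, dict]) -> List[str]:
    """Return the review flags raised for one armorblox_incidents record (flag names are this example's)."""
    flags: List[str] = []
    if inc.get("priority") == "HIGH":
        flags.append("high_priority")
    # Confirmed malicious, still open, and no remediation action was taken.
    if (inc.get("research_status") == "TRUE_POSITIVE"
            and str(inc.get("resolution_state", "")).startswith("OPEN")
            and not inc.get("remediation_actions")):
        flags.append("unremediated_true_positive")
    if any(u.get("is_vip") for u in inc.get("users", [])):
        flags.append("vip_targeted")
    eng = inc.get("engagements") or {}
    if as_int(eng.get("fwd_mail_count")) + as_int(eng.get("reply_mail_count")) > 0:
        flags.append("user_engaged")  # a recipient replied to or forwarded the message
    # Join to the policies table: a policy we have never seen, or one that is
    # disabled, is worth a look because the detection context is incomplete.
    for name in inc.get("policy_names", []):
        policy = policies.get(name)
        if policy is None:
            flags.append(f"unknown_policy:{name}")
        elif not policy.get("is_enabled", True):
            flags.append(f"policy_disabled:{name}")
    return flags


def triage_batch(incidents_text: str, policies_text: str) -> Dict[str, List[str]]:
    """Index policies by name, then flag every incident in the batch, keyed by incident id."""
    policies, _ = parse_ndjson(policies_text)
    by_name = {p["name"]: p for p in policies if "name" in p}
    incidents, _ = parse_ndjson(incidents_text)
    return {inc["id"]: triage_incident(inc, by_name) for inc in incidents if "id" in inc}


if __name__ == "__main__":
    for incident_id, flags in triage_batch(INCIDENTS_NDJSON, POLICIES_NDJSON).items():
        print(incident_id, flags or ["no flags"])
```

On the sample data the page's own incident 26901 only raises `unknown_policy:Graymail`, because it was already quarantined and no policy named Graymail exists in the policies sample; the constructed incident 26902 raises all four content flags. The same shape of logic transfers directly to a query over the armorblox_incidents and armorblox_policies tables once the data is in the data lake.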