Armorblox

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types   3rd party detection   Hunters detection   IOC search   Search   Table name            Log format   Collection method
Armorblox Incidents    ✅                                                              armorblox_incidents   NDJSON       API
Armorblox Policies                                                                     armorblox_policies    NDJSON       API


Overview

Armorblox, now part of Cisco, is a cloud office security platform that protects enterprise communications across email, messaging, and file-sharing services using natural language understanding. The platform connects over APIs to analyze thousands of signals across identity, behavior, and language.

Integrating Armorblox into Hunters will allow the collection and ingestion of key data types into your datalake. Furthermore, alerts will be created over the logs, auto-investigated and correlated to other related signals.

Supported data types

Armorblox Incidents

Table name: armorblox_incidents

Incidents reported by Armorblox (more details here).

Armorblox Policies

Table name: armorblox_policies

The Policies used by Armorblox (more details here).

Send data to Hunters

Hunters supports API collection for Armorblox logs.

To connect Armorblox logs:

  1. Gather the following details from Armorblox:

    • Tenant name (same as in your Armorblox domain name). Example - yourtenantname

    • API key. Click here to learn how to obtain the API key. Example - A1b2C3d4E5f6G7h8I9j0K1l2M3O4n5P6q7R8s9T0U1V=

  2. Complete the setup on the Hunters platform by following this process.

Expected format

Armorblox Incidents sample

{"priority": "LOW", "tagged": false, "date": "2023-01-25T06:59:06Z", "users": [{"name": "Mahesh", "email": "mahesh@abc.com", "is_vip": false}, {"name": "And", "email": "and@abc.com", "is_vip": false}], "policy_names": ["Graymail"], "title": "High Quality Guest posting Websites!", "remediation_actions": ["QUARANTINE"], "resolution_state": "OPEN_INCIDENT_RESOLUTION_STATE", "object_type": "CONTENT_MAIL", "id": "26901", "research_status": "TRUE_POSITIVE", "remediated_by": "Armorblox", "app_name": "MICROSOFT_OUTLOOK", "external_users": [{"name": "Jam", "email": "jam@gmail.com", "is_vip": false}], "external_senders": ["jamesh260@gmail.com"], "folder_categories": ["UNCATEGORIZED"], "scl_score": -1, "incident_type": "THREAT_INCIDENT_TYPE", "engagements": {"fwd_mail_count": "0", "reply_mail_count": "0"}, "earliest_event_date": "2023-01-25T06:53:05Z", "original_sender_address": "jam@gmail.com"}

Armorblox Policies sample

{"id": "99", "name": "VIP Impersonation", "category": "Spear Phishing", "violations": "1", "action": "QUARANTINE", "priority": "HIGH", "affected_users": "11", "create_date": "2022-08-29T22:32:08.156605Z", "update_date": "2022-11-21T16:58:15.773887Z", "configs": [{"type": "EXEC_USERS_SETTINGS", "is_setup": true}], "app_name": "MICROSOFT_OUTLOOK", "is_enabled": true, "inbound_outbound_type": "INBOUND_THREAT"}
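The two NDJSON samples above are one record per line, and a collector has to route each line to the right table and cope with a malformed line without dropping the batch. The following is an added example, not Hunters' or Armorblox's code: it parses a constructed NDJSON batch (abridged from the page's samples, plus a deliberately broken line), routes records to armorblox_incidents or armorblox_policies by schema, and lists open incidents that Armorblox research marked TRUE_POSITIVE; the routing fields and the triage rule are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed NDJSON batch: an incident, a policy (both abridged from the page's
# samples) and one malformed line to show that a bad record does not kill the batch.
SAMPLE_NDJSON = """\
{"priority": "LOW", "date": "2023-01-25T06:59:06Z", "policy_names": ["Graymail"], "title": "High Quality Guest posting Websites!", "remediation_actions": ["QUARANTINE"], "resolution_state": "OPEN_INCIDENT_RESOLUTION_STATE", "id": "26901", "research_status": "TRUE_POSITIVE", "external_senders": ["jamesh260@gmail.com"], "incident_type": "THREAT_INCIDENT_TYPE", "original_sender_address": "jam@gmail.com"}
{"id": "99", "name": "VIP Impersonation", "category": "Spear Phishing", "violations": "1", "action": "QUARANTINE", "priority": "HIGH", "is_enabled": true, "inbound_outbound_type": "INBOUND_THREAT"}
this line is not JSON and must be skipped
"""

def iter_ndjson(text):
    """Yield one parsed object per non-empty line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def route_table(record):
    """Pick the Hunters table from fields the two schemas do not share (assumed discriminators)."""
    if "incident_type" in record or "resolution_state" in record:
        return "armorblox_incidents"
    if "category" in record and "is_enabled" in record:
        return "armorblox_policies"
    return None

def open_true_positives(records):
    """Incidents still open that Armorblox research marked TRUE_POSITIVE (assumed triage rule)."""
    hits = []
    for r in records:
        if route_table(r) != "armorblox_incidents":
            continue
        if not (r.get("resolution_state", "").startswith("OPEN") and r.get("research_status") == "TRUE_POSITIVE"):
            continue
        senders = set(r.get("external_senders", []))  # collect every sender address seen on the incident
        if r.get("original_sender_address"):
            senders.add(r["original_sender_address"])
        hits.append({"id": r.get("id"), "priority": r.get("priority"),
                     "policies": r.get("policy_names", []), "senders": sorted(senders),
                     "quarantined": "QUARANTINE" in r.get("remediation_actions", [])})
    return hits

def summarize(text):
    """Return (records per table, open true positives) for one NDJSON batch."""
    records = list(iter_ndjson(text))
    counts = dict(Counter(route_table(r) or "unknown" for r in records))
    return counts, open_true_positives(records)
```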