Use cases
Your guide to maximizing value from the Armis API
Note: The use cases below are built on API v3.
The following use cases are drawn from actual customer usage of the Armis API and highlight the sheer flexibility of our API. Developers are tackling a massive range of problems, writing custom connectors for everything from enterprise ITSM and unified communications platforms to highly specialized systems for digital kiosks, industrial OT controllers, and core data center infrastructure.
Think of these examples as a starting point. They demonstrate how you can leverage the API to extend the Armis platform, automate complex workflows, and solve unique problems that go far beyond our standard features. Let's dive in and see what's possible.
1. Data Enrichment & Context
This category addresses how to integrate your proprietary data with Armis, and how to extract and enrich contextual information for analysis and reporting.
| Core Function | Example Scenario |
|---|---|
| Adaptive Context Mapping | Instead of hardcoding field names, use the API to automatically discover all searchable metadata, including standard fields, custom properties, and integration-unique fields. This ensures your reporting remains accurate even as your environment and integrations evolve. |
| Workflow Asset Tagging | A repair management vendor leverages Custom Properties to programmatically classify devices into operational states (e.g., "In Repair"). This provides immediate, real-time status insights for every asset across the enterprise landscape. |
| Specialized Asset Enrichment | A global retail chain uses the API to pull unique data (e.g., software versions, last reboot times) from specialized kiosk management consoles to populate custom fields in Armis, centralizing data that typically lives in silos. |
| Large-Scale Data Retrieval | A major airline data team utilizes the API to export hundreds of thousands of device records. By leveraging pagination and optimized search queries, they handle massive datasets for long-term storage and trend analysis. |
| Data Synchronization | Programmatically pull normalized intelligence on Applications, Risk Factors, and Vulnerabilities into your SIEM or BI platform. This ensures all stakeholders are working from the same "definitive source of truth." |
| Device Retrieval | Programmatically retrieve key device data (like device_id and display) by filtering for specific identifiers (MAC, Serial Number) or by activity windows (e.g., assets seen within the last 24 hours). |
| Source Attribution & Auditing | A security analyst audits data quality by identifying exactly which source (e.g., Smart Active Querying vs. a third-party integration) reported a specific property. Filtering by data_source ensures the integrity of your asset intelligence. |
2. Operational Management & Control
This category focuses on programmatic control over your organizational structure and infrastructure across Armis Centrix™.
| Core Function | Example Scenario |
|---|---|
| Infrastructure Synchronization | A large university hospital needed to programmatically align Armis with their IPAM/DCIM source-of-truth. They wrote a script to replicate their exact physical and logical site hierarchy, ensuring structural context is always accurate for segmentation needs. |
| Hierarchy Setup | As a global organization with offices worldwide, you can automate the creation of distinct Sites in Armis (e.g., San Francisco, London), ensuring each corresponds to a physical location for a clear, contextual view of assets. |
| Network Segmentation | A global enterprise uses the API to programmatically create and manage Boundaries based on SSIDs, IP ranges, or device properties. This enables automated network segmentation for different asset types (e.g., IoT devices, corporate workstations, guest networks), ensuring proper isolation and visibility across diverse network environments. |
3. Infrastructure Deployment
This category focuses on automating the setup and scaling of the Armis platform itself, enabling rapid visibility across global environments.
| Core Function | Example Scenario |
|---|---|
| Automated Collector Deployment | A large enterprise with multiple data centers needed to deploy Armis collectors at scale. Instead of manual setup, they used the API to programmatically retrieve secure, pre-signed download URLs and unique image credentials for various platforms (OVA, VHDX, RPM). This enabled them to incorporate collector deployment directly into their CI/CD and infrastructure-as-code workflows for seamless, multi-site expansion. |
| Collector Monitoring & Management | An operations team managing collectors across global offices uses the API to monitor collector health, track software versions, and identify collectors that need updates. They built a dashboard that displays collector status, network configuration, and last-seen timestamps, enabling proactive maintenance and rapid troubleshooting. |
4. Security & Compliance Management
This category focuses on programmatic access to security alerts, policies, and compliance frameworks within Armis.
| Core Function | Example Scenario |
|---|---|
| Alert Retrieval & Enrichment | A security operations center (SOC) retrieves detailed alert information including severity, status, affected devices, and MITRE ATT&CK mappings. They use this data to enrich their SIEM platform and automate incident response workflows based on alert severity and business impact. |
| Threat Intelligence Integration | A threat intelligence team programmatically retrieves alerts with MITRE ATT&CK annotations to correlate Armis detections with external threat feeds. This enables them to identify attack campaigns and prioritize response based on known adversary tactics and techniques. |
| Automated Alert Triage | An enterprise security team builds an automated triage system that retrieves alerts by ID, evaluates their severity and business impact, and automatically creates tickets in their ITSM platform. High-severity alerts affecting critical devices trigger immediate escalation to on-call engineers. |
| Policy Auditing | A security compliance officer exports all security policies using the API to generate quarterly compliance reports. They analyze which policies are enabled, their severity levels, and associated MITRE ATT&CK techniques to demonstrate security control coverage to auditors. |
| MITRE ATT&CK Coverage Analysis | A security analyst programmatically retrieves all policies and filters those with MITRE ATT&CK labels to create a heat map showing which attack techniques are covered by active detection policies. This visualization helps identify gaps in threat detection coverage. |
| Policy Configuration Validation | Before a major security audit, an organization uses the API to validate that all required security policies (as defined in their security framework) are enabled and properly configured. They compare API responses against their policy baseline to identify any discrepancies. |
| SIEM Integration | A SOC team integrates alert and policy data into their SIEM platform, enabling correlation between Armis alerts and the specific policies that triggered them. This provides deeper context for security investigations and incident response. |
Our Roadmap: Continuous Improvement
The Armis Developer Portal evolves based on your needs. We continuously add new use cases, guides, and API endpoints driven by community feedback and business demand.
Don't see your use case here? Share it in the Community Discussions — your input shapes our roadmap.
