
System Policy Violation Alert

Security policy breach detection and alerting

System policy violation alerts generated by the Armis Security Platform when devices violate configured security policies, including unauthorized device-to-device communications, protocol violations, and network boundary breaches

security policy-violation device-security network-security iot threat-detection compliance
Format: JSON | Fields: 36 | Frequency: Medium | Source: Generator

Overview

Armis Security Platform alerts generated when devices violate configured security policies, including workstation-to-workstation connections, unauthorized protocols, and boundary violations.

When Generated:

  • Device-to-device communication violates policy rules
  • Unauthorized protocol usage detected
  • Network boundary violations occur
  • SMB, RDP, SSH, or other lateral movement protocols used inappropriately
  • IoT or unmanaged devices communicate with restricted endpoints
  • Device risk levels exceed thresholds

Security Relevance:

High

Compliance:

  • NIST Cybersecurity Framework
  • HIPAA (device security)
  • PCI DSS (network segmentation)
  • GDPR (data protection)
  • SOC 2

Frequency Notes:

Policy violations occur regularly in enterprise environments, with higher frequency during business hours when device activity peaks. Frequency varies based on policy strictness and network complexity.

Generation Configuration

Base Frequency: 30 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 2.5x (about 75 events/hour)
Night Hours Multiplier: 0.8x (about 24 events/hour)
Weekend Multiplier: 0.4x (about 12 events/hour)

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Each entry below lists the field's type, whether it is required, its format where one is specified, a description, how the generator populates it (Source), an example value, and the possible values for enumerated fields.

id
  Type: Integer, required
  Description: Unique alert identifier assigned by the Armis platform
  Source: random_int(1000000, 9999999)
  Example: 1043631

type
  Type: String, required
  Description: Alert type classification in the Armis system
  Source: Static value
  Example: SYSTEM_POLICY_VIOLATION
  Possible values:
  • SYSTEM_POLICY_VIOLATION: Policy rule violation detected
  • THREAT_DETECTION: Security threat identified
  • ANOMALY_DETECTION: Behavioral anomaly detected

title
  Type: String, required
  Description: Human-readable alert title describing the violation
  Source: random_choice(['WorkStation to Workstation SMB Connection', 'Unauthorized Device Access', ...])
  Example: WorkStation to Workstation SMB Connection

policy
  Type: Object, required
  Description: Detailed policy information including rules, actions, owner, and configuration
  Source: Complex nested object with policy metadata

policy.id
  Type: Integer, required
  Description: Unique policy identifier
  Source: random_int(10000, 99999)
  Example: 15244

policy.owner
  Type: String, required
  Format: Email address
  Description: Email address of the policy owner/creator
  Source: registry.get_random_user().email
  Example: security@company.com

policy.actionType
  Type: String, required
  Description: Severity level of the alert action
  Example: ALERT_HIGH
  Possible values:
  • ALERT_CRITICAL: Critical severity alert
  • ALERT_HIGH: High severity alert
  • ALERT_MEDIUM: Medium severity alert
  • ALERT_LOW: Low severity alert

policy.rules
  Type: Object, required
  Description: Policy rule definitions in Armis Query Language (AQL)
  Source: Generated AQL rule syntax
  Example: {"and": ["endpointA:(device:(type:'Personal Computers')) protocol:SMB"]}

policy.labels
  Type: Array, optional
  Description: Policy categorization labels
  Source: random_choice([['threats', 'value_pack'], ['security', 'network'], ...])
  Example: ["threats", "value_pack"]

policy.timezone
  Type: String, required
  Format: IANA timezone identifier
  Description: Timezone for policy evaluation
  Source: registry.get_organization_field('timezone')
  Example: America/Chicago

status
  Type: String, required
  Description: Current alert handling status
  Source: random_choice(['UNHANDLED', 'IN_PROGRESS', 'RESOLVED', 'SUPPRESSED'])
  Example: UNHANDLED
  Possible values:
  • UNHANDLED: Alert has not been reviewed
  • IN_PROGRESS: Alert is being investigated
  • RESOLVED: Alert has been resolved
  • SUPPRESSED: Alert has been suppressed

content
  Type: String, required
  Description: Detailed alert description with recommended remediation actions, in Markdown
  Source: Generated markdown content with sensor information
  Example: The Armis security platform has detected a violation...

sources
  Type: Array, required
  Description: Source devices that initiated the policy violation
  Source: Array of device objects with full metadata

sources[].id
  Type: Integer, required
  Description: Unique device identifier in the Armis platform
  Source: random_int(100000, 999999)
  Example: 756766

sources[].ip
  Type: String, optional
  Format: IPv4 address
  Description: IPv4 address of the source device
  Source: random_private_ip()
  Example: 10.113.4.81

sources[].ipv6
  Type: String, optional
  Format: IPv6 address
  Description: IPv6 address of the source device
  Source: fake.ipv6()
  Example: fe80::a5ea:1e79:5848:5df3

sources[].name
  Type: String, required
  Format: FQDN or hostname
  Description: Hostname or device name
  Source: registry.get_random_device().hostname
  Example: ws-1hc3773.mclane.mclaneco.com

sources[].type
  Type: String, required
  Description: Device type classification
  Source: random_choice(['PERSONAL_COMPUTER', 'SERVER', 'LAPTOP', 'WORKSTATION'])
  Example: PERSONAL_COMPUTER
  Possible values:
  • PERSONAL_COMPUTER: Desktop workstation
  • SERVER: Server device
  • LAPTOP: Mobile laptop
  • NETWORK_DEVICE: Network infrastructure
  • IoT_DEVICE: Internet of Things device
  Note: the generator's choice list includes WORKSTATION, which is absent from the enumerated values, while NETWORK_DEVICE and IoT_DEVICE are enumerated but not in the choice list; a consumer should accept all six.

sources[].model
  Type: String, optional
  Description: Device hardware model
  Source: random_choice(['OptiPlex', 'Latitude', 'ThinkPad', ...])
  Example: OptiPlex

sources[].riskLevel
  Type: Integer, required
  Description: Armis-calculated device risk score (1-100)
  Source: random_int(1, 100)
  Example: 80

sources[].identifier
  Type: String, optional
  Format: MAC address (uppercase, colon-separated)
  Description: Device hardware identifier (typically the MAC address)
  Source: fake.mac_address() | upper
  Example: A4:BB:6D:51:45:55

sources[].dataSources
  Type: Array, required
  Description: List of data sources providing device information
  Source: random_choice of common integration sources
  Example: ["Active Directory", "CrowdStrike", "Microsoft Intune"]

sources[].boundaries
  Type: Array, required
  Description: Network boundaries/segments the device belongs to
  Source: Generated network boundary names
  Example: ["FS Charlotte - CE"]

sources[].site
  Type: Object, required
  Description: Physical site information for the device
  Source: Object with name and location fields

sources[].sensor
  Type: Object, required
  Description: Armis sensor that detected this device
  Source: Object with sensor name and type

severity
  Type: String, required
  Description: Alert severity level
  Source: random_choice(['HIGH', 'MEDIUM', 'CRITICAL', 'LOW'])
  Example: HIGH
  Possible values:
  • CRITICAL: Critical severity requiring immediate attention
  • HIGH: High severity requiring prompt response
  • MEDIUM: Medium severity for review
  • LOW: Low severity, informational

riskLevel
  Type: Integer, required
  Description: Overall risk level of the alert (1-10); note this is a different scale from the per-device sources[].riskLevel (1-100)
  Source: random_int(1, 10)
  Example: 9

timestamp
  Type: String, required
  Format: ISO 8601 with timezone offset
  Description: Alert generation timestamp
  Source: now() | iso8601
  Example: 2025-12-20T20:26:27.348+00:00

activities
  Type: Array, required
  Description: Network activities that triggered the policy violation
  Source: Array of activity objects with violation details

activities[].type
  Type: String, required
  Description: Activity type classification
  Source: Static value
  Example: NETWORK_POLICY_VIOLATION

activities[].decision_data
  Type: Object, required
  Description: Technical details of the violation (port, protocol, device IDs)
  Source: Object with port, protocol, server_device_id, client_device_id

destinations
  Type: Array, required
  Description: Destination devices involved in the policy violation
  Source: Array of device objects (same structure as sources)

classification
  Type: String, required
  Description: Security classification category
  Source: random_choice(['Security - Other', 'Security - Network', ...])
  Example: Security - Other

relatedDevices
  Type: Array, required
  Description: All devices involved in the alert (sources + destinations)
  Source: Combined array of source and destination devices

mitreAttackLabels
  Type: Array, optional
  Description: MITRE ATT&CK framework labels, if applicable
  Source: Empty array (populated for specific threat types)
  Example: []

hostname
  Type: String, required
  Description: Organization hostname/domain identifier
  Source: registry.get_organization_field('domain') | sanitized
  Example: mclane
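The following is an added worked example, not code from Armis or from the generator this page documents. It consumes an alert in the JSON shape defined by the field reference above, rejects records missing required fields, resolves the device IDs in activities[].decision_data against sources and destinations, flags endpoint-to-endpoint use of SMB/RDP/SSH (the lateral-movement case the "WorkStation to Workstation SMB Connection" title describes), and produces a triage score. The sample alert is constructed from the example values on this page with an invented destination device; the expected-port map, the endpoint type set, and the scoring weights are this example's own assumptions, not Armis scoring.

```python
"""Triage of an Armis SYSTEM_POLICY_VIOLATION alert in the JSON shape documented
above. Added example, not Armis or generator code; the port map, endpoint-class
set and scoring weights are this example's own assumptions."""
import json

# Lateral-movement protocols named on the page, with the ports they normally use
# (assumed here so that, e.g., SMB on a non-standard port can be flagged).
LATERAL_MOVEMENT_PORTS = {"SMB": {445, 139}, "RDP": {3389}, "SSH": {22}}
# Device types treated as end-user endpoints (assumption; WORKSTATION comes from
# the generator's choice list, the other two from the enumerated values).
ENDPOINT_TYPES = {"PERSONAL_COMPUTER", "WORKSTATION", "LAPTOP"}
REQUIRED = ("id", "type", "title", "policy", "status", "severity", "riskLevel",
            "timestamp", "sources", "destinations", "activities")

# Constructed sample alert built from the example values in the field table;
# the destination device (id, ip, name, riskLevel) is invented for the example.
SAMPLE_ALERT = json.dumps({
    "id": 1043631, "type": "SYSTEM_POLICY_VIOLATION",
    "title": "WorkStation to Workstation SMB Connection",
    "policy": {"id": 15244, "owner": "security@company.com", "actionType": "ALERT_HIGH",
               "rules": {"and": ["endpointA:(device:(type:'Personal Computers')) protocol:SMB"]},
               "labels": ["threats", "value_pack"], "timezone": "America/Chicago"},
    "status": "UNHANDLED", "severity": "HIGH", "riskLevel": 9,
    "timestamp": "2025-12-20T20:26:27.348+00:00",
    "sources": [{"id": 756766, "ip": "10.113.4.81", "name": "ws-1hc3773.mclane.mclaneco.com",
                 "type": "PERSONAL_COMPUTER", "riskLevel": 80,
                 "identifier": "A4:BB:6D:51:45:55", "boundaries": ["FS Charlotte - CE"]}],
    "destinations": [{"id": 756767, "ip": "10.113.4.82", "name": "ws-7kq9012.mclane.mclaneco.com",
                      "type": "PERSONAL_COMPUTER", "riskLevel": 35,
                      "boundaries": ["FS Charlotte - CE"]}],
    "activities": [{"type": "NETWORK_POLICY_VIOLATION",
                    "decision_data": {"port": 445, "protocol": "SMB",
                                      "client_device_id": 756766, "server_device_id": 756767}}],
    "classification": "Security - Other", "mitreAttackLabels": [],
})


def parse_alert(raw):
    """Decode the alert and reject records missing fields the schema marks required."""
    alert = json.loads(raw)
    missing = [f for f in REQUIRED if f not in alert]
    if missing:
        raise ValueError(f"alert {alert.get('id')} missing required fields: {missing}")
    if alert["type"] != "SYSTEM_POLICY_VIOLATION":
        raise ValueError(f"unexpected alert type {alert['type']!r}")
    return alert


def lateral_movement_findings(alert):
    """One finding per activity where an endpoint talks to another endpoint over SMB/RDP/SSH.
    decision_data carries device IDs, so devices are resolved from sources + destinations."""
    devices = {d["id"]: d for d in alert["sources"] + alert["destinations"]}
    findings = []
    for activity in alert["activities"]:
        data = activity.get("decision_data") or {}
        proto = str(data.get("protocol", "")).upper()
        client = devices.get(data.get("client_device_id"))
        server = devices.get(data.get("server_device_id"))
        if proto not in LATERAL_MOVEMENT_PORTS or client is None or server is None:
            continue  # not a lateral-movement protocol, or IDs not present in the alert
        if client["type"] in ENDPOINT_TYPES and server["type"] in ENDPOINT_TYPES:
            findings.append({
                "protocol": proto, "port": data.get("port"),
                "port_matches_protocol": data.get("port") in LATERAL_MOVEMENT_PORTS[proto],
                "client": client["name"], "server": server["name"],
                # same boundary = peer traffic inside one segment, which segmentation should block
                "same_boundary": bool(set(client.get("boundaries", [])) & set(server.get("boundaries", []))),
            })
    return findings


def priority(alert, findings):
    """0-100 triage score (assumed weights): platform severity, alert riskLevel (1-10),
    the riskiest source device (1-100), plus a bump for confirmed endpoint-to-endpoint movement."""
    if alert["status"] == "SUPPRESSED":
        return 0
    score = {"CRITICAL": 70, "HIGH": 50, "MEDIUM": 30, "LOW": 10}.get(alert["severity"], 0)
    score += 2 * int(alert["riskLevel"])
    score += max((int(d.get("riskLevel", 0)) for d in alert["sources"]), default=0) // 10
    if findings:
        score += 10
    return min(score, 100)


def triage(raw):
    """Parse, analyse and score one alert; returns a dict ready for a SIEM or ticket."""
    alert = parse_alert(raw)
    findings = lateral_movement_findings(alert)
    return {"id": alert["id"], "title": alert["title"], "findings": findings,
            "priority": priority(alert, findings)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

For the sample alert this yields one finding (SMB on 445 between two PERSONAL_COMPUTER devices in the same boundary) and a priority of 86. A SERVER-to-SERVER SMB activity produces no finding, because the policy violation of interest is endpoint-to-endpoint traffic; keep the two riskLevel fields separate, since the alert-level value is 1-10 and the per-device value is 1-100.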
