Configure the Early Warning for Security Exposure Management integration

  • Release version: Australia
  • Updated June 23, 2026
  • 2 minutes to read
  • Install and configure the Early Warning for Security Exposure Management integration plugin to ingest threat intelligence and enrich your vulnerability database with pre-disclosure threat signals.

    Before you begin

    Before you begin:

    • Verify that Unified Security Exposure Management (Vulnerability Response v30.x) is installed and configured in your instance.
    • Verify that the Vulnerability Integration Framework plugin is activated.
    • Obtain Armis Early Warning feed credentials and verify access to the threat intelligence API.

    Role required: sn_sec_cvd.read: Viewing Early Warning for Security Exposure Management health/CVD records.

    Write access to sn_vul_ew_cvd_attributes table is not exposed to any user role; the integration manages these attributes internally.

    About this task

    By configuring the Early Warning for Security Exposure Management integration, you enable your vulnerability management system to access pre-disclosure threat intelligence, allowing your security team to prioritize and respond to high-risk vulnerabilities before public disclosure.

    Procedure

    1. Navigate to All and enter sn_sec_int_integration.LIST in the Filter Navigator.
    2. In the Third-party Integrations list, select Early Warning for Security Exposure Management.
    3. Select Integration Instances tab.
    4. Configure the integration parameters in the Integration Instance Parameters related tab.
      1. Select armis_api_url and enter the Armis API endpoint URL in the Value field.
      2. Select armis_api_key and enter the Armis authentication credentials in the Password value field.
    5. Verify that delta (incremental) ingestion is enabled.

      Delta ingestion processes only new or changed threat records, minimizing API calls and avoiding re-enrichment of unchanged records between runs.

    6. Select Save and Activate to enable the integration.

      The integration is now active and the framework will begin delta synchronization on the next scheduled run.

    7. Verify that the early warning flag (ew_exists) is visible in your CVDB list view and form pages.

      The list view column displays the enriched threat signal status for each CVE record. When you select a row, the CVE form opens.

    Result

    Your Early Warning for Security Exposure Management integration is now configured and active. The integration will:

    • Ingest pre-disclosure threat signals on a scheduled cadence.
    • Enrich matching CVDB records with threat intelligence attributes. See Libraries in the List view table in Security Exposure Management Workspace List view for more information.
    • Propagate early warning status to related vulnerability records.
    • Update risk scores to reflect early warning signals.

    What to do next

    After configuring the integration, consider the following next steps:

    • Configure risk rules to weight the early warning flag in your vulnerability risk calculation
    • Create custom Vulnerability Crisis Management (VCM) workflows to trigger on early warning CVEs.
    • Review and customize the Early Warning dashboard to fit your team's reporting needs.