Drift Detection
Drift Detection overview
Illumio Segmentation for the Cloud continuously monitors the state of the security controls in your cloud service provider (CSP) for changes.
For rules in a security control that were not written by Illumio Segmentation for the Cloud, Drift Detection generates drift system events whenever those rules are added, modified, or deleted. These system events show the drift in that security control.
In other words, any change to a customer-owned rule is considered drift.
Note
The feature is currently supported for the following:
AWS SGs, NACLs
Azure NSGs
Azure Firewalls
Drift Detection for Azure Firewalls is performed only for Illumio Segmentation for the Cloud-managed rule collection groups, rule collections, and rules.
Drift Detection vs. Tamper Protection
Drift Detection and Tamper Protection both alert you to changes made to security control rules. They address different scenarios:
Drift Detection displays system events on the Events page System Events tab if non-Illumio-written rules are modified, deleted, or added, but takes no action.
Tamper Protection displays alerts on the Events page System Events tab if Illumio-written rules are modified or deleted, and automatically re-enforces the original rule. See Tamper Protection.
Drift Detection example
In this example, assume you have an AWS SG and you recently created a rule for it in Illumio Segmentation for the Cloud. Suppose that you later add a customer-owned rule in the AWS console.
Drift Detection generates an event that makes note of this change. In the Events page System Events tab, use the filter to select Event Type: network_security.drift_addition. You would see an event message like this:
A new rule ExampleRule1 was added to ExampleSG
If you removed a customer-owned rule in the AWS console, that would also be considered drift. In the Events page System Events tab, use the filter to select Event Type: network_security.drift_removal. You would see an event message like this:
Rule ExampleRule1 from ExampleSG was removed
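The following is an added illustration of the classification described in the Drift Detection example and in the Drift Detection vs. Tamper Protection comparison; it is not Illumio's code. It assumes a hypothetical snapshot format in which each rule carries an "owner" field, and the drift_modification and tamper event names are assumptions; only network_security.drift_addition and network_security.drift_removal are the event types named on this page.

```python
# Event types named on this page.
DRIFT_ADDITION = "network_security.drift_addition"
DRIFT_REMOVAL = "network_security.drift_removal"
# Hypothetical event names (assumed, not taken from the product).
DRIFT_MODIFICATION = "network_security.drift_modification"
TAMPER = "tamper_protection.rule_changed"


def classify_changes(sg_name, previous, current):
    """Diff two snapshots of one security group's rules.

    previous / current: {rule_name: {"owner": "customer" | "illumio", "spec": tuple}}
    Returns (drift_events, tamper_events), each a list of (event_type, message).
    Customer-owned changes are drift: reported only, no action taken.
    Illumio-written rules that are modified or deleted are tamper: reported so
    the caller can re-enforce the original rule.
    """
    drift, tamper = [], []
    for name in sorted(set(current) - set(previous)):
        # Additions of Illumio-written rules are expected (Illumio made them).
        if current[name]["owner"] == "customer":
            drift.append((DRIFT_ADDITION, f"A new rule {name} was added to {sg_name}"))
    for name in sorted(set(previous) - set(current)):
        if previous[name]["owner"] == "illumio":
            tamper.append((TAMPER, f"Illumio rule {name} was deleted from {sg_name}"))
        else:
            drift.append((DRIFT_REMOVAL, f"Rule {name} from {sg_name} was removed"))
    for name in sorted(set(previous) & set(current)):
        if previous[name]["spec"] == current[name]["spec"]:
            continue  # unchanged rule
        if previous[name]["owner"] == "illumio":
            tamper.append((TAMPER, f"Illumio rule {name} in {sg_name} was modified"))
        else:
            drift.append((DRIFT_MODIFICATION, f"Rule {name} in {sg_name} was modified"))
    return drift, tamper


# Constructed sample snapshots (protocol, port, CIDR) for the walkthrough above.
BEFORE = {
    "IllumioRule1": {"owner": "illumio", "spec": ("tcp", 443, "10.0.0.0/16")},
    "ExampleRule1": {"owner": "customer", "spec": ("tcp", 22, "0.0.0.0/0")},
}
AFTER = {
    "IllumioRule1": {"owner": "illumio", "spec": ("tcp", 443, "10.0.0.0/8")},  # widened
    "ExampleRule2": {"owner": "customer", "spec": ("tcp", 3389, "203.0.113.0/24")},
}

if __name__ == "__main__":
    for kind, events in zip(("drift", "tamper"), classify_changes("ExampleSG", BEFORE, AFTER)):
        for event_type, message in events:
            print(f"{kind}: {event_type}: {message}")
```

Running it reports the customer-owned addition and removal as drift events with the same wording as the messages above, while the widened Illumio-written rule is reported separately as tamper.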