Illumio Core REST API in 23.2.0
The Illumio Core REST API v2 has changed in 23.2 in the following ways.
In release 23.2 0, most of the new APIs are introduced to power the Ransomware Dashboard. These new ransomware APIs together with some changed APIs are collected under the heading APIs for Ransomware.
Note
This document combines API changes for releases 23.2.0 and 23.1.0, which was not provided for customers.
APIs for Ransomware Protection
Ransomware Protection Dashboard
New APIs introduced to power the Ransomware Protection Dashboard are:
APIs in this release that have been changed to work with the Ransomware Protection Dashboard:
The Ransomware Dashboard image and quick description are available in Ransomware Dashboard.
For more detailed description see the Visualization Guide, Ransomware Dashboard and the API Guide, Ransomware APIs.
reports/risk_summary_get
Security administrators use this API to view how many workloads are ransomware protection ready and then assess the degree of protection in their whole system. This schema supplies the required information to run the Ransomware Dashboard:
Number of total workloads
Number of protected workloads
Number of risky ports by the severity of their risk exposure (low, medium, high, and critical)
Workload protection by the port type (admin and legacy)
Ransomware protection coverage percent
Date when the status was last updated
Sample Response for reports/risk_summary_get
{
"ransomware":{
"num_total_workloads":98,
"num_protected_workloads":22,
"workload_protection_by_severity":{
"low":{
"protected_workload_count":2,
"unprotected_workload_count":8
},
"medium":{
"protected_workload_count":3,
"unprotected_workload_count":6
},
"high":{
"protected_workload_count":2,
"unprotected_workload_count":8
},
"critical":{
"protected_workload_count":3,
"unprotected_workload_count":6
}
},
"workload_protection_by_port_type":{
"admin":{
"protected_workload_count":2,
"unprotected_workload_count":8
},
"legacy":{
"protected_workload_count":3,
"unprotected_workload_count":6
}
},
"ransomware_protection_coverage_percent":56,
"last_updated_at":"2023-01-21 23:32:42.679673"
}
}num_protected_unprotected_ports
This schema is referenced from reports_risk_summary_get.schema.json to supply the number of protected and unprotected ports for a specified risk level:
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"required": [
"num_protected_ports",
"num_unprotected_ports"
],
"properties": {
"num_protected_ports": {
"description": "Number of protected ports for this risk
level, across all protection ready workloads",
"type": "integer"
},
"num_unprotected_ports": {
"description": "Number of unprotected ports for this risk
level, across all protection ready workloads",
"type": "integer"
}
}
}reports_time_series_statistics_post
This schema supplies the granularity of the time series data.
The API reports_time_series_statistics_post includes the property num_managed_workloads, which is requested by the payload. The resolution might be day, week, month, and quarter, which defines what the UI will show.
The default value is "day".
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "array",
items": {
"type": "object",
"required": [
"property"
],
"properties": {
"property": {
"description": "The property for which time series data
is requested.",
"type": "string",
"enum": [
"num_managed_workloads"
]
},
"resolution": {
"type": "string",
"description": "The granularity for the time series data.
E.g. day, week, month, quarter",
"enum": [
"day",
"week",
"month",
"quarter"
],
"default": "day"
},
"max_results": {
"type": "integer",
"default": 5
}
}
}
}reports_time_series_statistics_post_response
This API specifies the time series data about the protected workloads, such as the start and end date of the protection period.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "array",
"items": {
"type": "object",
"required": [
"property",
"time_series"
],
"properties": {
"property": {
"description": "The property for which data has been
requested.",
"type": "string"
},
"time_series": {
"type": "array",
"items": {
"type": "object",
"required": [
"start_date",
"end_date"
],
"properties": {
"start_date": {
"description": "The start date of the time period.",
"type": "string",
"format": "date-time"
},
"end_date": {
"description": "The end date of the time period.",
"type": "string",
"format": "date-time"
},
"count": {
"description": "The integer count on the end date
of this period.",
"type": "integer"
},
"unit": {
"description": "The unit of the value returned.",
"type": "string"
}
}
}
}Sample Requst Body for reports_time_series_statistics_post_response
[
{
"property": "num_managed_workloads",
"resolution": "week",
"max_results": 4
}
]Response for reports_time_series_statistics_post_response
A week starts Monday and ends Sunday and the VEN count is from Sunday of that week. The last week could be a partial week hence the count will be of the last day.
The last month could be a partial month, and hence the count will be from the last day.
Workloads APIs Changed for Ransomware
workloads_get
This Public Stable API was changed to support the Ransomware Dashboard in the following way:
One new object was added:
risk_summary, which explains the risk summary for the workload. This object includes a required objectransomware, which supplies these properties:workload_exposure_severityransomware_protection_percentlast_updated_at
{
"properties": {
"risk_summary": {
"description": "Risk Summary for this workload",
"type": "object",
"required": [
"ransomware"
],
"properties": {
"ransomware": {
"type": [
"object",
"null"
],
"required": [
"workload_exposure_severity",
"ransomware_protection_percent",
"last_updated_at"
],
"properties": {
"workload_exposure_severity": {
"description": "Exposure severity of the workload",
"type": "string"
},
"ransomware_protection_percent": {
"description": "Ransomware protection percentage
for this workload",
"type": "number"
},
"last_updated_at": {
"description": "The time at which the ransomware
stats are last computed at",
"type": "string",
"format": "date-time"
}
}
}
}workloads_risk_details_get
This API, which supplies the risk details, you can see in action on the Workloads page, tab Ransomware Protection.
In addition to the organization admin, the users who have access to the workload can view the ransomware protection details for that workload, or how many risky ports are protected and how many risky ports are not protected.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"risk_details": {
"type": "object",
"required": [
"ransomware"
],
"ransomware": {
"type": [
"object",
"null"
],
"properties": {
"details": {
"type": "array",
"items": {
"$ref": "workload_ransomware_services.schema.json"
}
},
"last_updated_at": {
"description": "The time at which the protection stats
were last computed at",
"type": "string",
"format": "date-time"
}
}
}Sample Response for workloads_risk_details_get
{
"risk_details":{
"ransomware":{
"services":[
{
"href":"/api/v2/orgs/8/workloads/23131cf5-1d70-42de-9242-39055338d0ef",
"name":"SSH",
"port":22,
"protocol":17,
"severity":"low",
"port_status":"listening",
"protection_state":"unprotected",
"active_policy":"allowed",
"draft_policy":"blocked",
"recommendation":"add_boundary"
},
{
"href":"/api/v2/orgs/8/workloads/23131cf5-1d70-42de-9242-39055338d0ef",
"name":"SSH",
"port":22,
"protocol":6,
"severity":"high",
"port_status":"listening",
"protection_state":"protected",
"active_policy":"allowed",
"draft_policy":"blocked",
"recommendation":"has_draft_policy_needs_provisioning"
}
],
"last_updated_at":"2023-01-21 23:32:42.679673"
}
}
}The full response looks as follows:
[
{
"property":"num_managed_workloads",
"time_series":[
{
"start_date":"2022-10-31",
"end_date":"2022-11-2",
"count":120
},
{
"start_date":"2022-10-24",
"end_date":"2022-10-30",
"count":115
},
{
"start_date":"2022-10-17",
"end_date":"2022-10-23",
"count":110
},
{
"start_date":"2022-10-10",
"end_date":"2022-10-16",
"count":100
}
]
}
]workload_ransomware_services
This schema is referenced from workloads_risk_details_get to supply the required service data:
Service location and name
Service Port and Protocol
Severity and Protection state of this service
Status of the port on the workload
Active and Draft policy that allies to the Port
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"required": [
"href",
"port",
"protocol",
"severity",
"port_status",
"protection_state",
"active_policy",
"draft_policy"
],
"properties": {
"href": {
"description": "Reference of the service",
"type": "string"
},
"name": {
"description": "Name of the service",
"type": "string"
},
"port": {
"description": "Port Number",
"type": "integer",
"minimum": 0,
"maximum": 65535
},
"proto": {
"description": "Protocol Number",
"type": "integer"
},
"severity": {
"description": "Severity of this service",
"type": "string",
"enum": [
"low",
"medium",
"high",
"critical"
]
},
"category": {
"description": "Category of this service",
"type": "string",
"enum": [
"admin",
"legacy"
]
},
"port_status": {
"description": "Status of the port on the workload",
"type": "string",
"enum":
"listening",
"inactive"
]
},
"protection_state": {
"description": "Protection state of this service",
"type": "string",
"enum": [
"unprotected",
"protected_open",
"protected_closed"
]
},
"active_policy": {
"description": "Active Policy that applies to this port",
"type": "string",
"enum": [
"allowed",
"allowed_across_boundary",
"blocked_by_boundary",
"blocked_no_rule"
]
},
"draft_policy": {
"description": "Draft Policy that applies to this port",
"type": "string",
"enum": [
"allowed",
"allowed_across_boundary",
"blocked_by_boundary",
"blocked_no_rule"
]
},
"recommendation": {
"description": "Recommendation for this port based on enforcement
state, allow and deny rules and active/draft rule",
"type": "string",
"enum": [
"add_boundary",
"has_draft_policy_needs_provisioning"
]
}
}
}Settings APIs Changed for Ransomware
settings_get
This Public Stable API was changed to include a new property num_assets_requiring_ransomware_protection.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"href": {
"description": "Org Setting URI",
"type": "string",
"format": "uri"
},
"num_assets_requiring_ransomware_protection": {
"description": "number of assets that need ransomware
protection for this org",
"type": [
"integer",
"null"
]
},
======================================settings_put
This Public Stable API was changed to include a new property num_assets_requiring_ransomware_protection, which provides a number of assets that need ransomware protection in a specific organization. Number of assets is between one and 9999999 .
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"additionalProperties": false,
"properties": {
"num_assets_requiring_ransomware_protection": {
"description": "number of assets that need
ransomware protection for this org",
"type": "integer",
"minimum": 1,
"maximum": 9999999
===================================Security Policy Changed for Ransomware
sec_policy_services_post
sec_policy_services_put
sec_policy_services_get
These APIs have been changed as follows:
The new object risk_details was added and supplies the same data as the previously deleted three properties: ransomware_category, ransomware_severity, and ransomware_os_platforms.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"additionalProperties": false,
"required": [
"name"
],
"properties": {
"name": {
"description": "Name (does not need to be unique)",
"type": "string"
},
"description": {
"description": "Description",
"type": "string"
},
"risk_details": {
"type": "object",
"properties": {
"ransomware": {
"type": "object",
"properties": {
"category": {
"description": "Categorization based on Admin
or Legacy port used in the service",
"type": "string",
"enum": [
"admin",
"legacy"
]
},
"severity": {
"description": "Severity of this service",
"type": "string",
"enum": [
"low",
"medium",
"high",
"critical"
]
},
"os_platforms": {
"description": "Operating system for this
ransomware service",
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"windows",
"linux"
]
}
}
}
}
}
},
==============================================These Security Policy APIs are explained in the topic Services
VEN APIs
New VEN APIs
The new common schema release_ven_types is introduced to show ven_types for each release and to filter releases by ven_type.
Previously, the ven_type was not stored for the release, and database records looked as follows:
Release 22.5 : Distribution CentOS
Release 22.5.1: Distribution MacOS
Release 22.5.1: Distribution Windows
With the property ven_type added, the database records are expanded with an additional ven_types column:
Release 22.5; Distribution CentOS;
ven_types:server + endpointRelease 22.5; Distribution MacOS;
ven_types:server + endpointRelease 22.5.1; Distribution Windows;
ven_types:server + endpoint
Note that in release 22.5.1 the code supports the type server+endpont. However, Centos (Linux) supports a server-only VEN image, MasOS supports endpoint-only image, and Windows supports both server and endpoint.Gne actiual dictribution looks as follows:
Release 22.5; Distribution CentOS;
ven_types:server + endpointRelease 22.5; Distribution MacOS;
ven_types:endpointRelease 22.5.1; Distribution Windows;
ven_types:server + endpoint
When a user opens the list of release images via the UI and looks for the type server + endpoint, only the Windows image will show up as the complete match.
To fix this issue, the ven_type is now based on release and distribution:
All releases before 21.2.2 were just
server(there was no endpoint)Any release with 22.3.x was
endpoint(there was no server)Any other releases were
server + endpoint, but instead of settingserver + endpointto all the images (database records), theven_typesare set in a way that is specific for the Os.
common release_ven_types
{
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "Supported ven types in this release",
"type": "array",
"items": {
"type": "string",
"enum": ["server", "endpoint"]
}
}The schema release_ven_types is referenced from the APIs software_ven_releases_get and software_ven_releases_images_get, which have been updated and changed for this release:
software_ven_releases_get
{
"properties": {
"ven_types": {
"$ref": "../common/release_ven_types.schema.json"
}
}
}The API software_ven_releases_get shows the VEN releases available to the org, one per VEN version, along with some metadata such as whether it is the default version, whether that release supports servers and/or endpoints, and so on. The list of images is longer than the list of releases, and multiple images belong to the same release version.
One new property was added:
default_release_ven_types: The type of the release marked as default
{
"properties": {
"default_release_ven_types": {
"type": "array",
"items": {
"type": "string",
"description": "The type of the release marked as default"
}
}
}
}software_ven_releases_images_get
{
"items": {
"properties": {
"ven_types": {
"$ref": "../common/release_ven_types.schema.json"
}
}
}
}The API software_ven_releases_images_get shows the full list of VEN images. There is one image for each supported Linux distribution (such as RHEL, Ubuntu), plus images for Windows and macOS.
VEN API Changes
vens_get
This API has several changes:
These two new properties were added:
upgrade_expires_at: Time (rfc3339 timestamp) at which the PCE stops attempting VEN upgradeupgrade_target_version: Software release to which to upgrade
{
"properties": {
"upgrade_expires_at": {
"description": "The time (rfc3339 timestamp) at which the
PCE stops attempting VEN upgrade",
"type": [
"string",
"null"
],
"format": "date-time"
},
"upgrade_target_version": {
"description": "The software release to upgrade to.",
"type": [
"string",
"null"
]
}
}
}hostnameis now requiredType
nullwas added to string/object for the following properties:name,description,hostname,uid,os_id,os_detail,os_platform,active_pce_fqdn,target_pce_fqdn,public_ip,security_policy_applied_at,container_cluster,secure_connect,security_policy_received_at,last_goodbye_at, andcontainer_clusterThese properties have been added:
instance_id,data_center,data_center_zone,service_principal_name,security_policy_sync_stateThe property
minItemswas removed
vens_upgrade_put
One new property was added:
upgrade_timeout_seconds: Number of seconds during which the PCE tries to trigger the agent upgrade
{
"properties": {
"upgrade_timeout_seconds": {
"description": "Number of seconds during which the PCE
tries to trigger the agent upgrade.",
"type": "integer",
"minimum": 900,
"maximum": 15552000
}
}
}common software_ven_default_release
This is a new API that supplies the VEN bundle release, including the VEN UTI associated with the release and the VEN type property (type of the release marked as default).
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"required": [
"href",
"ven_type" ],
"description": "The ven bundle release with the ven type property",
"additionalProperties": false,
"properties": {
"href": {
"description": "URI associated to this release",
"type": "string"
},
"ven_type": {
"type": "string",
"description": "The type of the release marked as default",
"enum": [
"server",
"endpoint"
]
}
}
}Endpoint Offline Timer
The Endpoint Offline Timer was introduced to overcome the 24-hour limitation that was hard-coded for endpoints heart beating.
If the endpoints did not heartbeat for 24 hours, they were marked as being offline and the endpoint timer was hard coded to 24 hours. However, the 24-hour limit was found to be limiting and was now adjusted to allow for endpoint mobility and usability.
The following APIs have been changed:
GET /api/v2/orgs/:xorg_id/settings/workloads: Added properties to reflect the endpoint timeout values: disconnect,PUT /api/v2/orgs/:xorg_id/settings/workloads: Updated the endpoint offline, heartbeat, and disconnect and quarantine warning timeout values
The three workload timeout setting fields have been updated:
workload_disconnected_timeout_seconds: Timer setting triggered if the server or endpoint has not heart beaten to the PCE.workload_goodbye_timeout_seconds: Timer setting triggered if the server or endpoint operation is performed (stop, disable, ...)workload_disconnected_notification_seconds: Time period to wait with no heartbeat before a warning is emitted.
The fourth field use for timeout settings is named ven_uninstall_timeout_hours and was available before. It defines the period (in hours) to wait before uninstalling a VEN.
The updated workload settings fields reference the following schemas:
workload_disconnected_timeout_seconds : is referencingsettings_workload_detailed.schema.jsonworkload_goodbye_timeout_seconds: is referencingsettings_workload_detailed.schema.jsonworkload_disconnected_notification_seconds: is referencingsettings_workload_notifications.schema.jsonven_uninstall_timeout_hours: is referencing the old common schemasettings_workload.schema.json
More about the updated schemas:
settings_workload_notifications
This schema file now has an additional property ven_type to support the ven type by the referenced timeout fields.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "array",
"items": {
"type": "object",
"additionalPropertes": false,
"required": [
"scope",
"warning"
],
"properties": {
"scope": {
"$ref": "labels.schema.json"
},
"warning": {
"description": "Workload disconnect warning timeout",
"type": "integer",
"minimum": -1,
"maximum": 2147483647
},
"ven_type": {
"description": "The ven type that this property is applicable to",
"type": [
"string",
"null"
],
"enum": [
"server",
"endpoint"
]
}
}
},
"uniqueitems": true
}settings_workload_detailed
The new schema settings_workload_detailed is expanded from the previous schema settings_workload so that additional information about the ven_type was added.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"scope",
"value"
],
"properties": {
"scope": {
"$ref": "labels.schema.json"
},
"value": {
"description": "Property value associated with the scope",
"type": "integer",
"minimum": -1,
"maximum": 2147483647
},
"ven_type": {
"description": "The ven type that this property is applicable to",
"type": [
"string",
"null"
],"enum": [
"server",
"endpoint",
null
]
}
}
},
"uniqueItems": true
}To ensure backend compatibility, the new field ven_type is specified as optional. If it is missing in the request, the parameter is considered as being of a server type.
Examples
The example below represents the complete JSON string returned by the GET /api/v2/orgs/:xorg_id/settings/workloads request:
{
"href": "/orgs/1/settings/workloads",
"workload_disconnected_timeout_seconds": [
{
"scope": [],
"value": 10800,
"ven_type": "server"
},
{
"scope": [],
"value": 3600,
"ven_type": "endpoint"
},
],
"workload_goodbye_timeout_seconds": [
{
"scope": [],
"value": 12000,
"ven_type": "server"
},
{
"scope": [],
"value": 7200,
"ven_type": "endpoint"
}
],
"workload_disconnected_notification_seconds": [
{
{
"scope": [],
"info": 1800,
"warning": 3600,
"error": 5400,
"ven_type": "server
},
{
"scope": [],
"info": 1801,
"warning": 3602,
"error": 5403,
"ven_type": "server
}
}
],
"ven_uninstall_timeout_hours": [
{
"scope": [],
"value"=>300
}
]
}In the following example, all four workload timeout setting properties are set via the PUT /api/v2/orgs/:xorg_id/settings/workloads request:
{
"workload_disconnected_timeout_seconds": [
{
"scope": [],
"value": 10800,
"ven_type": "server"
},
{
"scope": [],
"value": 3600,
"ven_type": "endpoint"
},
],
"workload_goodbye_timeout_seconds": [
{
"scope": [],
"value": 12000,
"ven_type": "server"
},
{
"scope": [],
"value": 7200,
"ven_type": "endpoint"
}
],
"workload_disconnected_notification_seconds": [
{
{
"scope": [],
"info": 1800,
"warning": 3600,
"error": 5400,
"ven_type": "server"
},
{
"scope": [],
"info": 1801,
"warning": 3602,
"error": 5403,
"ven_type": "endpoint"
}
}
],
"ven_uninstall_timeout_hours": [
{
"scope": [],
"value"=>300
}
]
}Other Changed APIs
common label_mappings
Kubelink reports all label mappings to the PCE through the endpoint.
PUT /api/v1/:org_id/:container_cluster_uuid/label_mappings
When there is more than one LabelMap defined in the cluster, Kubelink will combine all labelMaps together.
When Kubelink detects duplicate entries or other validation errors, it will put the offending CRD into an error state. In reality, we will recommend that customers always create only one labelMap per cluster.
Container Workload Profiles
container_clusters_container_workload_profiles_update_put
This API is different from container_clusters_container_workload_profiles_put in the following way:
the deprecated property
assign_labelsis removedthe new property
container_workload_profilesis added and gives a list of container workload profiles HREFs and Container Workload Profile URIs.The property
namewas removed was removed
common resource_condition
In this common schema, the name of the property error was changed into err.
Settings Traffic collector
The Settings Traffic Collector APIs have been changed to support more granular filters, for endpoints in particular.
There are three updated APIs in this group:
settings_traffic_collector_get
settings_traffic_collector_put
settings_traffic_collector_post
Two new properties have been added to all of them:
data_source: Flow summary data sourcenetwork: Flow summary network
For settings_traffic_collector_put and settings_traffic_collector_post, these properties contain additional definitions for their type.
Pairing Profiles
pairing_profiles_get
pairing_profiles_post
Fot these API, a new property can be listed or created: ven_type.
Workloads Interfaces
workloads_interfaces_get
For this API, the following changes have been made:
Two required properties were removed:
ip_versionandnetwork_idOne required property was added:
networkFor this property, type
nullwas added fornetwork_detection_modeandfriendly_name
Other property changes:
Property
hrefwas addedType
nullwas added forlink_state,cidr_block, anddefault_gateway_address
workloads_interfaces_network
For this API, a new property name was added to describe the name of the network.
workloads_with_ven_put
For this API, the property type null was added.
Deprecated APIs
common pairing_profile_ven_type
Deprecation announcement for the option specified_during_activation.
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "string",
"description": "Type of VEN that this pairing profile will enforce.
specified_during_activation option is deprecated and will be removed
in the next API version.",
"enum": ["specified_during_activation", "server", "endpoint"]
}