Illumio Core What's New and Release Notes for 23.5

Illumio Core REST API in 23.5.0

The Illumio Core REST API v2 has changed in 23.5 in the following ways.

New APIs

There are two new APIs in this release:

reports_risk_summary_ransomware_timeseries_statistics_post

This new Public Experimental API is used to show the new time series data:

  • Number of managed workloads

  • Percent of the ransomware protection coverage

  • Number of workloads by exposure

Data is presented with the granularity of day, week, month, and quarter, where the default is day.

workloads/bulk_import

This new API is used to update workloads using a CSV file, and the only allowed input type is 'text/csv'.

We recommend that users export a CSV file from the workloads page before using this import function, so that they can modify the exported file with the labels they want to assign to the workloads.

  • PUT /api/v2/orgs/:xorg_id/workloads/bulk_import?delete_token

    If the value in the CSV file for the label_dimension is the same as the delete token passed in the request, the label in that label dimension is deleted for the workload. When users update workload labels with a CSV file, they can pass the delete token in the request to specify the labels to be deleted.

  • PUT /api/v2/orgs/:xorg_id/workloads/bulk_import?create_labels=true/false (default is false)

    Provides an option in the CSV labels update to create new labels if they don't exist. If the option is false, rows with non-existent labels will be skipped entirely.

  • PUT /api/v2/orgs/:xorg_id/workloads/bulk_import?dry_run=true/false (default is false)

    If users set this parameter to true, the API only returns the potential changes and error tokens without making actual changes to the workloads.
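
The following is an added example, not Illumio's code: a pre-flight check to run before calling workloads/bulk_import. It lists the CSV cells that equal the delete token (the labels that would be removed) and builds the request URL with dry_run=true so the PCE reports changes without applying them. The column names (hostname, role, app, env, loc), the sample rows, the host pce.example.com, the org ID and the delete_token=<value> query form are assumptions for illustration.

```python
import csv
import io
from urllib.parse import urlencode

# Constructed sample; column names are assumed, not taken from a real export.
SAMPLE_CSV = """hostname,role,app,env,loc
web01,web,shop,prod,--DELETE--
db01,db,shop,--DELETE--,eu
app01,api,shop,prod,eu
"""

LABEL_DIMENSIONS = ("role", "app", "env", "loc")  # assumed label dimensions


def find_label_deletions(csv_text, delete_token, dimensions=LABEL_DIMENSIONS):
    """Return (row_number, hostname, dimension) for every cell equal to the delete token."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        for dim in dimensions:
            if row.get(dim) == delete_token:  # exact match, as the release note describes
                hits.append((row_number, row.get("hostname", ""), dim))
    return hits


def bulk_import_url(pce, org_id, delete_token=None, create_labels=False, dry_run=True):
    """Build the PUT URL; dry_run defaults to True here so nothing changes by accident."""
    params = {"dry_run": str(dry_run).lower(), "create_labels": str(create_labels).lower()}
    if delete_token is not None:
        params["delete_token"] = delete_token  # assumed query form: delete_token=<value>
    return f"https://{pce}:8443/api/v2/orgs/{org_id}/workloads/bulk_import?{urlencode(params)}"


if __name__ == "__main__":
    for row_number, host, dim in find_label_deletions(SAMPLE_CSV, "--DELETE--"):
        print(f"row {row_number}: {host} would lose its '{dim}' label")
    print("PUT", bulk_import_url("pce.example.com", 1, delete_token="--DELETE--"))
    # Send the CSV body with Content-Type: text/csv, the only input type the API accepts.
```

Review the listed rows and the dry-run response before repeating the request with dry_run=false.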

common kubernetes_workloads_metadata

The new common schema kubernetes_workloads_metadata is referenced from kubernetes_workload_get.

It provides Kubernetes properties such as labels, annotations, and external service's UID.

{
	"$schema": "http://json-schema.org/draft-04/schema#",
	"description": "k8s object metadata",
	"additionalProperties": false,
	"type": "object",
	"properties": {
		"labels": {
			"description": "k8s key/value pairs attached to object that specify identifying attributes",
			"type": "object"
		},
		"annotations": {
			"description": "k8s key/value pairs representing arbitrary non-identifying metadata of object",
			"type": "object"
		},
		"external_service_uid": {
			"description": "k8s object uid of external traffic service (NodePort or LoadBalancer)",
			"type": "string"
		}
	}
}

Exposure and Authorization Changes
Network Enforcement Nodes Changes

Some existing Experimental APIs have been changed to facilitate creation of fully scripted integrations of endpoint management systems with the PCE using the Network Enforcement Nodes (NEN) Switch integration capabilities.

The default authorization for all Network Devices and Network Enforcement Nodes is "Global Administrator" and "Global Organization Owner".

In this release, additional authorizations have been extended as listed below:

| API | Exposure Change | New Authorization Change |
|---|---|---|
| network_device_config | YES | NO |
| network_device_get | YES | NO |
| network_device_network_endpoint_get | YES | NO |
| network_devices_enforcement_instructions_applied_post | YES | "Global Policy Object Provisioner" and "Ruleset Provisioner" |
| network_devices_enforcement_instructions_request_post | YES | "Global Policy Object Provisioner" and "Ruleset Provisioner" |
| network_devices_get | YES | "Global Policy Object Provisioner", "Global Read Only", "Limited Ruleset Manager", "Ruleset Provisioner", "Ruleset Viewer", "Workload Manager" |
| network_devices_multi_enforcement_instructions_applied_post | YES | "Global Policy Object Provisioner" and "Ruleset Provisioner" |
| network_devices_multi_enforcement_instructions_request_post | YES | "Global Policy Object Provisioner" and "Ruleset Provisioner" |
| network_devices_network_endpoints_get | YES | NO |
| network_devices_network_endpoints_post | YES | "Workload Manager" |
| network_devices_network_endpoints_put | YES | "Workload Manager" |
| network_devices_put | YES | "Workload Manager" |
| network_endpoint_config | YES | NO |
| network_enforcement_node_get | YES | NO |
| network_enforcement_nodes_get | YES | "Full Ruleset Manager", "Global Policy Object Provisioner", "Global Read Only", "Limited Ruleset Manager", "Ruleset Provisioner", "Ruleset Viewer", "Workload Manager" |
| network_enforcement_nodes_network_devices_post | YES | "Workload Manager" |
| network_enforcement_nodes_put | YES | NO |

Other Exposure Changes
supported_devices

This API is being made available to integrators.

Changed APIs
Ransomware Dashboard API Changes

In this release, these ransomware-related APIs have been changed:

reports_risk_summary_get

This API was changed so that the property risky_ports_by_category was added to support the widget "Risky ports by type" in the UI.

"risky_ports_by_category": {
	  "description": "Risky ports by Port type",
	  "type": "object",
	   "properties": {
		"admin": {
			"$ref": "num_protected_unprotected_ports.schema.json"
		},
		"legacy": {
			"$ref": "num_protected_unprotected_ports.schema.json"
		}
	}
}
reports_time_series_statistics_post

This API was changed so that besides the number of Managed Workloads, the following two other properties were added:

  • ransomware_protection_coverage_percent: Percent of the ransomware protection coverage

  • num_workloads_by_exposure: Number of workloads by exposure

Data is presented with the granularity of day, week, month, and quarter, where the default is day.

{
	"$schema": "http://json-schema.org/draft-04/schema#",
	"type": "array",
	"items": {
		"type": "object",
		"required": [
			"property"
		],
		"properties": {
			"property": {
				"description": "The property for which time series data is requested.",
				"type": "string",
				"enum": [
					"num_managed_workloads",
					"ransomware_protection_coverage_percent",
					"num_workloads_by_exposure"
				]
			},

reports_time_series_statistics_post_response

Previously, the schema contained the integer count on the end date of the counted period. This item was removed:

	"count": {
		"description": "The integer count on the end date of this period.",
		"type": "integer"
	},
	"unit": {
		"description": "The unit of the value returned.",
		"type": "string"
	},

This API now gives the percentage on the end date of the counted period.

This API now references the schema num_workloads_by_exposure_time_series.

	"data": {
		"oneOf": [
			{
				"$ref": "../../../agent/schema/v2/num_workloads_by_exposure_time_series.schema.json"
			},
			{
				"count": {
					"description": "The integer count on the end date of this period.",
					"type": "integer"
				}
			},
			{
				"percentage": {
					"description": "The percentage on the end date of this period.",
					"type": "number",
					"minimum": 0,
					"maximum": 100
				}
			}
		]
	}

workload_ransomware_services

This schema is referenced from workloads_risk_details_get to supply the required service data:

  • Service location and name

  • Service Port and Protocol

  • Severity and Protection state of this service

  • Status of the port on the workload

  • Active and Draft policy that applies to the Port

In release 23.5, additional information about the operating systems has been added for the ransomware service: Windows and Linux.

{
	"properties": {
	    "os_platforms": {
		"description": "Operating system for this ransomware service",
		"type": "array",
		"minItems": 1,
		"items": {
		    "type": "string",
		    "enum": [
		    "windows",
		    "linux"
		]
	    }
	}
    }
}
Other API Changes
sec_policy_rule_coverage_post_response

In this API, a new array rule_edges was added, which provides a list with a placeholder for each requested source and destination pair.

The previous object rules is replaced with a reference to "$ref": "#/definitions/rule_href_mapping", and the previous array edges is replaced with a reference to "$ref": "#/definitions/rule_edges".

"rule_edges": {
	"type": "array",
	"description": "A list with a placeholder for each requested source and destination pair",
	"items": {
		"type": "array",
		"description": "A list with a placeholder for each requested service (per source and destination pair)",
		"items": {
			"type": "array",
			"description": "A list of indexes of matching rules (for each service per source and destination pair)",
			"items": {
				"type": "string",
				"pattern": "^[0-9]+$"
			}
		}
	}
}

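
The following is an added example, not Illumio's code: it walks the three nesting levels of rule_edges (pair, then service, then rule indexes) and reports every source/destination pair and service for which the innermost list is empty. The sample data is constructed, and it is an assumption that the outer and middle lists follow the order of the pairs and services in the request and that an empty innermost list means no rule matched.

```python
import re

INDEX_RE = re.compile(r"^[0-9]+$")  # pattern from the rule_edges schema

# Constructed sample fragment: 2 source/destination pairs x 2 services each.
SAMPLE_RULE_EDGES = [
    [["0", "2"], []],   # pair 0: service 0 matched by rules 0 and 2, service 1 by none
    [["1"], ["1"]],     # pair 1: both services matched by rule 1
]


def validate_rule_edges(rule_edges):
    """Check the array -> array -> array -> index-string shape; raise ValueError if violated."""
    if not isinstance(rule_edges, list):
        raise ValueError("rule_edges must be an array")
    for p, per_pair in enumerate(rule_edges):
        if not isinstance(per_pair, list):
            raise ValueError(f"pair {p}: expected an array of services")
        for s, indexes in enumerate(per_pair):
            if not isinstance(indexes, list):
                raise ValueError(f"pair {p} service {s}: expected an array of indexes")
            for idx in indexes:
                if not isinstance(idx, str) or not INDEX_RE.fullmatch(idx):
                    raise ValueError(f"pair {p} service {s}: bad rule index {idx!r}")


def uncovered(rule_edges):
    """Return (pair_position, service_position) for every empty innermost list."""
    validate_rule_edges(rule_edges)
    return [(p, s)
            for p, per_pair in enumerate(rule_edges)
            for s, indexes in enumerate(per_pair)
            if not indexes]


def rules_in_use(rule_edges):
    """Return the sorted, de-duplicated rule indexes referenced anywhere in the response."""
    validate_rule_edges(rule_edges)
    found = {idx for per_pair in rule_edges for indexes in per_pair for idx in indexes}
    return sorted(found, key=int)


if __name__ == "__main__":
    print("no matching rule for (pair, service):", uncovered(SAMPLE_RULE_EDGES))
    print("rule indexes referenced:", rules_in_use(SAMPLE_RULE_EDGES))
```
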
optional_features_put

In 23.5, this API was changed so that an optional feature flag for Windows outbound process was added: windows_outbound_process_enforcement.

	"properties": {
		"name": {
		"description": "Name of the feature",
		"type": "string",
		"enum": [
			"ip_forwarding_firewall_setting",
			"ui_analytics",
			"illumination_classic",
			"ransomware_readiness_dashboard",
			"per_rule_flow_log_setting",
			"lightning_default",
			"collector_scanner_filters",
			"corporate_ips_groups",
			"labels_editing_warning_for_enforcement_mode",
			"label_based_network_detection",
			"cloudsecure_enabled",
			"windows_outbound_process_enforcement"
		]
	    },	

This feature flag can be enabled or disabled using the following curl command:

curl -u "${your_api_key}:${your_api_secret}" -H "Content-Type: application/json" -X PUT -d '[{"name":"windows_outbound_process_enforcement","enabled":true}]' "https://${your_pce_server}:8443/api/v2/orgs/${your_org_id}/optional_features"

Set "enabled":true to enable the feature or "enabled":false to disable it.

kubernetes_workloads_get

For this API, these changes have been made:

  • Two arrays, k8s_labels and sk8s_annotation, have been removed and replaced with the property metadata:

	"metadata": {
		"$ref": "../common/kubernetes_workloads_metadata.schema.json"
	}

  • The HREF description has been changed from "URI of the container workload" to "URI of the kubernetes workload".