About the Illumio Technology Add-On for Splunk (TA-Illumio)

The Illumio Technology Add-On for Splunk (TA-Illumio) is a Splunk add-on that receives data from the Illumio Policy Compute Engine (PCE) and normalizes it for Splunk. TA-Illumio collects data from the PCE and maps it to the Splunk Common Information Model (CIM), the shared set of field names and tags that Splunk apps use to interpret data from different sources consistently. Illumio data in CIM format can be used directly by Splunk applications such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

Data is collected from the PCE in two ways: by polling the Illumio ASP REST API and by receiving syslog messages forwarded by the PCE.

The Adaptive Response Framework components used by Splunk Enterprise Security are packaged with TA-Illumio.

Illumio ASP REST API

TA-Illumio pulls data using the Illumio ASP REST API. For this collection to work, you must configure a Data Input (also called a modular input) in TA-Illumio with the PCE connection details and API credentials. The data returned by the API calls is used to build metadata for workloads, labels, and services, which TA-Illumio then uses to enrich the syslog data, such as traffic flow summaries and auditable events.

The following Illumio ASP REST API endpoints are called. The 1 in orgs/1 is the PCE organization ID, which is 1 on a default single-organization PCE. All of these calls are GETs, so the API key used by TA-Illumio needs only read access to the PCE:

  • GET /api/v2/orgs/1/workloads/

  • GET /api/v2/orgs/1/labels/

  • GET /api/v2/orgs/1/health/

  • GET /api/v2/product_version

  • GET /api/v2/orgs/1/sec_policy/draft/ip_lists

  • GET /api/v2/orgs/1/sec_policy/draft/services

Illumio PCE Syslog

TA-Illumio receives and processes messages sent directly by the PCE over the TCP port configured in the Data Input (modular input). A plain TCP syslog listener does not authenticate its senders, so restrict access to that port to the PCE's addresses. The message types are:

  • Events, which are structured JSON messages that represent auditing information.

  • Traffic flow summaries, which are structured JSON messages that represent enriched traffic flows. Traffic flow summaries contain flows, Illumio labels, and other data about the flow.

  • PCE System Health messages in syslog format (key-value pairs).

  • Other syslog messages.
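As an added example (not code from TA-Illumio or from the Illumio documentation), the following Python models the two data paths described in the REST API and syslog sections above: it builds a workload and label lookup from the kind of collections returned by the labels and workloads endpoints, classifies incoming PCE syslog lines into the four message types listed, and enriches flow summaries with labels from that lookup. The sample API responses and syslog lines are constructed for the example. The JSON field names assumed for events and flow summaries (event_type, src_ip, dst_ip, dst_port, proto, policy_decision), the syslog program tags (illumio_pce/collector, illumio_pce/agent, illumio_pce/system_health) and the health key names are illustrative assumptions, not Illumio's documented schema. The fetch_json helper shows the HTTP Basic authentication the PCE API uses (API key as username, API secret as password) and is not called in the offline run.

```python
import base64, json, re, urllib.request

def fetch_json(base_url, org_id, path, api_key, api_secret):
    """GET one PCE collection (e.g. path='labels'). The PCE API uses HTTP Basic
    auth: API key as username, secret as password. Not called offline."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/v2/orgs/{org_id}/{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verification stays on
        return json.load(resp)

# Constructed sample responses for GET .../labels/ and GET .../workloads/
SAMPLE_LABELS = [
    {"href": "/orgs/1/labels/11", "key": "role", "value": "Web"},
    {"href": "/orgs/1/labels/12", "key": "role", "value": "DB"},
    {"href": "/orgs/1/labels/20", "key": "env", "value": "Prod"},
]
SAMPLE_WORKLOADS = [
    {"href": "/orgs/1/workloads/aaa", "hostname": "web01",
     "interfaces": [{"name": "eth0", "address": "10.0.1.10"}],
     "labels": [{"href": "/orgs/1/labels/11"}, {"href": "/orgs/1/labels/20"}]},
    {"href": "/orgs/1/workloads/bbb", "hostname": "db01",
     "interfaces": [{"name": "eth0", "address": "10.0.2.20"}],
     "labels": [{"href": "/orgs/1/labels/12"}, {"href": "/orgs/1/labels/99"}]},  # 99: dangling href
]

def build_label_index(labels):
    """href -> (key, value). Workloads carry labels as hrefs only, so this
    join is what turns '/orgs/1/labels/11' into role=Web."""
    return {lbl["href"]: (lbl["key"], lbl["value"]) for lbl in labels}

def build_workload_index(workloads, label_index):
    """Interface IP -> {hostname, labels}. Unresolvable hrefs are skipped, not guessed."""
    index = {}
    for wl in workloads:
        labels = {}
        for ref in wl.get("labels", []):
            kv = label_index.get(ref["href"])
            if kv:
                labels[kv[0]] = kv[1]
        for iface in wl.get("interfaces", []):
            index[iface["address"]] = {"hostname": wl["hostname"], "labels": labels}
    return index

# RFC 3164-style header: "<PRI>Mon dd hh:mm:ss host program: payload"
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[^:\s]+):\s*(?P<payload>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def classify(line):
    """Return (kind, parsed); kind is event, flow_summary, health or other."""
    m = SYSLOG_RE.match(line)
    if not m:
        return "other", {"raw": line}
    prog, payload = m.group("prog"), m.group("payload")
    if payload.startswith("{"):
        try:
            obj = json.loads(payload)
        except json.JSONDecodeError:
            return "other", {"raw": line}          # looks like JSON but is not
        if "event_type" in obj:                    # assumed marker for auditable events
            return "event", obj
        if "src_ip" in obj and "dst_ip" in obj:    # assumed marker for flow summaries
            return "flow_summary", obj
        return "other", obj
    kv = dict(KV_RE.findall(payload))
    if kv and prog.endswith("system_health"):      # key=value health message
        return "health", kv
    return "other", {"raw": line}

def enrich_flow(flow, wl_index):
    """Add hostname and labels for each end whose IP is a known workload interface."""
    out = dict(flow)
    for end in ("src", "dst"):
        wl = wl_index.get(flow.get(f"{end}_ip"))
        if wl:
            out[f"{end}_hostname"] = wl["hostname"]
            out[f"{end}_labels"] = wl["labels"]
    return out

# Constructed sample syslog lines (not captured from a real PCE)
SAMPLE_LINES = [
    '<14>Jan 10 12:00:01 pce1 illumio_pce/collector: {"src_ip": "10.0.1.10", '
    '"dst_ip": "10.0.2.20", "dst_port": 5432, "proto": 6, "policy_decision": "allowed"}',
    '<14>Jan 10 12:00:02 pce1 illumio_pce/agent: {"event_type": "user.login", "status": "success"}',
    '<14>Jan 10 12:00:03 pce1 illumio_pce/system_health: fqdn=pce1.example.com status=normal cpu_pct=12',
    '<14>Jan 10 12:00:04 pce1 sshd: Accepted publickey for ops from 10.0.9.9',
]

if __name__ == "__main__":
    idx = build_workload_index(SAMPLE_WORKLOADS, build_label_index(SAMPLE_LABELS))
    for line in SAMPLE_LINES:
        kind, data = classify(line)
        if kind == "flow_summary":
            data = enrich_flow(data, idx)
        print(kind, json.dumps(data))
```

Two design points carry over to a real deployment: a workload whose label href cannot be resolved keeps only the labels that did resolve, instead of inventing values, and a payload that looks like JSON but fails to parse is kept as an opaque "other" line rather than dropped, so nothing the PCE sent is silently lost.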