About the Illumio Technology Add-On for Splunk
The Illumio Technology Add-On for Splunk (TA) pulls data into Splunk and performs data normalization and enrichment. Illumio event fields are aliased and transformed to be compatible with the Common Information Model (CIM) so that they can be used with other Splunk products and add-ons.
The Illumio TA defines a custom Illumio modular input that can be configured on a standalone Splunk instance or Heavy Forwarder to retrieve data from the PCE. See Configure the Illumio Technology Add-On for Splunk.
The TA receives data from the Illumio Policy Compute Engine (PCE) in two forms:
Metadata pulled by the Illumio modular input from the PCE REST APIs
The Illumio modular input pulls Illumio object metadata and status information from the PCE over HTTPS. The input calls the following endpoints:
/api/v2/health
/api/v2/orgs/<org_id>/workload_settings (used to verify the org ID when validating the PCE connection configuration)
/api/v2/orgs/<org_id>/labels
/api/v2/orgs/<org_id>/workloads
/api/v2/orgs/<org_id>/sec_policy/active/ip_lists
/api/v2/orgs/<org_id>/sec_policy/active/services
/api/v2/orgs/<org_id>/sec_policy/active/rule_sets
Syslog events forwarded directly from the PCE (on-premises PCE) or pulled using a third-party add-on as described in this document (Illumio SaaS PCE)
Sourcetypes
The Illumio modular input writes to a user-configured Splunk index and predefined sourcetypes:
Sourcetype | Description |
---|---|
illumio:pce | Contains PCE auditable events written to Syslog. |
illumio:pce:health | Contains PCE system health events. |
illumio:pce:collector | Contains PCE network traffic flow events. |
Distributed Splunk Architecture
Install the Illumio Technology Add-On for Splunk on each tier of a distributed Splunk installation. For more information, see the Splunk documentation on where to install add-ons.
Heavy Forwarder: Configure Illumio modular input instances and TCP receivers to retrieve PCE data and forward it to the indexer/indexer cluster.
Indexer: Install on the indexer/indexer cluster to perform index-time filtering and transformations, including stripping the Syslog prefix for JSON-formatted events.
Search head: Install on the search head/search head cluster to perform search-time transformations such as lookups, field extractions, and field aliasing.
Field Extractions
The custom Illumio sourcetypes define field extractions to enhance event data at search time. Extractions and aliases modify field names and values for CIM compatibility as shown in the following table.
| Sourcetype | CIM Data Model | Tags | CIM Field | Illumio Field |
|---|---|---|---|---|
| illumio:pce | Authentication | authentication | action | "success" or "failure" |
| | | | app | "illumio_pce" |
| | | | src | action.src_ip |
| | | | user | resource.user.username OR notifications.info.*user.username |
| | | | src_user | created_by.user.username |
| | All Change | change | change_type | same as object_category |
| | | | dest | pce_fqdn |
| | | | dest_host | pce_fqdn |
| | | | object | object name or value |
| | | | object_category | object type (such as workload or rule_set) |
| | | | object_id | object HREF |
| | | | src | action.src_ip |
| | | | status | status |
| | | | user | created_by.user.username |
| | | | user_name | alias for user |
| | | | vendor_product | "illumio:pce" |
| | | | src_user | created_by.user.username |
| | Network Changes | change network | action | "modified" |
| | Auditing Changes | change audit | action | "created", "updated", or "deleted" |
| | Account Management | change account | action | "created", "updated", "deleted", or "modified" |
| | | | user | resource.user.username OR notifications.info.*user.username |
| illumio:pce:collector | Network Traffic | network communicate | action | "allowed", "potentially-blocked", "blocked", or "unknown" |
| | | | app | "illumio_pce" |
| | | | bytes | tbi + tbo |
| | | | bytes_in | tbi |
| | | | bytes_out | tbo |
| | | | dest | dst_ip |
| | | | dest_ip | dst_ip |
| | | | dest_host | dst_hostname |
| | | | dest_port | dst_port |
| | | | direction | "inbound", "outbound", or "unknown" |
| | | | dvc | pce_fqdn |
| | | | protocol_version | version |
| | | | src | src_ip |
| | | | src_ip | src_ip |
| | | | src_host | src_hostname |
| | | | transport | proto |
| | | | user | un |
| | | | vendor_product | "illumio:pce" |
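The following is an added example, not code from the Illumio TA, that shows the two stages described above working together: the index-time step that strips the syslog prefix from a JSON-formatted PCE event, and the search-time aliasing from the table that maps Illumio fields to CIM names. The two sample lines are constructed, the syslog header layout, the policy-decision (pd) codes, the dir flag values and the rule used to tell flow records from auditable events are assumptions (they are not stated on this page), and the CIM names and Illumio source fields are taken from the table.

```python
"""Strip the syslog prefix from PCE events and map fields to CIM names.

Added example, not code from the Illumio TA. The syslog header layout, the
policy-decision (pd) codes, the dir flag and the collector/auditable
heuristic are assumptions; the CIM names and Illumio source fields follow
the field extraction table.
"""
import json
from typing import Any, Dict, Optional

# Constructed sample lines: a syslog header followed by the PCE JSON body.
SAMPLE_COLLECTOR_LINE = (
    '<14>Jan 14 10:22:31 pce1 illumio_pce/collector[1234]: '
    '{"src_ip":"10.0.0.5","dst_ip":"10.0.1.9","dst_port":443,"proto":6,'
    '"tbi":1200,"tbo":34000,"pd":2,"dir":"I","un":"svc_web",'
    '"src_hostname":"web01","dst_hostname":"db01","version":4,'
    '"pce_fqdn":"my.pce.com"}'
)
SAMPLE_PCE_LINE = (
    '<14>Jan 14 10:23:02 pce1 illumio_pce/agent[1234]: '
    '{"event_type":"user.login","status":"failure","pce_fqdn":"my.pce.com",'
    '"action":{"src_ip":"203.0.113.7"},'
    '"resource":{"user":{"username":"admin@example.com"}}}'
)

# Assumed pd code -> CIM action mapping (anything else becomes "unknown").
POLICY_DECISION = {0: "allowed", 1: "potentially-blocked", 2: "blocked"}
# Assumed dir flag -> CIM direction mapping.
DIRECTION = {"I": "inbound", "O": "outbound"}


def strip_syslog_prefix(line: str) -> Optional[Dict[str, Any]]:
    """Return the JSON body of a syslog line, or None if it has none.

    This is the index-time step the indexer tier performs: everything up to
    the first '{' is syslog framing and is dropped before the JSON is parsed.
    """
    start = line.find("{")
    if start == -1:
        return None
    try:
        body = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) else None


def get_path(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as 'created_by.user.username'."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def normalize(line: str) -> Optional[Dict[str, Any]]:
    """Apply the search-time aliases from the table to one raw syslog line."""
    ev = strip_syslog_prefix(line)
    if ev is None:
        return None
    # Assumed heuristic: only flow records carry src_ip and dst_ip at top level.
    if "src_ip" in ev and "dst_ip" in ev:
        tbi, tbo = ev.get("tbi", 0), ev.get("tbo", 0)
        return {
            "sourcetype": "illumio:pce:collector",
            "action": POLICY_DECISION.get(ev.get("pd"), "unknown"),
            "app": "illumio_pce",
            "bytes": tbi + tbo,
            "bytes_in": tbi,
            "bytes_out": tbo,
            "dest": ev.get("dst_ip"),
            "dest_ip": ev.get("dst_ip"),
            "dest_host": ev.get("dst_hostname"),
            "dest_port": ev.get("dst_port"),
            "direction": DIRECTION.get(ev.get("dir"), "unknown"),
            "dvc": ev.get("pce_fqdn"),
            "protocol_version": ev.get("version"),
            "src": ev.get("src_ip"),
            "src_ip": ev.get("src_ip"),
            "src_host": ev.get("src_hostname"),
            "transport": ev.get("proto"),
            "user": ev.get("un"),
            "vendor_product": "illumio:pce",
        }
    # Auditable event: the acting user is under resource.user for
    # authentication events and under created_by.user for change events.
    return {
        "sourcetype": "illumio:pce",
        "app": "illumio_pce",
        "status": ev.get("status"),
        "src": get_path(ev, "action.src_ip"),
        "dest": ev.get("pce_fqdn"),
        "dest_host": ev.get("pce_fqdn"),
        "user": get_path(ev, "resource.user.username")
        or get_path(ev, "created_by.user.username"),
        "src_user": get_path(ev, "created_by.user.username"),
        "vendor_product": "illumio:pce",
    }


if __name__ == "__main__":
    for raw in (SAMPLE_COLLECTOR_LINE, SAMPLE_PCE_LINE):
        print(json.dumps(normalize(raw), indent=2))
```

Run it to see both normalized records. The point to take from it is the division of labour in the distributed architecture: the prefix strip must happen on the tier that indexes (otherwise the stored `_raw` is not valid JSON and the search-time extractions fail), while the aliasing is cheap to repeat at search time and so lives on the search head.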
Workload Quarantine Action
The Illumio Technology Add-On for Splunk provides a scripted alert action to move a workload into a configured quarantine zone. You must first define the policy and labels for this quarantine zone on the PCE.
The action takes the following parameters:
workload_href - PCE workload HREF of the workload to move into quarantine.
pce_fqdn - PCE fully qualified domain name.
org_id - PCE organization ID. Defaults to 1.
When triggered, the alert action script looks up the modular input matching the given pce_fqdn and org_id and uses the configured PCE connection details when updating the specified workload.
Note
For the action to run successfully, the API key configured for the input must have write permission for workloads. The same key is also used for the read-only metadata pulls, so grant write permission only to the key of the input that serves quarantine, and prefer a read-only key for any other inputs.
Manually Trigger Quarantine
The following search can be run from the Splunk UI to quarantine the workload with the specified HREF (the workload HREF is a single path with no spaces):
| makeresults count=1 | sendalert illumio_quarantine param.workload_href="/orgs/1/workloads/00f13a7b-0386-4943-a96c-cfd71d4096dd" param.pce_fqdn="my.pce.com" param.org_id=1
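The following is an added example, not the TA's own alert action script or modular input code. It covers two passages of this page in one place: the connection check the modular input performs against /api/v2/health and /api/v2/orgs/<org_id>/workload_settings, and the quarantine step that the alert action performs with that input's connection details. Assumptions not stated on the page: PCE API keys are sent as HTTP Basic credentials (key ID as username, secret as password); a workload is quarantined by replacing its labels with the quarantine label HREFs via a PUT on the workload HREF; the quarantine label HREFs, the hostname, the key ID and the secret are placeholders; and the HTTP transport is injected so the example runs offline against the constructed `fake_pce` at the bottom rather than a real PCE.

```python
"""Validate a PCE connection as the modular input does, then quarantine a
workload as the alert action does.

Added example, not code from the Illumio TA. Assumptions: Basic auth with
the API key ID and secret; quarantine = PUT the quarantine label HREFs onto
the workload; transport is injected so this runs offline against fake_pce.
"""
import base64
import json
import re
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib import error, request

# transport(method, url, headers, body) -> (HTTP status, response bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]
# A workload HREF is /orgs/<org_id>/workloads/<uuid>; the org must match ours.
WORKLOAD_HREF = re.compile(r"^/orgs/(\d+)/workloads/[0-9a-f-]{36}$")


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport. Certificate verification stays on by default;
    do not turn it off to make a self-signed PCE certificate "work"."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


class PceClient:
    def __init__(self, pce_fqdn: str, org_id: int, api_key: str, api_secret: str,
                 transport: Transport = urllib_transport, port: int = 443) -> None:
        self.base = f"https://{pce_fqdn}:{port}"
        self.org_id = int(org_id)
        token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, payload: Any = None) -> Tuple[int, Any]:
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base + path, self.headers, body)
        try:
            return status, (json.loads(raw) if raw else None)
        except json.JSONDecodeError:  # e.g. an HTML error page from a proxy
            return status, raw.decode(errors="replace")

    def validate_connection(self) -> Tuple[bool, str]:
        """Check reachability, credentials and org ID, in that order."""
        status, _ = self._call("GET", "/api/v2/health")
        if status != 200:
            return False, f"health check returned HTTP {status}"
        status, _ = self._call("GET", f"/api/v2/orgs/{self.org_id}/workload_settings")
        if status == 401:
            return False, "API key or secret rejected"
        if status in (403, 404):
            return False, f"org_id {self.org_id} not accessible with this key"
        if status != 200:
            return False, f"workload_settings returned HTTP {status}"
        return True, "ok"

    def quarantine_workload(self, workload_href: str, quarantine_label_hrefs: List[str]) -> bool:
        """Replace the workload's labels with the quarantine labels.

        The HREF is validated against this client's org before any request
        is sent, so an alert carrying a malformed or foreign HREF never
        reaches the PCE with this key.
        """
        match = WORKLOAD_HREF.match(workload_href)
        if not match or int(match.group(1)) != self.org_id:
            raise ValueError(f"{workload_href!r} is not a workload HREF in org {self.org_id}")
        payload = {"labels": [{"href": href} for href in quarantine_label_hrefs]}
        status, data = self._call("PUT", "/api/v2" + workload_href, payload)
        if status == 403:  # the failure mode the note above warns about
            raise PermissionError("API key lacks write permission for workloads")
        if status not in (200, 204):
            raise RuntimeError(f"workload update failed with HTTP {status}: {data}")
        return True


def fake_pce(method, url, headers, body):
    """Constructed stand-in for a PCE: one valid key, org 1, any workload."""
    good = "Basic " + base64.b64encode(b"api_1234:secret").decode()
    if headers.get("Authorization") != good:
        return 401, b'{"token":"unauthorized"}'
    if method == "GET" and url.endswith("/api/v2/health"):
        return 200, b'{"status":"normal"}'
    if method == "GET" and url.endswith("/api/v2/orgs/1/workload_settings"):
        return 200, b"{}"
    if method == "PUT" and "/api/v2/orgs/1/workloads/" in url:
        return 200, body or b"{}"
    return 404, b'{"error":"not found"}'


if __name__ == "__main__":
    client = PceClient("my.pce.com", 1, "api_1234", "secret", transport=fake_pce)
    print(client.validate_connection())
    print(client.quarantine_workload(
        "/orgs/1/workloads/00f13a7b-0386-4943-a96c-cfd71d4096dd", ["/orgs/1/labels/42"]))
```

To run it against a real PCE, drop the `transport=fake_pce` argument and supply your PCE hostname, org ID and key. The order of checks in `validate_connection` mirrors what the page says the input does with `workload_settings`: a key can authenticate (health returns 200) and still be unable to see the org you typed, which shows up as 403 or 404 on the org-scoped endpoint rather than as 401.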