Workload Quarantine Action

Note

The information in this topic applies to Illumio Technology Add-On for Splunk version 4.0.1.

Illumio Technology Add-On for Splunk version 4.0.1 provides a scripted alert action to move a workload into a configured quarantine zone.

Important

You must first define the policy and labels for this quarantine zone on the PCE.

The action takes the following parameters:

  • workload_href: This is the PCE workload HREF of the workload to move into quarantine.

  • pce_fqdn: The PCE fully-qualified domain name.

  • org_id: This is the PCE organization ID. The value defaults to 1.

When triggered, the alert action script looks up the modular input matching the given pce_fqdn and org_id and uses the configured PCE connection details while updating the specified workload.

Important

For the action to run successfully, you must configure the API key for the input to have write permissions for workloads.

Run the Action Manually

Run this search query from the Splunk UI to quarantine the workload with the specified HREF:

| makeresults 1 | sendalert illumio_quarantine param.workload_href="/orgs/1/workloads/00f13a7b-0386-4943-a96c-cfd71d4096dd" param.pce_fqdn="my.pce.com" param.org_id=1
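
When the three parameters are filled in by automation rather than typed by hand, they can be checked before the search string is assembled. The following is an added example, not code from the add-on: `build_quarantine_search` is a hypothetical helper, the HREF pattern is inferred from the sample HREF above, and the rule that the org in the HREF must equal org_id is an assumption.

```python
import re

# Shape inferred from the sample HREF on this page: /orgs/<org>/workloads/<UUID>.
# Lowercase hex only is an assumption based on that sample.
HREF_RE = re.compile(
    r"/orgs/([0-9]+)/workloads/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
)
# Conservative hostname check: dot-separated labels, no quotes or whitespace.
FQDN_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def build_quarantine_search(workload_href, pce_fqdn, org_id=1):
    """Return the sendalert search string, or raise ValueError on bad input."""
    org_text = str(org_id).strip()
    if not re.fullmatch(r"[0-9]+", org_text):
        raise ValueError(f"org_id is not a non-negative integer: {org_id!r}")
    org = int(org_text)  # the page documents 1 as the default

    href = str(workload_href).strip()
    match = HREF_RE.fullmatch(href)
    if match is None:
        raise ValueError(f"not a workload HREF: {workload_href!r}")
    # Assumption: a workload HREF belongs to the org named by org_id.
    if int(match.group(1)) != org:
        raise ValueError("org in workload_href does not match org_id")

    fqdn = str(pce_fqdn).strip()
    if len(fqdn) > 253 or FQDN_RE.fullmatch(fqdn) is None:
        raise ValueError(f"not a fully-qualified domain name: {pce_fqdn!r}")

    # Every value has been matched in full against a strict pattern, so none
    # can contain a quote or pipe that would change the search.
    return (
        "| makeresults 1 | sendalert illumio_quarantine "
        f'param.workload_href="{href}" '
        f'param.pce_fqdn="{fqdn}" param.org_id={org}'
    )


if __name__ == "__main__":
    # Constructed input: the sample values from this page.
    print(build_quarantine_search(
        "/orgs/1/workloads/00f13a7b-0386-4943-a96c-cfd71d4096dd", "my.pce.com"))
```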