Application Functionality
This section provides information about data collection, logs, and visualizations in the Illumio Application for QRadar.
Data Collection
The application has two sources for receiving data:
● API
● Syslog Port
From the API, the application fetches labels and stores them in a reference table. This data is used to populate the label filters on the dashboards. The application uses Asynchronous Labels REST API calls to get data from the Illumio PCE server. These REST API calls are made from Python scripts in the application, which run on a schedule you can define.
QRadar parses the data it receives from the application using a suitable log source. The log source is made up of two components:
● APIs
● Protocols
APIs in the Log Source
These APIs are used to fetch label data:
● Asynchronous Labels API: https://<PCE_URL_DOMAIN>/api/v2/orgs/<ORG_ID>/labels. It fetches labels from each PCE that is configured and enabled at that instance.
● Labels Location API: https://<PCE_URL_DOMAIN>/api/v2/orgs/<ORG_ID>/jobs/<LOCATION>
Note
PCE API version 2 is used to implement the Asynchronous Labels API.
This is an example response from the Asynchronous Labels API. It returns two role labels, "Web" and "Database":
[
  {
    "href": "/orgs/1/labels/1", "key": "role", "value": "Web",
    "created_at": "2017-04-12T22:02:02.953Z", "updated_at": "2017-04-12T22:02:02.953Z",
    "created_by": { "href": "/users/0" }, "updated_by": { "href": "/users/0" }
  },
  {
    "href": "/orgs/1/labels/2", "key": "role", "value": "Database",
    "created_at": "2017-04-12T22:02:02.960Z", "updated_at": "2017-04-12T22:02:02.960Z",
    "created_by": { "href": "/users/0" }, "updated_by": { "href": "/users/0" }
  }
]
After the application gets the list of labels using the Asynchronous Labels API, it saves the response in QRadar's reference table in the following format:
{
  "https://<hostname>:8443/orgs/1/labels/1": {
    "updated_by": "{u'href': u'/users/0'}", "created_at": "1502975663000", "updated_at": "1502975663000",
    "created_by": "{u'href': u'/users/0'}", "href": "/orgs/1/labels/1", "value": "Web", "key": "role"
  },
  "https://<hostname>:8443/orgs/1/labels/2": {
    "updated_by": "{u'href': u'/users/0'}", "created_at": "1502975663000", "updated_at": "1502975663000",
    "created_by": "{u'href': u'/users/0'}", "href": "/orgs/1/labels/2", "value": "Database", "key": "role"
  }
}
The primary key is https://<hostname>:8443/orgs/1/labels/1, which is the combination of the PCE link (hostname and port) and the href of the particular label. This primary key provides a unique identifier in the "labels" reference table for each PCE configured.
The created_at and updated_at timestamps are stored in epoch format, as QRadar requires.
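The transformation described above, written out as an added example (not the application's own code): it takes the Asynchronous Labels API response, builds the reference-table entries keyed by PCE link plus label href, converts the timestamps to epoch milliseconds, and shows that labels from two PCEs with identical hrefs do not collide. The sample response is constructed from the two labels shown above; the hostnames are placeholders, and nested objects are flattened with JSON here, whereas the page's output shows a Python 2 dict repr.

```python
import calendar
import json
from datetime import datetime

# Constructed sample: the two role labels from the API response shown above.
SAMPLE_RESPONSE = [
    {"href": "/orgs/1/labels/1", "key": "role", "value": "Web",
     "created_at": "2017-04-12T22:02:02.953Z", "updated_at": "2017-04-12T22:02:02.953Z",
     "created_by": {"href": "/users/0"}, "updated_by": {"href": "/users/0"}},
    {"href": "/orgs/1/labels/2", "key": "role", "value": "Database",
     "created_at": "2017-04-12T22:02:02.960Z", "updated_at": "2017-04-12T22:02:02.960Z",
     "created_by": {"href": "/users/0"}, "updated_by": {"href": "/users/0"}},
]


def iso_to_epoch_ms(ts):
    """Convert a PCE timestamp (with or without fractional seconds) to an epoch-millisecond string."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            dt = datetime.strptime(ts, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised PCE timestamp: {ts!r}")
    # timegm treats the tuple as UTC, which is what the trailing 'Z' means.
    return str(calendar.timegm(dt.timetuple()) * 1000 + dt.microsecond // 1000)


def build_reference_table(pce_host, pce_port, labels):
    """Key each label by PCE link (host:port) + href, as the reference table does."""
    pce_link = f"https://{pce_host}:{pce_port}"
    table = {}
    for label in labels:
        table[pce_link + label["href"]] = {
            "href": label["href"],
            "key": label["key"],
            "value": label["value"],
            "created_at": iso_to_epoch_ms(label["created_at"]),
            "updated_at": iso_to_epoch_ms(label["updated_at"]),
            # Reference-table values are flat strings; nested objects are serialised (assumed JSON here).
            "created_by": json.dumps(label["created_by"]),
            "updated_by": json.dumps(label["updated_by"]),
        }
    return table


def merge_pces(pces):
    """Combine the label tables of several configured PCEs; the PCE link in the key keeps them distinct."""
    merged = {}
    for host, port, labels in pces:
        merged.update(build_reference_table(host, port, labels))
    return merged
```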
Protocol in the Log Source
The protocol defines how data is communicated to QRadar. Data is forwarded to the Syslog port of QRadar from the PCE.