Illumio On-Premises PCE Support for Microsoft Sentinel
Illumio Sentinel Solution can now receive events from the Illumio On-Premises PCE. All of the Illumio Sentinel Integration features, such as Analytics Rules and Workbooks, now support On-Premises PCE events.
Note
Illumio On-Premises PCE version 24.2.10 and later is supported.
Configure the Illumio On-Premises PCE to Forward Events to Illumio Sentinel Solution
Use the following procedure to configure the On-Premises PCE to forward events to Illumio Sentinel Solution.
Navigate to Sentinel > Content Hub > Install Syslog solution.
After you have installed Syslog solution, install the Syslog via AMA data connector.
Use one of the following options to forward events:
Set up a virtual machine in Azure (Windows or Linux) to collect events and forward them to Sentinel.
Set up a system outside of the Azure environment to collect events and forward them to Sentinel.
For virtual machines set up outside the Azure environment, see Install and Manage the Azure Monitor Agent.
While you configure Syslog via AMA, select Create a data collection rule. You must create a data collection rule that is separate from the one that you created for the SaaS PCE. After you have created the rule, you can select the VM to collect the events from if the VM is within the Azure environment.
After you create the data collection rule, run the script shown in the preceding image on the VM.
Make sure that the data collection rule and the VM are in the same region (such as us-west-2).
Next, you need to configure the PCE.
Configure the PCE for the Illumio Sentinel Solution
Within the PCE, navigate to Event Settings.

Select Add > Add Repository.
Input the IP address of the VM and specify the port as 514 TCP.
If TLS is enabled, make sure to upload the trusted CA bundle and save the setting. If the PCE can communicate with the VM, then you have successfully saved the setting.
Log into the VM using a secure connection and check /var/log/syslog/<appropriate directory for your OS> to see the events that the PCE is forwarding.
Next, make sure that the data collection rule has a virtual machine selected under Resources and that Linux Syslog is a data source:
After you configure event forwarding to Syslog via AMA, do the following:
Navigate to Sentinel > Logs.
Run the following queries:
Syslog | where SyslogMessage has 'illumio_pce/agent'
Syslog | where SyslogMessage has 'illumio_pce/collector'
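The check on the VM and the two Sentinel queries above look for the same two program tags, illumio_pce/agent and illumio_pce/collector. The following script is an added example (not Illumio's or Microsoft's code) that performs the equivalent check locally on the collector VM before the data collection rule is involved: it parses syslog lines, counts events per PCE tag, and reports which tag is missing, which usually points at the repository setting on the PCE or at a filtered facility in the data collection rule. The syslog sample is constructed, and the line layout (BSD-style timestamp, host, program tag, JSON message) is an assumption about how rsyslog on the VM writes the forwarded events.

```python
import json
import re
from collections import Counter

# Constructed sample of lines the collector VM might hold after the PCE repository
# is configured (port 514 TCP). Not captured from a real PCE; layout is assumed.
SAMPLE_SYSLOG = """\
Jun  3 10:14:02 pce-core0 illumio_pce/agent: {"event_type":"agent.tampering","severity":"warning"}
Jun  3 10:14:05 pce-core0 illumio_pce/collector: {"src_ip":"10.0.1.5","dst_ip":"10.0.2.9","dst_port":443,"pd":0}
Jun  3 10:14:07 pce-core0 illumio_pce/agent: {"event_type":"user.login","severity":"info"}
Jun  3 10:14:09 pce-core0 sshd[2201]: Accepted publickey for azureuser from 10.0.0.4 port 51234
Jun  3 10:14:11 pce-core0 illumio_pce/collector: {"src_ip":"10.0.1.7","dst_ip":"10.0.2.9","dst_port":22,"pd":2}
"""

# The same two program tags the Sentinel queries search for in SyslogMessage.
PCE_TAGS = ("illumio_pce/agent", "illumio_pce/collector")

# timestamp, host, program tag (optional [pid]), then the message body
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def pce_events(lines):
    """Yield (tag, decoded JSON body) for PCE lines; skip other programs and bad JSON."""
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["tag"] not in PCE_TAGS:
            continue
        try:
            yield rec["tag"], json.loads(rec["msg"])
        except json.JSONDecodeError:
            continue


def count_pce_events(lines):
    """Count forwarded events per PCE program tag (what the two queries would return)."""
    return Counter(tag for tag, _ in pce_events(lines))


def forwarding_check(lines):
    """Return (ok, missing_tags). A tag with zero events means that event source
    is not reaching the VM, so the Sentinel query for it would return nothing."""
    counts = count_pce_events(lines)
    missing = [t for t in PCE_TAGS if counts[t] == 0]
    return (not missing, missing)


if __name__ == "__main__":
    # Run against the real file on the VM, e.g. /var/log/syslog, instead of the sample.
    lines = SAMPLE_SYSLOG.splitlines()
    print(dict(count_pce_events(lines)))
    ok, missing = forwarding_check(lines)
    print("forwarding ok" if ok else f"missing events from: {missing}")
```

The JSON body is decoded only for lines carrying a PCE tag, so a noisy host log does not slow the check down, and a malformed body is skipped rather than aborting the run.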
Note
Version 3.4.0 includes two new parsers, IllumioSyslogAuditEvents and IllumioSyslogNetworkTrafficEvents. These parsers are part of workspace functions.
About the Illumio OnPrem Health Workbook
This workbook provides a summary of the PCE's health. It also contains sections about Disk Latency, Traffic Ingestion Stats, VEN Heartbeat Stats, VEN Policy Stats, Traffic Database Summary, and Policy Database Summary, as shown in the following figure:

The workbook uses a function app to make HTTP requests to the PCE, so configure the workbooks to invoke a custom HTTP endpoint:
Open the OnPrem Health workbook and click Edit next to the Illumio Health parameter.
Select the Illumio_Health parameter and click the edit (pencil) icon.
Edit the Custom Endpoint Query URL to point to the HTTP trigger in the function app that has been deployed:
Navigate to the function app and select OnPremHealthFunctionApp.
Select Get Function App, copy the URL, and replace the value in the URL field for Custom Endpoint Query.
Every time the workbook refreshes or reloads, it will invoke the HTTP trigger function and make the API call to pull the Illumio_Health information from the PCE.
The Illumio OnPrem Health workbook provides a summary of the health of the PCE. It also contains sections for Disk Latency, Traffic Ingestion Stats, VEN Heartbeat Stats, VEN Policy Stats, Traffic Database Summary, and Policy Database Summary.
All workbooks now include a drop-down list to select which PCE you want to load the stats for.

A hidden parameter has also been added to each workbook to help you decide which table should be parsed for events at runtime.

Changes to the Function App
To add context to the PCE, add the following environment variables to the function app:
ONPREM_API_KEY
ONPREM_API_SECRET
ONPREM_PCE_FQDN
ONPREM_PCE_ORGID
ONPREM_PCE_PORT
For example:
ONPREM_API_KEY: <api_>
ONPREM_API_SECRET: <secret>
ONPREM_PCE_FQDN: <devtest0.ilabs.io>
ONPREM_PCE_ORGID: 1
ONPREM_PCE_PORT: 443
Note that each workbook now has a selector for PCE FQDN. For example, if you have an On-Premises PCE and a SaaS PCE, you can use either PCE instance to view stats. The logic for choosing the relevant PCE is fetched from the Illumio_Workloads_Summarized_API_CL custom table. The TimedApiFunctionApp updates this table every hour. If this table is empty and you want to see the workbooks right away, you can force the function to run manually to update the table. After that, the workbook widgets should display data.
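The function app reads the five ONPREM_* settings above and uses them to call the PCE. The following is an added example, not the code of the Illumio function app, showing how such a function can validate those settings before making the request: every variable must be present, the port and org ID must be numeric, the FQDN must be a bare hostname, and the key and secret are never written to logs. HTTP Basic authentication with the API key as the user name and the secret as the password is how PCE API credentials are presented; the /api/v2/health path and the Accept header are assumptions about the PCE health endpoint, and the environment values are constructed.

```python
import base64
import json
import os
from urllib.request import Request, urlopen

REQUIRED_VARS = (
    "ONPREM_API_KEY",
    "ONPREM_API_SECRET",
    "ONPREM_PCE_FQDN",
    "ONPREM_PCE_ORGID",
    "ONPREM_PCE_PORT",
)
SECRET_KEYS = ("api_key", "api_secret")


class ConfigError(ValueError):
    """Raised when the function app settings are missing or malformed."""


def load_pce_config(env):
    """Validate the ONPREM_* settings and return a plain config dict."""
    missing = [v for v in REQUIRED_VARS if not env.get(v, "").strip()]
    if missing:
        raise ConfigError("missing function app settings: " + ", ".join(missing))
    fqdn = env["ONPREM_PCE_FQDN"].strip().lower()
    if "/" in fqdn or ":" in fqdn or " " in fqdn:
        raise ConfigError("ONPREM_PCE_FQDN must be a bare hostname, not a URL")
    try:
        port = int(env["ONPREM_PCE_PORT"])
        org_id = int(env["ONPREM_PCE_ORGID"])
    except ValueError as exc:
        raise ConfigError("ONPREM_PCE_PORT and ONPREM_PCE_ORGID must be integers") from exc
    if not 1 <= port <= 65535:
        raise ConfigError(f"ONPREM_PCE_PORT out of range: {port}")
    return {
        "api_key": env["ONPREM_API_KEY"].strip(),
        "api_secret": env["ONPREM_API_SECRET"].strip(),
        "fqdn": fqdn,
        "org_id": org_id,
        "port": port,
    }


def health_url(cfg):
    """Assumed PCE health endpoint; always HTTPS so TLS verification applies."""
    return f"https://{cfg['fqdn']}:{cfg['port']}/api/v2/health"


def auth_header(cfg):
    """HTTP Basic value: API key as user name, API secret as password."""
    raw = f"{cfg['api_key']}:{cfg['api_secret']}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def redacted(cfg):
    """Copy of the config safe to log: credentials replaced, everything else kept."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in cfg.items()}


def fetch_health(cfg, opener=urlopen, timeout=10):
    """Call the health endpoint and return the decoded JSON. `opener` is injectable
    so the function can be exercised without network access."""
    req = Request(
        health_url(cfg),
        headers={"Authorization": auth_header(cfg), "Accept": "application/json"},
    )
    with opener(req, timeout=timeout) as resp:  # urlopen verifies the server cert by default
        return json.load(resp)


if __name__ == "__main__":
    cfg = load_pce_config(os.environ)
    print("using PCE config:", redacted(cfg))  # never print cfg itself
    print(fetch_health(cfg))
```

In a real function app, `os.environ` is populated from the application settings, and the injectable `opener` lets the request path be tested against a stub response while the deployed code keeps the default TLS-verifying `urlopen`.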
Changes to Analytics Rules
As of version 3.4.0, each Analytics Rule can query both syslog and custom tables for events and then raise incidents.
