Prerequisites for the Illumio Sentinel Solution
These are the prerequisites for installing and using the Illumio Sentinel Solution.
An AWS S3 bucket and SQS queue
- If Illumio provides the S3 bucket, contact Illumio for the AWS credentials and the SQS URL.
- If you provide the S3 bucket, you must deploy it with the CloudFormation template in "Use the AWS CloudFormation Template" below, and configure an AWS SQS queue for the bucket so that the queue receives notifications for the events the PCE writes to the bucket. For more information about configuring S3 buckets, see Configuring a bucket for notifications.
- Ensure that you have the AWS credentials and the SQS URL.
PCE event forwarding to the S3 bucket
- For an on-premises PCE, configure forwarding in the PCE UI: Syslog Forwarding.
- For SaaS PCE users, open a ticket with Illumio Support to configure event forwarding.
PCE API access
- Obtain the PCE FQDN, org ID, API username, and client secret. Either contact Illumio for them, or log in to the PCE UI and generate an API key.
Azure resources
- A resource group to host all Azure objects. See Use the Azure portal and Azure Resource Manager to manage resource groups.
- A Log Analytics workspace. See Create a Log Analytics workspace. Define a Log Analytics workspace in Azure and deploy Sentinel in that workspace.
- A Microsoft Entra application. Define a Microsoft Entra (formerly AAD) application to authenticate to the Logs Ingestion API. See Create a Microsoft Entra application for information about how to deploy the application.
- Privileges to create all the resources. See Microsoft Entra built-in roles. Users who deploy this solution in Azure need either owner rights or contributor rights plus the Role-Based Access Control Administrator and Application Developer roles for Microsoft Entra.
Use the AWS CloudFormation Template
Use the following AWS CloudFormation template to set up the AWS S3 bucket objects.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Flow log bucket",
  "Parameters": {
    "Bucketname": { "Type": "String" },
    "Externalid": { "Type": "String", "Default": "528298" }
  },
  "Resources": {
    "FlowbucketAwsS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": { "BucketName": { "Ref": "Bucketname" } }
    },
    "IllumioFlowLogsAwsIamRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "illumio-flow-logs",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {
            "Effect": "Allow",
            "Principal": { "AWS": "857003445768" },
            "Action": [ "sts:AssumeRole" ],
            "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "Externalid" } } }
          }
        },
        "Policies": [
          {
            "PolicyName": "can-see-bucket",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": {
                "Effect": "Allow",
                "Sid": "illumioCanSeeBucket",
                "Action": [ "s3:ListBucket", "s3:ListBucketVersions" ],
                "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "Bucketname" } ] ] }
              }
            }
          },
          {
            "PolicyName": "can-use-bucket",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": {
                "Effect": "Allow",
                "Sid": "illumioCanPutAndGet",
                "Action": [ "s3:PutObject", "s3:GetObject" ],
                "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "Bucketname" }, "/*" ] ] }
              }
            }
          }
        ]
      }
    }
  }
}
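Before creating the stack, it is worth confirming what the template actually grants: the role should be assumable only by the single Illumio account, only when the ExternalId matches, and its S3 permissions should touch nothing but the named bucket. The following added example (not Illumio's code) embeds the template above and runs those checks offline; the bucket name in PARAMS is a constructed placeholder, and the Ref and Fn::Join resolver handles only the two intrinsics this template uses.

```python
"""Pre-deployment review of the illumio-flow-logs CloudFormation template.

Added example, not Illumio's code. Reports any deviation from the expected
least-privilege shape: single trusted principal, ExternalId condition present,
and S3 actions and resources limited to the flow-log bucket.
"""
import json

# The template from this page, stored compactly so the check runs offline.
TEMPLATE_JSON = """
{"AWSTemplateFormatVersion": "2010-09-09", "Description": "Flow log bucket",
 "Parameters": {"Bucketname": {"Type": "String"},
                "Externalid": {"Type": "String", "Default": "528298"}},
 "Resources": {
  "FlowbucketAwsS3Bucket": {"Type": "AWS::S3::Bucket",
   "Properties": {"BucketName": {"Ref": "Bucketname"}}},
  "IllumioFlowLogsAwsIamRole": {"Type": "AWS::IAM::Role", "Properties": {
   "RoleName": "illumio-flow-logs",
   "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": {
     "Effect": "Allow", "Principal": {"AWS": "857003445768"},
     "Action": ["sts:AssumeRole"],
     "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "Externalid"}}}}},
   "Policies": [
    {"PolicyName": "can-see-bucket", "PolicyDocument": {"Version": "2012-10-17",
     "Statement": {"Effect": "Allow", "Sid": "illumioCanSeeBucket",
      "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
      "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "Bucketname"}]]}}}},
    {"PolicyName": "can-use-bucket", "PolicyDocument": {"Version": "2012-10-17",
     "Statement": {"Effect": "Allow", "Sid": "illumioCanPutAndGet",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "Bucketname"}, "/*"]]}}}}
   ]}}}}
"""

# Constructed parameter values; the bucket name is a placeholder.
PARAMS = {"Bucketname": "example-flow-logs", "Externalid": "528298"}

# Every action the template is expected to grant; anything else is a finding.
EXPECTED_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions",
                    "s3:PutObject", "s3:GetObject"}


def load_template():
    return json.loads(TEMPLATE_JSON)


def _as_list(value):
    # IAM accepts a single statement/action/resource or a list of them.
    return value if isinstance(value, list) else [value]


def _resolve(value, params):
    """Resolve the Ref and Fn::Join intrinsics this template uses."""
    if isinstance(value, dict):
        if "Ref" in value:
            return params[value["Ref"]]
        if "Fn::Join" in value:
            sep, parts = value["Fn::Join"]
            return sep.join(_resolve(p, params) for p in parts)
    return value


def check_template(template, params):
    """Return a list of findings; an empty list means the template passed."""
    findings = []
    role = template["Resources"]["IllumioFlowLogsAwsIamRole"]["Properties"]
    bucket_arn = "arn:aws:s3:::" + params["Bucketname"]

    for st in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
        equals = st.get("Condition", {}).get("StringEquals", {})
        # IAM condition key names are case-insensitive, so compare lowercased.
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext is None:
            findings.append("trust policy has no sts:ExternalId condition")
        elif _resolve(ext, params) != params["Externalid"]:
            findings.append("ExternalId condition does not use the Externalid parameter")

    for policy in role["Policies"]:
        for st in _as_list(policy["PolicyDocument"]["Statement"]):
            extra = set(_as_list(st["Action"])) - EXPECTED_ACTIONS
            if extra:
                findings.append(f"{policy['PolicyName']}: unexpected actions {sorted(extra)}")
            for res in _as_list(st["Resource"]):
                res = _resolve(res, params)
                if res not in (bucket_arn, bucket_arn + "/*"):
                    findings.append(f"{policy['PolicyName']}: resource {res} is not scoped to the bucket")
    return findings


if __name__ == "__main__":
    for finding in check_template(load_template(), PARAMS) or ["no findings"]:
        print(finding)
```

Run it against the saved illumio-flow-logs-template.json (replace load_template with a json.load of that file) whenever the template is edited; a wildcard Resource, an added action, or a removed ExternalId condition each produce a finding.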
Use the following procedure:
1. Save the template to a .json file, such as illumio-flow-logs-template.json.
2. From the AWS Console > CloudFormation service page, select Stacks, and note the current region, because the S3 bucket will be created in that region.
3. Select Create stack, and then select With new resources (standard).
4. Select Template is ready, upload the .json file that you created, and click Next.
5. Enter a name for the stack, such as illumio-flow-logs-s3-bucket-and-role.
6. Enter a bucket name. This name must be unique among all other S3 buckets in that region across all AWS customers. If it is not, stack creation fails with the "Bucketname already exists" error message.
7. Enter an external ID. For information about how and why to use an external ID, see How to Use External ID When Granting Access to Your AWS Resources.
8. Keep the default options for Configure stack options, and click Next.
9. Review your configuration, check the acknowledgment, and click Submit.
The bucket is created along with a role called illumio-flow-logs that has the appropriate permissions for the provided Illumio AWS account. You must also create a role for your SIEM to read objects from the bucket.
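The template above covers only the Illumio writer side. Two more pieces are needed for the SIEM side described in the prerequisites: the SQS queue policy that allows the bucket to publish object notifications, and the policy for the role the SIEM assumes to poll that queue and read objects. The following added example (not Illumio's code) builds both as plain IAM policy documents plus the bucket notification configuration. The queue ARN, bucket name and account ID are constructed placeholders; the reader policy deliberately grants no write actions on the bucket.

```python
"""Policy documents for the SIEM side of the flow-log pipeline.

Added example, not Illumio's code. Produces (1) the SQS queue policy that lets
only this bucket in this account send notifications, (2) the bucket
notification configuration, and (3) a read-only policy for the SIEM role.
"""
import json

# Constructed placeholders; substitute your own values.
ACCOUNT_ID = "111122223333"
BUCKET_NAME = "example-flow-logs"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:illumio-flow-logs"


def bucket_notification_queue_policy(queue_arn, bucket_name, account_id):
    """Queue policy: only the S3 service, acting for this bucket in this account, may send."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3ToSendEventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            # Both conditions are needed: SourceArn pins the bucket, SourceAccount
            # stops a same-named bucket in another account from satisfying the ArnLike.
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def bucket_notification_configuration(queue_arn):
    """NotificationConfiguration for the bucket: every new object goes to the queue."""
    return {
        "QueueConfigurations": [{
            "Id": "illumio-flow-logs-to-sqs",
            "QueueArn": queue_arn,
            "Events": ["s3:ObjectCreated:*"],
        }]
    }


def siem_reader_policy(queue_arn, bucket_name):
    """Read-only consumer: receive/delete queue messages, list the bucket, get objects."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ConsumeQueue", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
             "Resource": queue_arn},
            {"Sid": "ListFlowLogBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Sid": "ReadFlowLogObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": f"{bucket_arn}/*"},
        ],
    }


def actions_on(policy, resource):
    """Set of actions the policy allows on exactly this resource (no wildcard matching)."""
    allowed = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if resource in resources:
            allowed.update(actions)
    return allowed


if __name__ == "__main__":
    print(json.dumps(bucket_notification_queue_policy(QUEUE_ARN, BUCKET_NAME, ACCOUNT_ID), indent=2))
    print(json.dumps(bucket_notification_configuration(QUEUE_ARN), indent=2))
    print(json.dumps(siem_reader_policy(QUEUE_ARN, BUCKET_NAME), indent=2))
```

The printed documents are the inputs for the SQS queue policy, the bucket's notification configuration, and an inline policy on the SIEM role respectively; actions_on is the quick check that the reader role can fetch objects but cannot write or delete them, so a compromised SIEM credential cannot tamper with the evidence stream.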