The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio-secured data center.

The Illumio App for Splunk provides seven visibility dashboards. With east-west traffic visibility, staff can pinpoint potential attacks and identify compromised workloads with the Security Operations dashboard. Using the PCE Operations dashboards, admins get a single pane of glass to monitor the health of all deployed and managed PCEs. The PCE Authentication Events dashboard allows admins to track PCE access. The Workload Operations and Workload Investigations dashboards provide visibility into VENs, with details on workloads that potentially require manual intervention. The Traffic Explorer dashboard provides visualization of traffic flows. The Change Monitoring dashboard provides an easy way to view PCE creates, deletes, and updates.

This app uses the data input and CIM mapping provided by the Illumio TA for Splunk. Please install the Illumio TA for Splunk first.

Note: The Illumio App for Splunk is shipped with Data Model Acceleration disabled, which you can enable to use the full range of the app's capabilities. See the app README for details.

IMPORTANT: In v4.0, Syslog prefixes are stripped at index-time for JSON-formatted events. In addition, there are changes in the data schema. Due to these changes, the search-time extractions and transforms for version 4.0.0 are incompatible with data indexed by previous versions of the TA. See the Upgrade Instructions in the README for more detailed instructions to continue using data collected from an earlier version, and to reconfigure custom searches.

Illumio App for Splunk compatibility:

v4.0.1 - Splunk 9.1, 9.0, 8.2, 8.1 + PCE 21.5, 22.2, 22.5, 23.2 and SaaS
v3.2.3 - Splunk 9.1, 9.0, 8.2, 8.1 + PCE 21.2, 21.5, 22.2, 22.5 and SaaS
v3.2.0 - Splunk 9.1, 9.0, 8.2, 8.1, 8.0, 7.3 + PCE 18.3, 19.1, 19.3, 20.1, 21.2, 21.5