SHA256 checksums of the app packages

  • illumio-app-for-splunk_300.tgz  37ca9cd8f7c619479b0f9e7640ecc2fe70d92add9e527ad4f4506e6a2d0ac197
  • illumio-app-for-splunk_230.tgz  4171368dbdada95d37488ff1cf5a0045a0f10ecf62f0817a9fe6d5dfbbc8a92a
  • illumio-app-for-splunk_221.tgz  0c59cd6aa64c9495dbc35b1698d2331893f64d3eb76db50c6a548cdd97b11359
  • illumio-app-for-splunk_220.tgz  e160eee985bbfc55ed0c5e1d447516a03b7f1f163518f64b99b7cc97acae902b
  • illumio-app-for-splunk_210.tgz  ec12b9ef389c02bbe7917a12f4efecfc6cdb7107e743d7646c1f3031b9dd854d
  • illumio-app-for-splunk_201.tgz  cc1b55c524bd3e70b10c4d769ca514c5081f9c8b487f1bf5e303ab6f809e9a71
  • illumio-app-for-splunk_200.tgz  8b160251f5be552f7cf032ed0e232d3f1e5b39faf4867a8ced60152fed2a0b40
  • illumio-app-for-splunk_112.tgz  14feb1a41954cfa62791cfca6909feba365dd82c2890e1658b52cfb28703c36c
  • illumio-app-for-splunk_101.tgz  8e0f6d633cf849a1478dc201aef15745bb3517bcc5ec2a725126b9b1016b2234
  • illumio-app-for-splunk_100.tgz  51fa0b1c47d7ef6a8fc52ae2431656d460a976ecf1fc8f6291232dae765f31d4

Illumio App for Splunk

Splunk AppInspect Passed
The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center.

The Illumio App for Splunk provides three visibility dashboards. With east-west traffic visibility, staff can pinpoint potential attacks and identify compromised workloads using the Security Operations dashboard. Using the PCE Operations dashboard, admins get a single pane of glass to monitor the health of all deployed and managed PCEs. The Workload Operations dashboard provides visibility into VENs, with details on workloads that potentially require manual intervention.

This app uses data input and CIM mapping provided by the Illumio TA for Splunk. Please install it first.

The Illumio App for Splunk compatibility matrix
Ver 1.X -> Splunk 6 and Splunk 7 + PCE ver 17.1, 17.2 and 17.3 and 18.1
Ver 2.X -> Splunk 7 + PCE ver 18.2 (with Events 2.0 syslog messages), PCE ver 18.3, PCE 19.1 and PCE 19.3
Ver 3.X -> Splunk 7 and Splunk 8 + PCE ver 18.2 (with Events 2.0 syslog messages), PCE ver 18.3, PCE 19.1 and PCE 19.3


Note: The Illumio App for Splunk is shipped with Data Model Acceleration disabled, which you can enable to use the full range of the app's capabilities.

OVERVIEW

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center. A dashboard view displays an overview of the security posture of the data center.

With improved visibility of east-west traffic, Security Operations Center (SOC) staff can detect unauthorized activity and potential attacks from traffic blocked by Illumio segmentation policy on workloads in "Enforcement" mode. Additionally, the Illumio App for Splunk provides visibility into potentially blocked traffic for workloads in "Test" mode. SOC staff can quickly pinpoint potential attacks and identify workloads with a significant number of blocked flows. Using the PCE Operations dashboard, admins get a single pane of glass to monitor the health of all deployed and managed PCEs, while the Workload Operations dashboard provides visibility into VENs with details on workloads that were taken offline or suspended and potentially require manual intervention.

For CIM support, please install the Illumio Technology Add-On (TA) for Splunk, available at https://splunkbase.splunk.com.

REQUIREMENTS

  • Splunk version >= 6.5
  • App Version 1.X is compatible with Illumio PCE version 17.1, 17.2, 17.3 and 18.1
  • App Version 2.X is compatible with Illumio PCE version 18.2, 18.3, 19.1 and 19.3
  • This application should be installed on Search Head.

RECOMMENDED SYSTEM CONFIGURATION

  • Standard Splunk configuration of Search Head.

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

  • This app is distributed in two parts.

    1) Add-on app (TA), which listens for Syslog messages from Illumio PCE and collects Illumio metadata using REST API Calls.

    2) The main app for visualizing Illumio PCE data.

  • This App can be set up in two ways:

1) Standalone Mode:

Install the main app and Add-on (TA).

  • Here both the app and TA reside on a single machine.
  • The main app uses the data collected by the TA and builds dashboards on it.

2) Distributed Environment:

Install the main app and TA on the search head. Additionally, install the TA on the heavy forwarder and indexer.
Note: If using a Universal Forwarder, only syslog data is collected and API calls will not be made to the PCE. The App will not work without the data collected by API calls.

A detailed document for installation is available.

  • Configure the Add-on app on the forwarder.
  • The main app on the search head uses the received data and builds dashboards on it.

INSTALLATION IN SPLUNK CLOUD

  • Same as on-premise setup.

INSTALLATION OF APP

  • This app can be installed through the UI using "Manage Apps" or from the command line using the following command:
    sh $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/IllumioAppforSplunk.spl
  • Alternatively, extract the SPL file directly into the $SPLUNK_HOME/etc/apps/ folder.
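Because this page publishes a SHA256 checksum for every package version, the check worth scripting before either install method is a digest comparison. The script below is an added example, not part of the Illumio App for Splunk or of Splunk's tooling; it assumes sha256sum (or shasum) is on PATH and takes the package path and the expected digest from the caller, so the only page-specific value it uses is the version 3.0.0 checksum in the usage comment.

```shell
#!/bin/sh
# Added example (not Illumio's code): verify a downloaded Splunkbase package
# against its published SHA256 checksum before handing it to `splunk install app`.
# Assumptions: sha256sum (coreutils) or shasum is on PATH; the caller supplies
# the package path and the expected digest.

# sha256_of FILE -> prints the hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED -> returns 0 when the digest matches
# (comparison is case-insensitive), 1 on a mismatch or a missing file.
verify_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $file"
        return 0
    fi
    echo "CHECKSUM MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_if_verified FILE EXPECTED -> installs only when the digest matches.
# SPLUNK_HOME must point at the Splunk install (same variable the page uses).
install_if_verified() {
    verify_checksum "$1" "$2" || return 1
    "${SPLUNK_HOME:?set SPLUNK_HOME first}/bin/splunk" install app "$1"
}

# Usage with the value published on this page for version 3.0.0
# (the download path is a placeholder):
# install_if_verified /tmp/illumio-app-for-splunk_300.tgz \
#   37ca9cd8f7c619479b0f9e7640ecc2fe70d92add9e527ad4f4506e6a2d0ac197
```

A mismatch stops before anything is unpacked into $SPLUNK_HOME/etc/apps/, which is the point: the published digest is the only thing tying the file you downloaded to the package Splunkbase inspected.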

SAVEDSEARCHES

This application contains the following seven saved searches, which are used in the dashboards. Two of them are accelerated saved searches. An accelerated saved search provides better performance but consumes more disk space.

  • Illumio_Auditable_Events
    This saved search fetches auditable event data and populates the "Auditable Events" panel in the application dashboard. It is an accelerated search.

  • Illumio_PortScan
    This saved search fetches port scan data for the Illumio_Portscan_Details saved search. It writes its results to a summary index, which increases disk usage on the indexer, but summary-indexed data does not count against your total daily indexing volume.

  • Illumio_Firewall_Tempering
    This saved search fetches firewall tampering data and populates the "Firewall Tampering" panel in the application dashboard. It is an accelerated search.

  • Illumio_Services - Lookup Gen
    This saved search populates the "illumio_services_lookup" lookup.

  • Illumio_Workload_Mapping
    This saved search populates the "illumio_workload_mapping_lookup" lookup.

  • Illumio_Portscan_Details
    This saved search populates the "illumio_portscan_details_lookup" lookup.

  • Illumio_Host_Details
    This saved search populates the "illumio_host_details_lookup" lookup.

DATAMODEL

  • This app consists of one data model, "Illumio", in accelerated mode with a summary range of seven days. This improves dashboard performance but increases disk usage on the indexer.

Copyright 2015-2019 Illumio Inc.

Release Notes

Version 3.0.0
Jan. 25, 2020

Splunk 8 Support
Made App Python23 compatible
Changed all queries to the data model for sourcetype illumio:pce
Added label filters on Workload Investigation
Added Allowed option on Security Operations

Version 2.3.0
Nov. 26, 2019

Added Alert Configuration screen to create/update alert filters
Added Alerts page to setup the configured alerts filters
Workload Investigation: Added drill down from panel Audit Events
Added support of S3 collected data

Version 2.2.1
Sept. 6, 2019

Fixed the bug with Quarantine workload from the drill-down of Firewall Tampering panel
Panels using Syslog data will now use pce_fqdn field instead of fqdn field
Auditable event count uses both system events and audit events
In the Workload Operations dashboard, modified default time range from 60 minutes to 72 hours
Added 'PCE' column in the drill-down of Firewall Tampering panel
Removed "Illumio_Host_PublicIP_Mapping" and "Illumio_PublicIP_Host_Mapping" saved searches as we are not using host field anymore inside "illumio_host_details_lookup"

Version 2.2.0
July 26, 2019

Created new dashboard "Workload Investigation"
Created new panels "VEN Count", "VEN Event Count By Status", "Agent Event Count By EventType" and "Workload Event Count By EventType" in "Workload Operations" dashboard
Modified panels "Managed VEN by Version", "Managed VEN by Mode" and "Managed VEN by Operating System" in "Workload Operations" dashboard
Updated the logic of "Port Scan" panel and its drill-down
Fixed issue with quarantining destination workload in port scan panel
Removed "dnslookup" custom command
Documented steps of configuration for SUF

Version 2.1.0
June 7, 2019

Certified Addon/App with Illumio v18.3.1 and v19.1
Added support of JSON data format for Illumio Cloud data
Added test script to check the connection with Illumio server
Updated the search time of single value panels to last 60 minutes with a trend line of 24 hours in Security Operations dashboard
Minor Bug Fixes in the panels "Top Workloads with" and "Managed VEN by Operating System"
Fixed the bug related to label filter not considering label type while searching for traffic data in Security Operations dashboard

Version 2.0.1
April 17, 2019

Removed VEN Changes by Type panel from Workload Operations

Version 2.0.0
Sept. 19, 2018

Support for PCE 18.1 and PCE 18.2.

Version 1.1.2
Dec. 2, 2017

Create an alert that gets triggered if there is no data for more than 5 minutes
New Dashboard - Workload Operations
New Dashboard - PCE Operations
Enhancement in the existing Security Operations Dashboard.
App Cert Compliance Changes
App Branding related changes
Support for PCE V17.2
Minor Bug Fixes

Version 1.0.1
Aug. 22, 2017

Version 1.0.0
July 27, 2017

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center. A dashboard view displays an overview of the security posture of the data center.

Before installing this app, please install the Illumio Technology Add-On (TA) for Splunk, available at https://splunkbase.splunk.com. The TA provides data input configuration and CIM mapping support.

98 Installs, 651 Downloads
