SHA256 checksums of the downloadable packages

  • illumio-app-for-splunk_321.tgz: 6e3330d4498b118905381c6140aa5dc7bbeb559a6a7b5aaf3678e8be561385dd
  • illumio-app-for-splunk_320.tgz: 81c7612b9b0f020b02f360b74a5680fc32473d96ae247bc4969d52b2a5586785
  • illumio-app-for-splunk_310.tgz: 4632bc1b27d3eb65742292efd3807493e774fb0c6b071188f5798870e18d9b58
  • illumio-app-for-splunk_300.tgz: 37ca9cd8f7c619479b0f9e7640ecc2fe70d92add9e527ad4f4506e6a2d0ac197
  • illumio-app-for-splunk_230.tgz: 4171368dbdada95d37488ff1cf5a0045a0f10ecf62f0817a9fe6d5dfbbc8a92a
  • illumio-app-for-splunk_221.tgz: 0c59cd6aa64c9495dbc35b1698d2331893f64d3eb76db50c6a548cdd97b11359
  • illumio-app-for-splunk_220.tgz: e160eee985bbfc55ed0c5e1d447516a03b7f1f163518f64b99b7cc97acae902b
  • illumio-app-for-splunk_210.tgz: ec12b9ef389c02bbe7917a12f4efecfc6cdb7107e743d7646c1f3031b9dd854d
  • illumio-app-for-splunk_201.tgz: cc1b55c524bd3e70b10c4d769ca514c5081f9c8b487f1bf5e303ab6f809e9a71
  • illumio-app-for-splunk_200.tgz: 8b160251f5be552f7cf032ed0e232d3f1e5b39faf4867a8ced60152fed2a0b40
  • illumio-app-for-splunk_112.tgz: 14feb1a41954cfa62791cfca6909feba365dd82c2890e1658b52cfb28703c36c
  • illumio-app-for-splunk_101.tgz: 8e0f6d633cf849a1478dc201aef15745bb3517bcc5ec2a725126b9b1016b2234
  • illumio-app-for-splunk_100.tgz: 51fa0b1c47d7ef6a8fc52ae2431656d460a976ecf1fc8f6291232dae765f31d4


Illumio App for Splunk

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center.

The Illumio App for Splunk provides five visibility dashboards. With east-west traffic visibility, staff can pinpoint potential attacks and identify compromised workloads using the Security Operations dashboard. Using the PCE Operations dashboard, admins get a single pane of glass to monitor the health of all deployed and managed PCEs. The Workload Operations dashboard provides visibility into VENs, with details on workloads that potentially require manual intervention. The Traffic Explorer dashboard visualizes traffic flows. The Change Monitoring dashboard provides an easy way to view PCE creates, deletes and updates.

This app uses data input and CIM mapping provided by the Illumio TA for Splunk. Please install it first.

The Illumio App for Splunk compatibility matrix
  • Ver 1.X -> Splunk 6 and Splunk 7 + PCE ver 17.1, 17.2, 17.3 and 18.1
  • Ver 2.X -> Splunk 7 + PCE ver 18.2 (with Events 2.0 syslog messages), 18.3, 19.1 and 19.3
  • Ver 3.0/3.1 -> Splunk 7 and Splunk 8 + PCE ver 18.2 (with Events 2.0 syslog messages), 18.3, 19.1 and 19.3
  • Ver 3.2 -> Splunk 7.3 and Splunk 8 + PCE ver (with Events 2.0 syslog messages), 18.3, 19.1, 19.3, 20.1 and 21.2
  • Ver 3.2.1 -> Splunk 8.1/8.2 + PCE ver 18.3, 19.1, 19.3, 20.1, 21.2 and SaaS PCE 21.5


Note: The Illumio App for Splunk is shipped with Data Model Acceleration disabled, which you can enable to use the full range of the app's capabilities.

OVERVIEW

  • The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center. A dashboard view displays an overview of the security posture of the data center.
  • With improved visibility of east-west traffic, Security Operations Center (SOC) staff can detect unauthorized activity and potential attacks from traffic blocked by Illumio segmentation policy on workloads in "Enforcement" mode.
  • For CIM support, please install the Illumio Technology Add-On (TA) for Splunk available at https://splunkbase.splunk.com
  • Version: 3.2.1
  • Supported Splunk versions are 8.1.x and 8.2.x
  • Supported PCE versions are 17.1, 17.2, 17.3, 18.1, 18.2.0, 18.2.x, 18.3, 19.1, 19.3, 20.1 and 21.2.x.
  • Supported SaaS PCE version is 21.5.3-3.

Prerequisites

  • TA-Illumio is required for field extractions and data collection.

Release Notes

  • Version 3.2.1

    • Improved support for SaaS PCE.
    • Fixed assorted dashboards reporting “0” traffic for SaaS PCE
  • Version 3.2.0

    • Added the following dashboards:
      1) PCE Authentication Events
      2) Traffic Explorer
      3) Change Monitoring
    • Added the following panels in the PCE Operations (On-Prem Only) dashboard:
      1) Data Ingestion Volume In The Last Day
      2) Data Ingestion Volume In The Last 30 Days
    • Updated the following panels in the Workload Investigations dashboard:
      • Removed Traffic Events panel.
      • Added Active VEN, Suspended VEN, Stopped VEN, Policy Enforcement State and Policy Synchronization Status panels.
      • Added Status, Severity and Notification Type filter to the Audit Events panel.
    • Added "Unknown" option on "Security Operations" dashboard's "Traffic" filter.
    • Fixed disk latency issue in "PCE Operations (On-Prem Only)" dashboard's "Cluster Cores" Panel.
    • Bundled the jQuery3 in the app package.
    • Added "Supercluster Leader" filter to all dashboards.
    • Added "illumio_portscan_index" macro to summarize port scan data to custom index.
    • Modified "Illumio_Workload_Mapping" savedsearch so that it clears records older than 30 days in "illumio_workload_mapping_lookup" lookup.
  • Version 3.1.0

    • Added the following panels in the PCE Operations dashboard:
      1) VEN Heartbeat Latency
      2) VEN Policy Latency
      3) Collector Flow Rate
      4) Traffic Ingest Rate
      5) Policy Database Summary
      6) Disk Latency in Cluster Cores Section
    • Used Basesearch for panels in PCE operations dashboard to improve search performance.
  • Version 3.0.0

    • Splunk 8 Support.
    • Made App Python23 compatible.
    • Changed all queries to datamodel for sourcetype "illumio:pce".
    • Added label filters on Workload Investigation.
    • Added Allowed option on Security Operations.
  • Version: 2.3.0

    • Added Alert Configuration screen to create/update alert filters.
    • Workload Investigation: Added drilldown from panel Audit Events.
    • Added support of S3 collected data.
  • Version: 2.2.1

    • Fixed the bug with Quarantine workload from the drill-down of Firewall Tampering panel.
    • Panels using Syslog data, now use pce_fqdn field instead of fqdn field.
    • Auditable event count uses both system events and audit events.
    • In Workload Operations dashboard, changed default time range from 60 minutes to 72 hours.
    • Added 'PCE' column in the drill-down of Firewall Tampering panel.
    • Removed "Illumio_Host_PublicIP_Mapping" and "Illumio_PublicIP_Host_Mapping" saved searches as we are not using host field anymore inside "illumio_host_details_lookup".
  • Version: 2.2.0

    • Created new dashboard "Workload Investigation".
    • Created new panels "VEN Count", "VEN Event Count By Status", "Agent Event Count By EventType" and "Workload Event Count By EventType" in "Workload Operations" dashboard.
    • Modified panels "Managed VEN by Version", "Managed VEN by Mode" and "Managed VEN by Operating System" in "Workload Operations" dashboard.
    • Updated the logic of "Port Scan" panel.
    • Removed "dnslookup" custom command.
  • Version: 2.1.0

    • Added support of Illumio PCE 18.3.1, 19.1
    • Updated the search time of single value panels to last 60 minutes with trend line of 24 hours in Security Operations dashboard.
    • Fixed the bug related to "unknown" or "NULL" legend in "Top Workloads with" and "Managed VEN by Operating System" panels.
    • Fixed the bug related to label filter not considering label type while searching for traffic data in Security Operations dashboard.
  • Version: 2.0.2

    • Added support of Illumio PCE 18.2.1, 18.2.2, 18.2.3
  • Version: 2.0.1

    • Removed VEN Changes by Type panel from Workload Operations dashboard.
  • Version: 2.0.0

    • This version of App (2.0.0) is only compatible with Illumio PCE 18.2.0
    • This version of App (2.0.0) is not compatible with Illumio PCE 17.X

RECOMMENDED SYSTEM CONFIGURATION

  • Standard Splunk configuration of Search Head.

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

  • This app is distributed in two parts.

    1) The Add-on app, which listens for syslog messages from the Illumio PCE and collects Illumio metadata using REST API calls.

    2) The main app, which visualizes the Illumio PCE data.

  • This app can be set up in two ways:

1) Standalone Mode:

Install the main app and the Add-on app.

  • Both apps reside on a single machine.
  • The main app uses the data collected by the Add-on app and builds dashboards on it.

2) Distributed Environment:

a) With heavy forwarder

Install the main app and the Add-on app on the search head, and the Add-on app on the heavy forwarder.

* Configure the Add-on app on the heavy forwarder.
* The main app on the search head uses the received data and builds dashboards on it.

b) With Splunk Universal Forwarder

Install the main app and the Add-on app on the search head, and the Add-on app on the universal forwarder and the indexer.

1. Configure the Splunk Universal Forwarder to collect data from the Illumio server.
    * Create a TCP stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file.
        ```
        [tcp://<PORT>]
        index=<INDEX-NAME>
        sourcetype=illumio:pce
        ```
2. Configure the Splunk Universal Forwarder to send the data to the Splunk Indexer.
    * Execute the below command on the SUF, where <IP>:<PORT> is the Splunk Indexer IP and its listening port.
        ```
        $SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>
        ```

3. Configure the Splunk Indexer to receive data from the SUF.
    * Create the below stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file.
        ```
        [splunktcp://<PORT>]
        ```
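As an added pre-flight check (example code, not part of the Illumio app or of Splunk), the Python below parses the two inputs.conf files from steps 1 and 3 and flags the settings that most often leave the dashboards empty: a `[tcp://<PORT>]` stanza without `sourcetype=illumio:pce` (the TA's field extractions then never apply), a missing `index` (events land in the default index instead of the one the app's macro points at), an out-of-range port, a disabled input, or no `[splunktcp://<PORT>]` receiving stanza on the indexer. The file contents are constructed samples; the parser only handles the flat `[stanza]` / `key = value` shape that these two files use.

```python
"""Pre-flight checks for the forwarder and indexer inputs.conf stanzas described above.
Added example, not part of the Illumio app or of Splunk; file contents below are constructed."""
from __future__ import annotations

import re

# Constructed sample of a Universal Forwarder's inputs.conf: the first stanza follows
# step 1 above, the second is deliberately missing its index setting.
SAMPLE_UF_INPUTS = """\
# PCE syslog listener
[tcp://514]
index = illumio
sourcetype = illumio:pce

[tcp://9999]
sourcetype = illumio:pce
"""

# Constructed sample of an indexer's inputs.conf, as in step 3 above.
SAMPLE_INDEXER_INPUTS = """\
[splunktcp://9997]
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}} (comments ignored)."""
    stanzas: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _port_of(stanza: str) -> str:
    # Handles both [tcp://<PORT>] and [tcp://<host>:<PORT>] forms.
    return stanza.split("://", 1)[1].rsplit(":", 1)[-1]


def _valid_port(port: str) -> bool:
    return port.isdigit() and 1 <= int(port) <= 65535


def check_pce_tcp_inputs(text: str) -> list[str]:
    """Problems with [tcp://...] stanzas meant to carry PCE syslog (step 1)."""
    problems: list[str] = []
    pce = {n: kv for n, kv in parse_conf(text).items()
           if n.startswith("tcp://") and kv.get("sourcetype") == "illumio:pce"}
    if not pce:
        problems.append("no [tcp://<PORT>] stanza with sourcetype=illumio:pce found")
    for name, kv in pce.items():
        if not _valid_port(_port_of(name)):
            problems.append(f"{name}: not a valid TCP port")
        if not kv.get("index"):
            problems.append(f"{name}: index not set, events would land in the default index")
        if kv.get("disabled", "0").lower() in ("1", "true"):
            problems.append(f"{name}: input is disabled")
    return problems


def check_splunktcp_receiver(text: str) -> list[str]:
    """Problems with the [splunktcp://<PORT>] receiving stanza on the indexer (step 3)."""
    names = [n for n in parse_conf(text) if n.startswith("splunktcp://")]
    if not names:
        return ["no [splunktcp://<PORT>] receiving stanza found"]
    return [f"{n}: not a valid TCP port" for n in names if not _valid_port(_port_of(n))]


if __name__ == "__main__":
    for label, problems in (("UF", check_pce_tcp_inputs(SAMPLE_UF_INPUTS)),
                            ("indexer", check_splunktcp_receiver(SAMPLE_INDEXER_INPUTS))):
        print(label, "OK" if not problems else "; ".join(problems))
```

Run against a real deployment by reading `$SPLUNK_HOME/etc/system/local/inputs.conf` on each host into the two check functions; a non-empty list is a reason to fix the file before restarting Splunk, since the later "dashboards are not getting populated" troubleshooting steps all start from data that never reached the expected index or sourcetype.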

INSTALLATION IN SPLUNK CLOUD

  • Same as on-premise setup.

INSTALLATION OF APP

  • This app can be installed through UI using "Manage Apps" or from the command line using the following command:
    sh $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/IllumioAppforSplunk.spl/
  • User can directly extract SPL file into $SPLUNK_HOME/etc/apps/ folder.
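Before installing from a downloaded package, verify its SHA256 against the values published at the top of this listing. The script below is an added example (not Illumio's or Splunk's code) that embeds the published checksums for the 3.x packages, streams the file so a large archive is not read into memory at once, compares digests in constant time, and refuses a package whose file name is not in the table or whose digest does not match. The test inputs are constructed byte strings, not real packages.

```python
"""Verify a downloaded Illumio App for Splunk package against the SHA256 values published
on this listing. Added example, not Illumio's or Splunk's code."""
from __future__ import annotations

import hashlib
import hmac
import sys

# Checksums exactly as published on this listing, keyed by package file name.
PUBLISHED_SHA256 = {
    "illumio-app-for-splunk_321.tgz": "6e3330d4498b118905381c6140aa5dc7bbeb559a6a7b5aaf3678e8be561385dd",
    "illumio-app-for-splunk_320.tgz": "81c7612b9b0f020b02f360b74a5680fc32473d96ae247bc4969d52b2a5586785",
    "illumio-app-for-splunk_310.tgz": "4632bc1b27d3eb65742292efd3807493e774fb0c6b071188f5798870e18d9b58",
    "illumio-app-for-splunk_300.tgz": "37ca9cd8f7c619479b0f9e7640ecc2fe70d92add9e527ad4f4506e6a2d0ac197",
}


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA256 of a file, streamed in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of two hex digests (case-insensitive)."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_package(filename: str, actual_hex: str,
                   published: dict[str, str] = PUBLISHED_SHA256) -> tuple[bool, str]:
    """Check a computed digest against the published table; returns (ok, reason)."""
    expected = published.get(filename)
    if expected is None:
        return False, f"no published checksum for {filename}; refusing to install"
    if not verify_digest(actual_hex, expected):
        return False, f"checksum mismatch for {filename}: got {actual_hex}, expected {expected}"
    return True, f"{filename} matches the published SHA256"


if __name__ == "__main__":
    # Usage: python verify_illumio_app.py /path/to/illumio-app-for-splunk_321.tgz
    path = sys.argv[1]
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ok, reason = verify_package(name, sha256_file(path))
    print(reason)
    sys.exit(0 if ok else 1)
```

A non-zero exit code makes the check usable in a deployment script ahead of `splunk install app`; on a Linux host `sha256sum <package>` gives the same digest to compare against the listing by hand.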

UPGRADE

From v3.2.0 TO v3.2.1

  • User needs to rebuild the Data model after upgrading the app. Follow the REBUILDING DATA MODEL section.

NOTE: Only for SaaS PCE users:

  • If the user has configured the "Illumio_PCE_Health_Alert" alert under the "Alert Configuration" dashboard then the user needs to reconfigure it.

From v3.1.0 TO v3.2.0

  • User needs to rebuild the Data model after upgrading the app. Follow the REBUILDING DATA MODEL section.

From v3.0.0 TO v3.1.0

  • User needs to rebuild the Data model after upgrading the app. Follow the REBUILDING DATA MODEL section.

From v2.3.0 to v3.0.0

  • User needs to rebuild the Data model after upgrading the app. Follow the REBUILDING DATA MODEL section.

OPEN SOURCE COMPONENTS AND LICENSES

CUSTOM ROLE

  • We have added a custom role named "illumio_quarantine_workload". You have to assign this role to a user to allow them to mark any workload as Quarantine.

Alert Configuration

  • As part of release v2.3.0, we added a new Alert Configuration screen. Users can create and update alert configuration rules for triggered alerts, and can add or modify filters for a specific alert. The configuration screens for this feature are listed below.
    • PCE System Health Events: The user selects the severities for new system_health messages. Alerts are triggered when the selected conditions are met. The available severities are Warning, Error and Critical.
    • Rule Set Writing/Update: Triggers if the PCE generates a create, update or delete event for a specific RuleSet whose scope contains specific app, loc and env labels, and also the selected custom label.
    • Rule Writing Update: Triggers if the PCE generates a create, update or delete event for specific Rule Providers or Consumers that include any services, iplists or all workloads.
    • Policy Provisioning: Triggers when the PCE generates a Policy Provision Event with the number of online Workloads exceeding.
    • Workload Labeling: Triggers if the PCE generates a create, update or delete event for a specific workload with the labels selected from the multiselect.

How to add actions in Alert after adding/updating the criteria from Alert Configuration screen

  • To add an email action for a specific alert, follow the below steps:
    • Go to Settings -> Searches, Reports, and Alerts
    • Select App as IllumioAppforSplunk from the dropdown.
    • Search for the specific alert and click Edit -> Edit Alert under the Actions section.
    • Scroll down the popup and find the Triggered Alerts section.
    • Click Add Actions and select Send email alert.
    • Configure all email parameters such as To, Subject and Message.
    • The filtered events can be included in PDF format.
    • Click Save.

SAVED SEARCHES

This application contains the following saved searches, which are used in the dashboards.

  • Illumio_Auditable_Events
    This saved search is used to fetch auditable event data and populate the "Auditable Events" panel in the application dashboard.

  • Illumio_PortScan
    This saved search is used to fetch port scan data for the Illumio_Portscan_Details saved search. It saves its results in a summary index, which increases disk usage on the indexer; summary indexed data does not count against your total daily indexing volume.

  • Illumio_Firewall_Tempering
    This saved search is used to fetch firewall tampering data and populate the "Firewall Tampering" panel in the application dashboard.

  • Illumio_Workload_Mapping
    This saved search is used to populate "illumio_workload_mapping_lookup" lookup and clear the records older than 30 days.

  • Illumio_Portscan_Details
    This saved search is used to populate "illumio_portscan_details_lookup" lookup.

  • Illumio_Host_Details
    This saved search is used to populate "illumio_host_details_lookup" lookup.

  • Illumio_Host_PublicIP_Mapping
    This saved search is used to find a mapping between public IP and hostname of Illumio nodes.

  • Illumio_PublicIP_Host_Mapping
    This saved search is used to find hostname for specific public IP of Illumio nodes.

  • Illumio_Check_PCE_Collector_Data
    This scheduled saved search checks whether data is being received from the PCE. If no data is received in the last five minutes it triggers an alert. This saved search is disabled by default.

  • Illumio_hostname_ip_mapping
    This saved search is used to populate "illumio_hostname_ip_mapping_lookup" lookup.

  • Illumio_Host_Details_S3
    This saved search is used to populate "illumio_host_details_lookup" lookup for S3 collected data.

  • Illumio_PCE_Health_Alert
    This saved search is used for PCE System Health Events screen filters.

  • Illumio_Rule_Update_Alert
    This saved search is used for Rule Writing Update screen filters.

  • Illumio_Policy_Provisioning_Alert
    This saved search is used for Policy Provisioning screen filters.

  • Illumio_Workload_Labeling_Alert
    This saved search is used for Workload Labeling screen filters.

DATA MODEL

  • The app consists of one data model, "Illumio". Acceleration for the data model is disabled by default. To improve dashboard performance, enable data model acceleration.
  • Accelerated data models improve dashboard performance but increase disk usage on the indexer.

DATA MODEL CONFIGURATION

  • The Data Model used in this application is not accelerated. The admin should manually accelerate the Data Model.
  • The Data Model used in this application should be accelerated with a 1 week period. The admin can enable/disable acceleration or change the acceleration period with the following steps:
    • On Splunk's menu bar, click Settings -> Data models.
    • From the list of Data models, click "Edit" in the "Action" column of the row for the Data model for which acceleration needs to be enabled or disabled.
    • From the list of actions select Edit Acceleration. This displays the pop-up menu for Edit Acceleration.
    • Check or uncheck the Accelerate checkbox to enable or disable data model acceleration respectively.
    • If acceleration is enabled, select the summary range to specify the acceleration period.
    • To save the acceleration changes, click the Save button.

REBUILDING DATA MODEL

  • If the already indexed accelerated Data Model is no longer needed, the Data Model can be rebuilt from scratch for the specified acceleration period with the following steps:
    • On Splunk's menu bar, click Settings -> Data models.
    • From the list of Data models, expand the row by clicking the ">" arrow in the first column of the row for the Data model whose acceleration needs to be rebuilt. This displays extra Data Model information in the "Acceleration" section.
    • In the "Acceleration" section, click the "Rebuild" link.
    • Monitor the status of the rebuild in the "Status" field of the "Acceleration" section. Reload the page to get the latest rebuild status.

TROUBLESHOOTING

  • If dashboards are not getting populated:
    • Check that the "illumio_get_index" macro is updated if you are using a custom index.
    • Check whether the data model is accelerated.
    • Make sure you have data in the given time range.
    • To check whether data is being collected, run the following query in the search bar:
        ```
        `illumio_get_index` | stats count by sourcetype
        ```
    • Try expanding the time range.
    • Try the "<instance_url>/<language>/_bump" endpoint to clear the cache and load new static content.
  • If the Sankey diagram is not visualized in the Traffic Explorer dashboard's "Communications Map between Labeled Workloads" panel:
  • If you want to summarize port scan data to a custom index, update the "illumio_portscan_index" macro as mentioned below:
    • index = <your_index>
  • If label filters (i.e. app, env and loc) are not populated:
    • Try running the "Illumio_Workload_Mapping" saved search with an expanded time range.
    • Make sure that the interval configured for the input is less than 24 hours.

Known Limitations

  • The following dashboards/panels may not be populated for SaaS PCE data.

| Dashboard Name                | Panel                   |
|-------------------------------|-------------------------|
| PCE Operations (On-Prem Only) | Cluster Status          |
| PCE Operations (On-Prem Only) | PCE Run Level           |
| PCE Operations (On-Prem Only) | PCE Service Status      |
| PCE Operations (On-Prem Only) | Policy Database Summary |
| PCE Operations (On-Prem Only) | Cluster Cores           |
| PCE Operations (On-Prem Only) | VEN Panel(s)            |
| PCE Operations (On-Prem Only) | Type(s)                 |

UNINSTALL APP

To uninstall the app, follow the below steps:
  1) SSH to the Splunk instance.
  2) Go to the apps folder ($SPLUNK_HOME/etc/apps).
  3) Remove the IllumioAppforSplunk folder from the apps directory.
  4) Restart Splunk.

EULA

SUPPORT

Copyright 2021 Illumio, Inc. All rights reserved.

Release Notes

Version 3.2.1
May 4, 2022
  • Improved support for SaaS PCE.
  • Fixed assorted dashboards reporting “0” traffic for SaaS PCE
Version 3.2.0
Nov. 11, 2021
  • New dashboard: Traffic Explorer
  • New dashboard: Change Monitoring
  • Supercluster support
  • Presentation bug fixes: disk latency, event type, user/username, pce_fqdn
Version 3.1.0
July 18, 2020

Illumio App For Splunk v3.1.0
Added health metrics panels in PCE Operations dashboard
- VEN Heartbeat Latency
- VEN Policy Latency
- Collector Flow Rate
- Traffic Ingest Rate
- Policy Database Summary
- Disk Latency in Cluster Cores Section
Used Basesearch for panels in PCE operations dashboard to improve search performance

Version 3.0.0
Jan. 25, 2020

Splunk 8 Support
Made App Python23 compatible
Changed all queries to the data model for sourcetype illumio:pce
Added label filters on Workload Investigation
Added Allowed option on Security Operations

Version 2.3.0
Nov. 26, 2019

Added Alert Configuration screen to create/update alert filters
Added Alerts page to setup the configured alerts filters
Workload Investigation: Added drill down from panel Audit Events
Added support of S3 collected data

Version 2.2.1
Sept. 6, 2019

Fixed the bug with Quarantine workload from the drill-down of Firewall Tampering panel
Panels using Syslog data will now use pce_fqdn field instead of fqdn field
Auditable event count uses both system events and audit events
In the Workload Operations dashboard, modified default time range from 60 minutes to 72 hours
Added 'PCE' column in the drill-down of Firewall Tampering panel
Removed "Illumio_Host_PublicIP_Mapping" and "Illumio_PublicIP_Host_Mapping" saved searches as we are not using host field anymore inside "illumio_host_details_lookup"

Version 2.2.0
July 26, 2019

Created new dashboard "Workload Investigation"
Created new panels "VEN Count", "VEN Event Count By Status", "Agent Event Count By EventType" and "Workload Event Count By EventType" in "Workload Operations" dashboard
Modified panels "Managed VEN by Version", "Managed VEN by Mode" and "Managed VEN by Operating System" in "Workload Operations" dashboard
Updated the logic of "Port Scan" panel and its drill-down
Fixed issue with quarantining destination workload in port scan panel
Removed "dnslookup" custom command
Documented steps of configuration for SUF

Version 2.1.0
June 7, 2019

Certified Addon/App with Illumio v18.3.1 and v19.1
Added support of JSON data format for Illumio Cloud data
Added test script to check the connection with Illumio server
Updated the search time of single value panels to last 60 minutes with a trend line of 24 hours in Security Operations dashboard
Minor Bug Fixes in the panels "Top Workloads with" and "Managed VEN by Operating System"
Fixed the bug related to label filter not considering label type while searching for traffic data in Security Operations dashboard

Version 2.0.1
April 17, 2019

Removed VEN Changes by Type panel from Workload Operations

Version 2.0.0
Sept. 19, 2018

Support for PCE 18.1 and PCE 18.2.

Version 1.1.2
Dec. 2, 2017

Create an alert that gets triggered if there is no data for more than 5 minutes
New Dashboard - Workload Operations
New Dashboard - PCE Operations
Enhancement in the existing Security Operations Dashboard.
App Cert Compliance Changes
App Branding related changes
Support for PCE V17.2
Minor Bug Fixes

Version 1.0.1
Aug. 22, 2017
Version 1.0.0
July 27, 2017

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center. A dashboard view displays an overview of the security posture of the data center.

Before installing this app, please install the Illumio Technology Add-On (TA) for Splunk available at https://splunkbase.splunk.com . The TA provides data inputs configuration and CIM mapping support.

