Illumio adaptive microsegmentation technology is quickly becoming a foundational part of the security stack and an essential tool to protect applications running in data center and cloud environments. As we see customers roll out the Illumio Adaptive Security Platform (ASP) to protect more parts of their application environments, we also see them extend Illumio to more teams across their organization — like the Security Operations Center (SOC) teams who rely on tools like security information and event management (SIEM) to monitor environments for alerts and anomalies.
Illumio's integration with Splunk gives SOC teams the ability to quickly identify potentially compromised workloads and enables Illumio administrators to be able to monitor the health of the Illumio solution.
We integrate with Splunk in the following ways:
Illumio and Splunk server
Illumio ASP forwards audit events, policy events, and health of the Illumio solution directly to Splunk Enterprise Server, where the data can be integrated with existing security operations tools such as Splunk Enterprise Security, the Illumio App for Splunk, and SOC team workflows.
Illumio technology add-on (TA) for Splunk
The Illumio Technology Add-On for Splunk enriches Illumio Policy Compute Engine (PCE) data with Common Information Model (CIM) field names, event types, and tags. The TA enables Illumio data to be easily used with Splunk Enterprise Security, the Illumio App for Splunk, and other applications in the Splunk ecosystem.
The Illumio TA is available as a free download from Splunkbase here.
Illumio and Splunk enterprise security
Splunk Enterprise Security (ES) is a premium solution that provides customers with the ability to quickly detect and respond to internal and external attacks. Illumio integration with Splunk ES helps to simplify threat management and minimize risk. Splunk ES streamlines all aspects of security operations and is suitable for organizations of all sizes and expertise. The Technology Add-on for Illumio will tag incoming Illumio data with CIM tags so that Illumio data can be effectively used within Splunk ES.
The Illumio app for Splunk
The Illumio App for Splunk is a set of prebuilt dashboards that enhance Illumio integration with Splunk by providing security and operational insights into Illumio-secured environments. The Illumio App for Splunk comes with the following dashboards:
Security Operations Dashboard –gives SOC staff insights to quickly pinpoint potential attacks and identify compromised workloads.
PCE Operations Dashboard –gives Illumio admins a "single pane of glass" to monitor the health of all deployed and managed PCEs.
Workload Operations Dashboard –provides Illumio admins with visibility into VENs, including details on workloads that were taken offline or suspended and potentially requiring manual intervention.
The Illumio App for Splunk is available as a free download from Splunkbase here.
Adaptive Response initiative
Illumio provides an Adaptive Response Action for use within Splunk ES, which enables the ability to quarantine potentially breached workloads. This allows SOC teams to take action on workloads exhibiting potentially risky activity by leveraging Splunk AR, the Illumio REST API, and Illumio policy to isolate the compromised workloads from other production workloads while still allowing access by forensic teams. By calling into the Illumio REST API, microsegmentation policies are applied instantaneously and contain the impact of the compromised workload within seconds.
Integrating Illumio with SIEM platforms like Splunk gives SOC teams unique and critical insight into data center activity to augment their other alerts and feeds with the ability to quickly identify unauthorized communications that might be an indicator of a breach.