ILLUMIO CORE
About
Illumio Core (formerly Illumio ASP) is a segmentation solution that can help stop ransomware and cyberattacks from spreading by delivering visibility, a policy creation engine, and automated segmentation and enforcement.
Product Details
Vendor URL: Illumio Core
Product Type: Workload Security
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Events Setup
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: ILLUMIO_CORE
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| timestamp | metadata.event_timestamp |
| pd | metadata.product_event_type |
| src_hostname | principal.hostname |
| src_ip | principal.ip |
| src_href | principal.url |
| src_labels.app | principal.application |
| src_labels.loc | principal.location.name |
| src_labels.env | principal.resource.name |
| src_hostname | principal.asset.hostname |
| src_ip | principal.asset.ip |
| src_labels.role | principal.asset.attribute.roles.name |
| dst_hostname | target.hostname |
| un | target.user.userid |
| pn | target.process.file.full_path |
| dst_ip | target.ip |
| dst_port | target.port |
| dst_href | target.url |
| dst_labels.app | target.application |
| dst_labels.loc | target.location.name |
| dst_labels.env | target.resource.name |
| dst_hostname | target.asset.hostname |
| dst_ip | target.asset.ip |
| dst_labels.role | target.asset.attribute.roles.name |
| pd (0 = allowed, 1 = potentially blocked, 2 = blocked, 3 = unknown, idle mode) | security_result.summary |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| All | GENERIC_EVENT |
Log Sample

```json
{
  "tdms": 38996,
  "ddms": 38996,
  "pn": "file.exe",
  "un": "domain\\username1",
  "fqdn": "hostname1.domain.com",
  "src_ip": "10.10.10.2",
  "dst_ip": "10.10.10.1",
  "class": "U",
  "proto": 6,
  "dst_port": 8080,
  "count": 1,
  "dir": "O",
  "timestamp": "2022-05-27T14:47:07Z",
  "state": "A",
  "pd_qualifier": 0,
  "src_hostname": "hostname1",
  "src_href": "/orgs/111/workloads/",
  "dst_hostname": "hostname2",
  "dst_href": "/orgs/111/workloads/",
  "network": "Private",
  "src_labels": {
    "app": "app1",
    "env": "PROD",
    "loc": "dc1",
    "role": "role"
  },
  "dst_labels": {
    "app": "app2",
    "env": "PROD",
    "loc": "dc1",
    "role": "role"
  },
  "pd": 0,
  "interval_sec": 601,
  "pce_fqdn": "hostname2.domain.com",
  "version": 4
}
```
Sample Parsing
metadata.event_timestamp = "2022-05-27T14:54:04.258420Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Illumio"
metadata.product_name = "Core"
metadata.product_event_type = "0"
principal.hostname = "hostname1"
principal.ip = "10.10.10.2"
principal.url = "/orgs/111/workloads/"
principal.application = "app1"
principal.location.name = "dc1"
principal.resource.name = "PROD"
principal.asset.hostname = "hostname1"
principal.asset.ip = "10.10.10.2"
principal.asset.attribute.roles.name = "role"
target.hostname = "hostname2"
target.user.userid = "domain\username1"
target.process.file.full_path = "file.exe"
target.ip = "10.10.10.1"
target.port = 8080
target.url = "/orgs/111/workloads/"
target.application = "app2"
target.location.name = "dc1"
target.resource.name = "PROD"
target.asset.hostname = "hostname2"
target.asset.ip = "10.10.10.1"
target.asset.attribute.roles.name = "role_name"
security_result.summary = "allowed"
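To make the mapping above concrete, here is an added Python example (not the product's parser, nor code from the page) that normalizes one Illumio Core traffic-flow JSON line into the UDM fields listed in the table, following the table rather than the sample output (so `metadata.event_timestamp` is the log's own `timestamp` field and `roles.name` is the raw label value). The sample event and the `unknown pd value` fallback for codes outside 0-3 are constructed for this example.

```python
import json

# Policy decision code -> security_result.summary (from the UDM table above)
PD_SUMMARY = {0: "allowed", 1: "potentially blocked", 2: "blocked",
              3: "unknown (idle mode)"}
# src_labels/dst_labels keys -> UDM suffix under principal.* / target.*
LABEL_FIELDS = {"app": "application", "loc": "location.name",
                "env": "resource.name", "role": "asset.attribute.roles.name"}
# Top-level fields copied as-is (timestamp, user, process, port)
DIRECT_FIELDS = (("timestamp", "metadata.event_timestamp"), ("un", "target.user.userid"),
                 ("pn", "target.process.file.full_path"), ("dst_port", "target.port"))

def _endpoint(udm, prefix, side, event):
    """Fill principal.* (side="src") or target.* (side="dst") fields."""
    host, ip, href = (event.get(f"{side}_{k}") for k in ("hostname", "ip", "href"))
    if host:  # hostname and ip each map to two UDM fields (direct and asset.*)
        udm[f"{prefix}.hostname"] = udm[f"{prefix}.asset.hostname"] = host
    if ip:
        udm[f"{prefix}.ip"] = udm[f"{prefix}.asset.ip"] = ip
    if href:
        udm[f"{prefix}.url"] = href
    for key, suffix in LABEL_FIELDS.items():
        value = (event.get(f"{side}_labels") or {}).get(key)
        if value:
            udm[f"{prefix}.{suffix}"] = value

def normalize(raw):
    """Normalize one Illumio Core traffic-flow JSON line into UDM fields."""
    event = json.loads(raw)
    udm = {"metadata.event_type": "GENERIC_EVENT",
           "metadata.vendor_name": "Illumio", "metadata.product_name": "Core"}
    for src, dst in DIRECT_FIELDS:
        if event.get(src) is not None:
            udm[dst] = event[src]
    pd = event.get("pd")
    if pd is not None:
        udm["metadata.product_event_type"] = str(pd)
        # Codes outside 0-3 stay visible rather than being silently dropped
        udm["security_result.summary"] = PD_SUMMARY.get(pd, f"unknown pd value {pd}")
    _endpoint(udm, "principal", "src", event)
    _endpoint(udm, "target", "dst", event)
    return udm

# Constructed sample (not from the page): a blocked outbound flow
SAMPLE_EVENT = json.dumps({
    "timestamp": "2022-06-01T10:00:00Z", "pd": 2, "pn": "curl", "un": "domain\\svc",
    "src_hostname": "web01", "src_ip": "10.0.1.5", "src_href": "/orgs/111/workloads/",
    "dst_hostname": "db01", "dst_ip": "10.0.2.9", "dst_port": 443,
    "src_labels": {"app": "shop", "env": "PROD", "loc": "dc1", "role": "web"},
    "dst_labels": {"app": "shop", "env": "PROD", "loc": "dc1", "role": "db"}})
```

Running `normalize(SAMPLE_EVENT)` yields `security_result.summary = "blocked"` and `metadata.product_event_type = "2"`, which is the pair a detection rule would key on, since `GENERIC_EVENT` alone does not distinguish allowed from blocked flows.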
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon