Skip to content

ILLUMIO CORE

Illumio

About

Illumio Core (formerly Illumio ASP) is a segmentation solution that can help stop ransomware and cyberattacks from spreading by delivering visibility, a policy creation engine, and automated segmentation and enforcement.

Product Details

Vendor URL: Illumio Core

Product Type: Workload Secuirty

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Events Setup

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: ILLUMIO_CORE

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
timestamp metadata.event_timestamp
pd metadata.product_event_type
src_hostname principal.hostname
src_ip principal.ip
src_href principal.url
src_labels.app principal.application
src_labels.loc principal.location.name
src_labels.env principal.resource.name
src_hostname principal.asset.hostname
src_ip principal.asset.ip
src_labels.role principal.asset.attribute.roles.name
dst_hostname target.hostname
un target.user.userid
pn target.process.file.full_path
dst_ip target.ip
dst_port target.port
dst_href target.url
dst_labels.app target.application
dst_labels.loc target.location.name
dst_labels.env target.resource.name
dst_hostname target.asset.hostname
dst_ip target.asset.ip
dst_labels.role target.asset.attribute.roles.name
pd:0=Allowed pd:1=potentially blocked pd:2=blocked pd:3=unknown (idle mode) security_result.summary

Product Event Types

Event UDM Event Classification
All GENERIC_EVENT

Log Sample

{
  "tdms": 38996,
  "ddms": 38996,
  "pn": "file.exe",
  "un": "domain\username1",
  "fqdn": "hostname1.domain.com",
  "src_ip": "10.10.10.2",
  "dst_ip": "10.10.10.1",
  "class": "U",
  "proto": 6,
  "dst_port": 8080,
  "count": 1,
  "dir": "O",
  "timestamp": "2022-05-27T14:47:07Z",
  "state": "A",
  "pd_qualifier": 0,
  "src_hostname": "hostname1",
  "src_href": "/orgs/111/workloads/",
  "dst_hostname": "hostname2",
  "dst_href": "/orgs/111/workloads/",
  "network": "Private",
  "src_labels": {
    "app": "app1",
    "env": "PROD",
    "loc": "dc1",
    "role": "role"
  },
  "dst_labels": {
    "app": "app2",
    "env": "PROD",
    "loc": "dc1",
    "role": "role"
  },
  "pd": 0,
  "interval_sec": 601,
  "pce_fqdn": "hostname2.domain.com",
  "version": 4
}

Sample Parsing

metadata.event_timestamp = "2022-05-27T14:54:04.258420Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Illumio"
metadata.product_name = "Core"
metadata.product_event_type = "0"
principal.hostname = "hostname1"
principal.ip = "10.10.10.2"
principal.url = "/orgs/111/workloads/"
principal.application = "app1"
principal.location.name = "dc1"
principal.resource.name = "PROD"
principal.asset.hostname = "hostname1"
principal.asset.ip = "10.10.10.2"
principal.asset.attribute.roles.name = "role"
target.hostname = "hostname2"
target.user.userid = "domain\username1"
target.process.file.full_path = "file.exe"
target.ip = "10.10.10.1"
target.port = 8080
target.url = "/orgs/111/workloads/"
target.application = "app2"
target.location.name = "dc1"
target.resource.name = "PROD"
target.asset.hostname = "hostname2"
target.asset.ip = "10.10.10.1"
target.asset.attribute.roles.name = "role_name"
security_result.summary = "allowed"

Parser Alerting

This product currently does not have any parser-based alerting