
Package SHA256 checksums

  • illumio-app-for-splunk_401.tgz: 085517fd510bebfbb1afb2dbf7408b9d3a116278219f97ea6f6e9fd4feb83b7a
  • illumio-app-for-splunk_321.tgz: f9cc30293ac8bc1d19a9db0560aec9d65d4a15cdb8d665b45eb84c3efadba4d9
  • illumio-app-for-splunk_320.tgz: 4b43639f31adf7311f46798e193d7df48ddb0a6750fa851f83a22c60b5133ea5
  • illumio-app-for-splunk_310.tgz: b55da16f75799c3202a0f56b3491d0d472b7d1b0d57b043bfaa8bc2834df1b4f
  • illumio-app-for-splunk_300.tgz: 1bcffb34d2a5969f98ae4cbbda16911a3577883b545e92fcded160295ff1270c
  • illumio-app-for-splunk_230.tgz: 858ac05c5a78f9a60b3f32e2e7a104d90535b8e84226d6b019395bc1d94b3e92
  • illumio-app-for-splunk_221.tgz: 1959c51eaeb79f056f3563dea6ad4ad9b1713eebac203d1192b5b6b22ad82145
  • illumio-app-for-splunk_220.tgz: 9ba625ea5a756151f5a95e1a81ecba7b52b138dc4698222ab9c6f6d5d91eb63d
  • illumio-app-for-splunk_210.tgz: cbd571cbcbecce64b4e373333850369b2ad523de5f565c99a9b74f4c5840c4c2
  • illumio-app-for-splunk_201.tgz: 32bcaadd42752da8d7ff0266c285fba5619de1440b9d624628f6d239c6756682
  • illumio-app-for-splunk_200.tgz: 496c242bb19893252329d0280fcada9d5fdd6baa7a5e5bb1060f491c9bf34c63
  • illumio-app-for-splunk_112.tgz: dd3f1cfb755aae60e881928739a3b1e82380182c32c01f2a509328bdf31abffc
  • illumio-app-for-splunk_101.tgz: f5f52a389bf0f58b26b56265439fa066e5f35a70ba59ab2370c6ab1b1464ef47
  • illumio-app-for-splunk_100.tgz: f39e08d4b299a33a1c0d0896ea9fa63532eeaa6484b318614a194ff510cd0f2c


Illumio App for Splunk

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio-secured data center.

The Illumio App for Splunk provides seven visibility dashboards. With east-west traffic visibility, staff can pinpoint potential attacks and identify compromised workloads using the Security Operations dashboard. Using the PCE Operations dashboard, admins get a single pane of glass to monitor the health of all deployed and managed PCEs. The PCE Authentication Events dashboard lets admins track PCE access. The Workload Operations and Workload Investigations dashboards provide visibility into VENs, with details on workloads that may require manual intervention. The Traffic Explorer dashboard visualizes traffic flows. The Change Monitoring dashboard provides an easy way to view PCE creates, deletes, and updates.

This app uses data input and CIM mapping provided by the Illumio TA for Splunk. Please install the Illumio TA for Splunk first.

Note: The Illumio App for Splunk is shipped with Data Model Acceleration disabled, which you can enable to use the full range of the app's capabilities. See the app README for details.


IMPORTANT: In v4.0, syslog prefixes are stripped at index time for JSON-formatted events, and the data schema has changed.
Because of these changes, the search-time extractions and transforms in version 4.0.0 are incompatible with data indexed by previous versions of the TA. See the Upgrade Instructions in the README for details on continuing to use data collected by an earlier version and on reconfiguring custom searches.


Illumio App for Splunk compatibility:

v4.0.1 - Splunk 9.1, 9.0, 8.2, 8.1 + PCE 21.5, 22.2, 22.5, 23.2 and SaaS
v3.2.3 - Splunk 9.1, 9.0, 8.2, 8.1 + PCE 21.2, 21.5, 22.2, 22.5 and SaaS
v3.2.0 - Splunk 9.1, 9.0, 8.2, 8.1, 8.0, 7.3 + PCE 18.3, 19.1, 19.3, 20.1, 21.2, 21.5

Illumio App for Splunk

Overview

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center. A dashboard view displays an overview of the security posture of the data center.

With improved visibility of east-west traffic, Security Operations Center (SOC) staff can detect unauthorized activity and potential attacks from traffic blocked by Illumio segmentation policy on workloads in "Enforcement" mode. Additionally, the Illumio App for Splunk provides visibility into potentially blocked traffic for workloads in "Test" mode. SOC staff can quickly pinpoint potential attacks and identify workloads with a significant number of blocked flows.

Version - 4.0.1

Supported Splunk versions

  • 8.1.x
  • 8.2.x
  • 9.0.x
  • 9.1.x

Supported versions of the Illumio Policy Compute Engine (PCE)

  • 21.5.x
  • 22.2.x
  • 22.5.x
  • 23.2.x
  • Illumio SaaS PCE (latest)

Supported Splunk Common Information Model (CIM) versions

  • 4.x
  • 5.x

Prerequisites

  • The TA-Illumio add-on is required for field extractions and data collection
    • At least one illumio modular input must be configured to pull necessary data from the Illumio PCE
  • Syslog events must be forwarded to Splunk from the Illumio PCE. See the TA-Illumio documentation for instructions to configure event forwarding for on-prem and SaaS PCEs

Splunk Architecture

The Illumio Splunk integration is distributed in two parts:

1) The TA-Illumio add-on, which collects and parses syslog events and static objects from the PCE
2) This IllumioAppForSplunk app, which visualizes data from the PCE in Splunk dashboards and provides the Illumio data model to improve search performance

The app can be installed in either a standalone or distributed Splunk environment.

Note: Recommendations for the configuration and topology of a distributed Splunk environment are outside the scope of this document. See the documentation on Splunk Validated Architectures for suggestions on topology for distributed deployments.

For a standalone deployment, install and configure the TA per the installation instructions on Splunkbase, and install the app as described in the Installation section below.

For a distributed environment, install the TA to a heavy forwarder, to an indexer/indexer cluster, or to a search head/search head cluster. Install the app to the search head/search head cluster.

Custom Roles

  • illumio_quarantine_workload - this custom role must be assigned for a user to trigger the illumio_quarantine action. More details about this action can be found in the TA-Illumio documentation

Alerts

The Illumio App for Splunk has two scheduled alert saved searches configured but disabled by default. The Illumio_Check_PCE_Collector_Data and Illumio_VEN_Inactivity_Timer_Alert alerts can be configured and updated as needed:

  1. Navigate to Settings -> Searches, reports, and alerts
  2. Select Illumio App for Splunk from the App dropdown menu
  3. Select All or Nobody from the Owner dropdown menu
  4. In the Edit dropdown under Actions for the desired alert search, click Edit Schedule
  5. Toggle the Schedule Report flag on, and set the schedule and dispatch time range for the alert
  6. Set one or more actions to occur when the alert is triggered, such as sending an email or Slack message
  7. Click Save

Alert Examples

The following searches show how Illumio event data can be used to configure custom alerts for common issues. See the Illumio documentation on event monitoring best practices for suggestions of events and PCE behaviour to monitor.

Workloads affected by policy change - monitor security policy changes for high numbers of workloads affected by a single change:

`illumio_get_index` sourcetype="illumio:pce" event_type="sec_policy.create" resource_changes{}.changes.workloads_affected.after > 50

The threshold of 50 in the search above can be adjusted based on the number of workloads and overall policy churn in the PCE.

Workload modified with specific label - monitor workload change operations for specific labels:

`illumio_get_index` sourcetype="illumio:pce" event_type="workload.*" (resource_changes{}.changes.labels.created{}.value="Quarantine" OR resource_changes{}.changes.labels.deleted{}.value="Quarantine")

One or more label values that represent high-value applications or zones, such as a Production environment or a customer database, can be monitored to send an alert whenever a workload with those labels is modified.

System warnings and errors - monitor system health events for warning or higher severity messages:

`illumio_get_index` sourcetype="illumio:pce:health" (sev="warn*" OR sev="err*" OR sev="fatal")

Set a relatively high threshold and send an alert if the number of system warnings and errors spikes on the PCE.
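The searches in this section can also be deployed as scheduled alerts from configuration rather than through the Alerts steps above, which is convenient when the same alerts are pushed to several search heads. The following savedsearches.conf fragment is an added example and is not part of the app or its README: it wraps the policy-change search and the system-health search from this section in two alert stanzas. The stanza names, the 15-minute schedule, the recipient address, the severity values and the count threshold of 10 health events are assumptions chosen for illustration; the file path assumes the app directory is IllumioAppForSplunk, as named in the Splunk Architecture section.

```ini
# Added example (not from the app): $SPLUNK_HOME/etc/apps/IllumioAppForSplunk/local/savedsearches.conf
# Both stanzas are shipped disabled (disabled = 1); set to 0 after tuning thresholds and recipients.

# Alert when a single security policy change affects more than 50 workloads.
# The stanza name is assumed; the search is the one from the Alert Examples section.
[Illumio_Policy_Change_Workloads_Affected]
search = `illumio_get_index` sourcetype="illumio:pce" event_type="sec_policy.create" resource_changes{}.changes.workloads_affected.after > 50
enableSched = 1
cron_schedule = */15 * * * *
# The dispatch window matches the schedule so each run covers only new events.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Trigger on any matching event: the workload threshold is already inside the search.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com
action.email.subject = Illumio: policy change affected more than 50 workloads
disabled = 1

# Alert when PCE system warnings/errors spike. This search only filters by severity,
# so the "relatively high threshold" lives in the alert condition instead.
[Illumio_PCE_Health_Warning_Spike]
search = `illumio_get_index` sourcetype="illumio:pce:health" (sev="warn*" OR sev="err*" OR sev="fatal")
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Assumed baseline: more than 10 warning-or-higher events in 15 minutes is unusual for this PCE.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 10
alert.track = 1
alert.severity = 3
action.email = 1
action.email.to = soc@example.com
action.email.subject = Illumio: PCE system warnings/errors spiked
disabled = 1
```

The first stanza fires on a single event because the condition of interest is expressed in the search itself; the second leaves the search broad and applies the count threshold through alert_threshold, so the baseline can be tuned per PCE without editing the search. Either alert can then be enabled and adjusted under Settings -> Searches, reports, and alerts exactly like the two alerts the app ships with.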

Saved Searches

The Illumio App for Splunk provides the following saved searches:

| Search Name | Type | Schedule | Auto-summary Schedule | Auto-summary Range | Description | Enabled by Default |
| --- | --- | --- | --- | --- | --- | --- |
| Illumio_Auditable_Events | scheduled report | `*/15 * * * *` | `55 0 * * 0` | -1w -> now | used to summarize auditable events | yes |
| Illumio_PortScan_Traffic | scheduled report | `*/20 * * * *` | `55 1 * * 0` | -1w -> now | used to summarize possible instances of port scanning | yes |
| Illumio_PortScan | search | - | - | - | uses the illumio_port_scan_settings_lookup and the Illumio_PortScan_Traffic summary to identify instances of port scanning above the thresholds configured in Illumio modular inputs | yes |
| Illumio_Firewall_Tampering | scheduled report | `*/15 * * * *` | `55 2 * * 0` | -1w -> now | used to summarize firewall tampering events | yes |
| Illumio_Check_PCE_Collector_Data | scheduled alert | `*/5 * * * *` | - | - | raised if no events from the PCE have been indexed in the dispatch time range | no |
| Illumio_VEN_Inactivity_Timer_Alert | scheduled alert | `*/5 * * * *` | - | - | raised if one or more VEN suspend events are reported by the PCE in the dispatch time range | no |

Data Model

The Illumio App for Splunk provides an Illumio data model that can help to improve search performance at the cost of disk space by building a limited index of PCE syslog event fields.

The model provides the following objects:

| Name | Type | Parent | Base Search | Description |
| --- | --- | --- | --- | --- |
| Audit | root event node | - | `illumio_get_index` sourcetype="illumio:pce" | auditable syslog events |
| Traffic | root event node | - | `illumio_get_index` sourcetype="illumio:pce:collector" | traffic flow events |
| Status | root event node | - | `illumio_get_index` sourcetype="illumio:pce:health" | system health and status events |
| Status.Policy | child event node | Status | event_source="policy" | policy service events |
| Status.Collector | child event node | Status | event_source="collector" | collector service events |
| Status.FlowAnalytics | child event node | Status | event_source="flow_analytics" | flow_analytics service events |

Note: Per Splunk app guidelines, model acceleration is disabled by default

Using the Data Model

Illumio data model nodes can be referenced using the tstats command. For example, the following search uses the Traffic node to sum flow counts from a given PCE over time by source/destination IP:

| tstats sum(Traffic.count) AS flows FROM datamodel=Illumio.Traffic WHERE Traffic.pce_fqdn="my.pce.com" BY _time, Traffic.src_ip, Traffic.dest_ip

Data Model Acceleration

Note: Enabling or disabling acceleration for the Illumio data model requires the accelerate_datamodel capability

To enable acceleration:

  1. Navigate to Settings -> Data models
  2. Select Illumio App for Splunk from the App dropdown menu
  3. Click the Edit dropdown under Actions for the Illumio data model
  4. Click Edit Acceleration
  5. Check the Acceleration toggle in the dialog and adjust the Summary Range and advanced settings as needed. See the Splunk documentation on data model acceleration for a more detailed explanation of the individual parameters for configuring acceleration
  6. Click Save. It may take quite a bit of time to build the summary for the accelerated model - the progress can be seen under the ACCELERATION section after clicking the caret to the left of the model name

Note: If using a distributed search head cluster, see the Splunk documentation on sharing data model acceleration summaries to avoid rebuilding the summary on each search head in the cluster
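The acceleration settings chosen in the steps above are stored in datamodels.conf, so the same change can be made in configuration when it must be pushed to every member of a search head cluster instead of being clicked on each one. The following stanza is an added example and is not part of the app: it enables acceleration for the Illumio data model. The one-week summary range, the five-minute build schedule and the build time cap are assumed values to be adjusted to the deployment; the file path assumes the app directory is IllumioAppForSplunk, as named in the Splunk Architecture section.

```ini
# Added example (not from the app): $SPLUNK_HOME/etc/apps/IllumioAppForSplunk/local/datamodels.conf
# The stanza name is the data model name used in tstats searches (datamodel=Illumio.<node>).
[Illumio]
# 1 = accelerated, 0 = not accelerated. The app ships with acceleration off per Splunk app guidelines.
acceleration = 1
# Summary Range: how far back the summary is built and retained. Assumed one week.
acceleration.earliest_time = -1w
# How often the summary is updated with newly indexed events. Assumed every five minutes.
acceleration.cron_schedule = */5 * * * *
# Cap each summary build run (seconds) so a large backfill cannot monopolize the search head. Assumed.
acceleration.max_time = 3600
```

The same accelerate_datamodel capability is needed whether the change is made here or in the UI, and the build progress and the Rebuild action are still found under the ACCELERATION section of the model as described above.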

Rebuilding the Data Model

To rebuild the summary for the data model:

  1. Navigate to Settings -> Data models
  2. Select Illumio App for Splunk from the App dropdown menu
  3. Click the caret to the left of the Illumio data model name
  4. Click Rebuild under the ACCELERATION section

Release Notes

Version 4.0.1

  • Removed illumio_quarantine role definition - it has been moved to TA-Illumio in v4.0.1
  • Fixed overly-broad bucketing for some visualizations using accelerated tstats searches
  • Removed Managed Workloads by Enforcement Mode panel from the Workload Operations dashboard as it duplicated the Policy Enforcement Mode panel on the Workload Investigation dashboard
  • Updated the Flows by Policy Decision panel on the Traffic Explorer dashboard to show both port and protocol. Drilldown now sets both filters on click

Version 4.0.0

New Features

  • Added support for label types beyond the default RAEL dimensions
  • The app now seamlessly supports inputs for multiple PCEs as well as multiple organizations within the same PCE cluster
  • A custom script, resubmit_click_handler.js, has been added. It is used on the Change Monitoring and Traffic Explorer dashboards to automatically update searches when a token-set drilldown is clicked

Improvements

Data model and Searches

  • The Illumio datamodel has been updated and no longer uses the Illumio.Illumio root node. It is replaced by three root event nodes for the illumio:pce, illumio:pce:collector, and illumio:pce:health sourcetypes. See the Data Model section above for further details
  • The Illumio_PortScan saved search has been split into a summary search (Illumio_PortScan_Traffic) and a filtering search (Illumio_PortScan). It now requires pce_fqdn and org_id values to be passed as parameters: | savedsearch Illumio_PortScan pce_fqdn="my.pce.com" org_id=1

Dashboards

  • Search performance on dashboards has been significantly improved
  • Dashboard searches have been overhauled to use KV Store lookups for PCE metadata objects where appropriate
  • Role/App/Environment/Location label filters have been removed from dashboards and replaced with a single multivalue filter for all label dimensions
  • Dashboards other than PCE Operations now provide an Org ID filter
  • Change Monitoring
    • Removed Daily Changes/Creates/Updates/Deletes panels in favour of single Total Changes chart
    • Simplified searches and drilldowns
    • Added a Latest Policy Changes view showing changes in the most recent security policy create events
  • Traffic Explorer
    • Changed to a single base tstats search to improve performance
    • Added filters for both source and destination labels and hostname/IP
  • PCE Operations
    • Removed custom javascript and changed to trellis searches for viewing cluster host status
    • Added warning/critical thresholds to PCE status charts
  • Security Operations
    • Simplified dashboard
  • Workload Operations / Workload Investigation
    • Dashboards use the illumio_workloads_lookup to improve performance and simplify searches

QoL

  • illumio.xml has been renamed to security_operations.xml to better reflect the dashboard it represents
  • The incorrect spelling Firewall Tempering has been corrected to Tampering in all locations
  • All dashboards now use a Submit button instead of submit-on-change

Removed Features

  • All custom JavaScript from previous versions of the app has been removed
  • All KVStore collections in the app have been removed. Mapping lookups are superseded by their new counterparts in the Illumio TA, and the static CSV lookups have been changed to fixed values in the relevant dashboards
  • The Alert Configurations page has been removed - these custom alerts had limited usefulness; similar searches to create custom alerts can be found in the alerts section above
  • The Alerts link has been removed - this was an unnecessary redirect to the alert settings page
  • The following macros have been removed:
    • illumio_get_time(1) - the searches on the Security Operations dashboard using this macro have been changed
    • illumio_portscan_index - port scan data is no longer summarized to this index
    • illumio_system_health, illumio_rule_update, illumio_policy_provisioning, illumio_workload_labeling - these were set using the now-removed Alert Configurations page
  • All outputlookup saved searches have been removed: Illumio_Workload_Mapping, Illumio_IP_Lists_Mapping, Illumio_Services_Mapping, Illumio_PortScan_Details, Illumio_Host_Details, Illumio_Host_Details_S3, and Illumio_hostname_ip_mapping are superseded by the updated PCE metadata KVStore collections in the Illumio TA
  • The Supercluster leader_fqdn token has been removed from all dashboards and searches

Version 3.2.1

  • Added support for SaaS PCE.

Version 3.2.0

  • Added the following dashboards:
    1) PCE Authentication Events
    2) Traffic Explorer
    3) Change Monitoring
  • Added the following panels to the PCE Operations (On-Prem Only) dashboard:
    1) Data Ingestion Volume In The Last Day
    2) Data Ingestion Volume In The Last 30 Days
  • Updated the following panels in the Workload Investigations dashboard:
    • Removed Traffic Events panel.
    • Added Active VEN, Suspended VEN, Stopped VEN, Policy Enforcement State and Policy Synchronization Status panels.
    • Added Status, Severity and Notification Type filter to the Audit Events panel.
  • Added "Unknown" option on "Security Operations" dashboard's "Traffic" filter.
  • Fixed disk latency issue in "PCE Operations (On-Prem Only)" dashboard's "Cluster Cores" Panel.
  • Bundled the jQuery3 in the app package.
  • Added "Supercluster Leader" filter to all dashboards.
  • Added "illumio_portscan_index" macro to summarize port scan data to custom index.
  • Modified "Illumio_Workload_Mapping" savedsearch so that it clears records older than 30 days in "illumio_workload_mapping_lookup" lookup.

Version 3.1.0

  • Added the following panels to the PCE Operations dashboard:
    1) VEN Heartbeat Latency
    2) VEN Policy Latency
    3) Collector Flow Rate
    4) Traffic Ingest Rate
    5) Policy Database Summary
    6) Disk Latency in Cluster Cores Section
  • Used a base search for panels in the PCE Operations dashboard to improve search performance.

Version 3.0.0

  • Splunk 8 Support.
  • Made App Python23 compatible.
  • Changed all queries to datamodel for sourcetype "illumio:pce".
  • Added label filters on Workload Investigation.
  • Added Allowed option on Security Operations.

EULA

See the EULA document on the Illumio Integrations docs site.

Support

License

Copyright 2023 Illumio, Inc. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

Release Notes

Version 4.0.1
Dec. 1, 2023

v4.0.1

  • Removed illumio_quarantine role definition - it has been moved to TA-Illumio v4.0.1
  • Fixed overly-broad bucketing for some visualizations using accelerated tstats searches
  • Removed Managed Workloads by Enforcement Mode panel from the Workload Operations dashboard as it duplicated the Policy Enforcement Mode panel on the Workload Investigation dashboard
  • Updated the Flows by Policy Decision panel on the Traffic Explorer dashboard to show both port and protocol. Drilldown now sets both filters on click

v4.0.0

  • Added support for label types beyond the default RAEL dimensions
  • The app now seamlessly supports inputs for multiple PCEs as well as multiple organizations within the same PCE cluster
  • A custom script, resubmit_click_handler.js, has been added. It is used on the Change Monitoring and Traffic Explorer dashboards to automatically update searches when a token-set drilldown is clicked

For additional information on Improvements and Changes, refer to the README

Version 3.2.1
May 4, 2022

  • Improved support for SaaS PCE.
  • Fixed assorted dashboards reporting "0" traffic for SaaS PCE

Version 3.2.0
Nov. 11, 2021

  • New dashboard: Traffic Explorer
  • New dashboard: Change Monitoring
  • Supercluster support
  • Presentation bug fixes: disk latency, event type, user/username, pce_fqdn

Version 3.1.0
July 18, 2020

Illumio App For Splunk v3.1.0
Added health metrics panels in PCE Operations dashboard
- VEN Heartbeat Latency
- VEN Policy Latency
- Collector Flow Rate
- Traffic Ingest Rate
- Policy Database Summary
- Disk Latency in Cluster Cores Section
Used Basesearch for panels in PCE operations dashboard to improve search performance

Version 3.0.0
Jan. 25, 2020

Splunk 8 Support
Made App Python23 compatible
Changed all queries to the data model for sourcetype illumio:pce
Added label filters on Workload Investigation
Added Allowed option on Security Operations

Version 2.3.0
Nov. 26, 2019

Added Alert Configuration screen to create/update alert filters
Added Alerts page to setup the configured alerts filters
Workload Investigation: Added drill down from panel Audit Events
Added support of S3 collected data

Version 2.2.1
Sept. 6, 2019

Fixed the bug with Quarantine workload from the drill-down of Firewall Tampering panel
Panels using Syslog data will now use pce_fqdn field instead of fqdn field
Auditable event count uses both system events and audit events
In the Workload Operations dashboard, modified default time range from 60 minutes to 72 hours
Added 'PCE' column in the drill-down of Firewall Tampering panel
Removed "Illumio_Host_PublicIP_Mapping" and "Illumio_PublicIP_Host_Mapping" saved searches as we are not using host field anymore inside "illumio_host_details_lookup"

Version 2.2.0
July 26, 2019

Created new dashboard "Workload Investigation"
Created new panels "VEN Count", "VEN Event Count By Status", "Agent Event Count By EventType" and "Workload Event Count By EventType" in "Workload Operations" dashboard
Modified panels "Managed VEN by Version", "Managed VEN by Mode" and "Managed VEN by Operating System" in "Workload Operations" dashboard
Updated the logic of "Port Scan" panel and its drill-down
Fixed issue with quarantining destination workload in port scan panel
Removed "dnslookup" custom command
Documented steps of configuration for SUF

Version 2.1.0
June 7, 2019

Certified Addon/App with Illumio v18.3.1 and v19.1
Added support of JSON data format for Illumio Cloud data
Added test script to check the connection with Illumio server
Updated the search time of single value panels to last 60 minutes with a trend line of 24 hours in Security Operations dashboard
Minor Bug Fixes in the panels "Top Workloads with" and "Managed VEN by Operating System"
Fixed the bug related to label filter not considering label type while searching for traffic data in Security Operations dashboard

Version 2.0.1
April 17, 2019

Removed VEN Changes by Type panel from Workload Operations

Version 2.0.0
Sept. 19, 2018

Support for PCE 18.1 and PCE 18.2.

Version 1.1.2
Dec. 2, 2017

Create an alert that gets triggered if there is no data for more than 5 minutes
New Dashboard - Workload Operations
New Dashboard - PCE Operations
Enhancement in the existing Security Operations Dashboard.
App Cert Compliance Changes
App Branding related changes
Support for PCE V17.2
Minor Bug Fixes

Version 1.0.1
Aug. 22, 2017

Version 1.0.0
July 27, 2017

The Illumio App for Splunk integrates with the Illumio Policy Compute Engine (PCE) to provide security and operational insights into your Illumio secured data center. A dashboard view displays an overview of the security posture of the data center.

Before installing this app, please install the Illumio Technology Add-On (TA) for Splunk available at https://splunkbase.splunk.com . The TA provides data inputs configuration and CIM mapping support.

