@@ -0,0 +1,30 @@
[
{
"name": "illumioInsightsDCR",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "{{location}}",
"kind": null,
"properties": {
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "{{workspaceResourceId}}",
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-IlumioInsights"
],
"destinations": [
"clv2ws1"
]
}
],
"dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
}
}
]
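Review bot: The stream referenced in this rule's `dataFlows` (`Microsoft-IlumioInsights`) does not match the `dcrConfig.streamName` the poller writes to (`ILUMIO_INSIGHTS`, in the dataConnectors hunk below), and the rule declares no `streamDeclarations` or `outputStream`, so unless a stream of that name is defined elsewhere the polled records have no path into the `IlumioInsights` table the definition queries. The `Microsoft-` prefix is normally reserved for built-in streams; a custom stream is declared under `streamDeclarations` as `Custom-<STREAM_NAME_PLACEHOLDER>`, the flow is given an `outputStream` of `Custom-<TABLE_NAME_PLACEHOLDER>_CL`, and the poller's `streamName` is set to the same declared stream name. The connector description also promises a DCR-based transformation that parses the incoming data, yet no `transformKql` is present in the flow. The table name `IlumioInsights` (single l) is used consistently across the files, so if the spelling is unintended it has to be corrected everywhere at once.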
@@ -0,0 +1,119 @@
{
"name": "IllumioInsightsDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "{{location}}",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "IllumioInsightsDefinition",
"title": "Illumio Insights",
"descriptionMarkdown": "The Illumio Insights data connector allows ingesting logs from the Illumio API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the Illumio API to fetch logs and it supports DCR-based ingestion time transformations that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.",
"publisher": "Microsoft",
"graphQueries": [
{
"metricName": "Total incident logs received",
"legend": "Illumio Insights incident Logs",
"baseQuery": "IlumioInsights"
}
],
"sampleQueries": [
{
"description": "Get Sample of Illumio Insights logs",
"query": "IlumioInsights| take 10"
}
],
"dataTypes": [
{
"name": "IlumioInsights",
"lastDataReceivedQuery": "IlumioInsights\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors",
"value": null
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"tenant": null,
"licenses": null,
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### Configuration steps for the Illumio Insights API\n\n**Prerequisites**\n- Register and Login to Illumio Console with valid credentials\n- Client Credentials need to be stored in Microsoft Sentinel account for the tenant\n\n**Step 1: Register the Service Account**\n1. Go to **Illumio Console → Access → Service Accounts**\n2. Create a service account for the tenant\n3. Once you create a service account, you will receive the client credentials\n4. Copy the **Username** (API Key) and the **Secret**\n\n**Step 2: Add Client Credentials to Sentinel Account**\n- Add the API key and secret to Sentinel Account for tenant authentication\n- These credentials will be used to authenticate calls to the Illumio SaaS API\n\n**Step 3: API Usage**\nThe connector will use these credentials to call the Illumio SaaS API:\n- **Endpoint**: `GET https://insights.graph.illum.io/api/v1/resource-insights`\n- **Required Headers**:\n - `x-azure-tenant-id`: Your Azure tenant ID\n - `x-illumio-tenant-id`: Your Illumio tenant ID\n - `x-auth-key`: The API key obtained from step 1\n\n**Authentication Validation**\nIllumio validates the request against:\n- Signature against Entra ID's public keys\n- Audience (aud) matches your API's App ID URI\n- Issuer validation\n\nPlease fill in the required fields below with the credentials obtained from the Illumio Console:"
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID (Directory ID)",
"fillWith": [
"TenantId"
]
}
},
{
"parameters": {
"label": "Azure tenant Id ",
"placeholder": "{tenantId}",
"type": "text",
"name": "tenantId"
},
"type": "Textbox"
},
{
"parameters": {
"label": "Illumio Tenant Id",
"placeholder": "{illumioTenantId}",
"type": "text",
"name": "illumioTenantId"
},
"type": "Textbox"
},
{
"type": "Textbox",
"parameters": {
"label": "API Token",
"placeholder": "API Token",
"type": "password",
"name": "apiToken"
}
},
{
"parameters": {
"label": "toggle",
"name": "toggle"
},
"type": "ConnectionToggleButton"
}
],
"innerSteps": null
}
],
"isConnectivityCriteriasMatchSome": false
}
}
}
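Review bot: `requiredPermissions.delete` is `true` while `permissionsDisplayText` tells the user that only read and write are required; one of the two should change, and least privilege favours `"delete": false` unless the connector actually removes workspace resources. The Markdown instructions tell the user to copy a Username and a Secret and describe Entra ID signature, audience and issuer validation, yet the form collects a single `apiToken` that the poller sends as a static `x-auth-key` header, so the prerequisites and the "Authentication Validation" paragraph should be reworded to describe what the connector actually does, otherwise operators will look for a secret field that does not exist. The `TenantId` CopyableLabel and the `tenantId` Textbox ask for the same value; if the textbox is needed for the `{{tenantId}}` substitution, its label `"Azure tenant Id "` should at least lose the trailing space and match the casing of `"Illumio Tenant Id"`.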
@@ -0,0 +1,46 @@
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2021-10-01-preview",
"name": "IllumioInsights",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "IllumioInsightsDefinition",
"dataType": "IlumioInsights",
"auth": {
"type": "APIKey",
"ApiKey": "{{apiToken}}",
"ApiKeyName": "x-auth-key",
"ApiKeyIdentifier": ""
},
"request": {
"apiEndpoint": "https://insights.graph.illum.io/api/v1/resource-insights",
"queryWindowInMin": 15,
"queryTimeFormat": "UnixTimestampInMills",
"queryParameters": {
"after": "{_QueryWindowEndTime}"
},
"timeoutInSeconds": 60,
"rateLimitQPS": 10,
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba",
"x-azure-tenant-id": "{{tenantId}}",
"x-illumio-tenant-id": "{{illumioTenantId}}"
},
"httpMethod": "Get"
},
"response": {
"eventsJsonPaths": [
"$"
],
"ConvertChildPropertiesToArray": true,
"format": "json"
},
"dcrConfig": {
"streamName": "ILUMIO_INSIGHTS",
"dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
"dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
}
}
}
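Review bot: `queryParameters.after` is bound to `{_QueryWindowEndTime}`; if `after` is a lower bound on record time, each poll asks for records newer than the end of the window it is meant to cover and the 15-minute window itself is never fetched, so unless the endpoint's semantics differ it should read `"after": "{_QueryWindowStartTime}"`. The header `"User-Agent": "Scuba"` looks inherited from another connector; a value naming this solution makes the polling traffic attributable in Illumio-side access logs and easier to distinguish during incident triage. No paging configuration is present, so a window that returns more records than a single response holds would be truncated silently; confirm the endpoint's paging model or document why a single page is sufficient. The stream-name mismatch with the DCR is raised on the dataCollectionRules hunk above.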
@@ -0,0 +1,28 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-illumio-api",
"firstPublishDate": "2024-09-08",
"providers": [
"Illumio"
],
"categories": {
"domains": [
"Security"
],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"SolutionName": "Illumio Insights",
"SolutionAuthor": "Microsoft",
"SolutionVersion": "1.0.0",
"packageIcon": "illumio",
"SolutionTier": "Microsoft",
"PackageId": "illumioinsights-api",
"ConnectorDefinitionTemplateVersion": "1.0.0",
"DataConnectorsTemplateVersion": "1.0.0"
}
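Review bot: This metadata file and `Solutions/Illumio Insight/Data Connectors/SolutionMetadata.json` (the next hunk) disagree on `offerId` (`azure-sentinel-solution-illumio-api` vs `azure-sentinel-solution-illumioinsight`), `firstPublishDate` (`2024-09-08` vs `2025-08-10`) and `support.name`; the packaging tool will read only one of them, so the other drifts silently and should be removed or reconciled. This file also mixes `camelCase` keys (`publisherId`, `offerId`) with `PascalCase` keys (`SolutionName`, `PackageId`), and `SolutionVersion` `1.0.0` does not agree with `Version` `3.0.1` in `Solution_IllumioCore.json` or with the `3.0.0.zip` added under `Package/` in this PR.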
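--- a/Solutions/Illumio Insight/Data Connectors/SolutionMetadata.json
+++ b/Solutions/Illumio Insight/Data Connectors/SolutionMetadata.json
@@ -0,0 +1,15 @@
+{
+"publisherId": "azuresentinel",
+"offerId": "azure-sentinel-solution-illumioinsight",
+"firstPublishDate": "2025-08-10",
+"providers": ["Illumio"],
+"categories": {
+"domains" : ["Security - Threat Protection"]
+},
+"support": {
+"name": "Microsoft",
+"email": "support@microsoft.com",
+"tier": "Microsoft",
+"link": "https://support.microsoft.com"
+}
+}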
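Review bot: This `SolutionMetadata.json` sits under `Data Connectors/`, while `Solution_IllumioCore.json` references it as `"Metadata": "SolutionMetadata.json"`; if the packaging tool resolves that path relative to the solution root, as the other solutions in this repository are laid out, this copy is never read. Moving it to `Solutions/Illumio Insight/SolutionMetadata.json`, or dropping it in favour of the other metadata file in this PR, removes the ambiguity. The `domains` value here, `Security - Threat Protection`, also differs from the plain `Security` used in the other copy, and the two should agree before publishing.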
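--- a/Solutions/Illumio Insight/Data/Solution_IllumioCore.json
+++ b/Solutions/Illumio Insight/Data/Solution_IllumioCore.json
@@ -0,0 +1,14 @@
+{
+"Name": "Illumio Insight",
+"Author": "Microsoft",
+"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+"Description": "The Illumio Insights data connector allows ingesting logs from the Illumio API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the Illumio API to fetch logs and it supports DCR-based ingestion time transformations that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.",
+"Data Connectors": [
+"Solutions/Illumio Insight/Data Connectors/IllumioInsight_CCP/IllumioInsight_Definition.json"
+],
+"BasePath": "C:\\GitHub\\Azure-Sentinel",
+"Version": "3.0.1",
+"Metadata": "SolutionMetadata.json",
+"TemplateSpec": true,
+"Is1PConnector": false
+}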
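Review bot: The user-facing `Name` is `Illumio Insight` while the connector definition's `title` and the metadata's `SolutionName` say `Illumio Insights`; this string becomes the display name in Content Hub, so one spelling should be chosen and applied across the definition, metadata and `createUiDefinition.json` text. `Version` `3.0.1` does not agree with the `3.0.0.zip` added under `Package/` or with `SolutionVersion` `1.0.0` in the metadata hunk above; a first publication normally starts at `3.0.0` and the package artefact should be regenerated from whichever value is kept. The `Logo` points at the generic Microsoft Sentinel SVG rather than a provider logo, which is acceptable for a Microsoft-authored solution but worth confirming is intentional given `providers` names Illumio.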
Binary file added Solutions/Illumio Insight/Package/3.0.0.zip
Binary file not shown.
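--- a/Solutions/Illumio Insight/Package/createUiDefinition.json
+++ b/Solutions/Illumio Insight/Package/createUiDefinition.json
@@ -0,0 +1,85 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+"handler": "Microsoft.Azure.CreateUIDef",
+"version": "0.1.2-preview",
+"parameters": {
+"config": {
+"isWizard": false,
+"basics": {
+"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Insight/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Illumio Insights data connector allows ingesting logs from the Illumio API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the Illumio API to fetch logs and it supports DCR-based ingestion time transformations that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"subscription": {
+"resourceProviders": [
+"Microsoft.OperationsManagement/solutions",
+"Microsoft.OperationalInsights/workspaces/providers/alertRules",
+"Microsoft.Insights/workbooks",
+"Microsoft.Logic/workflows"
+]
+},
+"location": {
+"metadata": {
+"hidden": "Hiding location, we get it from the log analytics workspace"
+},
+"visible": false
+},
+"resourceGroup": {
+"allowExisting": true
+}
+}
+},
+"basics": [
+{
+"name": "getLAWorkspace",
+"type": "Microsoft.Solutions.ArmApiControl",
+"toolTip": "This filters by workspaces that exist in the Resource Group selected",
+"condition": "[greater(length(resourceGroup().name),0)]",
+"request": {
+"method": "GET",
+"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+}
+},
+{
+"name": "workspace",
+"type": "Microsoft.Common.DropDown",
+"label": "Workspace",
+"placeholder": "Select a workspace",
+"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+"constraints": {
+"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+"required": true
+},
+"visible": true
+}
+],
+"steps": [
+{
+"name": "dataconnectors",
+"label": "Data Connectors",
+"bladeTitle": "Data Connectors",
+"elements": [
+{
+"name": "dataconnectors1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This Solution installs the data connector for Illumio Insight. You can get Illumio Insight data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+}
+},
+{
+"name": "dataconnectors-link1",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more about connecting data sources",
+"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+}
+}
+}
+]
+}
+],
+"outputs": {
+"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+"location": "[location()]",
+"workspace": "[basics('workspace')]"
+}
+}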