Illumio Plugin for Threat Exchange

This document explains how to install, configure, and use the Illumio plugin with the Threat Exchange module of the Netskope Cloud Exchange platform.

The Illumio plugin retrieves workloads within a configured policy scope and creates Netskope Threat IoCs for all interfaces on each workload. The IoCs can then be used for granular access control with workloads that are not managed by Illumio policy.

Prerequisites

To complete the plugin configuration, you’ll need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • An Illumio Policy Compute Engine (PCE) version 21.2 or higher.
  • Labeled PCE Workloads within the defined policy scope.
  • Network access from the Netskope CE server to the PCE over HTTP/S, optionally via a proxy.

Workflow

  1. Create an API key on the PCE.
  2. Configure the Illumio plugin.
  3. Validate the Illumio plugin.


Create an API Key on the PCE

  1. On the PCE, select My API Keys from the User dropdown in the top-right corner.
  2. Click Add at the top-left of the page and enter a name and optional description for the API key.
  3. Click Create and copy the API key Username and Secret as these will be used by the plugin to authenticate to the PCE API. Optionally, download the credentials and store them in a secure location.

Configure the Illumio Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Illumio plugin box to open the plugin configuration page.
  3. Enter the basic information for the plugin:
    • Configuration Name: Enter a valid name for the plugin (alphanumeric and spaces).
    • Sync Interval: Adjust the resync interval for the plugin.
    • Aging Criteria: Adjust the expiration time for the Threat IoCs created by the plugin.
    • Override Reputation: Optionally, set the reputation values for Threat IoCs created by the plugin.
    • Enable SSL verification: Toggle TLS certificate verification when connecting to the PCE.
    • Use System Proxy: Toggle the use of the HTTP/S proxy configured in Netskope when connecting to the PCE.
  4. Click Next.
  5. Enter the configuration parameters for the plugin:
    • PCE URL: Enter the PCE FQDN. You can optionally include the scheme.
    • PCE Port Number: Enter the port number the PCE cluster is listening on. Defaults to 443.
    • PCE Organization ID: Enter the Org ID shown when creating the API key.
    • API Authentication Username: Enter the API Username for the key created above.
    • API Secret: Enter the API Secret for the key created above.
    • Label Scope: Enter a comma-separated list of label keys and values separated with colons. For example: app:Quarantine, env:Quarantine, loc:Quarantine 
    • Enable Tagging: Toggle whether Netskope tags will be created for labels on Workloads within the defined scope.
  6. Click Next.
  7. Click Save in the top-right corner of the page. The configuration will be validated, and the plugin will test the connection to the PCE. The new plugin can now be viewed under Threat Exchange > Plugins.
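
A pre-flight check for the PCE URL, PCE Port Number and Label Scope values described above, as an added example that is not the plugin's own code. The function names, the HTTPS default when no scheme is given, and the one-value-per-key rule are assumptions of this example; pce.example.com is a placeholder host.

```python
from urllib.parse import urlsplit


def parse_label_scope(scope):
    """Parse 'key:value, key:value' into a dict; raise ValueError on bad input."""
    labels = {}
    for raw in scope.split(","):
        pair = raw.strip()
        if not pair:
            continue  # tolerate a trailing comma
        key, sep, value = pair.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"expected key:value, got {pair!r}")
        if key in labels:
            # Assumption of this example: one value per label key in a scope.
            raise ValueError(f"label key {key!r} appears more than once")
        labels[key] = value
    if not labels:
        raise ValueError("label scope is empty")
    return labels


def pce_base_url(pce_url, port=443):
    """Build scheme://host:port from the PCE URL and PCE Port Number fields."""
    text = pce_url.strip()
    if "://" not in text:
        text = "https://" + text  # assumption: HTTPS when no scheme is given
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the PCE URL")
    if parts.port is not None:
        raise ValueError("put the port in the PCE Port Number field")
    if not parts.hostname or parts.path not in ("", "/") or parts.query:
        raise ValueError("enter only the PCE FQDN, optionally with a scheme")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return f"{parts.scheme}://{parts.hostname}:{port}"


if __name__ == "__main__":
    # Constructed sample values; pce.example.com is a placeholder host.
    print(pce_base_url("pce.example.com"))
    print(parse_label_scope("app:Quarantine, env:Quarantine, loc:Quarantine"))
```

Running the values through a check like this before saving catches a scope entry without a colon or a URL that carries a path, port or credentials.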

Validate the Illumio Plugin

  1. Once the plugin runs, verify that Threat IoCs are being created for the Workloads within the defined scope.
  2. On the PCE, go to the Workloads page and narrow the filter to the Label Scope configured for the plugin.
  3. In Cloud Exchange, go to Threat Exchange > Threat IoCs and narrow the filter to just Illumio Workload entries. This can be done by searching for Illumio in the IoC Comments field, as shown below.
  4. The Workloads within the configured scope should have IoCs created for their hostnames and interface addresses.