Insights

This topic provides an overview of the Insights page. For a list of functionality and features, see Insights Functionality and Features.

The Illumio Insights page provides a view into traffic patterns and into the network and security configuration of your environment. Traffic insights range from cross-connectivity traffic (between resources you own) to external connectivity traffic. Within each pattern you will see sub-patterns that security analysts can use to understand the activity in your network. Configuration insights, in turn, highlight cloud configurations in your environment that do not follow best practices. Together, this visibility informs the segmentation decisions that harden the environment toward zero trust.

A traffic insight offers several ways to consume the information it presents:

  • You can analyze traffic within different time frames.
  • You can view a single time frame (for example, last week or last month), or compare traffic activity between two time frames for any insight (for example, last week vs. the week prior).
  • When you compare two time frames, the results provide:
    • The percentage increase or decrease for each finding
    • Whether a finding is new, that is, whether the summarized flows/data transferred belong to a pattern that was not active in the previous time frame
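
The two-time-frame comparison described above, written out as an added example (this is illustrative code, not Illumio's implementation). It assumes per-pair flow summaries with `src`, `dst`, `flows` and `bytes` fields; the records are constructed, and the field names are this example's own. The edge case the list item points at is handled explicitly: a pair with no activity in the previous time frame has no meaningful percentage change, so it is flagged `new` and its percentage is `None` instead of dividing by zero.

```python
from collections import defaultdict

# Constructed sample data: one summary per (source, destination) pair and time
# frame. Field names are assumptions for this example, not an Insights format.
PREVIOUS = [
    {"src": "aws:acct-111", "dst": "azure:sub-aaa", "flows": 1200, "bytes": 8_000_000},
    {"src": "aws:acct-111", "dst": "aws:acct-222",  "flows": 300,  "bytes": 2_500_000},
    {"src": "aws:acct-222", "dst": "gcp:proj-zzz",  "flows": 50,   "bytes": 100_000},
]
CURRENT = [
    {"src": "aws:acct-111", "dst": "azure:sub-aaa", "flows": 1500, "bytes": 10_000_000},
    {"src": "aws:acct-111", "dst": "aws:acct-222",  "flows": 150,  "bytes": 1_250_000},
    {"src": "aws:acct-333", "dst": "azure:sub-bbb", "flows": 40,   "bytes": 512_000},
]


def aggregate(records):
    """Sum flows and bytes per (src, dst) pair."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in records:
        key = (r["src"], r["dst"])
        totals[key]["flows"] += r["flows"]
        totals[key]["bytes"] += r["bytes"]
    return totals


def pct_change(new, old):
    """Percentage change from old to new; None when there was no prior activity."""
    if old == 0:
        return None
    return round((new - old) / old * 100.0, 1)


def compare_timeframes(current, previous, limit=10_000):
    """Per-pair findings for the current frame, each with its change vs. the
    previous frame and a `new` flag when the pair was not active before.
    Sorted by bytes descending and capped, matching the page's caveats."""
    cur, prev = aggregate(current), aggregate(previous)
    findings = []
    for key, now in cur.items():
        before = prev.get(key, {"flows": 0, "bytes": 0})
        findings.append({
            "src": key[0], "dst": key[1],
            "flows": now["flows"], "bytes": now["bytes"],
            "flows_pct": pct_change(now["flows"], before["flows"]),
            "bytes_pct": pct_change(now["bytes"], before["bytes"]),
            "new": key not in prev,
        })
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings[:limit]


if __name__ == "__main__":
    for f in compare_timeframes(CURRENT, PREVIOUS):
        print(f)
```

Pairs that were active in the previous frame but are absent now do not appear at all; if you also want to see traffic that stopped (for example, to confirm a segmentation rule took effect), iterate `prev` for keys missing from `cur` in the same way.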

Insights also let you filter by:

  • Traffic type (allowed/denied)
  • Source and destination column values, to narrow the results to specific traffic patterns
  • Risky ports

Select an insight in the carousel by clicking its tile, for example Cross Talkers - Cross Cloud Traffic, which provides an overview of traffic between internal sources and destinations across different cloud service providers (CSPs). The results are organized in a table with the following columns:

  • Traffic Type
  • Source
  • Destination
  • Flows
  • Bytes

Insights Catalog

Illumio Insights provides three main categories of insights: cross talkers, external talkers, and cloud configurations.

A cross talker insight summarizes flows and data transfers between top-level aggregations of source and destination IPs that you own. The top-level aggregations are Cross Region, Cross Account, Cross Tenant, and Cross Cloud Traffic.

An external talker insight aggregates your own IPs at the same high levels (account, tenant, region) and shows the external IPs they communicate with, non-aggregated, by IP type: Malicious, Known, and Unknown external IP traffic flows. Illumio additionally aggregates external IPs at the geo (country) level and at the CSP level for easier consumption of external traffic patterns.

A cloud configuration insight highlights cloud configurations in your environment that do not adhere to best practices.
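
To make the catalog concrete, here is an added example (not Illumio's code) of the classification logic the cross talker and external talker categories imply: each flow is checked against the address space you own, an owned-to-owned flow is assigned to every cross-talker tile whose attribute differs between the two ends, and an owned-to-external flow is typed by threat intelligence and then aggregated at the account, tenant, region, geo and CSP levels. The prefix inventory, threat-intel sets and enrichment table are constructed stand-ins, and all field and tile names beyond those on this page are this example's assumptions.

```python
import ipaddress

# Constructed inventory of the address space the organization owns, tagged with
# the attributes the cross-talker tiles aggregate on. Field names are this
# example's assumptions, not an Insights data model.
OWNED_PREFIXES = [
    {"cidr": "10.1.0.0/16", "cloud": "aws",   "tenant": "o-aws1",  "account": "111111111111", "region": "us-east-1"},
    {"cidr": "10.2.0.0/16", "cloud": "aws",   "tenant": "o-aws1",  "account": "222222222222", "region": "us-east-1"},
    {"cidr": "10.3.0.0/16", "cloud": "aws",   "tenant": "o-aws1",  "account": "111111111111", "region": "eu-west-1"},
    {"cidr": "10.9.0.0/16", "cloud": "azure", "tenant": "contoso", "account": "sub-aaaa",     "region": "eastus"},
]
_NETWORKS = [(ipaddress.ip_network(p["cidr"]), p) for p in OWNED_PREFIXES]

# Constructed stand-ins for the third-party threat-intel and enrichment feeds.
MALICIOUS_IPS = {"203.0.113.7"}
KNOWN_IPS = {"198.51.100.10", "203.0.113.7"}  # deliberate overlap, see external_ip_type
ENRICHMENT = {                                 # geo = country code, csp = hosting provider
    "203.0.113.7":   {"geo": "RU", "csp": None},
    "198.51.100.10": {"geo": "US", "csp": "aws"},
    "192.0.2.44":    {"geo": "DE", "csp": "gcp"},
}
LEVELS = ("Account", "Tenant", "Region")


def lookup_owned(ip):
    """Metadata for an owned IP, or None when the address is external."""
    addr = ipaddress.ip_address(ip)
    for net, meta in _NETWORKS:
        if addr in net:
            return meta
    return None


def cross_talker_tiles(src, dst):
    """Every cross-talker tile a flow between two owned endpoints lands in."""
    checks = [("cloud", "Cross Cloud Traffic"), ("tenant", "Cross Tenant Traffic"),
              ("account", "Cross Account Traffic"), ("region", "Cross Region Traffic")]
    return [tile for field, tile in checks if src[field] != dst[field]]


def external_ip_type(ip):
    # Malicious must win: an IP on a known/allow list that later appears on a
    # threat feed is still malicious.
    if ip in MALICIOUS_IPS:
        return "Malicious"
    return "Known" if ip in KNOWN_IPS else "Unknown"


def external_talker_tiles(dst_ip):
    """External-talker tiles for an outbound flow from owned space to dst_ip."""
    ip_type = external_ip_type(dst_ip)
    tiles = [f"{lvl} to {ip_type} External IP Traffic" for lvl in LEVELS]
    info = ENRICHMENT.get(dst_ip, {})
    if info.get("geo"):
        tiles += [f"{lvl} to External Geo Traffic" for lvl in LEVELS]
    if info.get("csp"):
        tiles += [f"{lvl} to External Cloud Traffic" for lvl in LEVELS]
    return tiles


def classify_flow(src_ip, dst_ip):
    """Return (category, tiles) for one flow record."""
    src, dst = lookup_owned(src_ip), lookup_owned(dst_ip)
    if src and dst:
        tiles = cross_talker_tiles(src, dst)
        return ("cross_talker" if tiles else "intra", tiles)
    if src and not dst:
        return ("external_talker", external_talker_tiles(dst_ip))
    # Inbound from an external source, or neither side owned: the outbound-
    # oriented tiles above do not cover it, so surface it rather than drop it.
    return ("unclassified", [])


if __name__ == "__main__":
    for pair in [("10.1.0.5", "10.9.0.5"), ("10.1.0.5", "10.2.0.5"),
                 ("10.1.0.5", "203.0.113.7"), ("203.0.113.7", "10.1.0.5")]:
        print(pair, classify_flow(*pair))
```

Note that one flow can legitimately land in several cross-talker tiles at once (an AWS-to-Azure flow is also cross-tenant, cross-account and usually cross-region), so tile totals are not additive.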

Cross Talkers

The Insights page currently displays the following types of cross talker traffic:

Tile Name: Description

Cross Cloud Traffic: Provides an aggregated view of traffic activity across your organization's internal resources in different CSPs (e.g., traffic flows between AWS and Azure), offering critical insights and trends for cross-cloud segmentation decisions.

Cross Region Traffic: Provides an aggregated view of traffic activity between the organization's resources in different cloud regions (e.g., flows between us-east-1 and ap-southeast-1), offering critical insights and trends for cross-region segmentation decisions.

Cross Account Traffic: Provides an aggregated view of traffic activity between the organization's resources in different cloud accounts (e.g., traffic flows between various AWS accounts or Azure subscriptions), offering critical insights for cross-account segmentation decisions.

Cross Tenant Traffic: Provides an aggregated view of traffic activity between the organization's resources in different cloud tenants (e.g., traffic flows between various AWS Organizations and Azure tenants), offering critical insights and trends for cross-tenant segmentation decisions.

External Talkers

The Insights page currently displays the following types of external talker traffic:

Tile Name: Description

Account to Malicious External IP Traffic: Provides an aggregated view of traffic from cloud accounts to external IPs flagged as malicious, providing insights for blocking harmful communications.

Account to Unknown External IP Traffic: Provides an aggregated view of traffic from cloud accounts to external IPs flagged as unknown, providing insights to assess and mitigate potential risks.

Account to Known External IP Traffic: Provides an aggregated view of traffic from cloud accounts to external IP addresses flagged as known, non-malicious IPs. This insight provides an opportunity to review traffic trends and ensure secure communications.

Tenant to Malicious External IP Traffic: Provides an aggregated view of traffic from cloud tenants to external IPs flagged as malicious, providing insights for blocking harmful communications.

Tenant to Unknown External IP Traffic: Provides an aggregated view of traffic from cloud tenants to external IPs flagged as unknown, providing insights to assess and mitigate potential risks.

Tenant to Known External IP Traffic: Provides an aggregated view of traffic from cloud tenants to external IP addresses flagged as known, non-malicious IPs. This insight provides an opportunity to review traffic trends and ensure secure communications.

Region to Malicious External IP Traffic: Provides an aggregated view of traffic from cloud regions to external IPs flagged as malicious, providing insights for blocking harmful communications.

Region to Unknown External IP Traffic: Provides an aggregated view of traffic from cloud regions to external IPs flagged as unknown, providing insights to assess and mitigate potential risks.

Region to Known External IP Traffic: Provides an aggregated view of traffic from cloud regions to external IP addresses flagged as known, non-malicious IPs. This insight provides an opportunity to review traffic trends to known external IPs and ensure secure communications.

Azure Tenant to AWS IP Traffic: Provides an aggregated view of traffic flows from Azure tenants to AWS IP addresses, providing key insights for monitoring cross-cloud communications at different levels of aggregation for source and destination.

Account to External Cloud Traffic: Provides an aggregated view of traffic flows from cloud accounts to external IP addresses hosted by different cloud hosting providers, offering critical insights into the origin of the external IP.

Tenant to External Cloud Traffic: Provides an aggregated view of traffic flows from cloud tenants to external IP addresses hosted by different cloud hosting providers, offering critical insights into the origin of the external IP.

Region to External Cloud Traffic: Provides an aggregated view of traffic flows from cloud regions to external IP addresses hosted by different cloud hosting providers, offering critical insights into the origin of the external IP.

Account to External Geo Traffic: Provides an aggregated view of traffic flows from cloud accounts to external IP addresses aggregated at the country level, offering critical insights into traffic trends to external IPs in different geographies.

Tenant to External Geo Traffic: Provides an aggregated view of traffic flows from cloud tenants to external IP addresses aggregated at the country level, offering critical insights into traffic trends to external IPs in different geographies.

Region to External Geo Traffic: Provides an aggregated view of traffic flows from cloud regions to external IP addresses aggregated at the country level, offering critical insights into traffic trends to external IPs in different geographies.

Cloud Configurations

Tile Name: Description

Cross Talking Peering Connections: Provides a list of all the peering connections in AWS and Azure that allow cross-connectivity across cloud regions and accounts. It helps you understand which peering connections in the environment allow cross-region, cross-account, or cross-tenant traffic.

Internet Exposed EC2 Instances: Reports all EC2 instances in AWS with external connectivity through internet-facing load balancers, identifying potentially exposed resources and offering critical insights for securing these connections.

Traffic Blind Spots: Provides an overview of areas where you may not have network visibility. The report lists all VPCs and NSGs where flow logs are not enabled in the onboarded accounts (AWS) and/or subscriptions (Azure).

Unprotected Resources: Provides a list of resources that have no security controls attached to them. Specifically, resources in Azure that have no NSG attached at any level (NIC or subnet), and resources in AWS that are not deployed inside a VPC boundary.
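
The Traffic Blind Spots check above can be reproduced for your own AWS accounts against the output of `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`, run per account and region. The following is an added example (not Illumio's code) that does so offline on constructed copies of those two JSON documents; the VPC and flow log IDs are made up. It treats a VPC as dark when it has no ACTIVE VPC-level flow log, and as partially visible when its flow logs capture only ACCEPT or only REJECT traffic, which is a practical caveat: with an ACCEPT-only log, the denied side of the allowed/denied filter on the Insights page is empty for that VPC not because nothing was denied but because it was never logged.

```python
import json

# Constructed stand-ins for `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs`
# output in one account and region. IDs are made up for this example.
DESCRIBE_VPCS = json.loads("""
{"Vpcs": [
  {"VpcId": "vpc-0a1", "CidrBlock": "10.1.0.0/16"},
  {"VpcId": "vpc-0b2", "CidrBlock": "10.2.0.0/16"},
  {"VpcId": "vpc-0c3", "CidrBlock": "10.3.0.0/16"},
  {"VpcId": "vpc-0d4", "CidrBlock": "10.4.0.0/16"}
]}""")

DESCRIBE_FLOW_LOGS = json.loads("""
{"FlowLogs": [
  {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1",      "FlowLogStatus": "ACTIVE",   "TrafficType": "ALL"},
  {"FlowLogId": "fl-2", "ResourceId": "vpc-0b2",      "FlowLogStatus": "ACTIVE",   "TrafficType": "ACCEPT"},
  {"FlowLogId": "fl-3", "ResourceId": "vpc-0c3",      "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},
  {"FlowLogId": "fl-4", "ResourceId": "subnet-0d4a",  "FlowLogStatus": "ACTIVE",   "TrafficType": "ALL"}
]}""")


def flow_log_coverage(vpcs, flow_logs):
    """Map each VPC ID to the set of TrafficType values that have an ACTIVE
    VPC-level flow log. Subnet- and ENI-level flow logs are not counted as
    VPC coverage: they leave the rest of the VPC dark."""
    coverage = {v["VpcId"]: set() for v in vpcs["Vpcs"]}
    for fl in flow_logs["FlowLogs"]:
        rid = fl["ResourceId"]
        if rid in coverage and fl["FlowLogStatus"] == "ACTIVE":
            coverage[rid].add(fl["TrafficType"])
    return coverage


def blind_spots(vpcs, flow_logs):
    """Return (no_visibility, partial_visibility): sorted lists of VPC IDs with
    no active flow log, and with logs that miss either accepted or rejected
    traffic."""
    coverage = flow_log_coverage(vpcs, flow_logs)
    none, partial = [], []
    for vpc_id, types in sorted(coverage.items()):
        if not types:
            none.append(vpc_id)
        elif "ALL" not in types and not {"ACCEPT", "REJECT"} <= types:
            partial.append(vpc_id)
    return none, partial


if __name__ == "__main__":
    dark, partial = blind_spots(DESCRIBE_VPCS, DESCRIBE_FLOW_LOGS)
    print("no flow logs:", dark)
    print("partial (ACCEPT-only or REJECT-only):", partial)
```

In the constructed data, vpc-0c3 is dark because its only flow log is INACTIVE, vpc-0d4 is dark because its only log is attached to a subnet, and vpc-0b2 is partial because it logs accepted traffic only. The same shape of check applies to Azure, where the unit of visibility is the NSG rather than the VPC.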

Caveats

The following are things to keep in mind when using the Insights page:

  • The Insights page is updated over time, so check back as new tiles are added

  • Insights are provided in near-real-time, available up to the latest hour, and cover a maximum rolling window of 90 days

  • The user interface will show up to 10,000 findings per insight, sorted by bytes of transferred data in descending order

  • You must enable data flow collection to use the Insights feature

  • Illumio uses threat-intelligence data from third-party vendors to determine malicious and known IPs