Akamai Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 2.27.2 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Community |
</div>
The Akamai integration collects events from the Akamai API, specifically reading from the Akamai SIEM API.
The Security Information and Event Management API allows you to capture security events generated on the Akamai platform in your SIEM application.
Use this API to get security event data generated on the Akamai platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly.
See Akamai API get started to set up your Akamai account and get your credentials.
- Configure the Data Forwarder to ingest data into a GCS bucket.
- Configure the GCS bucket names and credentials along with the required configs under the "Collect Akamai SIEM logs via Google Cloud Storage" section.
- Make sure the service account and authentication being used have the proper level of access to the GCS bucket (see Manage Service Account Keys).
NOTE:
- The GCS input currently does not support fetching of buckets using bucket prefixes, so the bucket names have to be configured manually for each data stream.
- The GCS input currently only accepts a service account JSON key or a service account JSON file for authentication.
- The GCS input currently only supports JSON data.
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
akamai.siem.bot.response_segment | Numeric response segment indicator. Segments are used to group and categorize bot scores. | long |
akamai.siem.bot.score | Score assigned to the request by Botman Manager. | long |
akamai.siem.client_data.app_bundle_id | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. | keyword |
akamai.siem.client_data.app_version | Version number of the app. | keyword |
akamai.siem.client_data.sdk_version | SDK version. | keyword |
akamai.siem.client_data.telemetry_type | Specifies the telemetry type in use. | long |
akamai.siem.client_reputation | Client IP scores for Client Reputation. | keyword |
akamai.siem.config_id | ID of the Security Configuration applied to the request. | keyword |
akamai.siem.policy_id | ID of the Firewall policy applied to the request. | keyword |
akamai.siem.request.headers | HTTP request headers. | flattened |
akamai.siem.response.headers | HTTP response headers. | flattened |
akamai.siem.rule_actions | Actions taken for this request. | keyword |
akamai.siem.rule_tags | The set of categories for the triggered rule. | keyword |
akamai.siem.rules | Rules triggered by this request. | nested |
akamai.siem.rules.ruleActions | Actions of rules that triggered for this request. | keyword |
akamai.siem.rules.ruleData | User data of rules that triggered for this request. | keyword |
akamai.siem.rules.ruleMessages | Messages of rules that triggered for this request. | keyword |
akamai.siem.rules.ruleSelectors | Selectors of rules that triggered for this request. | keyword |
akamai.siem.rules.ruleTags | Tags of rules that triggered for this request. | keyword |
akamai.siem.rules.ruleVersions | Versions of rules triggered for this request. | keyword |
akamai.siem.rules.rules | Rules that triggered for this request. | keyword |
akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword |
akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long |
akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long |
akamai.siem.user_risk.general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | flattened |
akamai.siem.user_risk.risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user’s behavioral profile. | flattened |
akamai.siem.user_risk.score | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). | long |
akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long |
akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. | flattened |
akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword |
data_stream.dataset | Data stream dataset name. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Type of Filebeat input. | keyword |
log.flags | Flags for the log file. | keyword |
log.offset | Offset of the entry in the log file. | long |
**Example**
An example event for "siem" looks as follows:

```json
{
  "@timestamp": "2016-08-11T13:45:33.026Z",
  "agent": {
    "ephemeral_id": "9bba2ff8-f15b-4c09-8ac9-60ee0045a851",
    "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.8.0"
  },
  "akamai": {
    "siem": {
      "bot": {
        "response_segment": 3,
        "score": 100
      },
      "client_data": {
        "app_bundle_id": "com.mydomain.myapp",
        "app_version": "1.23",
        "sdk_version": "4.7.1",
        "telemetry_type": 2
      },
      "config_id": "6724",
      "policy_id": "scoe_5426",
      "request": {
        "headers": {
          "Accept": "text/html,application/xhtml xml",
          "User-Agent": "BOT/0.1 (BOT for JCE)"
        }
      },
      "response": {
        "headers": {
          "Content-Type": "text/html",
          "Mime-Version": "1.0",
          "Server": "AkamaiGHost"
        }
      },
      "rule_actions": [
        "alert",
        "deny"
      ],
      "rule_tags": [
        "web_attack/xss",
        "automation/misc"
      ],
      "rules": [
        {
          "ruleActions": "ALERT",
          "ruleData": "alert(",
          "ruleMessages": "Cross-site Scripting (XSS) Attack",
          "ruleSelectors": "ARGS:a",
          "ruleTags": "WEB_ATTACK/XSS",
          "rules": "950004"
        },
        {
          "ruleActions": "DENY",
          "ruleData": "curl",
          "ruleMessages": "Request Indicates an automated program explored the site",
          "ruleSelectors": "REQUEST_HEADERS:User-Agent",
          "ruleTags": "AUTOMATION/MISC",
          "rules": "990011"
        }
      ],
      "user_risk": {
        "allow": 0,
        "general": {
          "duc_1d": "30",
          "duc_1h": "10"
        },
        "risk": {
          "udfp": "1325gdg4g4343g/M",
          "unp": "74256/H"
        },
        "score": 75,
        "status": 0,
        "trust": {
          "ugp": "US"
        },
        "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5"
      }
    }
  },
  "client": {
    "address": "89.160.20.156",
    "as": {
      "number": 29518,
      "organization": {
        "name": "Bredband2 AB"
      }
    },
    "geo": {
      "city_name": "Linköping",
      "continent_name": "Europe",
      "country_iso_code": "SE",
      "country_name": "Sweden",
      "location": {
        "lat": 58.4167,
        "lon": 15.6167
      },
      "region_iso_code": "SE-E",
      "region_name": "Östergötland County"
    },
    "ip": "89.160.20.156"
  },
  "data_stream": {
    "dataset": "akamai.siem",
    "namespace": "ep",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
    "snapshot": true,
    "version": "8.8.0"
  },
  "event": {
    "agent_id_status": "verified",
    "category": [
      "network"
    ],
    "created": "2023-05-09T21:06:11.267Z",
    "dataset": "akamai.siem",
    "id": "2ab418ac8515f33",
    "ingested": "2023-05-09T21:06:12Z",
    "kind": "event",
    "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}",
    "start": "2016-08-11T13:45:33.026Z"
  },
  "http": {
    "request": {
      "id": "2ab418ac8515f33",
      "method": "POST"
    },
    "response": {
      "bytes": 34523,
      "status_code": 301
    },
    "version": "2"
  },
  "input": {
    "type": "httpjson"
  },
  "network": {
    "protocol": "http",
    "transport": "tcp"
  },
  "observer": {
    "type": "proxy",
    "vendor": "akamai"
  },
  "related": {
    "ip": [
      "89.160.20.156"
    ]
  },
  "source": {
    "address": "89.160.20.156",
    "as": {
      "number": 29518,
      "organization": {
        "name": "Bredband2 AB"
      }
    },
    "geo": {
      "city_name": "Linköping",
      "continent_name": "Europe",
      "country_iso_code": "SE",
      "country_name": "Sweden",
      "location": {
        "lat": 58.4167,
        "lon": 15.6167
      },
      "region_iso_code": "SE-E",
      "region_name": "Östergötland County"
    },
    "ip": "89.160.20.156"
  },
  "tags": [
    "akamai-siem",
    "forwarded",
    "preserve_original_event"
  ],
  "tls": {
    "version": "1.2",
    "version_protocol": "tls"
  },
  "url": {
    "domain": "www.example.com",
    "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd",
    "path": "/examples/1/",
    "port": 80,
    "query": "a=../../../etc/passwd"
  }
}
```
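As an added illustration (not the integration's own ingest pipeline), the Python below decodes the encodings visible in event.original above into the shape of the akamai.siem.rules, request header and user_risk fields: attackData lists are ";"-separated base64 items that may lack padding or contain whitespace, requestHeaders is a URL-encoded block delimited by %0d%0a, and userRiskData indicators are "key:value" pairs separated by "|". The sample record is constructed from the page's example event, with one extra valueless header added to exercise that edge case.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample trimmed from the event.original shown above. The whitespace inside the
# base64 values is copied from the page's sample; "X-Empty" is added to show a valueless header.
SAMPLE = {
    "attackData": {
        "ruleActions": "QUxFUlQ;REVOWQ==",
        "ruleData": "YWxlcnQo;Y3VybA==",
        "ruleMessages": "Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr;UmVxdWVzdCBJbmRpY2F0ZXMgYW4"
                        " gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=",
        "ruleSelectors": "QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=",
        "ruleTags": "V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND",
        "ruleVersions": ";",
        "rules": "OTUwMDA0;OTkwMDEx",
    },
    "httpMessage": {"requestHeaders": "User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0a"
                                      "Accept%3a%20text%2fhtml,application%2fxhtml+xml%0d%0aX-Empty%3a"},
    "userRiskData": {"general": "duc_1h:10|duc_1d:30", "risk": "udfp:1325gdg4g4343g/M|unp:74256/H"},
}
RULE_FIELDS = ("ruleActions", "ruleData", "ruleMessages", "ruleSelectors", "ruleTags", "ruleVersions", "rules")

def b64_field(value):
    """Decode a ';'-separated base64 list. Stray whitespace is stripped and missing padding
    (e.g. QUxFUlQ) is restored, since b64decode rejects unpadded input; empty items stay ''."""
    items = [re.sub(r"\s+", "", item) for item in value.split(";")]
    return [base64.b64decode(i + "=" * (-len(i) % 4)).decode("utf-8") if i else "" for i in items]

def decode_rules(attack):
    """Zip the parallel attackData lists into one dict per triggered rule (akamai.siem.rules)."""
    columns = {f: b64_field(attack[f]) for f in RULE_FIELDS if f in attack}  # absent fields skipped
    count = len(columns.get("rules", []))
    if any(len(v) != count for v in columns.values()):
        raise ValueError("attackData rule lists differ in length")
    return [{f: v[i] for f, v in columns.items() if v[i]} for i in range(count)]  # drop empty values

def decode_headers(encoded):
    """URL-decode the %0d%0a-separated header block; a header without a value maps to ''."""
    headers = {}
    for line in unquote(encoded).split("\r\n"):  # unquote() keeps '+' literal, unlike unquote_plus()
        if line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers

def parse_kv(value):
    """Parse 'key:val|key:val' userRiskData indicators; an empty string yields {}."""
    return dict(p.split(":", 1) for p in value.split("|") if ":" in p)

def decode_event(ev):
    return {"rules": decode_rules(ev.get("attackData", {})),
            "request_headers": decode_headers(ev.get("httpMessage", {}).get("requestHeaders", "")),
            "user_risk": {k: parse_kv(v) for k, v in ev.get("userRiskData", {}).items()}}
```

Note that the sample output above shows the Accept header with the "+" rendered as a space, so detection logic that matches on decoded header values should account for which decoding the pipeline applied.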
**Changelog**
Version | Details | Kibana version(s) |
---|---|---|
2.27.2 | Bug fix: Events with the same requestId are now properly indexed. Previously, multiple records with the same requestId could conflict (and be dropped) due to variations in other fields like httpMessage.bytes or httpMessage.responseHeaders. | 8.13.0 or higher |
2.27.1 | Bug fix: Fix pipeline error when converting an empty numerical field. | 8.13.0 or higher |
2.27.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
2.26.0 | Enhancement: Handle input leniently. Enhancement: Improve efficiency of script processing. Bug fix: Fix handling of missing fields. | 8.13.0 or higher |
2.25.4 | Bug fix: Remove experimental/beta status warnings. | 8.13.0 or higher |
2.25.3 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
2.25.2 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
2.25.1 | Bug fix: Fix definition of subfields of nested objects. | 8.13.0 or higher |
2.25.0 | Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 or higher |
2.24.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
2.23.2 | Bug fix: Handle HTTP headers without values. | 8.12.0 or higher |
2.23.1 | Bug fix: Fix errors processing empty userRiskData.{risk,trust,general} values. | 8.12.0 or higher |
2.23.0 | Enhancement: Set sensitive values as secret and add missing mappings. | 8.12.0 or higher |
2.22.0 | Bug fix: Require 8.11.0 or greater because it contains necessary fixes to the Elastic Agent. | 8.11.0 or higher |
2.21.1 | Enhancement: Changed owners. | 8.7.1 or higher |
2.21.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher |
2.20.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher |
2.19.0 | Enhancement: Improve event.original check to avoid errors if set. | 8.7.1 or higher |
2.18.0 | Enhancement: Set community owner type. | 8.7.1 or higher |
2.17.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher |
2.16.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. | 8.7.1 or higher |
2.15.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher |
2.14.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher |
2.13.0 | Enhancement: Document duration units. | 8.7.1 or higher |
2.12.0 | Enhancement: Add event limit parameter to REST endpoint stream. | 8.7.1 or higher |
2.11.0 | Enhancement: Document valid duration units. | 8.7.1 or higher |
2.10.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher |
2.9.1 | Bug fix: Fix sign of initial interval for start time offset calculation. | 8.7.1 or higher |
2.9.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher |
2.8.2 | Enhancement: Fixed a variable naming issue in manifest.yml files for the gcs stream. | 8.7.1 or higher |
2.8.1 | Bug fix: Fixed a variable naming issue in the gcs.yml.hbs file. | 8.7.1 or higher |
2.8.0 | Enhancement: Add a new flag to enable request tracing. | 8.7.1 or higher |
2.7.0 | Enhancement: Update package-spec version to 2.7.0. | 8.4.0 or higher |
2.6.2-beta | Bug fix: Added support for the "to" query parameter in the initial time based requests. | — |
2.6.1-beta | Bug fix: Modify pagination to begin with a time based query and then switch to offset based. | — |
2.6.0 | Enhancement: Added optional toggle to enable debug trace logging. | 8.5.0 or higher |
2.5.0 | Enhancement: Update package to ECS 8.7.0. | 8.3.0 or higher |
2.4.1 | Enhancement: Added categories and/or subcategories. | 8.3.0 or higher |
2.4.0 | Enhancement: Update package to ECS 8.6.0. | 8.3.0 or higher |
2.3.0 | Enhancement: Added support for GCS input. | 8.3.0 or higher |
2.2.0 | Enhancement: Update package to ECS 8.5.0. | 8.3.0 or higher |
2.1.2 | Bug fix: Remove duplicate fields. | 8.3.0 or higher |
2.1.1 | Enhancement: Use ECS geo.location definition. | 8.3.0 or higher |
2.1.0 | Enhancement: Update package to ECS 8.4.0. | 8.3.0 or higher |
2.0.1 | Bug fix: Fix proxy URL documentation rendering. | 8.3.0 or higher |
2.0.0 | Enhancement: Add dashboard. | 8.3.0 or higher |
1.1.1 | Enhancement: Update package name and description to align with standard wording. | 7.16.0 or higher; 8.0.0 or higher |
1.1.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher; 8.0.0 or higher |
1.0.1 | Enhancement: Improve the English in the readme file. | 7.16.0 or higher; 8.0.0 or higher |
1.0.0 | Enhancement: Make GA. | 7.16.0 or higher; 8.0.0 or higher |
0.2.0 | Enhancement: Update to ECS 8.2. | — |
0.1.3 | Bug fix: Fix typo in config template for ignoring host enrichment. | — |
0.1.2 | Enhancement: Add documentation for multi-fields. | — |
0.1.1 | Enhancement: Update to ECS 8.0. | — |
0.1.0 | Enhancement: Initial release. | — |