Akamai

Collect logs from Akamai with Elastic Agent.

Version: 2.25.1
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Community

The Akamai integration collects events from the Akamai API, specifically reading from the Akamai SIEM API.

Logs

SIEM

The Security Information and Event Management API allows you to capture security events generated on the Akamai platform in your SIEM application.

Use this API to get security event data generated on the Akamai platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you're coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly.

See Akamai API get started to set up your Akamai account and get your credentials.

To collect data from a GCS bucket [Beta], follow these steps:

  • Configure the Data Forwarder to ingest data into a GCS bucket.
  • Configure the GCS bucket names and credentials, along with the other required settings, under the "Collect Akamai SIEM logs via Google Cloud Storage" section.
  • Make sure the service account and authentication method being used have the proper level of access to the GCS bucket (see Manage Service Account Keys).

Note:

  • The GCS input currently does not support fetching of buckets using bucket prefixes, so the bucket names have to be configured manually for each data stream.
  • The GCS input currently only accepts a service account JSON key or a service account JSON file for authentication.
  • The GCS input currently only supports JSON data.
  • This input is still in beta.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
akamai.siem.bot.response_segment | Numeric response segment indicator. Segments are used to group and categorize bot scores. | long
akamai.siem.bot.score | Score assigned to the request by Botman Manager. | long
akamai.siem.client_data.app_bundle_id | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. | keyword
akamai.siem.client_data.app_version | Version number of the app. | keyword
akamai.siem.client_data.sdk_version | SDK version. | keyword
akamai.siem.client_data.telemetry_type | Specifies the telemetry type in use. | long
akamai.siem.client_reputation | Client IP scores for Client Reputation. | keyword
akamai.siem.config_id | ID of the Security Configuration applied to the request. | keyword
akamai.siem.policy_id | ID of the Firewall policy applied to the request. | keyword
akamai.siem.request.headers | HTTP request headers. | flattened
akamai.siem.response.headers | HTTP response headers. | flattened
akamai.siem.rule_actions | Actions taken for this request. | keyword
akamai.siem.rule_tags | The set of categories for the triggered rule. | keyword
akamai.siem.rules | Rules triggered by this request. | nested
akamai.siem.rules.ruleActions | Actions of rules that triggered for this request. | keyword
akamai.siem.rules.ruleData | User data of rules that triggered for this request. | keyword
akamai.siem.rules.ruleMessages | Messages of rules that triggered for this request. | keyword
akamai.siem.rules.ruleSelectors | Selectors of rules that triggered for this request. | keyword
akamai.siem.rules.ruleTags | Tags of rules that triggered for this request. | keyword
akamai.siem.rules.ruleVersions | Versions of rules triggered for this request. | keyword
akamai.siem.rules.rules | Rules that triggered for this request. | keyword
akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword
akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long
akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long
akamai.siem.user_risk.general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | flattened
akamai.siem.user_risk.risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. | flattened
akamai.siem.user_risk.score | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). | long
akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long
akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user's country or area is trusted. | flattened
akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword
data_stream.dataset | Data stream dataset name. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
host.containerized | If the host is a container. | boolean
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
input.type | Type of Filebeat input. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long

An example event for siem looks as follows:

{
    "@timestamp": "2016-08-11T13:45:33.026Z",
    "agent": {
        "ephemeral_id": "9bba2ff8-f15b-4c09-8ac9-60ee0045a851",
        "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.8.0"
    },
    "akamai": {
        "siem": {
            "bot": {
                "response_segment": 3,
                "score": 100
            },
            "client_data": {
                "app_bundle_id": "com.mydomain.myapp",
                "app_version": "1.23",
                "sdk_version": "4.7.1",
                "telemetry_type": 2
            },
            "config_id": "6724",
            "policy_id": "scoe_5426",
            "request": {
                "headers": {
                    "Accept": "text/html,application/xhtml xml",
                    "User-Agent": "BOT/0.1 (BOT for JCE)"
                }
            },
            "response": {
                "headers": {
                    "Content-Type": "text/html",
                    "Mime-Version": "1.0",
                    "Server": "AkamaiGHost"
                }
            },
            "rule_actions": [
                "alert",
                "deny"
            ],
            "rule_tags": [
                "web_attack/xss",
                "automation/misc"
            ],
            "rules": [
                {
                    "ruleActions": "ALERT",
                    "ruleData": "alert(",
                    "ruleMessages": "Cross-site Scripting (XSS) Attack",
                    "ruleSelectors": "ARGS:a",
                    "ruleTags": "WEB_ATTACK/XSS",
                    "rules": "950004"
                },
                {
                    "ruleActions": "DENY",
                    "ruleData": "curl",
                    "ruleMessages": "Request Indicates an automated program explored the site",
                    "ruleSelectors": "REQUEST_HEADERS:User-Agent",
                    "ruleTags": "AUTOMATION/MISC",
                    "rules": "990011"
                }
            ],
            "user_risk": {
                "allow": 0,
                "general": {
                    "duc_1d": "30",
                    "duc_1h": "10"
                },
                "risk": {
                    "udfp": "1325gdg4g4343g/M",
                    "unp": "74256/H"
                },
                "score": 75,
                "status": 0,
                "trust": {
                    "ugp": "US"
                },
                "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5"
            }
        }
    },
    "client": {
        "address": "89.160.20.156",
        "as": {
            "number": 29518,
            "organization": {
                "name": "Bredband2 AB"
            }
        },
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.156"
    },
    "data_stream": {
        "dataset": "akamai.siem",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "cdda426a-7e47-48c4-b2f5-b9f1ad5bf08a",
        "snapshot": true,
        "version": "8.8.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "created": "2023-05-09T21:06:11.267Z",
        "dataset": "akamai.siem",
        "id": "2ab418ac8515f33",
        "ingested": "2023-05-09T21:06:12Z",
        "kind": "event",
        "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}",
        "start": "2016-08-11T13:45:33.026Z"
    },
    "http": {
        "request": {
            "id": "2ab418ac8515f33",
            "method": "POST"
        },
        "response": {
            "bytes": 34523,
            "status_code": 301
        },
        "version": "2"
    },
    "input": {
        "type": "httpjson"
    },
    "network": {
        "protocol": "http",
        "transport": "tcp"
    },
    "observer": {
        "type": "proxy",
        "vendor": "akamai"
    },
    "related": {
        "ip": [
            "89.160.20.156"
        ]
    },
    "source": {
        "address": "89.160.20.156",
        "as": {
            "number": 29518,
            "organization": {
                "name": "Bredband2 AB"
            }
        },
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.156"
    },
    "tags": [
        "akamai-siem",
        "forwarded",
        "preserve_original_event"
    ],
    "tls": {
        "version": "1.2",
        "version_protocol": "tls"
    },
    "url": {
        "domain": "www.example.com",
        "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd",
        "path": "/examples/1/",
        "port": 80,
        "query": "a=../../../etc/passwd"
    }
}
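The event.original value above shows how much decoding sits between the raw SIEM record and the mapped fields: every attackData column is a semicolon-separated list of base64 strings (ruleActions "QUxFUlQ;REVOWQ==" is "ALERT;DENY", and the two lists line up one-to-one into the rules objects), requestHeaders and responseHeaders are percent-encoded blobs with CRLF between header lines, and the userRiskData strings are pipe-separated key:value pairs. The following Python decoder is an added example, not the integration's own ingest pipeline; its sample record is constructed from the event.original shown above, and the output key names (rule_actions, request_headers, user_risk, ...) are this example's own choice, chosen to mirror the exported fields. It handles the oddities visible in the sample and in the changelog: base64 values with missing "=" padding or embedded whitespace, an all-empty column such as ruleVersions ";", header lines without a value, and empty userRiskData strings.

```python
import base64
import json
from urllib.parse import unquote

# Constructed sample: the attackData, httpMessage and userRiskData parts of the
# raw record shown in the example event above (its event.original value).
SAMPLE_RECORD = json.loads(r'''{
  "attackData": {
    "clientIP": "89.160.20.156", "configId": "6724", "policyId": "scoe_5426",
    "ruleActions": "QUxFUlQ;REVOWQ==",
    "ruleData": "YWxlcnQo;Y3VybA==",
    "ruleMessages": "Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=",
    "ruleSelectors": "QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=",
    "ruleTags": "V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND",
    "ruleVersions": ";",
    "rules": "OTUwMDA0;OTkwMDEx"
  },
  "httpMessage": {
    "requestHeaders": "User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml",
    "responseHeaders": "Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml",
    "status": "301"
  },
  "userRiskData": {
    "general": "duc_1h:10|duc_1d:30",
    "risk": "udfp:1325gdg4g4343g/M|unp:74256/H",
    "trust": "ugp:US"
  }
}''')

# The parallel attackData columns; element i of each describes rule i.
RULE_FIELDS = ("ruleActions", "ruleData", "ruleMessages",
               "ruleSelectors", "ruleTags", "ruleVersions", "rules")


def decode_b64_list(value: str) -> list:
    """Split a ';'-separated list of base64 items and decode each one.
    Whitespace inside an item is dropped and missing '=' padding restored,
    since the sample carries both; an empty item decodes to ''."""
    items = []
    for item in value.split(";"):
        compact = "".join(item.split())
        if not compact:
            items.append("")
            continue
        compact += "=" * (-len(compact) % 4)
        items.append(base64.b64decode(compact).decode("utf-8", errors="replace"))
    return items


def decode_headers(value: str) -> dict:
    """Percent-decode a CRLF-separated header blob into a name -> value dict.
    A line with no ':' or nothing after it is kept with an empty value."""
    headers = {}
    for line in unquote(value).split("\r\n"):
        if not line:
            continue
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers


def decode_kv_pairs(value: str) -> dict:
    """Parse 'k:v|k:v' into a dict; an empty string yields {}."""
    pairs = {}
    for item in value.split("|"):
        if not item:
            continue
        key, _, val = item.partition(":")
        pairs[key] = val
    return pairs


def decode_siem_record(record: dict) -> dict:
    """Turn one raw SIEM record into the decoded shape of the example event:
    attackData columns become per-rule objects, header blobs become dicts,
    and userRiskData strings become key/value dicts."""
    attack = record.get("attackData", {})
    columns = {}
    for name in RULE_FIELDS:
        raw = attack.get(name, "")
        columns[name] = decode_b64_list(raw) if raw else []
    count = max((len(col) for col in columns.values()), default=0)
    for name, col in columns.items():
        if not col:                      # absent column: pad to keep rows aligned
            columns[name] = [""] * count
        elif len(col) != count:          # parallel arrays must line up one-to-one
            raise ValueError(f"attackData.{name}: {len(col)} items, expected {count}")
    rules = []
    for i in range(count):
        # drop empty cells (e.g. ruleVersions ';'), as the example event does
        rules.append({n: columns[n][i] for n in RULE_FIELDS if columns[n][i]})
    http = record.get("httpMessage", {})
    risk = record.get("userRiskData", {})
    return {
        "rule_actions": [a.lower() for a in columns["ruleActions"] if a],
        "rule_tags": [t.lower() for t in columns["ruleTags"] if t],
        "rules": rules,
        "request_headers": decode_headers(http.get("requestHeaders", "")),
        "response_headers": decode_headers(http.get("responseHeaders", "")),
        "user_risk": {k: decode_kv_pairs(risk.get(k, ""))
                      for k in ("general", "risk", "trust")},
    }


if __name__ == "__main__":
    print(json.dumps(decode_siem_record(SAMPLE_RECORD), indent=2))
```

Run it directly to print the decoded record as JSON. Header values are decoded with unquote rather than unquote_plus, so a literal "+" (as in application/xhtml+xml) is kept as-is; a mismatch in the number of items across attackData columns raises ValueError rather than silently pairing the wrong action with the wrong rule.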

Changelog

Version | Details | Kibana version(s)
2.25.1 | Bug fix: Fix definition of subfields of nested objects | 8.13.0 or higher
2.25.0 | Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 or higher
2.24.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
2.23.2 | Bug fix: Handle HTTP headers without values. | 8.12.0 or higher
2.23.1 | Bug fix: Fix errors processing empty userRiskData.{risk,trust,general} values. | 8.12.0 or higher
2.23.0 | Enhancement: Set sensitive values as secret and add missing mappings. | 8.12.0 or higher
2.22.0 | Bug fix: Require 8.11.0 or greater because it contains necessary fixes to the Elastic Agent. | 8.11.0 or higher
2.21.1 | Enhancement: Changed owners | 8.7.1 or higher
2.21.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher
2.20.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher
2.19.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 8.7.1 or higher
2.18.0 | Enhancement: Set 'community' owner type. | 8.7.1 or higher
2.17.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher
2.16.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. | 8.7.1 or higher
2.15.0 | Enhancement: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher
2.14.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher
2.13.0 | Enhancement: Document duration units. | 8.7.1 or higher
2.12.0 | Enhancement: Add event limit parameter to REST endpoint stream. | 8.7.1 or higher
2.11.0 | Enhancement: Document valid duration units. | 8.7.1 or higher
2.10.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher
2.9.1 | Bug fix: Fix sign of initial interval for start time offset calculation. | 8.7.1 or higher
2.9.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher
2.8.2 | Enhancement: fixed a variable naming issue in manifest.yml files for the gcs stream. | 8.7.1 or higher
2.8.1 | Bug fix: fixed a variable naming issue in the gcs.yml.hbs file. | 8.7.1 or higher
2.8.0 | Enhancement: Add a new flag to enable request tracing | 8.7.1 or higher
2.7.0 | Enhancement: Update package-spec version to 2.7.0. | 8.4.0 or higher
2.6.2-beta | Bug fix: Added support for the 'to' query parameter in the initial time based requests. |
2.6.1-beta | Bug fix: Modify pagination to begin with a time based query and then switch to offset based. |
2.6.0 | Enhancement: Added optional toggle to enable debug trace logging. | 8.5.0 or higher
2.5.0 | Enhancement: Update package to ECS 8.7.0. | 8.3.0 or higher
2.4.1 | Enhancement: Added categories and/or subcategories. | 8.3.0 or higher
2.4.0 | Enhancement: Update package to ECS 8.6.0. | 8.3.0 or higher
2.3.0 | Enhancement: Added support for GCS input. | 8.3.0 or higher
2.2.0 | Enhancement: Update package to ECS 8.5.0. | 8.3.0 or higher
2.1.2 | Bug fix: Remove duplicate fields. | 8.3.0 or higher
2.1.1 | Enhancement: Use ECS geo.location definition. | 8.3.0 or higher
2.1.0 | Enhancement: Update package to ECS 8.4.0 | 8.3.0 or higher
2.0.1 | Bug fix: Fix proxy URL documentation rendering. | 8.3.0 or higher
2.0.0 | Enhancement: Add dashboard. | 8.3.0 or higher
1.1.1 | Enhancement: Update package name and description to align with standard wording | 7.16.0 or higher, 8.0.0 or higher
1.1.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher, 8.0.0 or higher
1.0.1 | Enhancement: improve the English in the readme file | 7.16.0 or higher, 8.0.0 or higher
1.0.0 | Enhancement: Make GA | 7.16.0 or higher, 8.0.0 or higher
0.2.0 | Enhancement: Update to ECS 8.2 |
0.1.3 | Bug fix: Fix typo in config template for ignoring host enrichment |
0.1.2 | Enhancement: Add documentation for multi-fields |
0.1.1 | Enhancement: Update to ECS 8.0 |
0.1.0 | Enhancement: initial release |
