The Security Information and Event Management API

The Security Information and Event Management API allows you to capture security events generated on the Akamai platform in your SIEM application.

Who Should Use This API

Use this API to analyze security events generated on the Akamai platform and correlate them with security events generated from other sources in your SIEM solution. Capture security event data incrementally as it occurs or replay missed security events from the past 12 hours. You can use results to analyze rules, then go back and change them in your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly.

Getting Started

Before using this API for the first time, read Get Started to become familiar with OPEN API concepts.

The connector you build should access the SIEM API using the authentication scheme of the OPEN protocol. Make sure the connector you build is configurable and able to authenticate itself to the OPEN API as described in the following documents:

More specifically, the connector configuration needs to support the following user-provided values:

  • Hostname (for API endpoint)
  • Client Token
  • Client Secret
  • Access Token

See this Java library that supports authentication of the OPEN clients. Find more code samples that demonstrate the proper way to perform the authentication on the Open Source API Clients page.

Review Authorize your Client to understand how a user creates OPEN API access credentials and authorizations. For the SIEM API, the user needs only the Manage SIEM role. Follow instructions in the SIEM Integration Guide to understand how to create a user with the Manage SIEM role.

The SIEM API requires a unique security configuration ID (configId) for each security configuration for which you want to fetch security event data. You’ll find these values in each security configuration’s SIEM Integration section.

In order for the SIEM API to return security events, you need to first turn on SIEM Integration and enable data collection. Follow the instructions in the SIEM Integration Guide to understand how to turn on SIEM Integration.

To get some sample connector code and debugging help, download the SIEM Test Client from the SIEM Integration Page. You can use this test client on the server where your third-party SIEM tool runs to confirm that you can fetch events using the SIEM API. See the test client’s README file for details.

NOTE: Eventually, the SIEM API may apply simple rate limiting that caps the number of client requests. Requests in excess of that rate would result in a 429 error response. The API does not produce an X-RateLimit-Reset HTTP header, so it is solely up to the API client to throttle its request rate.
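The note above leaves throttling entirely to the client, and the Who Should Use This API section limits replay to the past 12 hours. The following added example (not Akamai's test client or any Akamai library) shows how a connector can enforce both: a minimum interval between requests, exponential backoff on a 429 response because no X-RateLimit-Reset header is available, and a check that a replay window stays inside 12 hours. The transport is injected as a `send(url)` callable so the logic runs offline; the interval, retry count and backoff cap are assumed values, and the query parameters for the time window are not on this page, so the example only validates the window rather than building the URL.

```python
import time

REPLAY_WINDOW_SEC = 12 * 60 * 60  # page: missed events can be replayed from the past 12 hours
MIN_INTERVAL_SEC = 1.0            # assumed floor between requests; tune to your event volume
MAX_RETRIES = 5                   # assumed
MAX_BACKOFF_SEC = 60.0            # assumed cap on a single backoff sleep


class ReplayWindowError(ValueError):
    """Raised when a requested replay window cannot be served by the API."""


def replay_window(from_ts: int, to_ts: int, now: int):
    """Validate a replay window (epoch seconds) against the 12-hour replay limit.

    Returns (from_ts, to_ts) unchanged when the window is acceptable.
    """
    if from_ts >= to_ts:
        raise ReplayWindowError("from must be earlier than to")
    if to_ts > now:
        raise ReplayWindowError("to must not be in the future")
    if now - from_ts > REPLAY_WINDOW_SEC:
        raise ReplayWindowError("events older than 12 hours cannot be replayed")
    return int(from_ts), int(to_ts)


class ThrottledFetcher:
    """Issue requests no faster than min_interval and back off on 429.

    send(url) must return (status_code, body). clock and sleep are injectable so
    the behaviour can be tested without real time passing.
    """

    def __init__(self, send, min_interval=MIN_INTERVAL_SEC, max_retries=MAX_RETRIES,
                 clock=time.monotonic, sleep=time.sleep):
        self.send = send
        self.min_interval = min_interval
        self.max_retries = max_retries
        self.clock = clock
        self.sleep = sleep
        self._last_sent = None
        self.attempts = 0  # number of requests actually sent (useful for monitoring)

    def _wait_for_slot(self):
        # Client-side pacing: the API gives no reset header, so we never rely on one.
        if self._last_sent is not None:
            gap = self.min_interval - (self.clock() - self._last_sent)
            if gap > 0:
                self.sleep(gap)
        self._last_sent = self.clock()

    def fetch(self, url):
        for attempt in range(self.max_retries + 1):
            self._wait_for_slot()
            self.attempts += 1
            status, body = self.send(url)
            if status != 429:
                return status, body
            # Rate limited: exponential backoff, capped, then try again.
            self.sleep(min(MAX_BACKOFF_SEC, self.min_interval * (2 ** attempt)))
        raise RuntimeError(f"still rate limited after {self.max_retries} retries")
```

Because the fetcher counts the requests it sends, a connector can export that figure alongside the number of 429 responses; a rising ratio of 429s to requests is the signal to raise `min_interval` before the API starts rejecting most of the traffic.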

To access the SIEM API from behind a proxy server, ensure that your proxy:

  • whitelists the domains *

  • does not interfere with HTTP request headers for those domains. If, due to a strict enterprise security policy, your proxy does change these headers, make sure that at a minimum you allow and don’t change the Host and Authorization headers.
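The Getting Started section lists the four values the connector must hold (hostname, client token, client secret, access token), and the proxy note above says the Host and Authorization headers must reach the API unchanged. The added example below, which is not the Java library the page links to nor any Akamai code, implements the public EdgeGrid signing scheme (EG1-HMAC-SHA256) with the Python standard library so both points can be seen in one place: the signature is an HMAC over the method, scheme, host, path, content hash and the rest of the Authorization header, so a proxy that rewrites Host produces a request whose signature no longer verifies. The credential values and hostname are constructed placeholders, the `/siem/v1/configs/<configId>` path is assumed (the page only says a configId is required), and a production connector should use one of the maintained client libraries rather than this illustration.

```python
import base64
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass(frozen=True)
class OpenApiConfig:
    """The user-provided connector settings named on the page."""
    host: str           # API endpoint hostname
    client_token: str
    client_secret: str
    access_token: str


def edgegrid_timestamp(now=None) -> str:
    """EdgeGrid timestamp format: yyyyMMddTHH:mm:ss+0000 (always UTC)."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H:%M:%S+0000")


def _b64_hmac_sha256(key: bytes, data: bytes) -> str:
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()


def sign_request(cfg: OpenApiConfig, method: str, url: str, body: bytes = b"",
                 timestamp: str = None, nonce: str = None, host_override: str = None) -> str:
    """Return the Authorization header value for one request.

    host_override models a proxy that rewrites the Host header: the signing
    scheme takes the host from that header when present.
    """
    timestamp = timestamp or edgegrid_timestamp()
    nonce = nonce or str(uuid.uuid4())
    parsed = urlparse(url)
    host = host_override or parsed.netloc
    relative_url = parsed.path + ("?" + parsed.query if parsed.query else "")

    # Everything in the header except the signature is itself signed.
    auth_prefix = (
        "EG1-HMAC-SHA256 "
        f"client_token={cfg.client_token};"
        f"access_token={cfg.access_token};"
        f"timestamp={timestamp};"
        f"nonce={nonce};"
    )
    content_hash = ""
    if method.upper() == "POST" and body:
        content_hash = base64.b64encode(hashlib.sha256(body).digest()).decode()

    data_to_sign = "\t".join([
        method.upper(), parsed.scheme, host, relative_url,
        "",            # canonicalized headers-to-sign; none are needed for the SIEM API
        content_hash,
        auth_prefix,
    ])
    # The per-request signing key is derived from the client secret and the timestamp,
    # so the long-lived secret itself is never used directly over the request data.
    signing_key = _b64_hmac_sha256(cfg.client_secret.encode(), timestamp.encode())
    signature = _b64_hmac_sha256(signing_key.encode(), data_to_sign.encode())
    return auth_prefix + "signature=" + signature


def host_rewrite_breaks_signature(cfg: OpenApiConfig, url: str, rewritten_host: str,
                                  timestamp: str, nonce: str) -> bool:
    """True when a proxy rewriting Host would yield a signature the API cannot verify."""
    original = sign_request(cfg, "GET", url, timestamp=timestamp, nonce=nonce)
    rewritten = sign_request(cfg, "GET", url, timestamp=timestamp, nonce=nonce,
                             host_override=rewritten_host)
    return original != rewritten


if __name__ == "__main__":
    # Constructed placeholder credentials; replace with values from your SIEM Integration section.
    cfg = OpenApiConfig(host="akab-placeholder.luna.akamaiapis.net",
                        client_token="akab-client-token-placeholder",
                        client_secret="client-secret-placeholder",
                        access_token="akab-access-token-placeholder")
    url = f"https://{cfg.host}/siem/v1/configs/CONFIG_ID_PLACEHOLDER"
    print(sign_request(cfg, "GET", url))
```

The timestamp and nonce arguments exist so that a connector's own tests can reproduce a header byte for byte; in normal operation both are generated fresh per request, which is what keeps a captured Authorization header from being replayed later.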

Note that some security event response values require decoding. Find details in the Configuration Rule Data section.

Last modified: 1/25/2018