Security Information and Event Management API Resources

This section provides details on the SIEM API’s single fetch operation, and the parameters you specify in the request URL to configure the report.

API Summary

Operation                Method   Endpoint
Security Events
Fetch Security Events    GET      /siem/v1/configs/{configId}{?offset,limit,from,to}

Fetch Security Events

Get security events data from your security configurations. Retrieve data in one of two modes: offset or time-based. Offset mode returns events progressively as they occur: each fetch continues from the offset token returned by the previous one. If the connection is disrupted, use time-based mode to go back and replay security events from within the last 12 hours. Use the offset and limit parameters in offset mode. Use the from, to and limit parameters in time-based mode. The potentially large response contains a series of JSON objects, one per line, each corresponding to a security event. (An expanded, formatted example of a single event appears below.) The last line of the response is a ResponseContext object that provides the total number of records fetched, an offset to use as the starting point for the next batch of data, and, if you set one, the limit, so you can tell whether the fetch operation reached the cap you set.

GET /siem/v1/configs/{configId}{?offset,limit,from,to}

Sample: /siem/v1/configs/12892%3B29182%3B82912?offset=c0bc409010aa6928e57cd5a3000433b9&limit=10&from=1488816442&to=1488816784

Parameter   Type      Sample                             Description
URL Parameters
configId    String    12892;29182;82912                  Unique identifier for each security configuration. To report on more than one configuration, separate the integer identifiers with semicolons.
Optional Query Parameters
from        Integer   1488816442                         The start of a specified time range, expressed in Unix epoch seconds. Required in time-based mode, where it sets the start of the period to replay; you can't use it in offset mode.
limit       Integer   10                                 The maximum number of security events each fetch returns, in both offset and time-based modes. The default limit is 150000.
offset      String    c0bc409010aa6928e57cd5a3000433b9   Token marking the last event returned by a previous fetch. If specified, this operation fetches only security events that have occurred since that offset. Required in offset mode; you can't use it in time-based requests.
to          Integer   1488816784                         The end of a specified time range, expressed in Unix epoch seconds. Optional in time-based mode; you can't use it in offset mode. If omitted, the value defaults to the current time.

Status 200 application/json

Response Body:

{
    "attackData": {
        "ruleData": "dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZXJ0IFJ1bGVzOiA5NTAwMDI6OTUwMDA2LCBEZW55IFJ1bGU6ICwgTGFzdCBNYXRjaGVkIE1lc3NhZ2U6IFN5c3RlbSBDb21tYW5kIEluamVjdGlvbg%3d%3d",
        "ruleSelectors": "QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b",
        "rules": "OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ",
        "ruleActions": "YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d",
        "ruleMessages": "U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3IgQ29tbWFuZCBJbmplY3Rpb24%3d",
        "ruleVersions": "NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d",
        "policyId": "qik1_26545",
        "configId": "14227",
        "clientIP": "52.91.36.10",
        "ruleTags": "T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1RJT04%3d%3bQUtBTUFJL1BPTElDWS9DTURfSU5KRUNUSU9OX0FOT01BTFk%3d"
    },
    "format": "json",
    "type": "akamai_siem",
    "version": "1.0",
    "httpMessage": {
        "status": "200",
        "protocol": "HTTP/1.1",
        "requestHeaders": "User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml,application%2fxml%3bq%3d0.9,*%2f*%3bq%3d0.8%0d%0auniqueID%3a%20CR_H8%0d%0aAccept-Language%3a%20en-US,en%3bq%3d0.5%0d%0aAccept-Encoding%3a%20gzip,%20deflate%0d%0aConnection%3a%20keep-alive%0d%0aHost%3a%20www.hmapi.com%0d%0aContent-Length%3a%200%0d%0a",
        "bytes": "266",
        "method": "GET",
        "start": "1491303422",
        "host": "www.hmapi.com",
        "requestId": "1158db1758e37bfe67b7c09",
        "path": "/",
        "query": "option=com_jce%20telnet.exe",
        "responseHeaders": "Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20266%0d%0aExpires%3a%20Tue,%2004%20Apr%202017%2010%3a57%3a02%20GMT%0d%0aDate%3a%20Tue,%2004%20Apr%202017%2010%3a57%3a02%20GMT%0d%0aConnection%3a%20close%0d%0aSet-Cookie%3a%20ak_bmsc%3dAFE4B6D8CEEDBD286FB10F37AC7B256617DB580D417F0000FE7BE3580429E23D%7epluPrgNmaBdJqOLZFwxqQLSkGGMy4zGMNXrpRIc1Md4qtsDfgjLCojg1hs2HC8JqaaB97QwQRR3YS1ulk+6e9Dbto0YASJAM909Ujbo6Qfyh1XpG0MniBzVbPMUV8oKhBLLPVSNCp0xXMnH8iXGZUHlUsHqWONt3+EGSbWUU320h4GKiGCJkig5r+hc6V1pi3tt7u3LglG3DloEilchdo8D7iu4lrvvAEzyYQI8Hao8M0%3d%3b%20expires%3dTue,%2004%20Apr%202017%2012%3a57%3a02%20GMT%3b%20max-age%3d7200%3b%20path%3d%2f%3b%20domain%3d.hmapi.com%3b%20HttpOnly%0d%0a",
        "port": "80"
    },
    "geo": {
        "regionCode": "VA",
        "country": "US",
        "continent": "288",
        "asn": "14618",
        "city": "ASHBURN"
    }
}

You should already have a set of one or more configId values for each configuration you want data from. See Getting Started for more information.

  1. If you want data for more than one configId value, join them with a semicolon character, like this: /siem/v1/configs/{config_id1};{config_id2}

  2. Specify how you want to fetch data in one of two ways:
    • If you have an offset value from running a previous report and want another progressive batch, specify it as a parameter. Otherwise specify NULL for an initial default set.
    • If you want data for a range of time rather than an offset-based query, specify from and to values as epoch seconds.
  3. Optionally set the limit parameter to cap the number of data records.

  4. Make a GET request to /siem/v1/configs/{configId}{?from,limit,offset,to}.

  5. The response body contains a series of JSON objects, one per line. Each line (except the last one) represents a security Event object containing information about attackData, httpMessage, and geolocation.

  6. If you want more information on the request that triggered a firewall policy rule and generated a security event, see the attackData, httpMessage, and geo sections in JSON objects representing each security event.

  7. If you want to receive the next report as a progressive batch from where the current fetch leaves off, store the offset value from the ResponseContext JSON object on the last line of the response body.
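The following is an added example, not code from the original page or from the API vendor, showing steps 5 to 7 applied to a response body: it splits the multi-JSON body into events and the trailing ResponseContext, decodes the attackData list fields, and returns the offset to store for the next fetch. Two things are assumptions rather than statements on the page: the key names total, offset and limit on the ResponseContext line (the page names the values but not the keys), and the encoding of the attackData list fields, which is inferred from the sample values above (each element base64, joined with semicolons, the whole string URL-encoded). The response body is constructed inline from the sample event above, so nothing is fetched over the network.

```python
import base64
import json
from urllib.parse import unquote

# Constructed two-line multi-JSON body: a trimmed copy of the event shown
# above, then a ResponseContext line. The keys "total", "offset" and "limit"
# on that last line are assumed; the page names the values, not the keys.
SAMPLE_RESPONSE = (
    '{"type": "akamai_siem", "version": "1.0", "format": "json", '
    '"attackData": {"configId": "14227", "policyId": "qik1_26545", '
    '"clientIP": "52.91.36.10", '
    '"rules": "OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ", '
    '"ruleActions": "YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d", '
    '"ruleSelectors": "QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b", '
    '"ruleMessages": "U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u'
    '%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3IgQ29tbWFuZCBJbmplY3Rpb24%3d"}, '
    '"httpMessage": {"method": "GET", "host": "www.hmapi.com", "path": "/", '
    '"query": "option=com_jce%20telnet.exe", "status": "200", '
    '"requestId": "1158db1758e37bfe67b7c09", "start": "1491303422"}}\n'
    '{"total": 1, "offset": "c0bc409010aa6928e57cd5a3000433b9", "limit": 10}\n'
)


def decode_list(field):
    """Decode one attackData list field into a Python list.

    Inferred from the sample values, not stated on the page: each element is
    base64, elements are joined with ';', and the joined string is
    URL-encoded ('=' becomes %3d, ';' becomes %3b). Empty elements are kept so
    that positions stay aligned across rules/ruleActions/ruleSelectors (the
    anomaly rule in the sample has an empty selector).
    """
    items = []
    for part in unquote(field).split(";"):
        padded = part + "=" * (-len(part) % 4)   # tolerate stripped padding
        items.append(base64.b64decode(padded).decode("utf-8"))
    return items


def parse_response(body):
    """Split a multi-JSON body into (events, context).

    Every non-empty line but the last is a security event; the last line is
    the ResponseContext whose offset seeds the next offset-mode fetch. If the
    last line is itself an event, the batch was cut short (for example by a
    dropped connection) and the offset must not be advanced.
    """
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty response body")
    *event_lines, context_line = lines
    context = json.loads(context_line)
    if "attackData" in context:
        raise ValueError("last line is an event, not a ResponseContext: truncated batch")
    events = [json.loads(ln) for ln in event_lines]
    return events, context


def summarize_event(event):
    """Flatten one event into the fields a SIEM correlation rule would key on."""
    ad, hm = event["attackData"], event["httpMessage"]
    triggered = list(zip(decode_list(ad["rules"]),
                         decode_list(ad["ruleActions"]),
                         decode_list(ad["ruleMessages"])))
    return {
        "requestId": hm["requestId"],
        "clientIP": ad["clientIP"],
        "request": f'{hm["method"]} {hm["host"]}{hm["path"]}?{unquote(hm["query"])}',
        "denied": any(action == "deny" for _, action, _ in triggered),
        "triggered": triggered,
    }


def next_offset(body):
    """Process one batch and return the offset to persist for the next fetch."""
    events, context = parse_response(body)
    for ev in events:
        summarize_event(ev)        # hand each summary to your SIEM pipeline here
    return context["offset"]


if __name__ == "__main__":
    events, context = parse_response(SAMPLE_RESPONSE)
    for ev in events:
        print(json.dumps(summarize_event(ev), indent=2))
    print("next offset:", context["offset"])
```

Persist the returned offset only after the whole batch has been handed off; if parse_response raises on a truncated body, re-fetch with the previous offset (or fall back to time-based mode) rather than advancing.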

The sample request above shows all possible query parameters, but you wouldn’t use them all together in the same request. The following shows typical combinations for different types of requests:

Query parameters    Yield data                            Sample request
offset              Since a prior request.                /siem/v1/configs/7777?offset=1500390779
offset, limit       Since a prior request, limited.       /siem/v1/configs/7777?offset=1500390779&limit=1000
from                Since a point in time.                /siem/v1/configs/7777?from=1499835600
from, limit         Since a point in time, limited.       /siem/v1/configs/7777?from=1499835600&limit=1000
from, to            Over a range of time.                 /siem/v1/configs/7777?from=1499835600&to=1499875200
from, to, limit     Over a range of time, limited.        /siem/v1/configs/7777?from=1499835600&to=1499875200&limit=1000

If a single request contains parameters for both modes, time-based mode takes precedence.
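As an added example (not code from the original page or the API vendor), the request builder below encodes the parameter rules from the table above and the combinations just listed: offset mode takes offset and optionally limit, time-based mode takes from with optional to and limit, and the two sets are refused together rather than leaving the choice to the server's precedence rule. The 12-hour replay-window check and the optional now argument are additions here for the client side; the page states the window but not how a client should enforce it. Config identifiers are joined with a semicolon and percent-encoded as %3B, matching the sample request URL earlier on the page.

```python
from urllib.parse import quote, urlencode

BASE_PATH = "/siem/v1/configs/"
REPLAY_WINDOW_SECONDS = 12 * 3600   # time-based mode replays the last 12 hours


def build_siem_url(config_ids, offset=None, from_ts=None, to_ts=None,
                   limit=None, now=None):
    """Return path+query for one Fetch Security Events request.

    Offset mode: offset (+ limit). Time-based mode: from (+ to, + limit).
    Mixed requests are rejected client-side instead of relying on the
    server's time-based precedence. Pass now (epoch seconds) to also reject a
    from value older than the 12-hour replay window.
    """
    ids = [str(c) for c in config_ids]
    if not ids or not all(c.isdigit() for c in ids):
        raise ValueError("configId must be one or more integer identifiers")

    time_mode = from_ts is not None
    if offset is not None and (time_mode or to_ts is not None):
        raise ValueError("offset cannot be combined with from/to")
    if not time_mode and to_ts is not None:
        raise ValueError("to requires from")
    if offset is None and not time_mode:
        raise ValueError("specify offset (NULL for an initial batch) or from")

    params = {}
    if offset is not None:
        params["offset"] = offset
    else:
        from_ts = int(from_ts)
        if now is not None and from_ts < int(now) - REPLAY_WINDOW_SECONDS:
            raise ValueError("from is outside the 12-hour replay window")
        params["from"] = from_ts
        if to_ts is not None:
            if int(to_ts) < from_ts:
                raise ValueError("to must not precede from")
            params["to"] = int(to_ts)
    if limit is not None:
        if int(limit) <= 0:
            raise ValueError("limit must be positive")
        params["limit"] = int(limit)

    # Several configIds are joined with ';', which the sample request shows
    # percent-encoded as %3B; quote() with safe="" does exactly that.
    return BASE_PATH + quote(";".join(ids), safe="") + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_siem_url([12892, 29182, 82912],
                         offset="c0bc409010aa6928e57cd5a3000433b9", limit=10))
    print(build_siem_url(["7777"], from_ts=1499835600, to_ts=1499875200, limit=1000))
```

Send the returned path against the API host with your usual signed client; the builder deliberately fails fast so that a mixed or stale request never reaches the server, where a silently applied precedence rule would hide the mistake.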

Multi-JSON Response Format

Here’s a condensed view of the response format. Each event is listed on its own line, and the last line provides metadata on the whole batch. This ResponseContext object shows total records, an offset that marks the last record fetched, and optionally a limit value if set.


Last modified: 11/9/2017