Akamai SIEM Integration for Splunk and CEF Syslog

Use your favorite Security Information and Event Management (SIEM) solution to analyze security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in real time. If you use Kona Site Defender, Client Reputation, Web Application Protector, or Bot Manager (BETA), you can analyze security events generated on the Akamai platform alongside security events from other sources.

How it works

Every time a security policy triggers, the system generates a security event. The Akamai Security Events Collector captures these security events across edge servers and exposes a RESTful SIEM API for fetching security events.

You install the SIEM connector behind your corporate firewall. The connector makes periodic calls to the SIEM API to securely collect JSON event data in near real time from the Akamai Security Events Collector. The connector then converts these events into the format your SIEM expects and sends the data to your SIEM software.

SIEM workflow diagram

Features

Use on-premise and cloud-based SIEM tools like Splunk, QRadar, ArcSight, and more. You can control and protect the data feed with:

  • Event filtering. You can filter the security events to collect in your SIEM by security configuration and security policy, which helps you focus on real threats.
  • Data retention. The Collector stores security events data for 12 hours, so you can go back in time to capture missed events, if necessary.
  • SIEM overload protection. In your SIEM connector, you can define the maximum number of security events fetched in each request to avoid overloading the SIEM application.
  • Fetch interval. You can define how often the SIEM connector calls the SIEM API to fetch security events data.

Set up SIEM integration

You set up SIEM integration in four basic steps:

Step 1: Turn on SIEM integration

  1. Visit https://control.akamai.com/ and log in.
  2. From the menu, choose Configure, then under Security, choose Security Configuration.
  3. Open the security configuration for which you want SIEM data.
  4. Scroll down to the SIEM Integration section.
  5. In Allow data collection for SIEM, click Yes.
  6. Choose the security policies for which you want to export data. Enable SIEM integration for:
    • ALL Security policies if you want to send SIEM data for events that violate any/all security policies within the security configuration.
    • Customize for specific security policies if you want data regarding one or more specific security policies. In the drop down list, choose the policies you want.
  7. Skip the SIEM Event Version field for now.
  8. Copy the number in the Security Config ID field. You’ll need it in a minute.
  9. Push security configuration changes to the production network.
    On the upper right of the Security Configuration page, click the Activate button. Under Network, choose Production, and click Activate.

If you want to enable SIEM integration for another Security Configuration, open that configuration and repeat the steps you just followed. Once you’ve done so for all configurations, continue on to the next step.

Step 2: Set up a user to manage SIEM

Add or assign a user to manage your SIEM APIs.

  1. From the control center menu, select Configure, then under Organization, choose Manage Users and Groups.
  2. On the left side of the screen, in the Groups pane, choose the group for which you want security events.
  3. Add or edit a user to manage SIEM integration. In the list, find the user you want or click the Create a New User button.
  4. If you created a new user, complete the new user information fields.
  5. In the groups/roles tables, go to the first group in the list, click the dropdown arrow beside the gear icon, and choose Select Role. A dialog box opens.
  6. In the Filter box, type SIEM. Choose the Manage SIEM role and click Select.

    Note: Only the Manage SIEM role has the proper permissions. Do not assign any other role. For example, an IDM Non-Admin Manage API Clients permission won't suffice.

  7. In the Edit User dialog box, click Save.
  8. If you want events for another group too, select the group and repeat Steps 3-8.

    Note: If you have multiple Groups and Users within your account, you must assign a user the Manage SIEM role for each group that contains a security configuration you want to include in SIEM results. Usually, this is the same person, and must be the same person you associate with the API credentials in Step 3: Provision SIEM API and get access tokens.

Step 3: Provision SIEM API and get access tokens

To move data from Akamai Security Events Collector to your system, the SIEM connector uses Akamai’s SIEM API, a REST API service that requires authentication and authorization.

Once you’ve turned on SIEM integration and set up a user for it, you’re ready to provision credentials for the SIEM API. To do so, visit

https://developer.akamai.com/api/getting-started

Then follow the steps to provision the SIEM API for the user you assigned to manage SIEM. Copy and save the tokens you generate. You’ll need them to complete your next step.

Step 4: Install and configure your SIEM connector

You install your SIEM connector behind your firewall. The connector uses Akamai’s SIEM API to retrieve security events in JSON format from the Akamai Security Events Collector. The connector converts the JSON to the data format your SIEM software consumes and sends security events on to your SIEM software. The connector lets you:

  • Define the interval to call SIEM OPEN API and pull in security events.
  • Define the number of security events to pull in during each call.
  • Handle network failures during data pull by re-trying to fetch security events. If you lose your connection, you can also retrieve event history from the last 12 hours.

Connector setup depends on which SIEM solution you use. Read on to learn about sample connectors and tools you can use to get started quickly.

Connectors and tools

Download the sample connector you want and follow the integration instructions. You can use the test client to help troubleshoot any issues.

Splunk sample connector
  • Version: 1.4.7
  • Details:
    Tested OS versions: CentOS 7; Windows Server 2012 R2; Mac OS X El Capitan Version 10.11.6
    Splunk version: 6.5.3+ (including 7.3)
  • Download: Download from Splunkbase
    Note: On Splunkbase, subscribe to this connector to get notified of future updates.
  • Integration instructions: Documentation
  • Sample code: On GitHub

CEF Syslog sample connector
  • Version: 1.6.0
  • Details:
    Tested OS versions: Mac OS X El Capitan Version 10.11.6; Ubuntu 14.04.5 LTS (64-bit)
    HP ArcSight Logger version: 6.1.0.7504.1
  • Download: Download
  • Integration instructions: Documentation
  • Sample code: On GitHub

SIEM Test Client
  • Details: Executable test client to run diagnostics for debugging purposes.
  • Download: Download
  • Integration instructions: See package readme file


Code your own connector

If your SIEM solution isn't supported by a sample connector, you can develop your own custom connector using the SIEM API. The API returns a list of JSON objects representing each security event. See the SIEM API documentation for details.
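The skeleton below is an added example, not Akamai's connector code or the SIEM API's documented schema: it shows the two things a custom connector built on the behaviour described in Step 4 and here must get right, a bounded, retrying poll loop that persists its resume offset, and a conversion of each JSON event to one CEF syslog line with proper escaping so a hostile request URI cannot forge extra log records. The event field names, the `fetch` transport callable, and the offset values are assumptions.

```python
import time

# CEF header fields may not contain raw '|' or '\'; extension values may not
# contain raw '=' or '\'; escaping newlines stops a crafted URI splitting a record.
def esc_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event):
    """Render one decoded JSON event (dict) as a single CEF line."""
    attack, http = event["attackData"], event["httpMessage"]
    header = "|".join(esc_header(v) for v in (
        "CEF:0", "Akamai", "SIEM", "1.0",
        attack["ruleId"], attack["ruleMessage"], attack["severity"]))
    ext = {"src": attack["clientIP"], "dhost": http["host"], "request": http["requestUri"],
           "cs1Label": "policyId", "cs1": attack["policyId"],
           "cs2Label": "configId", "cs2": attack["configId"]}
    return header + "|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())

def poll_batch(fetch, offset, limit=1000, retries=3, backoff=1.0):
    """Pull at most `limit` events from `offset`, retrying transient errors with
    backoff; fetch(offset, limit) -> (events, next_offset), the resume checkpoint."""
    for attempt in range(retries):
        try:
            return fetch(offset, limit)
        except (ConnectionError, TimeoutError):
            if attempt == retries - 1:
                raise
            time.sleep(backoff * 2 ** attempt)

# Constructed sample event; field names are assumptions, not the API's schema.
SAMPLE_EVENT = {
    "attackData": {"configId": "12345", "policyId": "abc1_1234",
                   "clientIP": "203.0.113.7", "ruleId": "950004",
                   "ruleMessage": "Cross-site Scripting (XSS) Attack", "severity": "7"},
    "httpMessage": {"host": "www.example.com", "requestUri": "/search?q=a=b\n"},
}
def demo():
    """Simulate two network failures, then one batch of at most 10 events."""
    calls = []
    def fetch(offset, limit):
        calls.append(offset)
        if len(calls) < 3:
            raise ConnectionError("simulated network failure")
        return [SAMPLE_EVENT], f"offset-{len(calls)}"
    events, next_offset = poll_batch(fetch, "start", limit=10, backoff=0)
    return [to_cef(e) for e in events], next_offset
```

In a real connector, `fetch` would issue the authenticated HTTPS request with the tokens from Step 3 and `next_offset` would be written to durable storage before the batch is handed to the SIEM, so a restart resumes inside the 12-hour retention window without duplicates or gaps.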

Support

Need additional assistance? Visit the SIEM Connectors Community page to get answers from Akamai engineers and other SIEM administrators.