Akamai SIEM Integration

Use your favorite security information and event management (SIEM) solution to analyze security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in near real-time. If you use Kona Site Defender, Client Reputation, Web Application Protector, or Bot Manager you can analyze security events generated on the Akamai platform alongside security events from other sources. 

Use on-premises and cloud-based SIEM tools such as Splunk, QRadar, ArcSight, and others. You can control and protect the data feed with:

Event filtering

Filter the security events collected in your SIEM by security configuration and security policy, so you can focus on real threats.

Data retention

The Collector stores security event data for 12 hours, enabling you to go back and capture missed events if necessary.

SIEM overload protection

In your SIEM connector, you can define the maximum number of security events fetched in each request to avoid overloading the SIEM application.

Fetch interval

You can define how often the SIEM connector calls the SIEM API to fetch security event data.

How it works

Each time a request triggers a security policy, the system generates a security event. The Akamai Security Events Collector captures security events across edge servers and exposes a RESTful SIEM API for fetching these events.

The SIEM connector is installed behind your corporate firewall. The connector makes periodic calls to the SIEM API to securely collect JSON event data in near real-time from the Akamai Security Events Collector. The connector then converts the events into the proper format and sends the data to your SIEM software.

Set up SIEM integration

You set up SIEM integration in four basic steps:

Step 1: Turn on SIEM integration

  1. Visit https://control.akamai.com/ and log in.
  2. In Control Center, under WEB & DATA CENTER SECURITY, click Security Configuration.
  3. Open the security configuration for which you want to collect SIEM data.
  4. Click the Advanced Settings tab and expand the SIEM Integration section.
  5. In Allow data collection for SIEM, click Yes.
  6. Choose the security policies for which you want to export data. Select:
    • ALL Security policies if you want to send SIEM data for events that violate any or all security policies within the security configuration.
    • Customize for specific security policies if you want data regarding one or more specific security policies. Select the appropriate policies from the dropdown list.
  7. To include events generated by Bot Manager, set Include Bot Manager Events to Yes. To exclude Bot Manager events, choose No.

  8. To include events generated by Account Protector, set Include Account Protector Events to Yes. To exclude those events, choose No.

  9. Skip the SIEM Event Version field for now.
  10. Push your security configuration changes to the production network. On the upper right of the Security Configuration page, click Activate. Under Network, click Production, and then click Activate.

If you want to enable SIEM integration for additional Security Configurations, repeat the preceding process for each configuration and then continue to Step 2.

Step 2: Set up a user to manage SIEM

Add or assign a user to manage your SIEM APIs.

  1. In Control Center, under ACCOUNT ADMIN, click Identity & access.
  2. On the Users and API Clients tab, find the user you want to assign the role to or click Create user.
    • To assign the SIEM role to an existing user, open the user's account and click the Edit roles tab. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Submit.
    • To assign the SIEM role to a new user, click Create user. Enter basic information for the user, then scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Save.  

      Only the Manage SIEM role carries the permissions the SIEM API needs. Don't assign this user any other role.

  3. If you want to assign the Manage SIEM role for another group, select the group and repeat the preceding process. If your account has multiple groups, you must assign the Manage SIEM role to the user in every group that contains a security configuration, and it must be the same user you associate with the API credentials in Step 3.

Step 3: Provision the SIEM API and get access tokens

To move data from Akamai Security Events Collector to your system, the SIEM connector uses Akamai’s SIEM API, a REST API service that requires authentication and authorization.

After you’ve enabled SIEM integration and assigned a user to the Manage SIEM role, you’re ready to provision credentials for the SIEM API. To do so, visit Get Started with APIs.

Follow the steps to provision the SIEM API for the user assigned to manage SIEM. Copy and save the tokens you generate: you’ll need them to complete the final step.

Step 4: Install and configure your SIEM connector

Install your SIEM connector behind your firewall. SIEM connectors use Akamai’s SIEM API to retrieve security events (in JSON format) from the Akamai Security Events Collector. The connector converts the JSON values to your SIEM software’s data format and sends the events to your SIEM software. 

Connector setup depends upon the SIEM solution you use. Read on to learn about sample connectors and tools you can use to get started quickly.


Connectors and tools

Download the sample connector you want to employ and follow the integration instructions. You can use the test client to help troubleshoot any issues.

Tool                         Version  Download                  Integration instructions  Sample code
Splunk sample connector      1.4.9    Download from Splunkbase  Documentation             On GitHub
CEF Syslog sample connector  1.7.1    Download                  Documentation             On GitHub
SIEM Test Client             -        Download                  See package readme file   -

Note: On Splunkbase, subscribe to the Splunk connector to get notified of future updates.

Code your own connector

If your SIEM solution isn't supported by a sample connector, you can develop your own custom connector using the SIEM API. The API returns a list of JSON objects representing each security event. See the SIEM API documentation for details.

If you write your own connector, Akamai strongly recommends that you use a standard JSON parser rather than matching on field positions or raw text. A real parser lets your connector tolerate updates to the event JSON, such as fields being added in a later event version.
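To make the connector shape concrete, here is an added example in Python of the poll-and-parse loop described under "How it works" and in this section. It is not Akamai's code and not one of the sample connectors listed above. It assumes the SIEM API v1 endpoint and query parameters (`/siem/v1/configs/{configIds}` with `offset`, `limit`, `from`, `to`) and the encoding of the rule list fields (URL-encoded, semicolon-separated base64 members) as described in the SIEM API reference, so verify both against the current documentation. The HTTPS transport and EdgeGrid authentication are replaced by a stub that returns a constructed sample response, so the block runs offline.

```python
"""Poll-and-parse loop in the shape of a custom Akamai SIEM connector (added example)."""
import base64
import json
import time
import urllib.parse

RETENTION_SECONDS = 12 * 3600  # the Collector retains 12 hours of events ("Data retention")
# attackData fields the SIEM API delivers as URL-encoded, ';'-separated lists of base64
# members (per the SIEM API reference; verify the list against the current docs).
LIST_FIELDS = ("rules", "ruleVersions", "ruleMessages", "ruleTags", "ruleData",
               "ruleSelectors", "ruleActions")

def encode_list_field(values):
    """Inverse of decode_list_field; used here only to build the constructed sample."""
    joined = ";".join(base64.b64encode(v.encode("utf-8")).decode("ascii") for v in values)
    return urllib.parse.quote(joined, safe="")

def decode_list_field(value):
    """URL-decode, split on ';', base64-decode each member; empty input gives []."""
    if not value:
        return []
    members = urllib.parse.unquote(value).split(";")
    return [base64.b64decode(m).decode("utf-8", "replace") for m in members if m]

def normalize(rec):
    """Flatten one raw event to the fields a SIEM would index. Every lookup uses .get(),
    so keys added or dropped in a later event version do not break the connector."""
    attack, http, geo = rec.get("attackData", {}), rec.get("httpMessage", {}), rec.get("geo", {})
    flat = {
        "configId": attack.get("configId"), "policyId": attack.get("policyId"),
        "clientIP": attack.get("clientIP"), "requestId": http.get("requestId"),
        "host": http.get("host"), "method": http.get("method"), "path": http.get("path"),
        "status": http.get("status"), "country": geo.get("country"),
    }
    for name in LIST_FIELDS:
        flat[name] = decode_list_field(attack.get(name, ""))
    return flat

def parse_response(body):
    """Body is newline-delimited JSON: one event per line, then an offset record to
    hand back on the next poll. Returns (events, next_offset)."""
    events, next_offset = [], None
    for line in body.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)  # a standard JSON parser, as Akamai recommends
        if "attackData" in rec:
            events.append(normalize(rec))
        elif "offset" in rec:
            next_offset = rec["offset"]
    return events, next_offset

def build_params(offset, limit):
    """First poll asks for the retention window by time; later polls resume by offset.
    `limit` caps events per request (the page's "SIEM overload protection")."""
    params = {"limit": limit}
    if offset:
        params["offset"] = offset
    else:
        now = int(time.time())
        params["from"], params["to"] = now - RETENTION_SECONDS, now
    return params

def poll(transport, config_ids, offset=None, limit=1000):
    """One fetch cycle. transport(path, params) does the HTTPS call; a real connector
    would use requests.get(..., auth=EdgeGridAuth(...)) from edgegrid-python with the
    Step 3 credentials. Endpoint path as documented for SIEM API v1 (assumption)."""
    body = transport(f"/siem/v1/configs/{config_ids}", build_params(offset, limit))
    return parse_response(body)

# Constructed sample response, not real Akamai data. The second event has no "geo" block
# and carries an unknown top-level field, to exercise the tolerant parsing above.
SAMPLE_RESPONSE = "\n".join([
    json.dumps({"type": "akamai_siem", "format": "json", "version": "1.0",
                "attackData": {"configId": "12345", "policyId": "abcd_1", "clientIP": "203.0.113.7",
                               "rules": encode_list_field(["950002", "981176"]),
                               "ruleActions": encode_list_field(["alert", "deny"])},
                "httpMessage": {"requestId": "2ab418ac8515f33", "host": "www.example.com",
                                "method": "GET", "path": "/login", "status": "403"},
                "geo": {"country": "US"}}),
    json.dumps({"type": "akamai_siem", "format": "json", "version": "1.0",
                "attackData": {"configId": "12345", "policyId": "abcd_1", "clientIP": "198.51.100.9",
                               "rules": encode_list_field(["3000017"]),
                               "ruleActions": encode_list_field(["deny"])},
                "httpMessage": {"requestId": "7c9e6679f0a3b2d1", "host": "www.example.com",
                                "method": "POST", "path": "/api/v1/orders", "status": "403"},
                "futureField": {"added": "in a later event version"}}),
    json.dumps({"total": 2, "offset": "ZGVtby1vZmZzZXQ", "limit": 1000}),
])

def sample_transport(path, params):
    """Offline stand-in for the HTTPS call; returns the constructed response."""
    assert path.startswith("/siem/v1/configs/") and "limit" in params
    return SAMPLE_RESPONSE

if __name__ == "__main__":
    events, next_offset = poll(sample_transport, "12345")
    for e in events:
        print(e["clientIP"], e["method"], e["path"], e["rules"], e["ruleActions"], e["country"])
    print("resume from offset:", next_offset)
```

In a real connector the scheduler calls `poll` at the configured fetch interval, persists `next_offset` to disk after each successful delivery to the SIEM, and only falls back to the time-window parameters when no saved offset exists, since the Collector keeps just 12 hours of history. Keep `limit` at a size your SIEM can ingest per cycle; the events the API does not return this cycle remain available on the next one.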


Support

Need additional assistance? Visit the SIEM Connectors Community page to get answers from Akamai engineers and other SIEM administrators.
