Monitor activity

Track configuration effectiveness and adjust protections as needed.

You'll want to keep a close eye on how your security policy is working, to make sure you're covering the right traffic and that your settings aren't alerting on or denying valid requests. When you create a Security Configuration, it's a good idea to set actions to Alert at first, instead of Deny. After you activate the entire Security Configuration, check traffic in Web Security Analytics to see if rules are triggering false positives (regular requests flagged as problems). Also consult security reports, and set up notifications to get emails when important events occur.

Tracking activity with these tools lets you gauge how accurate and effective your settings and protections are. You can use this information to tweak the protection controls you set. Once you feel comfortable that rules and other protections are not producing false positives, you can consider setting controls to Deny.

👍

You can introduce some initial adjustments within a few hours of activating your Security Configuration. Proper adjustments require more data, collected over weeks, so you can identify specific patterns.

Web Security reports

After you activate protections for your website or web apps, you should continuously monitor and assess how they're handling web requests. Each site is different, and you'll inevitably have to adjust controls and protection profiles to achieve the results you want and cut down on false positives and other issues.

🚧

For reporting to be useful, make sure you log HTTP header data. Go to your App & API Protector Hybrid Security Configuration > Advanced settings > Logging > HTTP header data logging. Make sure that the setting is On. You can also select which data categories to log, such as Standard headers, Custom headers, and Cookies.

Using reports, you can tackle the following tasks:

  • See attack traffic
    Security Center gives you a higher-level view and shows big-picture data like attack traffic vs. regular traffic. Go to Akamai Center and log in. From the menu, select ☰ > WEB & DATA CENTER SECURITY > Security Center. Start at the Web Security dashboard where you can investigate your attack traffic.
  • See web application firewall activity
    View activity by attack group and see what actions have been applied. See what hostnames and security policies attackers have targeted, and the geographic locations from which requests originate. In Security Center, on the left side of the screen, click Trends > Web Application Firewall.
  • View attack data across dimensions
    Web Security Analytics lets you view traffic across products and protection types. Drill down by individual dimensions to get specifics, and pivot chart views to group and compare values.
  • See DoS attack traffic
    The DoS activity report shows any detected DoS attack traffic and resulting actions. See targeted hostnames and security policies that are detecting this activity. In Security Center, on the left side of the screen, select Trends > DoS (Web Security).

Read more about all these reports and tools in the Security Center Guide.

SIEM integration (Protector v1.4.0)

Security Information and Event Management (SIEM) integration lets you capture security events generated in Protector instances and analyze them in your favorite SIEM application.

You can configure SIEM integration directly from your Security Configuration > Advanced Settings > Logging > Data collection for SIEM Integration.

Security events are exposed through the SIEM OPEN API, which SIEM connectors use to retrieve event data.

You can use built-in connectors for Splunk or CEF. All connectors retrieve event data through the SIEM OPEN API. Learn more about connectors.

🚧

The SIEM integration for App & API Protector Hybrid follows the same core principles as the universal SIEM guide used across Akamai’s security portfolio. The functional differences include:

  • App & API Protector Hybrid does not support including the JA4 client TLS fingerprint in SIEM events.
  • When configuring exceptions, App & API Protector Hybrid supports the following categories: Rate Limiting, Custom Rules, and Web Application Firewall.
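
The following is an added example, not Akamai's code: it tallies, per rule, which actions fired and on which paths, the kind of review the Alert-before-Deny tuning at the top of this page calls for when you work from SIEM events. It assumes the layout of Akamai's general SIEM event format (one JSON event per line, with `attackData.rules` and `attackData.ruleActions` as URL-encoded, semicolon-separated base64 lists, and a closing offset line); this page does not state that layout, so confirm it against the SIEM guide. The sample events, rule IDs, and hostname are constructed.

```python
import base64
import json
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in the assumed layout: one JSON event per line, then a
# final line carrying only offset metadata. Rule IDs and hosts are made up.
SAMPLE = "\n".join([
    json.dumps({"attackData": {"rules": "OTUwMDAy%3bOTUwMDA2",
                               "ruleActions": "YWxlcnQ%3d%3bZGVueQ%3d%3d"},
                "httpMessage": {"host": "shop.example.com", "path": "/search"}}),
    json.dumps({"attackData": {"rules": "OTUwMDAy",
                               "ruleActions": "YWxlcnQ%3d"},
                "httpMessage": {"host": "shop.example.com", "path": "/checkout"}}),
    json.dumps({"offset": "constructed-offset", "total": 2, "limit": 10}),
])

def decode_list(field):
    """URL-decode, split on ';', then base64-decode each element."""
    if not field:
        return []
    return [base64.b64decode(part).decode("utf-8", "replace")
            for part in unquote(field).split(";")]

def summarize(ndjson):
    """Per rule: count of each action and the sorted paths it fired on."""
    actions = defaultdict(Counter)
    paths = defaultdict(set)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        attack = event.get("attackData")
        if attack is None:  # offset/metadata line, not an event
            continue
        rules = decode_list(attack.get("rules", ""))
        acts = decode_list(attack.get("ruleActions", ""))
        if len(rules) != len(acts):  # malformed event: skip rather than mispair
            continue
        path = event.get("httpMessage", {}).get("path", "")
        for rule, act in zip(rules, acts):
            actions[rule][act] += 1
            paths[rule].add(path)
    return {r: {"actions": dict(actions[r]), "paths": sorted(paths[r])}
            for r in actions}

if __name__ == "__main__":
    for rule, info in summarize(SAMPLE).items():
        print(rule, info)
```

A rule that only ever alerts, and does so across many ordinary paths, is a candidate for false-positive review before you switch its action to Deny.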