Infrastructure Security Analytics provides insights into security threats across various ​Akamai​ products, including Edge DNS, Prolexic, and App & API Protector. The platform allows you to effectively identify and address vulnerabilities.

From the Destinations tab of the Infrastructure Security Analytics page, you can manually or automatically send security events to a supported third-party SIEM and IT Service Management solution. By configuring destinations, you receive actionable event data that enhances your security operations, helps address vulnerabilities, and improves your organization’s security posture.

The following solutions are supported as destinations for Infrastructure Security Analytics:

• Google Security Operations (Google SecOps)
• Microsoft Sentinel
• ServiceNow
• Splunk
• Custom HTTPS Endpoint. An API endpoint that allows your on-premise application to receive and process data and logs.

You can manually or automatically deliver data to your configured destination. If you select to manually deliver data, you can go to a zone and from the actions menu, select to deliver data to your destination. If you select to Automatically deliver data, data is delivered without requiring any further action.

The following event data is delivered with each delivery type.

📘

Currently, you can only select Manual as the delivery type for ServiceNow and a custom HTTPS endpoint. You can only select Automatic as the delivery type for Google SecOps, Microsoft Sentinel, and Splunk.

For improved security, you can create a Akamaized hostname that acts as an endpoint for sending infrastructure security analytics to your destination. This process requires that you create a property with the destination URL as the hostname. The property then acts as a proxy between infrastructure security analytics and your configured destination. To learn more, see Use an Akamaized hostname as an endpoint for sending data.

Configure Google SecOps as a destination

Complete this procedure to configure Google Security Operations as a destination for infrastructure security analytics event data.

Before you begin

Make sure you have the following information:

• Customer ID. The Customer ID is a unique identifier for your configuration in Google Security Operations.
• Service Account Credentials. You can obtain these credentials from the Google Cloud Platform (GCP). For detailed instructions, see the Google Cloud IAM documentation.
  To find these credentials:
  1. Sign in to your Google Cloud account.
  2. Navigate to the IAM (Identity and Access Management) section.
  3. Select Service Accounts.
  4. Create a new service account or select an existing one.
  5. Download the JSON key file for this service account.

To locate the Customer ID and generate service account credentials, see the official Google Security Operations documentation.

To configure a Google Security Operations destination:

1. In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS. Click Security analytics.
2. Click Destinations. You can view and edit previously created destinations from this page.
3. Click Create destination and select Outbound.
4. In the Destination field, enter a name for your destination configuration.
5. In the Destination Type, select Google Secops.
6. In the Customer ID field, enter the ID.
7. In the Delivery Type menu, select Automatic. Currently, Automatic is the only delivery method available for Google SecOps.
8. For Event Types, select the type of data that you want to send. For Edge DNS, you can select NXDOMAIN Spikes and Dangling CNAMEs. For Prolexic, you can select Prolexic Attacks, Prolexic Alerts, and Prolexic Traffic.
   An event schema is available for you to view.
9. Click Next.
10. In the Authentication type menu, select Service Account.
11. In the Service Account Credentials field, drop the credentials from Google SecOps into this field or browse for the credentials on your computer.
12. Click Next.
13. Review the information for this configuration, and click Validate & Save. After saving, ​Akamai​ sends a request to Google SecOps. Verify the connection.
    If a connection is established, data is automatically delivered to Google SecOps.

Configure Microsoft Sentinel as a destination

Complete this procedure to configure Microsoft Sentinel as a destination for infrastructure security analytics event data.

Before you begin

Make sure you have the following information:

• Client secret. A secret key used for authenticating the application. This can be generated in the Certificates & secrets section of the app registration in Azure Entra Admin Center.
• Application (client) ID. The unique GUID of your application. You can find this in the App registrations section of Azure Entra Admin Center.
• Primary Domain. The primary domain associated with the tenant / directory. You can find it in the Overview section of Azure Entra Admin Center.
• Log Ingestion URI. The endpoint where data collected by Data Collection Rules (DCRs) is sent. This is configurable in Azure Monitor. This may be either a DCR or DCE URI. See the DCR JSON view in the Azure portal.
• Data Collection Rule ID. The Data Collection Rule (DCR) immutable ID. This is created and managed in Azure Monitor, which links the rule to Microsoft Sentinel. You can find this ID in the Data Collection Rule’s JSON view.
• Data Collection Rule Stream Name. The Data Collection Rule (DCR) stream name. You set this up when creating the Data Collection Rule in Azure Monitor.

To learn how to get this information, see the official Microsoft Sentinel documentation for detailed instructions.

To configure a Microsoft Sentinel destination:

1. In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
2. Click Security analytics.
3. Click Destinations. You can view and edit previously created destinations from this page.
4. Click Create destination and select Outbound.
5. In the Destination Name field, enter a name for your destination configuration.
6. In the Destination Type menu, select Microsoft Sentinel.
7. Enter the application (client) ID, primary domain, log ingestion URI, data collection rule ID, and data collection rule stream name in the specific fields for this data.
8. In the Delivery Type menu, select Automatic. Currently, Automatic is the only delivery method available for Microsoft Sentinel.
9. For Event Types, select the type of data that you want to send. For Edge DNS, you can select NXDOMAIN Spikes and Dangling CNAMEs. For Prolexic, you can select Prolexic Attacks, Prolexic Alerts, and Prolexic Traffic.
   An event schema is available for you to view.
10. Click Next.
11. In the Authentication Type menu, select Client Secret.
12. In the Client Secret field, enter the client secret.
13. Click Next.
14. Review the information for this configuration, and click Validate & Save. After saving, ​Akamai​ sends a request to Microsoft Sentinel. Verify the connection.
    If a connection is established, data is automatically delivered to Microsoft Sentinel.

Configure ServiceNow as a destination

Complete this procedure to configure ServiceNow as a destination for infrastructure security analytics event data.

Before you begin

Make sure you have the following information:

• ServiceNow Instance Name. The name of your ServiceNow instance. This is the prefix of your instance URL (for example, https://{instance_name}.service-now.com).
• API Key. You generate this key in ServiceNow for token-based authentication. Ensure the associated account has permissions to allow POST calls to the "incident" table via the Table API. As part of the process for configuring the API key, you create an inbound authentication profile and API access policy. For instructions, see the ServiceNow documentation.

To configure a ServiceNow destination:

1. In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
2. Click Security analytics.
3. Click Destinations. You can view and edit previously created destinations from this page.
4. Click Create destination and select Outbound.
5. In the Destination field, enter a name for your destination configuration.
6. In the Destination Type, select ServiceNow.
7. In the ServiceNow Instance Name field, enter the name of your instance.
8. In the Delivery Type menu, select Manual. After you configure this destination, you can manually deliver data.
9. Click Next.
10. Complete authentication settings:
    1. In the Authentication Type menu, select API Key.
    2. In the API Key field, paste the ServiceNow API key. Make sure the API key associated with your ServiceNow account has the correct permissions to make POST calls.
11. Click Next.
12. Review the information for this configuration, and click Validate & Save. After saving, ​Akamai​ sends a POST call to the service to validate the connection.

Next step:

Manually deliver data to ServiceNow. See Manually deliver events to a destination.

Configure Splunk as a destination

Complete this procedure to configure Splunk as a destination for infrastructure security analytics event data.

Before you begin

Make sure you have the following information:

• HEC Host. The hostname or endpoint of Splunk HTTP Event Collector (HEC). This is typically provided during the Splunk setup process (for example, splunkhec.com).
• HEC Install Type. The type of Splunk installation you are using (for example, Splunk Cloud Platform).
• HEC Indexer Acknowledgement. Indicates whether indexer acknowledgment is enabled for the HEC token. This setting is primarily supported by AWS Kinesis Firehose. If you're unsure about this setting, set it to false.
• HEC Port (Optional). The port number used for HEC. By default, this is set to 443. If you're using Splunk Enterprise, this is set to 8088.
• Index (Optional). The name of the Splunk index where events will be stored. By default, this is set to “main.”
• Source Name (Optional). The identifier for the source of the data. By default, this is set to “​Akamai​ Security Analytics.”

To learn more about Splunk HTTP Event Collector, see the official Splunk documentation.

To configure Splunk as a destination:

1. In Control Center, go to ☰ > DNS SOLUTIONS> Edge DNS.
2. Click Security analytics.
3. Click Destinations. You can view and edit previously created destinations from this page.
4. Click Create destination and select Outbound.
5. In the Destination Name field, enter a name for your destination configuration.
6. In the Destination Type menu, select Splunk.
7. In the provided fields, enter the HEC host, HEC install type, HEC port, index, and source name.
8. Select whether HEC Indexer Acknowledgement is enabled or disabled.
9. In the Delivery Type menu, select Automatic. Currently, Automatic is the only delivery method available for Splunk.
10. For Event Types, select the type of data that you want to send. For Edge DNS, you can select NXDOMAIN Spikes and Dangling CNAMEs. For Prolexic, you can select Prolexic Attacks, Prolexic Alerts, and Prolexic Traffic. An event schema is available for you to view.
11. Click Next.
12. In the Authentication Type menu, select Token.
13. Enter the token in the provided field.
14. Click Next.
15. Review the information for this configuration, and click Validate & Save. After saving, ​Akamai​ sends a request to Splunk. Verify the connection.
    If a connection is established, data is automatically delivered to Splunk.

Configure a custom HTTPS endpoint as a destination

Complete this procedure to configure a custom HTTPS API endpoint as a destination for infrastructure security analytics event data.

Before you begin

Make sure you have the following information:

• Endpoint URL. The secure URL where security events are sent and stored.
• Basic Auth Credentials. The username and password used in the authorization header for basic authentication.

To configure a custom HTTPS endpoint destination:

1. In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
2. Click Security analytics.
3. Click Destinations. You can view and edit previously created destinations from this page.
4. Click Create destination and select Outbound.
5. In the Destination field, enter a name for your destination configuration.
6. In the Destination Type, select Custom HTTPS.
7. In the Endpoint URL field, enter the URL.
8. In the Delivery Type menu, select Manual. After you configure this destination, you can manually deliver data.
9. Click Next.
10. In the Authentication Type menu, select Basic Auth.
11. Enter the username and password in the provided fields.
12. Click Next.
13. Review the information for this configuration, and click Validate & Save. After saving, Akamai sends a sample request to the provided endpoint. The sample request follows this format: {"accessValidation":true}.

Next step:

Manually deliver data to your custom HTTPS API endpoint. See Manually deliver events to a destination.

Manually deliver events to a destination

You can manually deliver infrastructure and security analytics data to your SIEM or IT Service Management solution. Complete this procedure to deliver data from a zone to your configured destination.

📘

If you selected Automatic as the delivery type for your destination, this process delivers data in addition to events that are delivered with the Automatic setting.

To deliver events to a destination:

1. In Control Center, go to ☰ > DNS SOLUTIONS > Edge DNS.
2. Click Security analytics.
3. In the Zones tab, go to the zone that you want event data on.
4. From the Action menu of the zone, select Destination Delivery.
5. From the Destination menu, select a destination that you configured.
6. From the Event Type menu, select the event data that you want to send. For example, related domains or dangling CNAMEs.
7. If related domains or dangling CNAMEs were detected in the zone, you can select the specific items you want data for.
8. Click Next.
9. Review the event delivery details.
10. Click Deliver to send events to the selected destination.

Use an Akamaized hostname as an endpoint for sending data

For improved security, you can create a Akamaized hostname that acts as an endpoint for sending infrastructure security analytics to your destination. This process requires that you create a property with the destination URL as the hostname. The property then acts as a proxy between infrastructure security analytics and your configured destination. With this feature, you can filter incoming events to your destination endpoint by IP addresses using the Origin IP Access List. This means only IP addresses that belong to your Akamaized property hostname can send logs to your destination. Using Akamaized hostnames as endpoints also requires enabling the Allow POST behavior in your property.

To enable this feature:

1. Go to Property Manager. In Control Center, go to ☰ > CDN > Properties, and create a new property. We recommend choosing API Acceleration as the product. See Create a brand new property.
2. Set your destination URL (for example, Splunk HTTP Event Collector URL) as the property hostname. See Redirect users to edge servers.
3. Return to the Property Groups page.
4. Click the name of the property you created.
5. Activate the property on the production network. Only properties active on the production network can serve as destinations. See Activate property on production.
6. On the Property Details page, click the Version of your configuration that you want to access in Manage Versions and Activations.
   The Property Manager Editor appears.
7. In the default rule, click Add Behavior, and select Origin IP Access List. Click Insert Behavior.
   The Origin IP Access List behavior appears in the default rule.
8. Set the Enable slider in the Origin IP Access Control List behavior to On. Click Save.
9. Click Add behavior, and select Allow POST.
10. Click Insert Behavior.
    The Allow POST behavior appears in the default rule.
11. Set the Behavior option in the Allow POST behavior to Allow.
12. Click Save.

    📘

    You might need to additionally configure your property to ensure uninterrupted data flow. See Configuration best practices in the Property Manager guide for other behaviors you can configure in your property.

13. Configure the firewall settings at your destination endpoint to allow access for IP addresses that belong to CIDR blocks for your Akamaized hostname. See the Origin IP Access List behavior for the list of IP addresses to put on the allow list.

After successfully configuring an Akamaized hostname as the destination endpoint, avoid editing an active property’s setup in Property Manager to ensure uninterrupted data flow. Adding, deleting, and editing hostnames and behaviors may cause unexpected behavior in sending events.