Activate or deactivate SIEM event feeds (legacy customers only)

The content on this page deals with a legacy feature of the Akamai Identity Cloud. If you are currently an Identity Cloud customer and are using SIEM event delivery, that feature is still supported. However, if you're new to the Identity Cloud, SIEM event delivery is no longer available.

To activate a SIEM feed, use the /eventdelivery/activate operation to activate the application. For example, this command activates SIEM Event Delivery for the application with the application ID htb8fuhxnf8e38jrzub3c7pfrr:

curl -X POST \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/activate \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E='

There are several things to keep in mind when running the preceding command:

  • You must use an API client that has owner credentials to the application where SIEM delivery is being enabled. API clients that don't have the owner feature can't activate or deactivate SIEM delivery.

  • The sample command shown a moment ago enables SIEM Event Delivery, but does not associate any public keys with the S3 bucket. Because of that, customers won't be able to access the events that get routed to the S3 bucket, at least not until one or more public keys have been added to the bucket. Keys can be added any time after the application has been activated; they can also be added at the same time that the application is activated. (If you add public keys when activating an application, keep in mind that you are limited to a maximum of 10 public keys per S3 bucket.)

    For example, this command activates the application htb8fuhxnf8e38jrzub3c7pfrr and, in the same command, associates a public key with that application's S3 bucket:

curl -X POST \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/activate \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \
  -H 'Content-Type: application/json' \
  -d '["ssh-rsa DDDAB3NzaC1yc2EAACCDEQABAAABAPOUh6tyPEFEzV0LX3XGF55RMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0c2r3SYVkz4G/fslNfRPAABAAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfNfRP7xGt5Rq9t2ta6F6fmX0agvpFyNfRPFbXeUBr7osSCJNgvavWbA4cDniWrOvYX2xwWdhXmX3ue68ZbabVoha3W1 karim.nafir@mail.com"]'

  • Activation of an application does not happen immediately. After you activate an application, some backend provisioning (such as creating and configuring the S3 bucket) must take place before events can be delivered. That means it might take several minutes before an application is enabled for event delivery and before the application has an accessible S3 bucket. You can verify the status of an application at any point by calling the /eventdelivery/readStatus operation:

curl -X GET \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/readStatus \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E='

When your application is fully configured, and when event delivery has begun, you'll see an API response similar to this:


Here's another way to check whether activation is complete: go to the S3 bucket and look for the test event that is delivered to the bucket as part of the activation process. That test event will look similar to this:

{
  "msts": 1562002027195,
  "id": "60ced9d7-8735-4b4d-a2eb-f144d9c6704f",
  "type": "eventdelivery_initial_activation_event",
  "message": {
    "app_id": "csz94t3wwngx8gy373zyv8m2xh"
  }
}
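The activation-with-keys, status-polling and test-event checks described above, driven from Python as an added example (this is not Akamai's code or client library). The endpoint paths, the 10-key limit and the test event's "type" come from this page; everything else is an assumption: the readStatus response body is not shown here, so readiness is a predicate the caller supplies, the HTTP transport is injectable, FakeBackend is a constructed stand-in whose {"state": ...} body is invented so the example runs offline, and "client-id"/"client-secret" are placeholder credentials.

```python
"""Added example (not Akamai's code): the activate / readStatus calls from this
page driven from Python.  Builds the Basic credential for an owner API client,
validates public keys before sending (max 10, one OpenSSH key per line), polls
readStatus until provisioning has finished, and recognises the activation test
event.  The readStatus body is not shown on the page, so readiness is a
caller-supplied predicate; FakeBackend is a constructed stand-in for offline runs."""
import base64
import json
import time
import urllib.request

BASE_URL = "https://v1.api.us.janrain.com/config/applications"  # from the page
MAX_KEYS_PER_BUCKET = 10                                         # limit stated on the page
TEST_EVENT_TYPE = "eventdelivery_initial_activation_event"       # "type" of the test event
OPENSSH_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")

def basic_auth_header(client_id, client_secret):
    """The page's 'Authorization: Basic ...' value is base64("client_id:client_secret")
    for an API client that has the owner feature on the application."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def validate_public_keys(keys):
    """Fail fast on keys the bucket cannot use: more than 10 per bucket, a key
    wrapped over several lines (common when pasted), or a line that is not
    '<type> <base64 blob> [comment]' in OpenSSH format."""
    if len(keys) > MAX_KEYS_PER_BUCKET:
        raise ValueError(f"at most {MAX_KEYS_PER_BUCKET} keys per bucket, got {len(keys)}")
    cleaned = []
    for key in keys:
        key = key.strip()
        if "\n" in key:
            raise ValueError("public key must be a single line; re-join wrapped keys first")
        parts = key.split()
        if len(parts) < 2 or not parts[0].startswith(OPENSSH_KEY_TYPES):
            raise ValueError(f"not an OpenSSH public key line: {key[:30]!r}")
        cleaned.append(" ".join(parts))
    return cleaned

def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, body) -> (http_status, response_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def call_api(method, path, auth_header, transport, body=None):
    """Send one request to the config API and fail loudly on a non-2xx status."""
    headers = {"Authorization": auth_header}
    if body is not None:
        headers["Content-Type"] = "application/json"
    status, text = transport(method, f"{BASE_URL}/{path}", headers, body)
    if not 200 <= status < 300:
        raise RuntimeError(f"{method} {path} failed: HTTP {status} {text}")
    return text

def activate(app_id, auth_header, public_keys=(), transport=urllib_transport):
    """POST /eventdelivery/activate; the optional body is a JSON array of key strings."""
    body = json.dumps(validate_public_keys(list(public_keys))).encode() if public_keys else None
    return call_api("POST", f"{app_id}/eventdelivery/activate", auth_header, transport, body)

def read_status(app_id, auth_header, transport=urllib_transport):
    """GET /eventdelivery/readStatus and return the parsed JSON body."""
    return json.loads(call_api("GET", f"{app_id}/eventdelivery/readStatus", auth_header, transport))

def wait_for_activation(app_id, auth_header, is_ready, transport=urllib_transport,
                        max_polls=30, interval_s=30, sleep=time.sleep):
    """Poll readStatus until is_ready(status) holds (provisioning takes minutes);
    raise TimeoutError instead of assuming the bucket exists."""
    for attempt in range(1, max_polls + 1):
        status = read_status(app_id, auth_header, transport)
        if is_ready(status):
            return status
        if attempt < max_polls:
            sleep(interval_s)
    raise TimeoutError(f"{app_id}: event delivery not ready after {max_polls} polls")

def is_activation_test_event(event, app_id):
    """True when an object read from the bucket is this app's activation test event."""
    return event.get("type") == TEST_EVENT_TYPE and (event.get("message") or {}).get("app_id") == app_id

class FakeBackend:
    """Constructed stand-in for the API: 200 on activate, 'provisioning' for a few
    polls, then 'ready'.  The {"state": ...} body is invented for this demo only."""

    def __init__(self, polls_until_ready=2):
        self.polls_until_ready, self.polls, self.requests = polls_until_ready, 0, []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if url.endswith("/eventdelivery/activate"):
            return 200, ""
        if url.endswith("/eventdelivery/readStatus"):
            self.polls += 1
            return 200, json.dumps({"state": "ready" if self.polls > self.polls_until_ready else "provisioning"})
        return 404, "not found"
```

Against the live service, leave `transport` at its default so urllib sends the requests, pass the id and secret of an API client that has the owner feature, and write `is_ready` against the real readStatus response once you have seen one; `FakeBackend` exists only so the example runs without a network. Rejecting wrapped keys before the POST matters because a key pasted with line breaks produces a JSON string with raw newlines, which is exactly the failure the wrapped sample above would produce if sent verbatim.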

If at any point you need to stop using the SIEM Event Delivery, you can do so by using the /eventdelivery/deactivate operation:

curl -X POST \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/deactivate \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E='

When you deactivate the SIEM Event Delivery service, event messages will no longer be delivered to your S3 bucket. In addition, your SIEM event user account will be deleted; among other things, that means that you will not be able to use SFTP to access any files still in that bucket, because you no longer have a valid user account. Before you deactivate SIEM Event Delivery, verify that you have first used SFTP to download all the files that still need to be downloaded.