Akamai MFA Splunk app
This section provides an overview of the log lines visible in the Akamai MFA app for Splunk. It also provides a dictionary of data available in the logs, describing the content in each log field and its meaning.
For this integration, you need:
- Splunk Enterprise software. See the Splunk Enterprise Installation Manual.
- Splunk app version 8.1 and above.
- Logging-type integration with Akamai MFA. Follow the Splunk adapter
instructions to integrate.
Authentication events
The authentication events logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of a key-value pair. Fields in the Splunk logs lines appear in a certain order.
Here you can see an example of the authentication events log lines in the Akamai MFA Splunk app.
{“uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id":"app_3IyJXh2U9Jiws6bvxcf8X", “app_name”: “Test Application”,"device": "push", "auth_method": "push", "user_id":"user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115”,“denial_type”: null“device_id”: “device_3kbTGOPbHxH3KfYkPzm31e”, “policy_attr_name”: null, “policy_uuid”: null,“principal_type”: null,“principal_uuid”: null}
The following table describes JSON keys for the authentication events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.
| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | uuid | String or empty | The ID that looks up audit events. | aud_JfNqdl6zSByrU0ovrbJ6m |
| 2 | created_at | ISO 8601 datetime | Date and time when the event was created. | 2021-03-23T19:36:20.047688 |
| 3 | browser_ip | String | The IP address of the browser client that initiated the event. | 49.207.58.115 |
| 4 | app_id | String or empty | The ID that looks up apps. Corresponds to the ID of the app (if authentication is made against an app). | app_3IyJXh2U9Jiws6bvxcf8X |
| 5 | app_name | String or empty | The name of the application that was used for authentication. | |
| 6 | device | enum | The type of the device that performs the authentication. | push |
| 7 | auth_method | enum | The method used by the device to authenticate. | push |
| 8 | user_id | String | The ID that looks up users. Corresponds to the ID of the user that is authenticated. | user_6Hy1v24DZIr8b0UHYi5dv3 |
| 9 | username | String or empty | Username of the authenticated user. (looked up separate from the record here). | nityagi |
| 10 | is_success | Boolean | Informs if the authentication attempt was successful. | true |
| 11 | device_metadata | String or empty | Extra information about the device that made the authentication. | Android |
| 12 | receipt | String or empty | A Base64-encoded string. Receipt of the transaction. Its form varies, but it is typically represented as a string, json or, a bytearray once decoded from base64. | |
| 13 | browser_type | String or empty | The type of the browser. | Chrome |
| 14 | browser_version | String or empty | The browser version, for example, 14.34.2. The version of the browser that made the authentication request. | 88.0.4324 |
| 15 | browser_os | String or empty | The operating system on which runs the browser that made the auth request. | macOS |
| 16 | browser_os_version | String or empty | The browser version, for example 14.34.2. The version of the operating system on which runs the browser that made the authentication request. | 10.15.7 |
| 17 | device_os | String or empty | The operating system of the device that approved or denied the authentication request. | Android |
| 18 | device_os_version | String or empty | The OS version of the device that approved or denied the authentication request, for example 14.34.2. | 10.0.0 |
| 19 | browser_geo_location | String or empty | The location (via IP lookup) of the browser that made the authentication request. | BANGALORE KA, IN |
| 20 | device_geo_location | String or empty | The location (via IP lookup) of the device that approved or denied the authentication request. | BANGALORE KA, IN |
| 21 | device_ip | String or empty | The IP address of the device that approved or denied the authentication request. | 49.207.58.115 |
| 22 | denial_type | String or Empty | Indicates whether the authentication failed due to the policy or user-related issues. If denial_type value is null, it means that the authentication attempt was successful. | policy |
| 23 | device_id | String or Empty | The ID of the device that performed the authentication. | device_3kbTGOPbHxH3KfYkPzm31e |
| 24 | policy_attr_name | String or Empty | The name of the attribute that caused the denial. | Existing user |
| 25 | policy_uuid | String or Empty | The ID of the Akamai authentication policy containing the attribute that caused the denial. | policy_5iMncPFO8euHE8JRviQL4j |
| 26 | principal_type | String or Empty | The type of the principal that caused the failure. | |
| 27 | principal_uuid | String or Empty | The ID of the associated principal containing the policy attribute that caused the denial. The ID is not present if the policy denial was created when the user violated a default policy setting. | Tenant |
Session history
The session history logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of a key-value pair. Fields in the Splunk logs lines appear in a certain order.
Here you can see an example of the session history log lines in the Akamai MFA Splunk app.
{"started_at": "2025-10-09T05:42:14.760458Z", "ended_at": "2025-10-09T05:42:30.342548Z", "session_id": "session_6XeoBhO6mnAH0WMuLTINO3", "outcome": "success", "app": {"id": "app_2Zm4nmF7OPiK87cD4P2Vly", "name": "phone_only", "app_type": "demo"}, "provided_username": "mfa_user", "user_id": "user_2PVk0rPac6BHnc46kix563", "endpoint": {"geo_country": "US", "geo_state_or_province": "QUINCY WA, US", "ip": "127.0.0.1", "browser_type": "Chrome", "browser_version": "141.0.0", "os": "Linux", "os_version": "5.4.0"}, "attempts_started": 2, "attempts_concluded": 1, "attempts_succeeded": 1, "attempts_failed": 0, "last_incomplete_attempt": {"attempt_id": "attempt_5Zur8hWnqgthIv5NCOvJV9", "started": {"time": "2025-10-09T05:42:16.253138", "user_id": "user_2PVk0rPac6BHnc46kix563", "auth_method": "text_code", "intent": "login"}, "concluded": null}, "last_failed_attempt": null, "last_successful_attempt": {"attempt_id": "attempt_996HVkYl4h28RFeSzfKurp", "started": {"time": "2025-10-09T05:42:25.690508", "user_id": "user_2PVk0rPac6BHnc46kix563", "auth_method": "text_code", "intent": "login"}, "concluded": {"concluded": {"time": "2025-10-09T05:42:30.342548Z", "user_id": "user_2PVk0rPac6BHnc46kix563", "success": true, "auth_method": "text_code", "intent": "login"}}}, "distinct_policies_used": 1, "policies": {"policy_1": {"policy_id": "policy_7NE52CkKuyAh9hZhSa3NMK", "policy_name": null, "principal_type": "Tenant", "caveat": null}}}
The following table describes JSON keys for the session history events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.
| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | started_at | Timestamp | Start time of the session | 2025-10-09T05:42:14.760458Z |
| 2 | ended_at | Timestamp | End time of the session | 2025-10-09T05:42:30.342548Z |
| 3 | session_id | String | Unique identifier for the session | session_6XeoBhO6mnAH0WMuLTINO3 |
| 4 | outcome | String (enum) | Result of the session | success |
| 5 | app.id | String | Application (Integration) ID | app_2Zm4nmF7OPiK87cD4P2Vly |
| 6 | app.name | String | Name of the application | phone_only |
| 7 | app.app_type | String | Type of the application | demo |
| 8 | provided_username | String | Username entered during session | mfa_user |
| 9 | user_id | String | Unique identifier for the user | user_2PVk0rPac6BHnc46kix563 |
| 10 | endpoint.geo_country | String (ISO code) | Country of the user's IP | US |
| 11 | endpoint.geo_state_or_province | String | Region/state of the user's IP | QUINCY WA, US |
| 12 | endpoint.ip | IP Address | IP address used in session | 127.0.0.1 |
| 13 | endpoint.browser_type | String | Browser type used | Chrome |
| 14 | endpoint.browser_version | String | Browser version | 141.0.0 |
| 15 | endpoint.os | String | Operating system | Linux |
| 16 | endpoint.os_version | String | OS version | 5.4.0 |
| 17 | attempts_started | Integer | Number of authentication attempts started | 2 |
| 18 | attempts_concluded | Integer | Number of attempts concluded | 1 |
| 19 | attempts_succeeded | Integer | Number of successful attempts | 1 |
| 20 | attempts_failed | Integer | Number of failed attempts | 0 |
| 21 | last_incomplete_attempt.attempt_id | String | ID of the last incomplete attempt | attempt_5Zur8hWnqgthIv5NCOvJV9 |
| 22 | last_incomplete_attempt.started.time | Timestamp | Start time of the last incomplete attempt | 2025-10-09T05:42:16.253138 |
| 23 | last_incomplete_attempt.started.auth_method | String | Auth method used in last incomplete attempt | text_code |
| 24 | last_incomplete_attempt.started.intent | String | Intent of the incomplete attempt | login |
| 25 | last_failed_attempt | Last failed attempt | null | |
| 26 | last_successful_attempt.attempt_id | String | ID of the last successful attempt | attempt_996HVkYl4h28RFeSzfKurp |
| 27 | last_successful_attempt.started.time | Timestamp | Start time of last successful attempt | 2025-10-09T05:42:25.690508 |
| 28 | last_successful_attempt.concluded.concluded.time | Timestamp | End time of last successful attempt | 2025-10-09T05:42:30.342548Z |
| 29 | last_successful_attempt.concluded.concluded.success | Boolean | Whether last attempt succeeded | true |
| 30 | distinct_policies_used | Integer | Number of unique policies used | 1 |
| 31 | policies.policy_1.policy_id | String | Policy ID used | policy_7NE52CkKuyAh9hZhSa3NMK |
| 32 | policies.policy_1.policy_name | String | Name of the policy (if available) | null |
| 33 | policies.policy_1.principal_type | String | Type of principal the policy applies to | Tenant |
| 34 | policies.policy_1.caveat | String | Any additional caveat or condition | null |
Resource actions
The resource action logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of a key-value pair. Fields in the Splunk logs lines appear in a certain order. These logs let you audit admin events.
Here you can see an example of the resource action log lines in the Akamai MFA Splunk app.
{"time": "2025-10-08T21:41:39.602221Z", "uuid": "aud_3ZzFdAEddSCammrBYfwZwG", "actor_name": "nsmith", "actor_role": "admin", "resource_type": "integration", "resource_id": "app_2Zm4nmF7OPiK87cD4P2Vly", "resource_name": "MFA_UI_101010100", "action": "delete", "path_and_query": "/api/v1/control/applications/app_2Zm4nmF7OPiK87cD4P2Vly", "http_method": "delete", "request_id": "2kh520fz-c8fy-47fh-b5r5-70477ci767d9", "user_id": "", "resource_state": "{\"id\": \"app_2Zm4nmF7OPiK87cD4P2Vly\", \"name\": \"MFA_UI_101010100\", \"app_type\": \"generic_oidc\", \"created_at\": \"2025-10-08T21:40:00.508165\", \"deleted_at\": \"2025-10-08T21:41:39.584469Z\", \"is_enabled\": true, \"updated_at\": \"2025-10-08T21:41:39.615258\", \"username_modification\": {\"strategy\": \"no_modify\"}}"}
The following table describes JSON keys for the resource action events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.
| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | time | Timestamp | Time the action occurred | 2025-10-08T21:41:39.602221Z |
| 2 | uuid | String (UUID) | Unique identifier for the audit event | aud_3ZzFdAEddSCammrBYfwZwG |
| 3 | actor_name | String | Username of the user performing the action | nsmith |
| 4 | actor_role | String | Role of the user | admin |
| 5 | resource_type | String | Type of resource affected | integration |
| 6 | resource_id | String | Unique identifier of the resource | app_2Zm4nmF7OPiK87cD4P2Vly |
| 7 | resource_name | String | Name of the affected resource | MFA_UI_101010100 |
| 8 | action | String (enum) | Action performed | delete |
| 9 | path_and_query | String (URL path) | API endpoint path and query used for the request | /api/v1/control/applications/app_2Zm4nmF7OPiK87cD4P2Vly |
| 10 | http_method | String | HTTP method used for the request | delete |
| 11 | request_id | String (UUID) | Unique request identifier | 2kh520fz-c8fy-47fh-b5r5-70477ci767d9 |
| 12 | user_id | String | User ID associated with the action (empty if not tracked) | |
| 13 | resource_state.id | String | ID of the resource in its final state | app_2Zm4nmF7OPiK87cD4P2Vly |
| 14 | resource_state.name | String | Name of the resource in its final state | MFA_UI_101010100 |
| 15 | resource_state.app_type | String | Type of the application (integration) | generic_oidc |
| 16 | resource_state.created_at | Timestamp | Timestamp when the resource was created | 2025-10-08T21:40:00.508165 |
| 17 | resource_state.deleted_at | Timestamp | Timestamp when the resource was deleted | 2025-10-08T21:41:39.584469Z |
| 18 | resource_state.is_enabled | Boolean | Whether the resource is enabled | true |
| 19 | resource_state.updated_at | Timestamp | Timestamp of the last update to the resource | 2025-10-08T21:41:39.615258 |
| 20 | resource_state.username_modification.strategy | String | Strategy used for modifying usernames | no_modify |
Splunk fields extraction
As all the log lines are JSON-formatted from the source, there is no need to extract fields separately. Log lines will appear automatically in the search as soon as the logs are pushed.
Updated 13 days ago