Akamai MFA Splunk app

This section provides an overview of the log lines visible in the Akamai MFA app for Splunk. It also provides a dictionary of the data available in the logs, describing the content of each log field and its meaning.

For this integration, you need:

The Authentication events logs are JSON-formatted at the source and consist of key-value pairs, where each value is either a string or a dictionary of key-value pairs. Fields in the Splunk log lines appear in a fixed order.

Here is an example of an Authentication events log line in the Akamai MFA Splunk app.

{"uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id": "app_3IyJXh2U9Jiws6bvxcf8X", "app_name": "Test Application", "device": "push", "auth_method": "push", "user_id": "user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115", "denial_type": null, "device_id": "device_3kbTGOPbHxH3KfYkPzm31e", "policy_attr_name": null, "policy_uuid": null, "principal_type": null, "principal_uuid": null}

The following table describes JSON keys for the Authentication events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.

No. | Key | Type of content | Field description | Example
1 | uuid | String or empty | The ID used to look up audit events. | aud_JfNqdl6zSByrU0ovrbJ6m
2 | created_at | ISO 8601 datetime | Date and time when the event was created. | 2021-03-23T19:36:20.047688
3 | browser_ip | String | The IP address of the browser client that initiated the event. | 49.207.58.115
4 | app_id | String or empty | The ID used to look up apps. Corresponds to the ID of the app, if authentication is made against an app. | app_3IyJXh2U9Jiws6bvxcf8X
5 | app_name | String or empty | The name of the application that was used for authentication. | Test Application
6 | device | enum | The type of the device that performs the authentication. | push
7 | auth_method | enum | The method used by the device to authenticate. | push
8 | user_id | String | The ID used to look up users. Corresponds to the ID of the user that is authenticated. | user_6Hy1v24DZIr8b0UHYi5dv3
9 | username | String or empty | Username of the authenticated user (looked up separately from the record). | nityagi
10 | is_success | Boolean | Indicates whether the authentication attempt was successful. | true
11 | device_metadata | String or empty | Extra information about the device that made the authentication. | Android
12 | receipt | String or empty | Receipt of the transaction, as a Base64-encoded string. Its form varies; once decoded from Base64 it is typically a string, JSON, or a byte array. |
13 | browser_type | String or empty | The type of the browser. | Chrome
14 | browser_version | String or empty | The version of the browser that made the authentication request, for example 14.34.2. | 88.0.4324
15 | browser_os | String or empty | The operating system on which the browser that made the authentication request runs. | macOS
16 | browser_os_version | String or empty | The version of the operating system on which the browser that made the authentication request runs, for example 14.34.2. | 10.15.7
17 | device_os | String or empty | The operating system of the device that approved or denied the authentication request. | Android
18 | device_os_version | String or empty | The OS version of the device that approved or denied the authentication request, for example 14.34.2. | 10.0.0
19 | browser_geo_location | String or empty | The location (via IP lookup) of the browser that made the authentication request. | BANGALORE KA, IN
20 | device_geo_location | String or empty | The location (via IP lookup) of the device that approved or denied the authentication request. | BANGALORE KA, IN
21 | device_ip | String or empty | The IP address of the device that approved or denied the authentication request. | 49.207.58.115
22 | denial_type | String or empty | Indicates whether the authentication failed due to policy or user-related issues. If the denial_type value is null, the authentication attempt was successful. | policy
23 | device_id | String or empty | The ID of the device that performed the authentication. | device_3kbTGOPbHxH3KfYkPzm31e
24 | policy_attr_name | String or empty | The name of the attribute that caused the denial. | Existing user
25 | policy_uuid | String or empty | The ID of the Akamai authentication policy containing the attribute that caused the denial. | policy_5iMncPFO8euHE8JRviQL4j
26 | principal_type | String or empty | The type of the principal that caused the failure. |
27 | principal_uuid | String or empty | The ID of the associated principal containing the policy attribute that caused the denial. The ID is not present if the policy denial was created when the user violated a default policy setting. | Tenant
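As an added example (not part of the Akamai documentation or the app's own code), the following Python parses lines in the documented Authentication events format, enforces the stated relationship between is_success and denial_type, and flags the events a reviewer would want to look at: policy denials, and approvals where the browser and the approving device resolve to different locations. The sample lines, IDs, IPs and locations are constructed.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample lines in the Authentication events format documented above.
# The key names follow the field dictionary; IDs, IPs and locations are made up.
SAMPLE_LOG_LINES = [
    '{"uuid": "aud_ex1", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", '
    '"user_id": "user_ex1", "username": "nityagi", "is_success": true, "browser_geo_location": "BANGALORE KA, IN", '
    '"device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115", "denial_type": null, "policy_attr_name": null}',
    '{"uuid": "aud_ex2", "created_at": "2021-03-23T19:40:02.000000", "browser_ip": "198.51.100.23", '
    '"user_id": "user_ex2", "username": "example.user", "is_success": false, "browser_geo_location": "LONDON, GB", '
    '"device_geo_location": "", "device_ip": "", "denial_type": "policy", "policy_attr_name": "Existing user"}',
    '{"uuid": "aud_ex3", "created_at": "2021-03-23T19:41:11.000000", "browser_ip": "49.207.58.115", '
    '"user_id": "user_ex1", "username": "nityagi", "is_success": true, "browser_geo_location": "BANGALORE KA, IN", '
    '"device_geo_location": "BERLIN BE, DE", "device_ip": "203.0.113.7", "denial_type": null, "policy_attr_name": null}',
]

REQUIRED_KEYS = ("uuid", "created_at", "browser_ip", "user_id", "username", "is_success", "denial_type")


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one log line and check the shape the field dictionary describes."""
    event = json.loads(line)
    missing = [k for k in REQUIRED_KEYS if k not in event]
    if missing:
        raise ValueError(f"{event.get('uuid', '?')}: missing keys {missing}")
    if not isinstance(event["is_success"], bool):
        raise ValueError(f"{event['uuid']}: is_success must be a JSON boolean")
    # Documented invariant: denial_type is null exactly when the attempt succeeded.
    if event["is_success"] != (event["denial_type"] is None):
        raise ValueError(f"{event['uuid']}: is_success and denial_type disagree")
    return event


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag denied attempts, and approvals where the browser and the approving
    device resolve to different locations (a push approved from somewhere else)."""
    findings = []
    for e in map(parse_event, lines):
        if not e["is_success"]:
            findings.append((e["uuid"], "denied", f"{e['denial_type']}: {e.get('policy_attr_name') or ''}"))
        elif e.get("device_geo_location") and e["browser_geo_location"] != e["device_geo_location"]:
            findings.append((e["uuid"], "geo_mismatch", f"{e['browser_geo_location']} vs {e['device_geo_location']}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(*finding, sep="\t")
```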

Splunk fields extraction

As all log lines are JSON-formatted at the source, there is no need to extract fields separately. The fields appear automatically in search as soon as the logs are pushed.