Akamai MFA Splunk app
This section provides an overview of the log lines visible in the Akamai MFA app for Splunk. It also provides a dictionary of data available in the logs, describing the content in each log field and its meaning.
For this integration, you need:
- Splunk Enterprise software. See the Splunk Enterprise Installation Manual.
- Splunk app version 8.1 and above.
- Logging-type integration with Akamai MFA. Follow the Splunk adapter instructions to integrate.
The Authentication events logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of key-value pairs (booleans and nulls also appear, as the table below shows). Fields in the Splunk log lines appear in a fixed order.
Here is an example of an Authentication events log line as it appears in the Akamai MFA Splunk app.
```json
{"uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id": "app_3IyJXh2U9Jiws6bvxcf8X", "app_name": "Test Application", "device": "push", "auth_method": "push", "user_id": "user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115", "denial_type": null, "device_id": "device_3kbTGOPbHxH3KfYkPzm31e", "policy_attr_name": null, "policy_uuid": null, "principal_type": null, "principal_uuid": null}
```
The following table describes JSON keys for the Authentication events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.
No. | Key | Type of content | Field description | Example |
---|---|---|---|---|
1 | uuid | String or empty | The ID used to look up audit events. | aud_JfNqdl6zSByrU0ovrbJ6m |
2 | created_at | ISO 8601 datetime | Date and time when the event was created. | 2021-03-23T19:36:20.047688 |
3 | browser_ip | String | The IP address of the browser client that initiated the event. | 49.207.58.115 |
4 | app_id | String or empty | The ID used to look up apps. Corresponds to the ID of the app (if the authentication was made against an app). | app_3IyJXh2U9Jiws6bvxcf8X |
5 | app_name | String or empty | The name of the application that was used for authentication. | |
6 | device | enum | The type of the device that performs the authentication. | push |
7 | auth_method | enum | The method used by the device to authenticate. | push |
8 | user_id | String | The ID used to look up users. Corresponds to the ID of the user that is authenticated. | user_6Hy1v24DZIr8b0UHYi5dv3 |
9 | username | String or empty | Username of the authenticated user (looked up separately from the record). | nityagi |
10 | is_success | Boolean | Informs if the authentication attempt was successful. | true |
11 | device_metadata | String or empty | Extra information about the device that made the authentication. | Android |
12 | receipt | String or empty | A Base64-encoded receipt of the transaction. Its form varies: once decoded from Base64 it is typically a string, JSON, or a byte array. | |
13 | browser_type | String or empty | The type of the browser. | Chrome |
14 | browser_version | String or empty | The version of the browser that made the authentication request, for example 14.34.2. | 88.0.4324 |
15 | browser_os | String or empty | The operating system on which the browser that made the authentication request runs. | macOS |
16 | browser_os_version | String or empty | The version of the operating system on which the browser that made the authentication request runs, for example 14.34.2. | 10.15.7 |
17 | device_os | String or empty | The operating system of the device that approved or denied the authentication request. | Android |
18 | device_os_version | String or empty | The OS version of the device that approved or denied the authentication request, for example 14.34.2. | 10.0.0 |
19 | browser_geo_location | String or empty | The location (via IP lookup) of the browser that made the authentication request. | BANGALORE KA, IN |
20 | device_geo_location | String or empty | The location (via IP lookup) of the device that approved or denied the authentication request. | BANGALORE KA, IN |
21 | device_ip | String or empty | The IP address of the device that approved or denied the authentication request. | 49.207.58.115 |
22 | denial_type | String or empty | Indicates whether the authentication failed because of a policy or a user-related issue. If denial_type is null, the authentication attempt was successful. | policy |
23 | device_id | String or empty | The ID of the device that performed the authentication. | device_3kbTGOPbHxH3KfYkPzm31e |
24 | policy_attr_name | String or empty | The name of the attribute that caused the denial. | Existing user |
25 | policy_uuid | String or empty | The ID of the Akamai authentication policy containing the attribute that caused the denial. | policy_5iMncPFO8euHE8JRviQL4j |
26 | principal_type | String or empty | The type of the principal that caused the failure. | |
27 | principal_uuid | String or empty | The ID of the associated principal containing the policy attribute that caused the denial. The ID is not present if the policy denial was created when the user violated a default policy setting. | Tenant |
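As an added example (not code from Akamai or the Splunk app), the following Python validates a raw Authentication events line against the field dictionary above and derives review flags a SOC analyst would want: a contradiction between is_success and denial_type (the table says null means success), a policy denial with its attribute and policy ID, and a successful push approved from a different geolocation than the browser. The sample event is constructed with placeholder IDs and documentation IP ranges; only the field names come from the page.

```python
import json
from datetime import datetime
# Every key in the field dictionary above, in the order the app emits them.
FIELDS = ("uuid", "created_at", "browser_ip", "app_id", "app_name", "device",
          "auth_method", "user_id", "username", "is_success", "device_metadata",
          "receipt", "browser_type", "browser_version", "browser_os",
          "browser_os_version", "device_os", "device_os_version",
          "browser_geo_location", "device_geo_location", "device_ip",
          "denial_type", "device_id", "policy_attr_name", "policy_uuid",
          "principal_type", "principal_uuid")

# Constructed baseline event modelled on the page's sample (placeholder IDs, documentation IPs).
BASE = {"uuid": "aud_EXAMPLE1", "created_at": "2021-03-23T19:36:20.047688",
        "browser_ip": "192.0.2.10", "app_id": "app_EXAMPLE", "app_name": "Test Application",
        "device": "push", "auth_method": "push", "user_id": "user_EXAMPLE",
        "username": "nityagi", "is_success": True, "device_metadata": "Android",
        "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324",
        "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android",
        "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN",
        "device_geo_location": "BANGALORE KA, IN", "device_ip": "198.51.100.7",
        "denial_type": None, "device_id": "device_EXAMPLE", "policy_attr_name": None,
        "policy_uuid": None, "principal_type": None, "principal_uuid": None}

def make_line(**overrides):
    """Serialise one constructed event as the single-line JSON Splunk ingests."""
    return json.dumps({**BASE, **overrides})

def parse_event(line):
    """Validate a raw log line against the field dictionary; raise ValueError if malformed."""
    ev = json.loads(line)  # JSONDecodeError is a ValueError subclass
    missing = [k for k in FIELDS if k not in ev]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if not isinstance(ev["is_success"], bool):
        raise ValueError("is_success must be a JSON boolean")
    datetime.fromisoformat(ev["created_at"])  # ISO 8601, as the table specifies
    return ev

def triage(ev):
    """Return review flags for one event: field contradictions, policy denials, geo mismatch."""
    flags = []
    # The table states that a null denial_type means the attempt succeeded.
    if ev["is_success"] != (ev["denial_type"] is None):
        flags.append("success/denial_type mismatch")
    if ev["denial_type"] == "policy":
        flags.append(f"policy denial: {ev['policy_attr_name']} ({ev['policy_uuid']})")
    geo_b, geo_d = ev["browser_geo_location"], ev["device_geo_location"]
    if ev["is_success"] and geo_b and geo_d and geo_b != geo_d:
        flags.append(f"approved from {geo_d} for a browser in {geo_b}")
    return flags
```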
Splunk fields extraction
Because all log lines are JSON-formatted at the source, there is no need to extract fields separately. Log lines appear automatically in search as soon as the logs are pushed.