Akamai MFA Splunk app

This section provides an overview of the log lines visible in the Akamai MFA app for Splunk. It also provides a dictionary of data available in the logs, describing the content in each log field and its meaning.

For this integration, you need:

Authentication events

The authentication event logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of key-value pairs. Fields in the Splunk log lines appear in a certain order.

Here you can see an example of the authentication events log lines in the Akamai MFA Splunk app.

{"uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id": "app_3IyJXh2U9Jiws6bvxcf8X", "app_name": "Test Application", "device": "push", "auth_method": "push", "user_id": "user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115", "denial_type": null, "device_id": "device_3kbTGOPbHxH3KfYkPzm31e", "policy_attr_name": null, "policy_uuid": null, "principal_type": null, "principal_uuid": null}

The following table describes JSON keys for the authentication events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.

| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | uuid | String or empty | The ID that looks up audit events. | aud_JfNqdl6zSByrU0ovrbJ6m |
| 2 | created_at | ISO 8601 datetime | Date and time when the event was created. | 2021-03-23T19:36:20.047688 |
| 3 | browser_ip | String | The IP address of the browser client that initiated the event. | 49.207.58.115 |
| 4 | app_id | String or empty | The ID that looks up apps. Corresponds to the ID of the app (if authentication is made against an app). | app_3IyJXh2U9Jiws6bvxcf8X |
| 5 | app_name | String or empty | The name of the application that was used for authentication. | |
| 6 | device | enum | The type of the device that performs the authentication. | push |
| 7 | auth_method | enum | The method used by the device to authenticate. | push |
| 8 | user_id | String | The ID that looks up users. Corresponds to the ID of the user that is authenticated. | user_6Hy1v24DZIr8b0UHYi5dv3 |
| 9 | username | String or empty | Username of the authenticated user (looked up separately from the record here). | nityagi |
| 10 | is_success | Boolean | Informs if the authentication attempt was successful. | true |
| 11 | device_metadata | String or empty | Extra information about the device that made the authentication. | Android |
| 12 | receipt | String or empty | A Base64-encoded string. Receipt of the transaction. Its form varies, but it is typically represented as a string, JSON, or a bytearray once decoded from Base64. | |
| 13 | browser_type | String or empty | The type of the browser. | Chrome |
| 14 | browser_version | String or empty | The browser version, for example, 14.34.2. The version of the browser that made the authentication request. | 88.0.4324 |
| 15 | browser_os | String or empty | The operating system running the browser that made the auth request. | macOS |
| 16 | browser_os_version | String or empty | The browser version, for example 14.34.2. The version of the operating system running the browser that made the authentication request. | 10.15.7 |
| 17 | device_os | String or empty | The operating system of the device that approved or denied the authentication request. | Android |
| 18 | device_os_version | String or empty | The OS version of the device that approved or denied the authentication request, for example 14.34.2. | 10.0.0 |
| 19 | browser_geo_location | String or empty | The location (via IP lookup) of the browser that made the authentication request. | BANGALORE KA, IN |
| 20 | device_geo_location | String or empty | The location (via IP lookup) of the device that approved or denied the authentication request. | BANGALORE KA, IN |
| 21 | device_ip | String or empty | The IP address of the device that approved or denied the authentication request. | 49.207.58.115 |
| 22 | denial_type | String or empty | Indicates whether the authentication failed due to the policy or user-related issues. If the denial_type value is null, the authentication attempt was successful. | policy |
| 23 | device_id | String or empty | The ID of the device that performed the authentication. | device_3kbTGOPbHxH3KfYkPzm31e |
| 24 | policy_attr_name | String or empty | The name of the attribute that caused the denial. | Existing user |
| 25 | policy_uuid | String or empty | The ID of the Akamai authentication policy containing the attribute that caused the denial. | policy_5iMncPFO8euHE8JRviQL4j |
| 26 | principal_type | String or empty | The type of the principal that caused the failure. | |
| 27 | principal_uuid | String or empty | The ID of the associated principal containing the policy attribute that caused the denial. The ID is not present if the policy denial was created when the user violated a default policy setting. | Tenant |
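
An added example (not part of the Akamai documentation or the Splunk app): two triage checks over authentication events, using only keys documented above. The sample lines and their `aud_A`-style IDs are constructed, and treating a browser/device location mismatch as a review signal is an assumption of this example, not an Akamai rule.

```python
import json
from collections import Counter

# Constructed sample log lines (not real data); keys follow the table above.
SAMPLE_LINES = [
    '{"uuid": "aud_A", "username": "alice", "is_success": true, "denial_type": null,'
    ' "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN"}',
    '{"uuid": "aud_B", "username": "bob", "is_success": true, "denial_type": null,'
    ' "browser_geo_location": "QUINCY WA, US", "device_geo_location": "BANGALORE KA, IN"}',
    '{"uuid": "aud_C", "username": "bob", "is_success": false, "denial_type": "policy",'
    ' "browser_geo_location": "QUINCY WA, US", "device_geo_location": ""}',
    '{"uuid": "aud_D", "username": "bob", "is_success": false, "denial_type": "policy",'
    ' "browser_geo_location": "QUINCY WA, US", "device_geo_location": ""}',
    '{"uuid": "aud_E", "username": "carol", "is_success": true, "denial_type": null,'
    ' "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": ""}',
    '{"uuid": "aud_F", "username": truncated',  # malformed line, must be skipped
]

def parse_events(lines):
    """Decode one JSON object per line; drop lines that are not valid JSON objects."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events

def geo_mismatches(events):
    """uuids of successful authentications approved from a different location
    than the browser's. Empty or missing locations are not compared."""
    hits = []
    for e in events:
        browser = e.get("browser_geo_location") or ""
        device = e.get("device_geo_location") or ""
        if e.get("is_success") is True and browser and device and browser != device:
            hits.append(e.get("uuid"))
    return hits

def denials_by_user(events):
    """Count failed authentications per (username, denial_type)."""
    failed = [e for e in events if e.get("is_success") is False]
    return Counter((e.get("username") or "", e.get("denial_type")) for e in failed)

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LINES)
    print(geo_mismatches(evts), dict(denials_by_user(evts)))
```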

Session history

The session history logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of key-value pairs. Fields in the Splunk log lines appear in a certain order.

Here you can see an example of the session history log lines in the Akamai MFA Splunk app.

{"started_at": "2025-10-09T05:42:14.760458Z", "ended_at": "2025-10-09T05:42:30.342548Z", "session_id": "session_6XeoBhO6mnAH0WMuLTINO3", "outcome": "success", "app": {"id": "app_2Zm4nmF7OPiK87cD4P2Vly", "name": "phone_only", "app_type": "demo"}, "provided_username": "mfa_user", "user_id": "user_2PVk0rPac6BHnc46kix563", "endpoint": {"geo_country": "US", "geo_state_or_province": "QUINCY WA, US", "ip": "127.0.0.1", "browser_type": "Chrome", "browser_version": "141.0.0", "os": "Linux", "os_version": "5.4.0"}, "attempts_started": 2, "attempts_concluded": 1, "attempts_succeeded": 1, "attempts_failed": 0, "last_incomplete_attempt": {"attempt_id": "attempt_5Zur8hWnqgthIv5NCOvJV9", "started": {"time": "2025-10-09T05:42:16.253138", "user_id": "user_2PVk0rPac6BHnc46kix563", "auth_method": "text_code", "intent": "login"}, "concluded": null}, "last_failed_attempt": null, "last_successful_attempt": {"attempt_id": "attempt_996HVkYl4h28RFeSzfKurp", "started": {"time": "2025-10-09T05:42:25.690508", "user_id": "user_2PVk0rPac6BHnc46kix563", "auth_method": "text_code", "intent": "login"}, "concluded": {"concluded": {"time": "2025-10-09T05:42:30.342548Z", "user_id": "user_2PVk0rPac6BHnc46kix563", "success": true, "auth_method": "text_code", "intent": "login"}}}, "distinct_policies_used": 1, "policies": {"policy_1": {"policy_id": "policy_7NE52CkKuyAh9hZhSa3NMK", "policy_name": null, "principal_type": "Tenant", "caveat": null}}}

The following table describes JSON keys for the session history events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.

| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | started_at | Timestamp | Start time of the session | 2025-10-09T05:42:14.760458Z |
| 2 | ended_at | Timestamp | End time of the session | 2025-10-09T05:42:30.342548Z |
| 3 | session_id | String | Unique identifier for the session | session_6XeoBhO6mnAH0WMuLTINO3 |
| 4 | outcome | String (enum) | Result of the session | success |
| 5 | app.id | String | Application (Integration) ID | app_2Zm4nmF7OPiK87cD4P2Vly |
| 6 | app.name | String | Name of the application | phone_only |
| 7 | app.app_type | String | Type of the application | demo |
| 8 | provided_username | String | Username entered during session | mfa_user |
| 9 | user_id | String | Unique identifier for the user | user_2PVk0rPac6BHnc46kix563 |
| 10 | endpoint.geo_country | String (ISO code) | Country of the user's IP | US |
| 11 | endpoint.geo_state_or_province | String | Region/state of the user's IP | QUINCY WA, US |
| 12 | endpoint.ip | IP Address | IP address used in session | 127.0.0.1 |
| 13 | endpoint.browser_type | String | Browser type used | Chrome |
| 14 | endpoint.browser_version | String | Browser version | 141.0.0 |
| 15 | endpoint.os | String | Operating system | Linux |
| 16 | endpoint.os_version | String | OS version | 5.4.0 |
| 17 | attempts_started | Integer | Number of authentication attempts started | 2 |
| 18 | attempts_concluded | Integer | Number of attempts concluded | 1 |
| 19 | attempts_succeeded | Integer | Number of successful attempts | 1 |
| 20 | attempts_failed | Integer | Number of failed attempts | 0 |
| 21 | last_incomplete_attempt.attempt_id | String | ID of the last incomplete attempt | attempt_5Zur8hWnqgthIv5NCOvJV9 |
| 22 | last_incomplete_attempt.started.time | Timestamp | Start time of the last incomplete attempt | 2025-10-09T05:42:16.253138 |
| 23 | last_incomplete_attempt.started.auth_method | String | Auth method used in last incomplete attempt | text_code |
| 24 | last_incomplete_attempt.started.intent | String | Intent of the incomplete attempt | login |
| 25 | last_failed_attempt | | Last failed attempt | null |
| 26 | last_successful_attempt.attempt_id | String | ID of the last successful attempt | attempt_996HVkYl4h28RFeSzfKurp |
| 27 | last_successful_attempt.started.time | Timestamp | Start time of last successful attempt | 2025-10-09T05:42:25.690508 |
| 28 | last_successful_attempt.concluded.concluded.time | Timestamp | End time of last successful attempt | 2025-10-09T05:42:30.342548Z |
| 29 | last_successful_attempt.concluded.concluded.success | Boolean | Whether last attempt succeeded | true |
| 30 | distinct_policies_used | Integer | Number of unique policies used | 1 |
| 31 | policies.policy_1.policy_id | String | Policy ID used | policy_7NE52CkKuyAh9hZhSa3NMK |
| 32 | policies.policy_1.policy_name | String | Name of the policy (if available) | null |
| 33 | policies.policy_1.principal_type | String | Type of principal the policy applies to | Tenant |
| 34 | policies.policy_1.caveat | String | Any additional caveat or condition | null |

Resource actions

The resource action logs are JSON-formatted at the source and composed of key-value pairs, where the value is a string or a dictionary of key-value pairs. Fields in the Splunk log lines appear in a certain order. These logs let you audit admin events.

Here you can see an example of the resource action log lines in the Akamai MFA Splunk app.

{"time": "2025-10-08T21:41:39.602221Z", "uuid": "aud_3ZzFdAEddSCammrBYfwZwG", "actor_name": "nsmith", "actor_role": "admin", "resource_type": "integration", "resource_id": "app_2Zm4nmF7OPiK87cD4P2Vly", "resource_name": "MFA_UI_101010100", "action": "delete", "path_and_query": "/api/v1/control/applications/app_2Zm4nmF7OPiK87cD4P2Vly", "http_method": "delete", "request_id": "2kh520fz-c8fy-47fh-b5r5-70477ci767d9", "user_id": "", "resource_state": "{\"id\": \"app_2Zm4nmF7OPiK87cD4P2Vly\", \"name\": \"MFA_UI_101010100\", \"app_type\": \"generic_oidc\", \"created_at\": \"2025-10-08T21:40:00.508165\", \"deleted_at\": \"2025-10-08T21:41:39.584469Z\", \"is_enabled\": true, \"updated_at\": \"2025-10-08T21:41:39.615258\", \"username_modification\": {\"strategy\": \"no_modify\"}}"}

The following table describes JSON keys for the resource action events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.

| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | time | Timestamp | Time the action occurred | 2025-10-08T21:41:39.602221Z |
| 2 | uuid | String (UUID) | Unique identifier for the audit event | aud_3ZzFdAEddSCammrBYfwZwG |
| 3 | actor_name | String | Username of the user performing the action | nsmith |
| 4 | actor_role | String | Role of the user | admin |
| 5 | resource_type | String | Type of resource affected | integration |
| 6 | resource_id | String | Unique identifier of the resource | app_2Zm4nmF7OPiK87cD4P2Vly |
| 7 | resource_name | String | Name of the affected resource | MFA_UI_101010100 |
| 8 | action | String (enum) | Action performed | delete |
| 9 | path_and_query | String (URL path) | API endpoint path and query used for the request | /api/v1/control/applications/app_2Zm4nmF7OPiK87cD4P2Vly |
| 10 | http_method | String | HTTP method used for the request | delete |
| 11 | request_id | String (UUID) | Unique request identifier | 2kh520fz-c8fy-47fh-b5r5-70477ci767d9 |
| 12 | user_id | String | User ID associated with the action (empty if not tracked) | |
| 13 | resource_state.id | String | ID of the resource in its final state | app_2Zm4nmF7OPiK87cD4P2Vly |
| 14 | resource_state.name | String | Name of the resource in its final state | MFA_UI_101010100 |
| 15 | resource_state.app_type | String | Type of the application (integration) | generic_oidc |
| 16 | resource_state.created_at | Timestamp | Timestamp when the resource was created | 2025-10-08T21:40:00.508165 |
| 17 | resource_state.deleted_at | Timestamp | Timestamp when the resource was deleted | 2025-10-08T21:41:39.584469Z |
| 18 | resource_state.is_enabled | Boolean | Whether the resource is enabled | true |
| 19 | resource_state.updated_at | Timestamp | Timestamp of the last update to the resource | 2025-10-08T21:41:39.615258 |
| 20 | resource_state.username_modification.strategy | String | Strategy used for modifying usernames | no_modify |
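
An added example, not part of the Akamai documentation or the Splunk app: the session history and resource action tables use dotted keys such as `app.id` and `resource_state.is_enabled`, and in the example log line `resource_state` is a JSON document carried inside a string. The code flattens both event types to those dotted keys and lists delete actions against resources that were still enabled; the function names are hypothetical and the samples are trimmed from the example lines on this page.

```python
import json

# Constructed samples, trimmed from the two example log lines on this page.
RESOURCE_ACTION = json.dumps({
    "time": "2025-10-08T21:41:39.602221Z", "actor_name": "nsmith", "actor_role": "admin",
    "resource_type": "integration", "action": "delete", "user_id": "",
    # resource_state arrives as a JSON document encoded inside a string
    "resource_state": json.dumps({
        "id": "app_2Zm4nmF7OPiK87cD4P2Vly", "name": "MFA_UI_101010100", "is_enabled": True,
        "username_modification": {"strategy": "no_modify"}}),
})
SESSION = json.dumps({
    "session_id": "session_6XeoBhO6mnAH0WMuLTINO3", "outcome": "success",
    "app": {"id": "app_2Zm4nmF7OPiK87cD4P2Vly", "name": "phone_only"},
    "endpoint": {"ip": "127.0.0.1"}, "attempts_started": 2, "attempts_concluded": 1,
    "last_failed_attempt": None,
})

def flatten(value, prefix="", out=None):
    """Flatten nested dicts to dotted keys; decode string values that hold a JSON object."""
    out = {} if out is None else out
    if isinstance(value, str) and value.lstrip().startswith("{"):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            pass  # ordinary string that merely starts with "{"
    if isinstance(value, dict):
        for key, child in value.items():
            flatten(child, f"{prefix}.{key}" if prefix else key, out)
    else:
        out[prefix] = value
    return out

def enabled_resources_deleted(lines):
    """(actor, resource type, resource name) for each delete of a still-enabled resource."""
    hits = []
    for line in lines:
        flat = flatten(line)
        if flat.get("action") == "delete" and flat.get("resource_state.is_enabled") is True:
            hits.append((flat.get("actor_name"), flat.get("resource_type"),
                         flat.get("resource_state.name")))
    return hits

if __name__ == "__main__":
    print(sorted(flatten(SESSION)))
    print(enabled_resources_deleted([RESOURCE_ACTION, SESSION]))
```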

Splunk fields extraction

As all the log lines are JSON-formatted from the source, there is no need to extract fields separately. Log lines will appear automatically in the search as soon as the logs are pushed.