Akamai MFA Splunk app

This section provides an overview of the log lines visible in the Akamai MFA app for Splunk. It also provides a dictionary of data available in the logs, describing the content in each log field and its meaning.

For this integration, you need:

The Authentication events logs are JSON-formatted at the source and composed of key-value pairs, where each value is either a string or a nested dictionary of key-value pairs. Fields in the Splunk log lines appear in a fixed order.

Here you can see an example of the Authentication events log lines in the Akamai MFA Splunk app.

{"uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id": "app_3IyJXh2U9Jiws6bvxcf8X", "app_name": "Test Application", "device": "push", "auth_method": "push", "user_id": "user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115", "denial_type": null, "device_id": "device_3kbTGOPbHxH3KfYkPzm31e", "policy_attr_name": null, "policy_uuid": null, "principal_type": null, "principal_uuid": null}

The following table describes JSON keys for the Authentication events that are pushed to Splunk, the sequence of fields in the Splunk log lines, and explains the content of these fields.

| No. | Key | Type of content | Field description | Example |
|---|---|---|---|---|
| 1 | uuid | String or empty | The ID used to look up the audit event. | aud_JfNqdl6zSByrU0ovrbJ6m |
| 2 | created_at | ISO 8601 datetime | Date and time when the event was created. | 2021-03-23T19:36:20.047688 |
| 3 | browser_ip | String | The IP address of the browser client that initiated the event. | 49.207.58.115 |
| 4 | app_id | String or empty | The ID used to look up the app. Corresponds to the ID of the app, if the authentication was made against an app. | app_3IyJXh2U9Jiws6bvxcf8X |
| 5 | app_name | String or empty | The name of the application that was used for authentication. | |
| 6 | device | enum | The type of the device that performs the authentication. | push |
| 7 | auth_method | enum | The method used by the device to authenticate. | push |
| 8 | user_id | String | The ID used to look up the user. Corresponds to the ID of the user that was authenticated. | user_6Hy1v24DZIr8b0UHYi5dv3 |
| 9 | username | String or empty | Username of the authenticated user (looked up separately from the record). | nityagi |
| 10 | is_success | Boolean | Whether the authentication attempt was successful. | true |
| 11 | device_metadata | String or empty | Extra information about the device that made the authentication. | Android |
| 12 | receipt | String or empty | A Base64-encoded receipt of the transaction. Its form varies; once decoded from Base64 it is typically a string, JSON, or a byte array. | |
| 13 | browser_type | String or empty | The type of the browser. | Chrome |
| 14 | browser_version | String or empty | The version of the browser that made the authentication request, for example 14.34.2. | 88.0.4324 |
| 15 | browser_os | String or empty | The operating system on which the browser that made the authentication request runs. | macOS |
| 16 | browser_os_version | String or empty | The version of the operating system on which the browser that made the authentication request runs, for example 14.34.2. | 10.15.7 |
| 17 | device_os | String or empty | The operating system of the device that approved or denied the authentication request. | Android |
| 18 | device_os_version | String or empty | The OS version of the device that approved or denied the authentication request, for example 14.34.2. | 10.0.0 |
| 19 | browser_geo_location | String or empty | The location (via IP lookup) of the browser that made the authentication request. | BANGALORE KA, IN |
| 20 | device_geo_location | String or empty | The location (via IP lookup) of the device that approved or denied the authentication request. | BANGALORE KA, IN |
| 21 | device_ip | String or empty | The IP address of the device that approved or denied the authentication request. | 49.207.58.115 |
| 22 | denial_type | String or empty | Indicates whether the authentication failed due to policy or user-related issues. If denial_type is null, the authentication attempt was successful. | policy |
| 23 | device_id | String or empty | The ID of the device that performed the authentication. | device_3kbTGOPbHxH3KfYkPzm31e |
| 24 | policy_attr_name | String or empty | The name of the attribute that caused the denial. | Existing user |
| 25 | policy_uuid | String or empty | The ID of the Akamai authentication policy containing the attribute that caused the denial. | policy_5iMncPFO8euHE8JRviQL4j |
| 26 | principal_type | String or empty | The type of the principal that caused the failure. | |
| 27 | principal_uuid | String or empty | The ID of the associated principal containing the policy attribute that caused the denial. The ID is not present if the policy denial was created when the user violated a default policy setting. | Tenant |

Splunk fields extraction

As all the log lines are JSON-formatted from the source, there is no need to extract fields separately. Log lines will appear automatically in the search as soon as the logs are pushed.
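Because the events arrive as one JSON object per line with the fixed key set from the table above, a consumer outside Splunk can validate and summarize them with a few lines of code. The following Python is an added example, not part of the Akamai MFA app or its documentation: it checks each line against the documented keys, converts created_at, counts failures by denial_type, flags successful events where the browser and the approving device resolved to different locations, and flags records where is_success and denial_type disagree with the rule stated for row 22. The sample lines, identifiers, IP addresses and the "user" denial_type value are constructed placeholders (only "policy" appears on the page).

```python
import json
from collections import Counter
from datetime import datetime

# Keys from the field table, in the order they appear in a log line.
EXPECTED_KEYS = (
    "uuid", "created_at", "browser_ip", "app_id", "app_name", "device",
    "auth_method", "user_id", "username", "is_success", "device_metadata",
    "receipt", "browser_type", "browser_version", "browser_os",
    "browser_os_version", "device_os", "device_os_version",
    "browser_geo_location", "device_geo_location", "device_ip",
    "denial_type", "device_id", "policy_attr_name", "policy_uuid",
    "principal_type", "principal_uuid",
)

# Constructed baseline event: placeholder IDs and documentation-range IPs,
# not a real Akamai MFA record.
BASE_EVENT = {
    "uuid": "aud_example000", "created_at": "2021-03-23T19:36:20.047688",
    "browser_ip": "203.0.113.10", "app_id": "app_example",
    "app_name": "Test Application", "device": "push", "auth_method": "push",
    "user_id": "user_example", "username": "alice", "is_success": True,
    "device_metadata": "Android", "receipt": "", "browser_type": "Chrome",
    "browser_version": "88.0.4324", "browser_os": "MacOS",
    "browser_os_version": "10.15.7", "device_os": "android",
    "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN",
    "device_geo_location": "BANGALORE KA, IN", "device_ip": "203.0.113.10",
    "denial_type": None, "device_id": "device_example",
    "policy_attr_name": None, "policy_uuid": None,
    "principal_type": None, "principal_uuid": None,
}


def make_line(**overrides):
    """Serialize one constructed event as the JSON line Splunk would receive."""
    return json.dumps({**BASE_EVENT, **overrides})


# Constructed sample input; "user" as a denial_type is assumed, not from the page.
SAMPLE_LINES = [
    make_line(uuid="aud_example001"),
    make_line(uuid="aud_example002", is_success=False, denial_type="policy",
              policy_attr_name="Existing user", policy_uuid="policy_example",
              principal_type="Tenant"),
    make_line(uuid="aud_example003", is_success=False, denial_type="user"),
    # Browser in one city, approving device in another: worth a second look.
    make_line(uuid="aud_example004", browser_ip="198.51.100.7",
              browser_geo_location="LONDON, GB"),
]


def parse_event(line):
    """Parse one log line and check it against the documented key set.

    Raises ValueError for malformed JSON, missing keys or a non-boolean
    is_success; created_at is converted from ISO 8601 to a datetime.
    """
    event = json.loads(line)
    missing = [k for k in EXPECTED_KEYS if k not in event]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if not isinstance(event["is_success"], bool):
        raise ValueError("is_success must be a boolean")
    event["created_at"] = datetime.fromisoformat(event["created_at"])
    return event


def denial_summary(events):
    """Count failed attempts by denial_type (null on success per row 22)."""
    return Counter(e["denial_type"] for e in events if not e["is_success"])


def geo_mismatches(events):
    """uuids of successful events whose browser and device geolocations differ."""
    return [e["uuid"] for e in events
            if e["is_success"] and e["browser_geo_location"]
            and e["device_geo_location"]
            and e["browser_geo_location"] != e["device_geo_location"]]


def inconsistent_events(events):
    """uuids where is_success and denial_type contradict each other."""
    return [e["uuid"] for e in events
            if e["is_success"] == (e["denial_type"] is not None)]


def analyze(lines):
    """Parse every line and return a summary dictionary."""
    events = [parse_event(line) for line in lines]
    return {
        "total": len(events),
        "denials": dict(denial_summary(events)),
        "geo_mismatches": geo_mismatches(events),
        "inconsistent": inconsistent_events(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

The geolocation check only compares the two lookup strings the log already carries, so it is a cheap triage signal rather than proof of anything; the schema check is the part worth keeping in any pipeline, because a key that silently disappears from the feed would otherwise break downstream searches without an error.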
