Manage security events

The Akamai SIEM API lets you retrieve security events generated by your security configurations so that you can feed them into a data visualization, SIEM, or alerting platform.

Working with the SIEM API requires that your API client has the Manage-Siem access role and a read/write API access level. Work with your account administrator to set up your credentials.

Polling Data

You can get SIEM data either from an offset token returned by your last pull or over a date range. Both methods accept a limit and can URL- and base-64-decode the encoded fields in the returned data.

Parameters

Required

🚧 You must use either a date range (-From and -To) or an offset (-Offset), not both.

  • -ConfigID. The ID of your security configuration. You can find it in the UI under your security configuration, either under Advanced > Data Collection for SIEM or in your browser's address bar. You can also use the PowerShell command Get-AppSecConfiguration -ConfigName MyConfig if you have access to the Application Security API.

  • -From and -To. The lower and upper bounds of the date range, as UNIX epoch timestamps (seconds since 1970-01-01 UTC). You can get the values with an online converter or convert directly in your shell.

    # Current date
    $Date = Get-Date
    
    # Past date (two hours ago)
    $ThePast = (Get-Date).AddHours(-2)
    
    # Conversion to epoch seconds. DateTimeOffset performs the UTC conversion
    # and avoids the Windows PowerShell quirk where Get-Date -UFormat %s is
    # computed from local time rather than UTC.
    $To   = [DateTimeOffset]::new($Date).ToUnixTimeSeconds()
    $From = [DateTimeOffset]::new($ThePast).ToUnixTimeSeconds()
    
    
  • -Offset. A token marking the end of your last data pull. It is returned in the previous response at ResponseContext.Offset; pass it to fetch only events recorded since that pull.

Optional

These parameters manipulate the response data.

  • -Limit. The approximate maximum number of security events each fetch returns. The default is 10000 and the maximum is 600000.
  • -Decode. URL- and base-64-decodes the encoded fields in the response (for example ruleMessages and ruleData) so they are returned as readable strings.

Get data

Use the Get-SIEMData command to poll SIEM data.

# Get decoded data over a date range
Get-SIEMData -ConfigID 12345 -From 1674086045 -To 1674087625 -Decode

# Get decoded data since the last pull
Get-SIEMData -ConfigID 12345 -Offset exoffset10aa6928e57cd5a3000433b9 -Decode

# One decoded event as PowerShell displays it
type        : akamai_siem
format      : json
version     : 1.0
attackData  : @{configId=12345; policyId=pol1_12345; clientIP=123.45.678.910; rules=1234567;; ruleVersions=1;; ruleMessages=Unknown Bots (HTTP Libraries);;
              ruleTags=AKAMAI/BOT/UNKNOWN_BOT;; ruleData=curl_A109B345C765ABC8D7E2F1A2BC2D9EAB;; ruleSelectors=; ruleActions=monitor;}
httpMessage : @{requestId=1a12345; start=1674086564; protocol=HTTP/1.1; method=HEAD; host=pol.jsmith.net; port=80; path=/; requestHeaders=System.Object[];
              status=403; bytes=0; responseHeaders=System.Object[]}
geo         : @{continent=OC; country=AU; city=SYDNEY; regionCode=NSW; asn=14061}

Parse data

Assign the result of your pull to a variable and iterate over its Events property to work with individual events.

$Data = Get-SIEMData -ConfigID 12345 -From 1674086045 -To 1674087625 -Decode
$Data.Events | ForEach-Object {
    # Process each event here, e.g. $_.attackData, $_.httpMessage, $_.geo
}
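The following is an added example, not code from the page or from the module it documents. It ties the steps above together: the first run pulls a two-hour date range, every later run resumes from the offset token stored on disk, and each event is flattened into a record for a log pipeline. It assumes only what the page states about Get-SIEMData (the -ConfigID, -From, -To, -Offset and -Decode parameters, the Events property, and ResponseContext.Offset) plus the semicolon-delimited layout of the attackData fields visible in the sample output. The offset file and JSON-lines sink paths, and the use of 'deny' as the blocking rule action, are assumptions for illustration.

```powershell
# Added example: incremental SIEM polling with a persisted offset, plus event flattening.
# Assumed: Get-SIEMData output has .Events and .ResponseContext.Offset (as documented above).
# Assumed: $OffsetFile / $SinkFile locations and the 'deny' action name are illustrative.

$ConfigID   = 12345                                          # your security configuration ID
$OffsetFile = Join-Path $env:TEMP 'akamai-siem.offset'       # assumed: where the last offset token is kept
$SinkFile   = Join-Path $env:TEMP 'akamai-siem.jsonl'        # assumed: JSON-lines output for ingestion

function ConvertTo-EpochSeconds {
    param([Parameter(Mandatory)][datetime]$Date)
    # DateTimeOffset performs the UTC conversion; avoids Get-Date -UFormat %s timezone quirks
    return [DateTimeOffset]::new($Date).ToUnixTimeSeconds()
}

function Split-SiemList {
    # attackData fields are ';'-delimited lists with trailing separators, e.g. "1234567;;" -> @('1234567')
    param([AllowNull()][string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return @() }
    return @($Value -split ';' | Where-Object { $_ -ne '' })
}

function ConvertTo-FlatEvent {
    # Flatten one decoded SIEM event into a single-level record
    param([Parameter(Mandatory)]$Event)
    $a = $Event.attackData; $h = $Event.httpMessage; $g = $Event.geo
    $actions = Split-SiemList $a.ruleActions
    [pscustomobject]@{
        Timestamp   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$h.start).UtcDateTime
        RequestId   = $h.requestId
        ConfigId    = $a.configId
        PolicyId    = $a.policyId
        ClientIP    = $a.clientIP
        Country     = $g.country
        Asn         = $g.asn
        Method      = $h.method
        Host        = $h.host
        Path        = $h.path
        Status      = $h.status
        Rules       = Split-SiemList $a.rules
        RuleTags    = Split-SiemList $a.ruleTags
        RuleActions = $actions
        Blocked     = ($actions -contains 'deny')   # assumed action name for a blocking rule
    }
}

# First run: pull the last two hours by date range. Later runs: resume from the stored offset.
if (Test-Path $OffsetFile) {
    $Offset = (Get-Content -Path $OffsetFile -Raw).Trim()
    $Data   = Get-SIEMData -ConfigID $ConfigID -Offset $Offset -Decode
} else {
    $To   = ConvertTo-EpochSeconds (Get-Date)
    $From = ConvertTo-EpochSeconds (Get-Date).AddHours(-2)
    $Data = Get-SIEMData -ConfigID $ConfigID -From $From -To $To -Decode
}

$Flat = @($Data.Events | ForEach-Object { ConvertTo-FlatEvent $_ })

# Write one JSON object per line for the downstream collector
$Flat | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 4 } | Add-Content -Path $SinkFile

# Persist the offset only after the events are written, so a crash mid-run re-reads rather than skips
if ($Data.ResponseContext.Offset) {
    Set-Content -Path $OffsetFile -Value $Data.ResponseContext.Offset
}

'Fetched {0} events, {1} blocked' -f $Flat.Count, @($Flat | Where-Object Blocked).Count
```

Schedule the script to run at a fixed interval; because the offset is written only after the events reach the sink, a failed run is replayed on the next pass instead of losing events. Delete the offset file if you need to re-seed from a date range.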