SIEM Integration

Use your favorite Security Information and Event Management (SIEM) solution to analyze security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in near real time. If you use App & API Protector, Kona Site Defender, Client Reputation, Web Application Protector, Bot Manager, or Account Protector, you can analyze security events generated on the Akamai platform alongside security events from other sources.

Use on-premises or cloud-based SIEM tools such as Splunk, QRadar, and ArcSight. You can control and protect the data feed with:

  • Event filtering
    You can filter the security events to collect in your SIEM by security configuration and security policy, which helps you focus on real threats.

  • Data retention
    The Collector stores security event data for 12 hours, enabling you to go back and capture missed events if necessary.

  • SIEM overload protection
    In your SIEM connector, you can define the maximum number of security events fetched in each request. This helps you avoid overloading the SIEM application.

  • Fetch interval
    You can define how often the SIEM connectors make a call to the SIEM API to fetch security event data.

How SIEM Integration works

The SIEM Integration Workflow

Each time a security policy triggers, the system generates a security event. The Akamai Security Events Collector captures these security events across edge servers and exposes a RESTful SIEM API for fetching these events.

You install the SIEM connector behind your corporate firewall. The connector makes periodic calls to the SIEM API to securely collect JSON event data in near real time from the Akamai Security Events Collector. The connector then converts these events into the proper format and sends the data to your SIEM software.

Set up SIEM integration

You set up SIEM integration in four basic steps:

Step 1: Turn on SIEM integration

  1. Visit Akamai Control Center and log in.

  2. In Control Center, under WEB & DATA CENTER SECURITY, click Security Configuration.

  3. Open the security configuration (and the appropriate version of that configuration) for which you want to collect SIEM data.

  4. Click Advanced Settings and expand Data collection for SIEM Integrations.

  5. Click On to enable SIEM.

  6. Choose the security policies for which you want to export data. Select:

    • All Security policies if you want to send SIEM data for events that violate any or all security policies within the security configuration.

    • Specific security policies if you want data regarding one or more specific security policies. Select the appropriate policies from the dropdown list.

  7. If you use Account Protector and want to include the unencrypted username, turn on the Include username checkbox. Treat this as sensitive data: anyone with access to your SIEM output can then see the username and its associated risk score.

  8. If you want to receive JA4 fingerprint information in SIEM events, turn on the Include the JA4 Client TLS Fingerprint checkbox.

  9. If you want to exclude events belonging to a specific protection type and action, click Add exception. Select the protection and the associated actions you don't want SIEM to collect, then click Save.
    By default, all protection types and actions go to SIEM except bot management. To send bot events too, click Add exception, click the x on the bot management line to delete that exception, and click Save.

    Note: Why do I see a protection type and action I excluded in my SIEM results?

    Exceptions take effect per web request, not per event. If a request triggers an excluded event type together with a collectible one, SIEM collects all of the event data for that request, including the excluded type.

Note: When SIEM is on, Firewall for AI (FAI) events are included by default. To leave them out, add an exception for FAI as described in step 9.

  10. Skip the SIEM Event Version field for now.

  11. Copy the value in the Web Security Configuration ID field. You'll need it later, when you configure the SIEM connector.

  12. Push your security configuration changes to the production network. On the Security Configuration page, click Activate. Under Network, click Production, and then click Activate.

If you want to enable SIEM integration for additional security configurations, repeat the preceding process for each configuration before continuing to Step 2.

Step 2: Set up a service account or user to manage SIEM

There are two ways to manage SIEM access, depending on the size of your organization:

  • If multiple people need to be able to manage SIEM, set up a service account (the most flexible option).
  • If your team is small, one user can manage SIEM. The drawback is that this user needs a dedicated email address that holds only the SIEM management permission, so a user with admin permissions has to administer that account. If this approach works for your team, skip ahead to the Set up a user section.

Set up a service account

Use this setup approach if many people in your organization need to manage SIEM APIs. Service accounts let you create API credentials that aren't tied to one specific user. Instead, you delegate a list of authorized users who can manage and use the API credentials from the service account. This approach is efficient for large teams because any authorized user can assume the identity of the service account when making API calls.

  1. Create a service account to manage SIEM by following the steps in the Identity Management guide.

Set up a user

If only one person will manage SIEM APIs, and you can dedicate a unique email address to only this task, here's how to add or assign that individual user.

  1. In Control Center, under ACCOUNT ADMIN, click Identity & access.

  2. On the Users and API Clients tab, find the user you want to assign the role to or click the Create user button.

  3. To assign the SIEM role to an existing user, open the user's account and click the Edit roles tab. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Submit.

    • To assign the SIEM role to a new user, click Create user. Enter basic information for the user and scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Save.

      Assign this user only the Manage SIEM role. It is the only role the SIEM API needs, and any extra role would also be available to the API credentials you create for this user in Step 3.

    • If you want to assign the Manage SIEM role for another group, select the group and repeat the preceding process. Note that, if you have multiple groups and users in your account, you must assign a user the Manage SIEM role for each group that contains a security configuration included in your SIEM results. This must be the same person you associate with the API credentials in Step 3.

Step 3: Provision SIEM API and get access tokens

To move data from the Akamai Security Events Collector to your system, the SIEM connector uses the Akamai SIEM API, a REST API service that requires authentication and authorization.

After you've enabled SIEM integration and assigned the Manage SIEM role to a service account or user, you're ready to provision credentials for the SIEM API. Read how in the Identity Management guide's Create API client tokens topic.

Download, or copy and save, the tokens you generate. You need them to complete the final step. Treat them as secrets: store them where only the connector can read them, and keep them out of source control.

Step 4: Install and configure your SIEM connector

Install your SIEM connector behind your firewall. SIEM connectors use our SIEM API to retrieve security events (in JSON format) from the Akamai Security Events Collector. The connector converts the JSON values to the data format your SIEM software uses, and then sends the events to that software.

Connector setup depends upon the SIEM solution you use. Read on to learn about sample connectors and tools you can use to get started quickly.

Connectors and tools

Download the sample connector you want and follow the integration instructions. You can use the test client to help troubleshoot any issues.

  • Splunk sample connector (version 1.4.23): SIEM Splunk connector. Download.
  • CEF Syslog sample connector (version 1.7.13.1): SIEM CEF connector. Download.
  • SIEM Test Client (version: see package readme file): executable test client that runs diagnostics for debugging purposes. Download.

Code your own connector

If your SIEM solution isn't supported by a sample connector, you can develop your own connector against the SIEM API. The API returns a list of JSON objects, one per security event. See the SIEM API for details.

If you write a connector of your own, Akamai strongly recommends that you use a standard JSON parser rather than matching on the raw text. A real parser keeps your connector working when fields are added to, or reordered in, the event JSON.
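The parsing and polling core of such a connector, as an added example that is not Akamai's sample connector code and does not come from this page. It ties together the points made above and in the feature list at the top: a standard JSON parser applied per line, the per-request limit that protects the SIEM from overload, and a first-poll time window clamped to the Collector's 12-hour retention. The endpoint path, the line-delimited response ending in an offset-context object, and the base64/URL encoding of the rule fields are assumptions taken from the public SIEM API reference rather than from this page; the sample event is constructed, and the configuration ID, request ID and offset in it are placeholders. The EdgeGrid transport relies on the edgegrid-python and requests libraries and is only needed against the real API.

```python
"""Parsing and offset bookkeeping for a custom Akamai SIEM API connector (added example,
not Akamai's sample connector). Assumptions from the public SIEM API reference, not this
page: endpoint /siem/v1/configs/{configId}; one JSON event per response line, with a final
offset-context line {"total": N, "offset": "...", "limit": N}; attackData rule fields are
';'-separated lists, URL-encoded per item and then base64-encoded as a whole."""
import base64
import json
import os
import time
import urllib.parse

RETENTION_SECONDS = 12 * 60 * 60  # the Collector keeps events for 12 hours

def decode_rule_field(value):
    """base64 -> split on ';' -> URL-decode each item (split first, so an encoded ';' survives)."""
    if not value:
        return []
    raw = base64.b64decode(value).decode("utf-8")
    return [urllib.parse.unquote(item) for item in raw.split(";")]

def parse_siem_response(body):
    """Return (events, offset_context); json.loads per line tolerates new or reordered fields."""
    events, context = [], None
    for line in body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "offset" in obj and "attackData" not in obj:
            context = obj  # trailing bookkeeping record, not a security event
        else:
            events.append(obj)
    return events, context

def flatten_event(event):
    """Project the nested event into the flat record most SIEMs index."""
    attack, http, geo = event.get("attackData", {}), event.get("httpMessage", {}), event.get("geo", {})
    return {
        "configId": attack.get("configId"), "policyId": attack.get("policyId"), "clientIP": attack.get("clientIP"),
        "rules": decode_rule_field(attack.get("rules", "")),
        "ruleActions": decode_rule_field(attack.get("ruleActions", "")),
        "ruleMessages": decode_rule_field(attack.get("ruleMessages", "")),
        "requestId": http.get("requestId"), "method": http.get("method"), "host": http.get("host"),
        "path": http.get("path"), "status": http.get("status"), "country": geo.get("country"),
    }

def initial_params(now, lookback_seconds, limit):
    """First poll: a time window clamped to the 12-hour retention; `limit` caps events per request."""
    lookback = min(lookback_seconds, RETENTION_SECONDS)
    return {"from": now - lookback, "to": now, "limit": limit}

def next_params(context, limit):
    """Later polls resume from the offset the previous response returned."""
    return {"offset": context["offset"], "limit": limit}

def poll_once(http_get, config_id, params):
    """One fetch cycle. `http_get(path, params) -> str` is injected so the logic runs offline."""
    events, context = parse_siem_response(http_get(f"/siem/v1/configs/{config_id}", params))
    return [flatten_event(e) for e in events], context

def make_edgegrid_http_get(edgerc_path, section="default"):
    """Production transport: EdgeGrid-signed GETs (edgegrid-python + requests, imported lazily)."""
    import requests
    from akamai.edgegrid import EdgeGridAuth, EdgeRc
    edgerc = EdgeRc(os.path.expanduser(edgerc_path))
    session = requests.Session()
    session.auth = EdgeGridAuth.from_edgerc(edgerc, section)
    base = "https://" + edgerc.get(section, "host")
    def http_get(path, params):
        resp = session.get(base + path, params=params, timeout=30)
        resp.raise_for_status()
        return resp.text
    return http_get

def _encode_rule_field(values):
    """Mirror of the API's encoding, used only to build the constructed sample below."""
    return base64.b64encode(";".join(urllib.parse.quote(v, safe="") for v in values).encode()).decode()

# Constructed sample, not captured traffic; configId, requestId and offset are placeholders.
SAMPLE_EVENT = {
    "type": "akamai_siem", "format": "json", "version": "1.0",
    "attackData": {"configId": "12345", "policyId": "default_policy", "clientIP": "203.0.113.7",
                   "rules": _encode_rule_field(["950002", "950006"]),
                   "ruleActions": _encode_rule_field(["alert", "deny"]),
                   "ruleMessages": _encode_rule_field(["System Command Injection", "SQL Injection Attack"])},
    "httpMessage": {"requestId": "1c4e8f2a", "method": "GET", "host": "www.example.com",
                    "path": "/login", "status": "403"},
    "geo": {"country": "US"},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT) + "\n" + json.dumps(
    {"total": 1, "offset": "opaque-offset-token", "limit": 1000}) + "\n"

def sample_http_get(path, params):
    return SAMPLE_BODY

if __name__ == "__main__":
    records, ctx = poll_once(sample_http_get, "12345", initial_params(int(time.time()), 7200, 1000))
    print(records[0]["ruleMessages"], next_params(ctx, 1000))
```

Run the module directly to exercise the constructed sample. Against the real API, replace sample_http_get with make_edgegrid_http_get("~/.edgerc", "default"), where the .edgerc section holds the credentials from Step 3; keep limit at or below what your SIEM can absorb per fetch interval; and persist the returned offset between runs so a restart resumes where it left off instead of replaying events, bearing in mind that an offset older than the 12-hour retention can no longer be served.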

Support

Need additional assistance? Visit the SIEM Connectors Community page to get answers from Akamai engineers and other SIEM administrators.