Use your favorite Security Information and Event Management (SIEM) solution to analyze security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in near real time. If you use App & API Protector, Kona Site Defender, Client Reputation, Web Application Protector, or Bot Manager, you can analyze security events generated on the Akamai platform alongside security events from other sources.
Use on-premises and cloud-based SIEM tools like Splunk, QRadar, and Arcsight, and more. You can control and protect the data feed with:
You can filter the security events to collect in your SIEM by security configuration and security policy, which helps you focus on real threats.
The Collector stores security event data for 12 hours, enabling you to go back and capture missed events if necessary.
SIEM overload protection
In your SIEM connector, you can define the maximum number of security events fetched in each request. This helps you avoid overloading the SIEM application.
You can define how often the SIEM connectors make a call to the SIEM API to fetch security event data.
How SIEM Integration works
Each time a security policy triggers, the system generates a security event. The Akamai Security Events Collector captures these security events across edge servers and exposes a RESTful SIEM API for fetching these events.
You install the SIEM connector behind your corporate firewall. The connector makes periodic calls to the SIEM API to securely collect JSON event data in near real time from the Akamai Security Events Collector. The connector then converts these events into the proper format and sends the data to your SIEM software.
Set up SIEM integration
You set up SIEM integration in four basic steps:
Step 1: Turn on SIEM integration
Visit Akamai Control Center and log in.
In Control Center, under WEB & DATA CENTER SECURITY, click Security Configuration.
Open the security configuration (and the appropriate version of that configuration) for which you want to collect SIEM data.
Click Advanced Settings and expand Data collection for SIEM Integrations.
Click On to enable SIEM.
Choose the security policies for which you want to export data. Select:
All Security policies if you want to send SIEM data for events that violate any or all security policies within the security configuration.
Specific security policies if you want data regarding one or more specific security policies. Select the appropriate policies from the dropdown list.
To include events generated by Bot Manager, set Include Bot Manger Events to Yes. To exclude Bot Manager events, choose No.
To include events generated by Account Protector, set Include user-risk-only events to Yes. To exclude those events, choose No.
Skip the SIEM Event Version field for now.
Copy the value in the Web Security Configuration ID field. You’ll need this later in the configuration process.
Push your security configuration changes to the production network. On the Security Configuration page, click Activate. Under Network, click Production, and then click Activate.
If you want to enable SIEM integration for additional security configurations, repeat the preceding process for each configuration before continuing to Step 2.
Step 2: Set up a user to manage SIEM
Add or assign a user to manage your SIEM APIs.
In Control Center, under ACCOUNT ADMIN, click Identity & access.
On the Users and API Clients tab, find the user you want to assign the role to or click the Create user button.
To assign the SIEM role to an existing user, open the user's account and click the Edit roles tab. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Submit.
To assign the SIEM role to a new user, click Create user. Enter basic information for the user and scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Save.
Note that only the Manage SIEM role has the proper permissions: don't assign this user any other role.
If you want to assign the Manage SIEM role for another group, select the group and repeat the preceding process. Note that, if you have multiple groups and users in your account, you must assign a user the Manage SIEM role for each group that contains a security configuration included in your SIEM results. This must be the same person you associate with the API credentials in Step 3.
Step 3: Provision SIEM API and get access tokens
To move data from the Akamai Security Events Collector to your system, the SIEM connector uses the Akamai SIEM API, a REST API service that requires authentication and authorization.
After you’ve enabled SIEM integration and assigned a user to the Manage SIEM role, you’re ready to provision credentials for the SIEM API. To do so, visit Create authentication credentials.
Follow the steps to provision the SIEM API for the user you assigned to manage SIEM. Copy and save the tokens you generate. You’ll need them to complete the final step.
Step 4: Install and configure your SIEM connector
Install your SIEM connector behind your firewall. SIEM connectors use our SIEM API to retrieve security events (in JSON format) from the Akamai Security Events Collector. The connector converts the JSON values to the data format your SIEM software uses, and then sends the events to that software.
Connector setup depends upon the SIEM solution you use. Read on to learn about sample connectors and tools you can use to get started quickly.
Connectors and tools
Download the sample connector you want and follow the integration instructions. You can use the test client to help troubleshoot any issues.
|Splunk sample connector||1.4.18||SIEM Splunk connector|
|CEF Syslog sample connector||1.7.6||SIEM CEF connector||Download|
|SIEM Test Client||Executable test client to run diagnostics for debugging purposes.||See package readme file||Download|
Code your own connector
If your SIEM solution isn't supported by a sample connector, you can develop your own custom connector using the SIEM API. The API returns a list of JSON objects representing each security event. See the SIEM API for details.
If you write a connector of your own Akamai strongly recommends that you employ a standard JSON parser. This will help your connector deal with updates to the event JSON.
Need additional assistance? Visit the SIEM Connectors Community page to get answers from Akamai engineers and other SIEM administrators.
Updated 14 days ago