SIEM Integration

Use your favorite Security Information and Event Management (SIEM) solution to analyze security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in near real time. If you use App & API Protector, Kona Site Defender, Client Reputation, Web Application Protector, Bot Manager, or Account Protector, you can analyze security events generated on the Akamai platform alongside security events from other sources.

Use on-premises and cloud-based SIEM tools such as Splunk, QRadar, ArcSight, and more. You can control and protect the data feed with:

  • Event filtering
    You can filter the security events to collect in your SIEM by security configuration and security policy, which helps you focus on real threats.

  • Data retention
    The Collector stores security event data for 12 hours, enabling you to go back and capture missed events if necessary.

  • SIEM overload protection
    In your SIEM connector, you can define the maximum number of security events fetched in each request. This helps you avoid overloading the SIEM application.

  • Fetch interval
    You can define how often the SIEM connectors make a call to the SIEM API to fetch security event data.

How SIEM Integration works

The SIEM Integration Workflow

Each time a security policy triggers, the system generates a security event. The Akamai Security Events Collector captures these security events across edge servers and exposes a RESTful SIEM API for fetching these events.

You install the SIEM connector behind your corporate firewall. The connector makes periodic calls to the SIEM API to securely collect JSON event data in near real time from the Akamai Security Events Collector. The connector then converts these events into the proper format and sends the data to your SIEM software.

Set up SIEM integration

You set up SIEM integration in four basic steps:

Step 1: Turn on SIEM integration

  1. Visit Akamai Control Center and log in.

  2. In Control Center, under WEB & DATA CENTER SECURITY, click Security Configuration.

  3. Open the security configuration (and the appropriate version of that configuration) for which you want to collect SIEM data.

  4. Click Advanced Settings and expand Data collection for SIEM Integrations.

  5. Click On to enable SIEM.

  6. Choose the security policies for which you want to export data. Select:

    • All Security policies if you want to send SIEM data for events that violate any or all security policies within the security configuration.

    • Specific security policies if you want data regarding one or more specific security policies. Select the appropriate policies from the dropdown list.

  7. If you use Account Protector and want to include the unencrypted Username, turn on the Include username checkbox. When you include the username, anyone with access to your SIEM output can potentially see this value and its associated risk score.

  8. If you use Account Protector and want to include the unencrypted Origin User Id, turn on the Include Origin User Id checkbox. When you include the origin user ID, anyone with access to your SIEM output can potentially see this value and its associated risk score.

  9. If you want to exclude events belonging to a specific protection type and action, click Add exception. Select the protection and the associated actions you don't want SIEM to collect. Then click Save.

    By default, all protection types and actions are sent to SIEM except bot management. To send bot events too, click Add exception, click the x on the bot management line to delete it, and click Save.

    Note: Why do I see a protection type and action I excluded in my SIEM results?

    If a collectible attack type occurs on the same web request, SIEM collects all event data for that request, which can include the event type you excluded.

  10. Skip the SIEM Event Version field for now.

  11. Copy the value in the Web Security Configuration ID field. You’ll need this later in the configuration process.

  12. Push your security configuration changes to the production network. On the Security Configuration page, click Activate. Under Network, click Production, and then click Activate.

If you want to enable SIEM integration for additional security configurations, repeat the preceding process for each configuration before continuing to Step 2.

Step 2: Set up a user to manage SIEM

Add or assign a user to manage your SIEM APIs.

  1. In Control Center, under ACCOUNT ADMIN, click Identity & access.

  2. On the Users and API Clients tab, find the user you want to assign the role to or click the Create user button.

  3. To assign the SIEM role to an existing user, open the user's account and click the Edit roles tab. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Submit.

    • To assign the SIEM role to a new user, click Create user. Enter basic information for the user and scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Save.

      Note that only the Manage SIEM role has the proper permissions: don't assign this user any other role.

    • If you want to assign the Manage SIEM role for another group, select the group and repeat the preceding process. Note that, if you have multiple groups and users in your account, you must assign a user the Manage SIEM role for each group that contains a security configuration included in your SIEM results. This must be the same person you associate with the API credentials in Step 3.

Note: You can also use the Service Account API to create a unique user account for SIEM and only allow specific users to manage the client credentials for the service account.

Step 3: Provision SIEM API and get access tokens

To move data from the Akamai Security Events Collector to your system, the SIEM connector uses the Akamai SIEM API, a REST API service that requires authentication and authorization.

After you’ve enabled SIEM integration and assigned a user to the Manage SIEM role, you’re ready to provision credentials for the SIEM API. To do so, visit Create authentication credentials.

Follow the steps to provision the SIEM API for the user you assigned to manage SIEM. Copy and save the tokens you generate. You’ll need them to complete the final step.

Step 4: Install and configure your SIEM connector

Install your SIEM connector behind your firewall. SIEM connectors use our SIEM API to retrieve security events (in JSON format) from the Akamai Security Events Collector. The connector converts the JSON values to the data format your SIEM software uses, and then sends the events to that software.

Connector setup depends upon the SIEM solution you use. Read on to learn about sample connectors and tools you can use to get started quickly.

Connectors and tools

Download the sample connector you want and follow the integration instructions. You can use the test client to help troubleshoot any issues.

Tool                         | Version                 | Details                                                            | Download
Splunk sample connector      | 1.4.20                  | SIEM Splunk connector                                              | Download
CEF Syslog sample connector  | 1.7.9                   | SIEM CEF connector                                                 | Download
SIEM Test Client             | See package readme file | Executable test client to run diagnostics for debugging purposes.  | Download

Code your own connector

If your SIEM solution isn't supported by a sample connector, you can develop your own custom connector using the SIEM API. The API returns a list of JSON objects representing each security event. See the SIEM API for details.

If you write a connector of your own, Akamai strongly recommends that you use a standard JSON parser, so that your connector keeps working when fields are added to the event JSON.
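The core of such a connector, as an added illustration of the fetch-parse-convert loop described here and in How SIEM Integration works (this is not one of Akamai's sample connectors or the page's own code): it drives an offset-based fetch with a per-request limit, parses every response line with Python's standard json module so that fields added later pass through untouched, and flattens the fields a SIEM keys on. The response layout (one JSON object per line plus a trailing offset record), the field names, and the fake_fetch stand-in for the EdgeGrid-authenticated HTTPS call are assumptions, and the sample data is constructed.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple
# Constructed sample responses (assumed layout, not from the page): one JSON object per
# line plus a final record carrying the next offset. configId 12345 stands in for the
# Web Security Configuration ID copied in Step 1.
SAMPLE_PAGES = [
    '{"attackData":{"configId":"12345","policyId":"prod1","clientIP":"203.0.113.7"},'
    '"httpMessage":{"host":"www.example.com","requestId":"a1"}}\n'
    '{"attackData":{"configId":"12345","policyId":"prod1","clientIP":"198.51.100.9"},'
    '"httpMessage":{"host":"www.example.com","requestId":"a2"},"newField":1}\n'  # later-added field
    '{"total":2,"offset":"tok-1","limit":2}\n',
    '{"attackData":{"configId":"12345","policyId":"prod1","clientIP":"192.0.2.4"},'
    '"httpMessage":{"host":"www.example.com","requestId":"a3"}}\n'
    '{"total":1,"offset":"tok-2","limit":2}\n',
]

def parse_response(body: str) -> Tuple[List[Dict], Optional[str]]:
    # Standard JSON parser per line; unknown keys are carried along untouched.
    events, next_offset = [], None
    for line in body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "offset" in obj and "attackData" not in obj:
            next_offset = obj["offset"]  # bookmark for the next call
        else:
            events.append(obj)
    return events, next_offset

def to_kv(event: Dict) -> str:
    # Flatten the fields a SIEM typically keys on; absent fields become "-".
    a, h = event.get("attackData", {}), event.get("httpMessage", {})
    fields = [("configId", a.get("configId")), ("policyId", a.get("policyId")),
              ("clientIP", a.get("clientIP")), ("host", h.get("host")),
              ("requestId", h.get("requestId"))]
    return " ".join(f"{k}={'-' if v is None else v}" for k, v in fields)

def collect(fetch: Callable[[Optional[str], int], str], limit: int, max_calls: int = 10) -> List[str]:
    # Call fetch(offset, limit) until a short page arrives; one output line per event.
    offset, out = None, []
    for _ in range(max_calls):  # bound the work done in one fetch interval
        events, offset = parse_response(fetch(offset, limit))
        out.extend(to_kv(e) for e in events)
        if len(events) < limit:  # short page: the connector is caught up
            break
    return out

def fake_fetch(pages: List[str]) -> Callable[[Optional[str], int], str]:
    # Stand-in for the EdgeGrid-authenticated HTTPS GET: replays the given pages in order.
    return lambda offset, limit: pages.pop(0) if pages else '{"total":0,"offset":"end","limit":1}\n'
```

Run it with collect(fake_fetch(list(SAMPLE_PAGES)), limit=2) to get one flattened line per event; the limit argument is where the SIEM overload protection setting would be applied in a real connector.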

Support

Need additional assistance? Visit the SIEM Connectors Community page to get answers from Akamai engineers and other SIEM administrators.