To configure this API for the first time:
- You need different permissions to access API functions. You can manage these permissions in Control Center. Learn more about the access control model.
- Before you can use this API, you need to create authentication credentials.
- To enable this API, choose the API service named SIEM, and set the access level to READ-WRITE.
- Ensure that the Manage SIEM user role is assigned to your account in Control Center. Follow the instructions in the Guide.
The connector you build should support accessing the SIEM API based on the authentication scheme of the Akamai API protocol. Make sure the connector you build is configurable and able to authenticate itself to the API.
More specifically, the connector configuration needs to support these user-provided values:
- Hostname (for API endpoint)
- Client Token
- Client Secret
- Access Token
See this Java library that supports authentication of the API clients. Find more code samples that demonstrate the proper way to perform the authentication in the Akamai client libraries.
Also ensure that your SIEM solution takes at most 2 minutes to ingest all logs that you request in a single API call. After 2 minutes, edge servers stop sending the response, which may give you incomplete data. This may also prevent you from getting the `offset` value in the `ResponseContext` object that appears at the end of each response. If you ever get an incomplete response, rerun this API's Fetch security events operation with the previously included `offset` value and a lower `limit`. This way you can get a full response with an updated `offset` value.
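The retry described above, as an added example (not Akamai's code): it assumes the response body is newline-delimited JSON whose last line is the context object carrying `offset`. The names `fetch`, `fake_fetch` and `SAMPLE_EVENTS` are hypothetical stand-ins, with constructed data, so the logic runs offline.

```python
import json

def parse_response(body):
    """Return (events, context); context is None when the trailing
    context object is missing, meaning the response was cut off."""
    events, context = [], None
    lines = [ln for ln in body.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            break  # line truncated mid-stream; nothing after it is usable
        if i == len(lines) - 1 and isinstance(obj, dict) and "offset" in obj:
            context = obj  # assumption: only the context object has "offset"
        else:
            events.append(obj)
    return events, context

def fetch_batch(fetch, offset, limit, min_limit=1):
    """Call fetch(offset, limit) until a complete response arrives,
    halving limit and reusing the same offset after each incomplete one."""
    while True:
        events, context = parse_response(fetch(offset, limit))
        if context is not None:
            return events, context["offset"], limit
        if limit <= min_limit:
            raise RuntimeError("response incomplete even at minimum limit")
        # Drop the partial events: the retry from the same offset resends them.
        limit = max(min_limit, limit // 2)

# Constructed stand-in for the API: five events, and any request for more
# than two events is cut off before the context line.
SAMPLE_EVENTS = [{"id": n} for n in range(5)]

def fake_fetch(offset, limit):
    start = int(offset or 0)
    chunk = SAMPLE_EVENTS[start:start + limit]
    lines = [json.dumps(e) for e in chunk]
    if limit > 2:
        return "\n".join(lines)[:-3]  # truncated body, no context line
    lines.append(json.dumps({"offset": str(start + len(chunk)), "limit": limit}))
    return "\n".join(lines)

if __name__ == "__main__":
    print(fetch_batch(fake_fetch, "0", 8))
```

Persist the returned offset only after the events from the complete response are stored, so a crash between the two never skips events.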
The SIEM API requires a unique security configuration ID (`configId`) for each security configuration for which you want to fetch security event data. You'll find these values in each security configuration's SIEM Integration section.
In order for the SIEM API to return security events, you need to first turn on SIEM Integration and enable data collection. Follow the instructions in the Guide to understand how to turn on SIEM Integration.
To get some sample connector code and debugging help, download the SIEM Test Client from the SIEM Integration Page. You can use this test client on the server where your third-party SIEM tool runs to confirm that you can fetch events using the SIEM API. See the test client's README file for details.
Eventually, the SIEM API may apply simple rate limiting that caps the number of client requests. Requests in excess of that rate would result in a 429 error response. The API doesn't produce an `X-RateLimit-Reset` HTTP header, so it's solely up to the API client to throttle its request rate.
To access the SIEM API from behind a proxy server, ensure that your proxy:
- allows the domains `*.cloudsecurity.akamaiapis.net`
- doesn't interfere with HTTP request headers for those domains. If, due to a strict enterprise security policy, your proxy does change these headers, make sure that at a minimum you allow and don't change the `Host` and `Authorization` headers.
Note that some security event response values require decoding. Find details in the Configuration rule data section.
Provide feedback or ask a question in the Akamai Developer Discussion Forum. You can also contact your Akamai account representative for support. We want to hear from you!