
Akamai WAF SIEM

This integration is part of the Akamai WAF SIEM Pack.

Get security events from the Akamai Web Application Firewall (WAF) service.

This integration was integrated and tested with API version 1.0 of Akamai WAF SIEM.

Use Cases

  • Get security events from Akamai WAF.
  • Analyze security events generated on the Akamai platform and correlate them with security events generated from other sources in Cortex XSOAR.

Detailed Description

A WAF (web application firewall) is a filter that protects against HTTP application attacks. It inspects HTTP traffic before it reaches your application and protects your server by filtering out threats that could damage your site functionality or compromise data.

API key generation steps

  1. Go to WEB & DATA CENTER SECURITY > Security Configuration > choose your configuration > Advanced settings > Enable SIEM integration.
  2. Open the Control panel and log in with an admin account.
  3. Open the identity and access management menu.
  4. Create a user with the Manage SIEM role assigned, or make sure the admin has rights to manage SIEM.
  5. Log in to the new account you created in the previous step.
  6. Open the identity and access management menu.
  7. Choose Create new API client for me.
  8. Assign an API key to the relevant user group, and on the next page assign Read/Write access for SIEM.
  9. Save the configuration and go to the API client details you created.
  10. Click New credentials and download or copy them.
  11. Use these credentials to configure Akamai WAF SIEM in Cortex XSOAR.

Configure Akamai WAF SIEM on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Akamai WAF SIEM.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required | Description |
    | --- | --- | --- |
    | Server URL (e.g., https://example.net) | True | |
    | Client token | False | |
    | Access token | False | |
    | Client secret | False | |
    | Config ids to fetch | True | |
    | Incident type | False | |
    | First fetch timestamp | False | |
    | Fetch limit | False | Limit on the number of incidents retrieved in a single fetch. |
    | Akamai Page size | False | The number of events to fetch per request to Akamai (multiple requests are made for each fetch). If you're getting aggregated delays, increase the number. The maximum is 600,000. |
    | Trust any certificate (not secure) | False | |
    | Use system proxy settings | False | |
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the CLI, as part of a script, or in a playbook.

Fetch Incidents

```json
[
{
"name": "Akamai SIEM: 50170",
"occurred": "2019-12-10T18:28:27Z",
"rawJSON": {
"type": "akamai_siem",
"format": "json",
"version": "1.0",
"attackData": {
"configId": "50170",
...
}
}
},
{
"name": "Akamai SIEM: 50170",
"occurred": "2019-12-10T18:28:26Z",
"rawJSON": {
"type": "akamai_siem",
"format": "json",
"version": "1.0",
"attackData": {
"configId": "50170",
...
}
}
}
]
```

akamai-siem-reset-offset

Reset the last offset in case the offset is invalid.

Base Command

akamai-siem-reset-offset

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

akamai-siem-get-events


Get security events from Akamai WAF.

Base Command

akamai-siem-get-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| config_ids | Unique identifier for each security configuration. To report on more than one configuration, separate the integer identifiers with semicolons (;), for example: 12892;29182;82912. | Required |
| offset | This token denotes the last message. If specified, this operation fetches only security events that have occurred from the offset. This is a required parameter for offset mode and you can't use it in time-based requests. | Optional |
| limit | Defines the maximum number of security events returned per fetch. | Optional |
| from_epoch | The start of a specified time range, expressed in Unix epoch seconds. | Optional |
| to_epoch | The end of a specified time range, expressed in Unix epoch seconds. | Optional |
| time_stamp | Timestamp of events (<number> <time unit>, for example: 12 hours, 7 days). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Akamai.SIEM.AttackData.ClientIP | String | IP address involved in the attack. |
| Akamai.SIEM.AttackData.ConfigID | String | Unique identifier of the security configuration involved. |
| Akamai.SIEM.AttackData.PolicyID | String | Unique identifier of the policy configuration involved. |
| Akamai.SIEM.AttackData.Geo.Asn | String | Geographic ASN location of the IP address involved in the attack. |
| Akamai.SIEM.AttackData.Geo.City | String | City of the IP address involved in the attack. |
| Akamai.SIEM.AttackData.Geo.Continent | String | Continent of the IP address involved in the attack. |
| Akamai.SIEM.AttackData.Geo.Country | String | Country of the IP address involved in the attack. |
| Akamai.SIEM.AttackData.Geo.RegionCode | String | Region code of the IP address involved in the attack. |
| Akamai.SIEM.AttackData.HttpMessage.Bytes | Number | HTTP message size in bytes. |
| Akamai.SIEM.AttackData.HttpMessage.Host | String | HTTP message host. |
| Akamai.SIEM.AttackData.HttpMessage.Method | String | HTTP message method. |
| Akamai.SIEM.AttackData.HttpMessage.Path | String | HTTP message path. |
| Akamai.SIEM.AttackData.HttpMessage.Port | String | HTTP message port. |
| Akamai.SIEM.AttackData.HttpMessage.Protocol | String | HTTP message protocol. |
| Akamai.SIEM.AttackData.HttpMessage.Query | String | HTTP message query. |
| Akamai.SIEM.AttackData.HttpMessage.RequestHeaders | String | HTTP message request headers. |
| Akamai.SIEM.AttackData.HttpMessage.RequestID | String | HTTP message request ID. |
| Akamai.SIEM.AttackData.HttpMessage.ResponseHeaders | String | HTTP message response headers. |
| Akamai.SIEM.AttackData.HttpMessage.Start | Date | HTTP message epoch start time. |
| Akamai.SIEM.AttackData.HttpMessage.Status | Number | HTTP message status code. |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
| IP.Geo.Country | String | The country in which the IP address is located. |

Context Example
```json
{
"Akamai": {
"SIEM": [
{
"AttackData": {
"ClientIP": "8.8.8.8",
"ConfigID": "50170",
"PolicyID": "1234_89452",
"RuleActions": [
"alert",
"deny"
],
"RuleMessages": [
"Custom_RegEX_Rule",
"No Accept Header AND No User Agent Header"
],
"RuleTags": [
"example",
"No-AH-UA"
],
"Rules": [
"642118",
"642119"
]
},
"Geo": {
"Asn": "16509",
"City": "FRANKFURT",
"Continent": "EU",
"Country": "DE",
"RegionCode": "HE"
},
"HttpMessage": {
"Bytes": "296",
"Host": "wordpress.panw.ninja",
"Method": "POST",
"Path": "/wp-cron.php",
"Port": "80",
"Protocol": "HTTP/1.1",
"RequestHeaders": "Host",
"RequestId": "87bb604",
"ResponseHeaders": "Server",
"Start": "1576746102",
"Status": "403"
}
},
{
"AttackData": {
"ClientIP": "8.8.8.8",
"ConfigID": "50170",
"PolicyID": "1234_89452",
"RuleActions": [
"alert",
"deny"
],
"RuleMessages": [
"Custom_RegEX_Rule",
"No Accept Header AND No User Agent Header"
],
"RuleTags": [
"example",
"No-AH-UA"
],
"Rules": [
"642118",
"642119"
]
},
"Geo": {
"Asn": "16509",
"City": "FRANKFURT",
"Continent": "EU",
"Country": "DE",
"RegionCode": "HE"
},
"HttpMessage": {
"Bytes": "296",
"Host": "wordpress.panw.ninja",
"Method": "POST",
"Path": "/wp-cron.php",
"Port": "80",
"Protocol": "HTTP/1.1",
"RequestHeaders": "Header",
"RequestId": "32e63ee2",
"ResponseHeaders": "Server",
"Start": "1576746179",
"Status": "403"
}
}
]
},
"IP": [
{
"ASN": "5650",
"Address": "8.8.8.8",
"Geo": {
"Country": "US"
}
},
{
"ASN": "5650",
"Address": "8.8.8.8",
"Geo": {
"Country": "US"
}
}
]
}
```

Troubleshooting

Receiving a 416 error code / aggregated delay when fetching events:

This may be caused by not requesting enough events per interval / request. The proposed solution is to tune the two parameters Fetch limit and Akamai Page size. Fetch limit is the total number of events to retrieve in each fetch interval. Akamai Page size is the number of events to retrieve in each request to Akamai. Note that the suggested maximum for Akamai Page size is 200k. Because a single interval may execute multiple requests, you should configure Akamai Page size < Fetch limit, and find a balance between the two such that neither the command nor the individual request times out.
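The interplay between Fetch limit and Akamai Page size, as an added illustration rather than the integration's own code: one fetch interval pulls pages of at most `page_size` events until `fetch_limit` is reached or Akamai returns a short page, and each raw event is then shaped like the Fetch Incidents output above. It assumes a newline-delimited response whose last line carries the next offset token, and `httpMessage.start` as the epoch-seconds field; `fake_backend` and `make_event` are constructed stand-ins, not the Akamai API.

```python
import json
from datetime import datetime, timezone
from typing import Callable, List, Tuple

PageFetcher = Callable[[str, int], str]  # (offset, limit) -> raw SIEM response body

def parse_siem_page(body: str) -> Tuple[List[dict], str]:
    """Assumed shape: newline-delimited JSON, every line an event except the
    last, which carries the offset token to resume from."""
    records = [json.loads(line) for line in body.splitlines() if line.strip()]
    if not records or "offset" not in records[-1]:
        raise ValueError("response is missing the trailing offset record")
    return [r for r in records[:-1] if r.get("type") == "akamai_siem"], records[-1]["offset"]

def fetch_interval(fetch: PageFetcher, offset: str,
                   fetch_limit: int, page_size: int) -> Tuple[List[dict], str]:
    """Collect up to fetch_limit events for one fetch interval, page_size per
    request, so one interval may issue several requests to Akamai."""
    if page_size > fetch_limit:
        raise ValueError("Akamai Page size must not exceed Fetch limit")
    events: List[dict] = []
    while len(events) < fetch_limit:
        want = min(page_size, fetch_limit - len(events))
        page, offset = parse_siem_page(fetch(offset, want))
        events.extend(page)
        if len(page) < want:  # short page: nothing more available right now
            break
    return events, offset

def to_incident(event: dict) -> dict:
    """Shape one raw event like the Fetch Incidents output shown above."""
    start = int(event["httpMessage"]["start"])  # epoch seconds, as in the context example
    occurred = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"name": f"Akamai SIEM: {event['attackData']['configId']}",
            "occurred": occurred, "rawJSON": event}

def make_event(config_id: str, start_epoch: int) -> dict:
    """Constructed sample event (not captured from Akamai)."""
    return {"type": "akamai_siem", "format": "json", "version": "1.0",
            "attackData": {"configId": config_id, "clientIP": "192.0.2.10"},
            "httpMessage": {"start": str(start_epoch), "status": "403"}}

def fake_backend(events: List[dict]) -> PageFetcher:
    """Constructed stand-in for the SIEM API; the offset is simply an index."""
    def fetch(offset: str, limit: int) -> str:
        start = int(offset or "0")
        page = events[start:start + limit]
        tail = {"total": len(page), "offset": str(start + len(page))}
        return "\n".join(json.dumps(r) for r in page + [tail])
    return fetch
```

Running `fetch_interval(fake_backend(evs), "", fetch_limit=5, page_size=2)` against seven constructed events issues three requests (2 + 2 + 1) and stops at the limit, while a larger limit drains the backlog and stops on the short page.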

Known limitations

The config ID can only be configured on one instance:

Due to limitations on the Akamai side, a config ID can only be configured on one instance, whether on the same machine or on different machines (i.e. the same config ID can't be configured both on dev and prod tenants, or twice on the same tenant). Configuring it on multiple instances may lead to duplicated or missing events.