# Akamai WAF SIEM

This integration is part of the Akamai WAF SIEM Pack.

Get security events from the Akamai Web Application Firewall (WAF) service. This integration was integrated and tested with API version 1.0 of Akamai WAF SIEM.

## Use Cases

- Get security events from Akamai WAF.
- Analyze security events generated on the Akamai platform and correlate them with security events generated from other sources in Cortex XSOAR.

## Detailed Description

A WAF (web application firewall) is a filter that protects against HTTP application attacks. It inspects HTTP traffic before it reaches your application and protects your server by filtering out threats that could damage your site functionality or compromise data.
## API key generation steps

1. Go to **WEB & DATA CENTER SECURITY** > **Security Configuration** > choose your configuration > **Advanced settings** > **Enable SIEM integration**.
2. Open the Control panel and log in with an admin account.
3. Open the **identity and access management** menu.
4. Create a user with the **Manage SIEM** role assigned, or make sure the admin has rights to manage SIEM.
5. Log in to the new account you created in the previous step.
6. Open the **identity and access management** menu.
7. Create **new api client for me**.
8. Assign an API key to the relevant user group, and on the next page assign **Read/Write** access for **SIEM**.
9. Save the configuration and go to the API detail you created.
10. Press **new credentials** and download or copy them.
11. Now use the credentials to configure Akamai WAF in Cortex XSOAR.
## Configure Akamai WAF SIEM on Cortex XSOAR

1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
2. Search for Akamai WAF SIEM.
3. Click **Add instance** to create and configure a new integration instance.

Parameter | Required | Description |
---|---|---|
Server URL (e.g., https://example.net) | True | |
Client token | False | |
Access token | False | |
Client secret | False | |
Config ids to fetch | True | |
Incident type | False | |
First fetch timestamp | False | |
Fetch limit | False | Limit on the number of incidents retrieved in a single fetch. |
Akamai Page size | False | The number of events to fetch per request to Akamai (multiple requests are made for each fetch). If you're getting aggregated delays, increase the number. The maximum is 600,000. |
Trust any certificate (not secure) | False | |
Use system proxy settings | False | |

4. Click **Test** to validate the new instance.
## Commands

You can execute these commands from the CLI, as part of a script, or in a playbook.

### Fetch Incidents

### akamai-siem-reset-offset

Reset the last offset in case the offset is invalid.

#### Base Command

`akamai-siem-reset-offset`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.
### akamai-siem-get-events

Get security events from Akamai WAF.

#### Base Command

`akamai-siem-get-events`

#### Input

Argument Name | Description | Required |
---|---|---|
config_ids | Unique identifier for each security configuration. To report on more than one configuration, separate the integer identifiers with semicolons (;), for example: 12892;29182;82912. | Required |
offset | This token denotes the last message. If specified, this operation fetches only security events that have occurred from the offset. This is a required parameter for offset mode and you can't use it in time-based requests. | Optional |
limit | Defines the maximum number of security events returned per fetch. | Optional |
from_epoch | The start of a specified time range, expressed in Unix epoch seconds. | Optional |
to_epoch | The end of a specified time range, expressed in Unix epoch seconds. | Optional |
time_stamp | Timestamp of events (`<number> <time unit>`, for example: 12 hours, 7 days). | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Akamai.SIEM.AttackData.clientIP | String | IP address involved in the attack. |
Akamai.SIEM.AttackData.ConfigID | String | Unique identifier of the security configuration involved. |
Akamai.SIEM.AttackData.PolicyID | String | Unique identifier of the policy configuration involved. |
Akamai.SIEM.AttackData.Geo.Asn | String | Geographic ASN location of the IP address involved in the attack. |
Akamai.SIEM.AttackData.Geo.City | String | City of the IP address involved in the attack. |
Akamai.SIEM.AttackData.Geo.Continent | String | Continent of the IP address involved in the attack. |
Akamai.SIEM.AttackData.Geo.Country | String | Country of the IP address involved in the attack. |
Akamai.SIEM.AttackData.Geo.RegionCode | String | Region code of the IP address involved in the attack. |
Akamai.SIEM.AttackData.HttpMessage.Bytes | Number | HTTP message size in bytes. |
Akamai.SIEM.AttackData.HttpMessage.Host | String | HTTP message host. |
Akamai.SIEM.AttackData.HttpMessage.Method | String | HTTP message method. |
Akamai.SIEM.AttackData.HttpMessage.Path | String | HTTP message path. |
Akamai.SIEM.AttackData.HttpMessage.Port | String | HTTP message port. |
Akamai.SIEM.AttackData.HttpMessage.Protocol | String | HTTP message protocol. |
Akamai.SIEM.AttackData.HttpMessage.Query | String | HTTP message query. |
Akamai.SIEM.AttackData.HttpMessage.RequestHeaders | String | HTTP message request headers. |
Akamai.SIEM.AttackData.HttpMessage.RequestID | String | HTTP message request ID. |
Akamai.SIEM.AttackData.HttpMessage.ResponseHeaders | String | HTTP message response headers. |
Akamai.SIEM.AttackData.HttpMessage.Start | Date | HTTP message epoch start time. |
Akamai.SIEM.AttackData.HttpMessage.Status | Number | HTTP message status code. |
IP.Address | String | IP address. |
IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
IP.Geo.Country | String | The country in which the IP address is located. |

#### Context Example
## Troubleshooting

**Receiving a 416 error code / aggregated delay when fetching events:** This may be due to not querying enough events per interval or per request. The proposed solution in that case is to tune the two parameters **Fetch limit** and **Akamai Page size**. Fetch limit is the total number of events to retrieve in each fetch interval. Akamai Page size is the number of events to retrieve in each request. Note that the suggested maximum for Akamai Page size is 200k. A single interval may therefore execute multiple requests, so you should configure Akamai Page size < Fetch limit. Work to find the balance between them so that neither the command nor the individual request times out.
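The interaction between these two parameters, and the argument rules from the `akamai-siem-get-events` input table above (semicolon-separated `config_ids`; `offset` cannot be combined with a time range), are easier to reason about in code. The following is an added example written for this page, not code from the Akamai WAF SIEM pack or from Akamai. It assumes a transport modelled as a callable `get_page(config_ids, offset, limit)` returning `(events, next_offset)`; the real Akamai request URL and response framing are not reproduced, and the fake feed is constructed test data.

```python
"""Added example (not the Akamai WAF SIEM pack's code): paging an offset-based
event feed under a per-fetch cap, plus validation of the get-events arguments.

Assumptions, not taken from the page: transport is a callable
get_page(config_ids, offset, limit) -> (events, next_offset); the fake feed
below is constructed data and does not reproduce Akamai's response format.
"""
from typing import Callable, Dict, List, Optional, Tuple

PageFetcher = Callable[[List[int], Optional[str], int], Tuple[List[Dict], str]]


def parse_config_ids(raw: str) -> List[int]:
    """Parse the semicolon-separated config_ids argument, e.g. '12892;29182;82912'."""
    ids: List[int] = []
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"config id must be an integer identifier: {part!r}")
        ids.append(int(part))
    if not ids:
        raise ValueError("config_ids must contain at least one identifier")
    return ids


def build_query(offset: Optional[str] = None, from_epoch: Optional[int] = None,
                to_epoch: Optional[int] = None, limit: Optional[int] = None) -> Dict:
    """Validate the mode of a get-events call: offset mode and time-based mode
    are mutually exclusive. Dict keys use the command's argument names, not
    Akamai's query-string names (an assumption of this example)."""
    time_based = from_epoch is not None or to_epoch is not None
    if offset is not None and time_based:
        raise ValueError("offset cannot be used together with from_epoch/to_epoch")
    if from_epoch is not None and to_epoch is not None and from_epoch > to_epoch:
        raise ValueError("from_epoch must not be later than to_epoch")
    query: Dict = {}
    for key, value in (("offset", offset), ("from_epoch", from_epoch),
                       ("to_epoch", to_epoch), ("limit", limit)):
        if value is not None:
            query[key] = value
    return query


def plan_requests(fetch_limit: int, page_size: int) -> List[int]:
    """Split one fetch of fetch_limit events into per-request limits of at most
    page_size. A page size above the fetch limit is clamped, so its extra
    capacity is never used: that is why Page size < Fetch limit is the useful
    setting."""
    if fetch_limit <= 0 or page_size <= 0:
        raise ValueError("fetch_limit and page_size must be positive")
    page_size = min(page_size, fetch_limit)
    full, remainder = divmod(fetch_limit, page_size)
    return [page_size] * full + ([remainder] if remainder else [])


def fetch_events(get_page: PageFetcher, config_ids: List[int], fetch_limit: int,
                 page_size: int, offset: Optional[str] = None) -> Tuple[List[Dict], Optional[str]]:
    """Run the requests planned for one interval, carrying the offset forward.
    A short page means the feed is drained; stop so the interval does not
    spend further round trips (and risk a timeout) on empty requests."""
    events: List[Dict] = []
    for request_limit in plan_requests(fetch_limit, page_size):
        page, offset = get_page(config_ids, offset, request_limit)
        events.extend(page)
        if len(page) < request_limit:
            break
    return events, offset


def make_fake_feed(total: int) -> PageFetcher:
    """Constructed stand-in for the event endpoint (not Akamai's format).
    Events are numbered 0..total-1; the offset token is the index of the next
    unread event, so successive pages never overlap or repeat."""
    def get_page(config_ids: List[int], offset: Optional[str], limit: int):
        get_page.calls += 1
        start = int(offset) if offset is not None else 0
        end = min(start + limit, total)
        page = [{"configId": str(config_ids[0]), "requestId": f"req-{i}"}
                for i in range(start, end)]
        return page, str(end)
    get_page.calls = 0
    return get_page


if __name__ == "__main__":
    feed = make_fake_feed(total=250)
    got, next_offset = fetch_events(feed, parse_config_ids("12892;29182"),
                                    fetch_limit=1000, page_size=100)
    print(len(got), next_offset, feed.calls)  # 250 250 3
```

With a fetch limit of 1000 and a page size of 100, a feed holding 250 events is drained in three requests (100, 100, 50) and the loop stops early instead of issuing the remaining seven planned requests; the returned offset is what the next interval should resume from.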
## Known limitations

**The config ID can only be configured on one instance:** Due to limitations from Akamai, a config ID can only be configured on one instance, whether on the same machine or on different machines (i.e., the same config ID can't be configured both on dev and prod tenants, or twice on the same tenant). Configuring it on multiple machines may lead to duplicated or missing events.