
SIEM Splunk connector

Combine Splunk and Akamai to gain insights into attacks. Watch the Analytics-driven Cloud Security at Scale with Splunk and Akamai video to learn more.

The sample Splunk connector is a Splunk add-on that captures security events
from the Akamai Security Events Collector, which exposes a RESTful API that
lets the connector pull events in JSON format. Akamai's Splunk add-on
converts security event data from JSON into CIM format. The resulting data
can then be imported into and analyzed by Splunk.

Install the Splunk connector


System requirements
• Akamai Splunk Connector requires Oracle JRE 1.8+. Download the latest from the Oracle Java site (Java Platform, Standard Edition) or install it from a software distribution package on Linux.
• Java is already installed on the host running Splunk Enterprise.
• KVStore is already installed on the host machine where you want to install your connector.
• Verify that the Splunk forwarder is not installed on your Splunk Enterprise host machine.

Hardware requirements
This application has been tested with the following operating systems:
• CentOS 7
• Windows Server 2012 R2
• Mac OS X El Capitan Version 10.11.6

Some additional hardware requirements:

• 4 CPU cores
• 16 GB RAM
• 2 GB free disk space

Proxy server
To access the SIEM API from behind a proxy server, ensure that your proxy:

• Allows the domains *.cloudsecurity.akamaiapis.net and *.luna.akamaiapis.net.
• Doesn't interfere with HTTP request headers for those domains. If, due to a strict enterprise security policy, your proxy changes these headers, make sure that, at a minimum, you allow and don't change the Host and Authorization headers.

Install
1. Go to https://splunkbase.splunk.com/app/4310/ and download the connector.

Tip: On Splunkbase, subscribe to this connector to be notified of future updates.

2. In Splunk, in the upper left of the screen, click the Splunk icon.

3. Next to Apps at the top of the navigation bar, click the gear icon.

4. Click Install app from file.

5. Click Choose File.

6. Browse to and select akamai-siem-integration_x.tgz (x being the latest version available) and then click Open.

7. Click Upload.

8. Restart Splunk. You then see Akamai SIEM API (Security Information and Event Management).

9. From the menu, click Settings > Data Inputs.

10. Click the Akamai Security Incident Event Manager API.

11. Click New and complete the following fields:

o Name. Enter any name you want for the input.
o Hostname. Enter the host URL copied when you provisioned the SIEM API.
o Security Configuration(s). Enter the Configuration ID copied when you enabled SIEM in Akamai Control Center.
o Client Token, Client Secret, and Access Token. Enter the values copied when you provisioned the SIEM API.
o proxy_host. Enter the host name of your proxy server.
o proxy_port. Enter the port number you use to connect to your proxy server.
o Initial Epoch Time and Final Epoch Time. Leave these fields blank. If you encounter an issue with your events, you can later use these fields to retrieve security event data for a specific time period.
o Limit. To limit the number of security events pulled with each API call, enter an integer value here. If not specified, the API retrieves a maximum of 150,000 records per call.
o log level. Specifies the message types that are logged. By default, the log level is set to INFO, but you can change it to WARN, ERROR, FATAL, or DEBUG to get more data for certain situations. For example, if you have a problem with the connector, use DEBUG to get more detailed messages that will help you troubleshoot.
o Interval. Number of seconds between fetch requests. Enter 60 unless you have entered values in both the Initial Epoch Time and Final Epoch Time fields to retrieve security events for a specified time period; in that case, leave the Interval field blank. If it takes more than 60 seconds to fetch the data, increase the interval to the number of seconds you need to complete the task.
o disable_splunk_cert_check. Check this box to disable Splunk server certificate validation. Do so only if you can't import the Splunk server certificate into your local Java keystore; with validation disabled, the connector can no longer detect a substituted Splunk server certificate. This is a temporary workaround until the splunk-sdk-java maintainers fix this issue: https://github.com/splunk/splunk-sdk-java/issues/213

12. Return to the Splunk homepage and click Akamai SIEM. If you see data, setup was successful.

13. If you don't see data, go to the menu and click Debug > Akamai Logging dashboard. Akamai SIEM Errors appears on the right. In the event of a fatal error that prevents data collection, review the logs and take corrective action. This log is also available in /{splunk_home}/var/log/splunk. See Retrieve past security events using the Splunk connector, below.

14. To search for SIEM data in Splunk, use the search app: from the Splunk homepage, click the Search and Reporting app and enter the query sourcetype="akamaisiem".
We strongly recommend installing the Splunk add-on app Lookup File Editor from within Splunk Apps. You need this add-on to switch retrieval modes. After a data input has been enabled, you can't edit that input and then run it again. Instead, disable the input, clone it, make changes to the clone, then run the new, cloned input.

SIEM API data format for Splunk


CIM mapping list

| Event Type | Source Type | Object Type | Field or Expression | CIM Mapping Models |
|---|---|---|---|---|
| AkamaiSecurityConfigEvent | akamaisiem | FIELD ALIAS | attackData.clientIP | Vulnerabilities, Malware, Attacks, All changes, Proxy |
| AkamaiSecurityConfigEvent | akamaisiem | FIELD ALIAS | httpsMessage.bytes | Vulnerabilities, Malware, Attacks, All changes, Proxy |

Attack data

| Field | Description | Example | Note |
|---|---|---|---|
| configId | ID of the security configuration applied to the request. | 6724 | |
| policyId | ID of the firewall policy applied to the request. | scoe_5426 | |
| clientIP | IP address of the client that made the request. | | |
| slowPostAction | Action taken if a Slow POST attack is detected: W for warn or A for deny (abort). | W | |
| slowPostRate | Recorded rate of a detected Slow POST attack. | 10 | |
| rules | Base64-encoded IDs of rules triggered for the request. | OTUwMDA0;OTkwMDEx | Represents [950004, 990011] |
| ruleVersions | Base64-encoded versions of rules triggered for the request. | ; | Represents [, ] |
| ruleMessages | Base64-encoded messages of rules that triggered for this request. | Q3Jvc3Mtc2l0ZSBTY3JpcHRpbmcgKFhTUykgQXR0YWNr;UmVxdWVzdCBJbmRpY2F0ZXMgYW4gYXV0b21hdGVkIHByb2dyYW0gZXhwbG9yZWQgdGhlIHNpdGU | Represents [Cross-site Scripting (XSS) Attack, Request Indicates an automated program explored the site] |
| ruleTags | Base64-encoded tags of rules that triggered for the request. | V0VCX0FUVEFDSy9YU1M=;QVVUT01BVElPTi9NSVND | Represents [WEB_ATTACK/XSS, AUTOMATION/MISC]. See WAF rules. |
| ruleData | Base64-encoded user data of rules that triggered for this request. | YWxlcnQo;Y3VybA== | Represents [alert(, curl] |
| ruleSelectors | Base64-encoded selectors of rules that triggered for the request. | QVJHUzph;UkVRVUVTVF9IRUFERVJTOlVzZXItQWdlbnQ= | Represents [ARGS:a, REQUEST_HEADERS:User-Agent] |
| ruleActions | Base64-encoded actions of rules that triggered for the request. | QUxFUlQ;REVOWQ== | Represents [ALERT, DENY] |
| clientReputation | Client IP scores for Client Reputation. | ID=172.19.185.64; WEBATCK=9; DOSATCK=9 | |
| apiId | API ID for API Protection. | API_41 | |
| apiKey | API key for API Protection. | bkayZOMvuy8aZOhIgxq94K9Oe7Y70Hw55 | |
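The fields from rules through ruleActions are parallel, semicolon-separated lists of base64 segments, and the API omits the trailing '=' padding (QUxFUlQ for ALERT). The decoder below is an added example, not code from the connector or from this page: it takes the table's example values as a constructed sample event (the clientIP is a documentation address, not from the page), restores padding, and joins the fields into one record per triggered rule, keeping an undecodable segment visible instead of dropping it.

```python
import base64
import binascii

# Constructed sample, built from the example values in the attack data table
# above; clientIP is a documentation address, not a value from the page.
SAMPLE_ATTACK_DATA = {
    "configId": "6724",
    "policyId": "scoe_5426",
    "clientIP": "192.0.2.10",
    "rules": "OTUwMDA0;OTkwMDEx",
    "ruleVersions": ";",
    "ruleMessages": "Q3Jvc3Mtc2l0ZSBTY3JpcHRpbmcgKFhTUykgQXR0YWNr;"
                    "UmVxdWVzdCBJbmRpY2F0ZXMgYW4gYXV0b21hdGVkIHByb2dyYW0gZXhwbG9yZWQgdGhlIHNpdGU",
    "ruleTags": "V0VCX0FUVEFDSy9YU1M=;QVVUT01BVElPTi9NSVND",
    "ruleData": "YWxlcnQo;Y3VybA==",
    "ruleSelectors": "QVJHUzph;UkVRVUVTVF9IRUFERVJTOlVzZXItQWdlbnQ=",
    "ruleActions": "QUxFUlQ;REVOWQ==",
}

# The encoded fields are parallel lists: segment i of every field describes the
# same triggered rule. Each field maps to the key used in the per-rule record.
RULE_FIELDS = {
    "rules": "ruleId", "ruleVersions": "version", "ruleMessages": "message",
    "ruleTags": "tag", "ruleData": "data", "ruleSelectors": "selector",
    "ruleActions": "action",
}

def decode_segment(segment):
    """Decode one segment, restoring the '=' padding the API leaves out; an empty
    segment stays empty and invalid base64/UTF-8 is returned marked, not lost."""
    if not segment:
        return ""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable:%s>" % segment

def decode_field(value):
    return [decode_segment(s) for s in value.split(";")]

def expand_rules(attack_data):
    """One dict per triggered rule; raises if the fields disagree on the rule count."""
    columns = {RULE_FIELDS[f]: decode_field(attack_data[f])
               for f in RULE_FIELDS if f in attack_data}
    count = len(columns["ruleId"])
    if any(len(v) != count for v in columns.values()):
        raise ValueError("rule fields are not parallel (truncated or malformed event)")
    return [{k: v[i] for k, v in columns.items()} for i in range(count)]
```

Calling expand_rules(SAMPLE_ATTACK_DATA) yields two records, one for rule 950004 (the XSS alert on ARGS:a) and one for rule 990011 (the automated-program deny on the User-Agent header).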

HTTP message data

| Name | Description | Example |
|---|---|---|
| requestId | Globally unique ID of the message. | 2ab418ac85 |
| start | Time, in epoch format (to millisecond precision), when the Edge Server initiated the connection for the message exchange being monitored. | 1470923133 |
| protocol | Protocol of the transaction being monitored. | http/2 |
| tls | TLS version, if applicable. Should be equal to AK_TLS_VERSION. | TLSv1.2 |
| method | Method of the incoming request. | POST |
| host | Value of the incoming client request's Host header. | www.exampl |
| port | Port number used by the incoming request. Should be equal to the value of AK_IN_PORT. | 80 |
| path | Path used in the incoming URI from the client, not including query strings. | /examples/ |
| query | Query strings passed in the incoming URI from the client. | a=../../.. |
| requestHeaders | All request headers collected. | |
| status | HTTP response status sent to the client. | 301 |
| bytes | Bytes served in the client response. | 34523 |
| responseHeaders | All response headers collected. | |

Geo data

| Name | Description |
|---|---|
| continent | 2-letter code for the continent that the IP address maps to. |
| country | 2-letter ISO-3166 code for the country the IP address maps to. |
| city | City that the IP address maps to. |
| regionCode | 2-letter ISO-3166 code for the state, province, or region the IP address maps to. |
| asn | Autonomous System Number (or numbers) that the IP address belongs to. |

userRiskData object
User information included in an event if: 1) you are using Account Protector and 2) the event occurs on a protected endpoint. If a client request is denied, user risk information might not be calculated and included in the event, depending on when that denial took place.

| Name | Description | Example |
|---|---|---|
| uuid | Unique identifier of the user whose risk data is being provided. | 813d54f4-0821-4o0a-a2pp6-0101dd0ec23u |
| status | Status code indicating any errors that might have occurred when calculating the risk score. See the User Score Status section of this page for details. | 0 |
| username | The unencrypted username, provided at login by the user. | jsmith@example.com |
| originUserId | The unencrypted user ID, provided by the origin. | jsmith007 |
| score | Calculated risk score. Scores range from 0 (no risk) to 100 (the highest possible risk). | 75 |
| risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. | udfp:1325gdg4g4343g/M |
| trust | Indicators that were trusted. For example, the value ugp indicates that the user's country or area is trusted. | ugp:US |
| general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | duc_1h:10 |
| allow | Indicates whether the user is on the allow list. 0 indicates that the user was not on the list; 1 indicates that the user was on the list. | 0 |

clientData object
This data is included only if you are running Botman Premier and the request is matched as a resource purpose with bot protection enabled.

| Name | Description |
|---|---|
| appBundleId | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. |
| appVersion | Version number of the app. |
| telemetryType | Specifies the telemetry type in use. Allowed values: 0 = Web client (standard telemetry); 1 = Web client (inline telemetry); 2 = Native app (SDK). |
| sdkVersion | Version number of the software developer's kit. |

botData object
Akamai Bot Manager information associated with the event. This data is included only if you are running Botman Premier and the request is matched as a resource purpose with bot protection enabled.

| Name | Description |
|---|---|
| botScore | Score assigned to the request by Bot Manager. |
| responseSegment | Numeric response segment indicator. Segments are used to group and categorize bot scores. Allowed values: 0 = Human; 1 = Cautious response; 2 = Strict response; 3 = Aggressive response; 4 = Safeguard. |

Custom data

| Name | Value |
|---|---|
| custom | Base64-encoded custom value. The size limit for custom data is 2 KB. |

Environment variables
Splunk connector v1.4.14 introduced a feature that lets customers provide their own connection and socket timeouts, using the environment variables AKAMAI_SIEM_HTTP_CONNECTION_TIMEOUT and AKAMAI_SIEM_HTTP_SOCKET_TIMEOUT. Both variables expect the respective timeout in seconds. Note that you'll need to restart Splunk for these changes to take effect.

Retrieve past security events using the Splunk connector
The Akamai Splunk connector offers 2 modes of operation:

• Offset-based. The most commonly used mode: the connector automatically logs security events as they're collected. The connector operates in offset mode when the Initial Epoch Time and Final Epoch Time fields are blank.
• Time-based. Enables you to retrieve only the events that occurred within a specified time period (requires the Initial Epoch Time field and, optionally, the Final Epoch Time field). For example, if your SIEM connection is disrupted, you can retrieve any (or all) security events that occurred within the last 12 hours.

To retrieve missing or past security events, switch from an offset-based to a time-based feed:

1. Open your Splunk connector's configuration and, in the Initial Epoch Time field, enter the start time (in epoch format) of the period for which you want to review security event data.
2. (Optional) In the Final Epoch Time field, enter the end time for that period (in epoch format). The time window you set can be any interval within the 12 hours preceding the present moment. If this field is left blank, the connector pulls events up to the present and continues to log events as they're collected.
3. To return the connector to offset mode, clear the Initial Epoch Time and Final Epoch Time fields and save your changes.

If regular offset event collection occurred within the time window, you may
see duplicate data in Splunk.

Don't see the data you expected? When you set the Initial Epoch
Time and Final Epoch Time fields to retrieve security events for a specific
time period, the connector makes only one call to the API. If the number of
events in the specified time window exceeds the value in the Limit field (or
the default limit of 150,000) the connector won't retrieve data. As a
workaround, decrease the time period for retrieving events; for example, you
might need to make one API call to retrieve events that occurred in the first 6
hours of your time period, and a second API call to retrieve events that
occurred in the final 6 hours of your time period.
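The time-based procedure and the Limit caveat above impose two constraints on a retrieval window: it must lie within the 12 hours preceding the present, and a single call must be expected to return no more than the Limit. The planner below is an added example, not part of the connector or this page; it assumes the Initial and Final Epoch Time fields take epoch seconds and that the operator supplies an estimated event rate, and it splits an oversized window into consecutive sub-windows (the page's 6-hour halves are the two-piece case).

```python
import math

LOOKBACK_SECONDS = 12 * 3600   # time-based retrieval reaches back at most 12 hours
DEFAULT_LIMIT = 150_000        # default maximum records per API call

def plan_windows(initial_epoch, final_epoch, now_epoch, events_per_hour,
                 limit=DEFAULT_LIMIT):
    """Split [initial_epoch, final_epoch] into consecutive (Initial Epoch Time,
    Final Epoch Time) pairs, each expected to hold at most `limit` events.
    Epoch values are taken as seconds and events_per_hour is the operator's own
    estimate of the event rate (both are assumptions, not stated by the page).
    Returns [] for a window the API cannot serve, instead of field values the
    connector would accept but never fetch data for."""
    if not initial_epoch < final_epoch <= now_epoch:
        return []                      # empty, reversed or future window
    if now_epoch - initial_epoch > LOOKBACK_SECONDS:
        return []                      # starts earlier than 12 hours ago
    span = final_epoch - initial_epoch
    expected_events = events_per_hour * span / 3600
    pieces = max(1, math.ceil(expected_events / limit))
    # Adjacent windows share a boundary second; together with regular offset
    # collection in the same period, this is why Splunk may show duplicates.
    return [(initial_epoch + span * i // pieces,
             initial_epoch + span * (i + 1) // pieces) for i in range(pieces)]

if __name__ == "__main__":
    import time
    now = int(time.time())
    # Example: refetch the full 12 hours at an estimated 20,000 events per hour.
    for start, end in plan_windows(now - LOOKBACK_SECONDS, now, now, 20_000):
        print("Initial Epoch Time=%d  Final Epoch Time=%d" % (start, end))
```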

Update the sample Splunk connector


To be notified when a new version of the connector is released, go to the Splunkbase page for the SIEM connector app and click Subscribe. When there's a new release, Splunkbase notifies you by email. You can then upgrade directly from your Splunk server's web admin page by doing the following:

1. Open Splunk.
2. Next to Apps at the top of the navigation bar, click the gear icon.
3. On the apps page, you see that the Akamai SIEM Integration app has
a new release. Click Update.
4. Accept the license agreement.
5. Download and install. You may need to restart Splunk following the
installation.

Updated 3 months ago
