Sumo Logic

Akamai Security Events

The Akamai Security Events App lets you visualize security events generated on the Akamai platform. The preconfigured dashboards provide insights into attack data, sources of attack, attack queries, geolocation of the attack source, context on the attack's HTTP request, and the rules triggered by the attack.

Log Types

The Akamai Security Events App uses security events generated on the Akamai platform, collected through Akamai's SIEM API (v1) by Sumo Logic's Akamai SIEM API Source. Each event is delivered as one JSON document with three objects: attackData (the rule that fired and the client IP), httpMessage (the request and response that triggered it) and geo (where the client IP is located).

Sample Log Message

{
  "type": "akamai_siem",
  "format": "json",
  "version": "1.0",
  "attackData": {
    "rule": "",
    "ruleVersion": "",
    "ruleMessage": "",
    "ruleTag": "",
    "ruleData": "",
    "ruleSelector": "",
    "ruleAction": "",
    "configId": "76756",
    "policyId": "prag_136180",
    "clientIP": "13.29.10.10"
  },
  "httpMessage": {
    "requestId": "2d442db6",
    "start": "1627663284",
    "protocol": "HTTP/1.1",
    "method": "GET",
    "host": "fierce.force.com",
    "port": "80",
    "path": "/",
    "query": "v=999999.9 union all select 0x31303235343830303536,0x31303235343830303536",
    "requestHeaders": {
      "Host": "fierce.force.com",
      "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7",
      "Accept": "text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.",
      "Keep-Alive": "300",
      "Proxy-Connection": "keep-alive",
      "Content-Length": "2"
    },
    "status": "200",
    "bytes": "22726",
    "responseHeaders": "Server%3a%20Apache%2f2.4.29%20(Ubuntu)...tive-Regex-Time%3a%20681%0d%0aAkamai-X-Request-ID%3a%202d442db6%0d%0a"
  },
  "geo": {
    "continent": "NA",
    "country": "US",
    "city": "WESTFORD",
    "regionCode": "MA",
    "asn": "7922"
  }
}

Query sample

Replace <akamai-foo> with the source category assigned to your Akamai SIEM API Source. httpMessage.start is epoch seconds delivered as a string, so it is multiplied by 1000 before formatDate, which expects milliseconds.

_sourceCategory=<akamai-foo>
| json field=_raw "attackData.clientIP", "attackData.configId", "attackData.policyId", "attackData.ruleAction", "attackData.rule", "attackData.ruleMessage", "attackData.ruleSelector", "attackData.ruleTag", "attackData.ruleVersion", "httpMessage.start", "httpMessage.status" as client_ip, config_id, policy_id, rule_action, rule, rule_message, rule_selector, rule_tag, rule_version, time_epoch, http_response nodrop
| time_epoch * 1000 as time_epoch_ms
| formatDate(toLong(time_epoch_ms), "MM-dd-yyyy HH:mm:ss") as attack_date
| json field=_raw "geo.city", "geo.continent", "geo.country", "geo.regionCode", "geo.asn" as city, continent, country, region_code, asn nodrop
| count by attack_date, client_ip, city, country, rule_action, rule, rule_message, rule_selector, rule_version, config_id, policy_id, http_response
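The Python script below is an added example, not code from the Sumo Logic app or from Akamai. It does outside Sumo Logic what the sample log message and the query above describe: it parses one event of the shape shown in the Sample Log Message, flattens it into the same columns the query counts by, converts httpMessage.start to the same MM-dd-yyyy HH:mm:ss form, and additionally percent-decodes the responseHeaders blob, which the dashboards use for HTTP-request context but the query does not touch. The event it runs on is constructed to match the page's sample: the identifiers are taken from the sample, the rule* fields (empty on the page) are filled with made-up values, and responseHeaders is a complete short blob instead of the truncated one shown above.

```python
import json
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed event in the shape of the Sample Log Message above (not a capture
# from a live Akamai account). The rule* fields, which the page's sample leaves
# empty, are filled with made-up values; responseHeaders is a complete, short
# blob instead of the truncated one shown on the page.
SAMPLE_EVENT = """{
  "type": "akamai_siem",
  "format": "json",
  "version": "1.0",
  "attackData": {
    "rule": "9990001",
    "ruleVersion": "1",
    "ruleMessage": "SQL Injection Attack (constructed)",
    "ruleTag": "WEB_ATTACK/SQL_INJECTION",
    "ruleData": "union all select",
    "ruleSelector": "ARGS:v",
    "ruleAction": "alert",
    "configId": "76756",
    "policyId": "prag_136180",
    "clientIP": "13.29.10.10"
  },
  "httpMessage": {
    "requestId": "2d442db6",
    "start": "1627663284",
    "protocol": "HTTP/1.1",
    "method": "GET",
    "host": "fierce.force.com",
    "port": "80",
    "path": "/",
    "query": "v=999999.9 union all select 0x31303235343830303536,0x31303235343830303536",
    "status": "200",
    "bytes": "22726",
    "responseHeaders": "Server%3a%20Apache%2f2.4.29%20(Ubuntu)%0d%0aAkamai-X-Request-ID%3a%202d442db6%0d%0a"
  },
  "geo": {"continent": "NA", "country": "US", "city": "WESTFORD", "regionCode": "MA", "asn": "7922"}
}"""


def decode_response_headers(encoded: str) -> dict[str, str]:
    """Turn the percent-encoded responseHeaders blob into a name -> value dict.

    The whole header block is one percent-encoded string: "%0d%0a" (CRLF)
    separates headers and "%3a%20" (": ") separates name from value. unquote()
    is used rather than unquote_plus() so a literal "+" in a header survives.
    """
    headers: dict[str, str] = {}
    for line in unquote(encoded).split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:  # skips the empty trailing element and any line without a colon
            headers[name.strip()] = value.strip()
    return headers


def attack_date(start_epoch: str, fmt: str = "%m-%d-%Y %H:%M:%S") -> str:
    """Format httpMessage.start (epoch seconds, delivered as a string).

    The Sumo query multiplies by 1000 first because formatDate() expects
    milliseconds; datetime.fromtimestamp() wants seconds, so no scaling here.
    UTC is used explicitly so the result does not depend on the host timezone.
    """
    return datetime.fromtimestamp(int(start_epoch), tz=timezone.utc).strftime(fmt)


def flatten_event(raw: str) -> dict:
    """Flatten one Akamai security event into the columns the query counts by,
    plus the request line and decoded response headers for HTTP-request context."""
    event = json.loads(raw)
    attack = event.get("attackData", {})
    http = event.get("httpMessage", {})
    geo = event.get("geo", {})
    return {
        "attack_date": attack_date(http["start"]),
        "client_ip": attack.get("clientIP"),
        "city": geo.get("city"),
        "country": geo.get("country"),
        "asn": geo.get("asn"),
        "rule_action": attack.get("ruleAction"),
        "rule": attack.get("rule"),
        "rule_message": attack.get("ruleMessage"),
        "rule_selector": attack.get("ruleSelector"),
        "rule_version": attack.get("ruleVersion"),
        "config_id": attack.get("configId"),
        "policy_id": attack.get("policyId"),
        "http_response": http.get("status"),
        "request": f'{http.get("method")} {http.get("host")}{http.get("path")}?{http.get("query")}',
        "response_headers": decode_response_headers(http.get("responseHeaders", "")),
    }


if __name__ == "__main__":
    record = flatten_event(SAMPLE_EVENT)
    for key, value in record.items():
        print(f"{key:17} {value}")
```

Running it prints attack_date as 07-30-2021 16:41:24 for the sample's start value of 1627663284. Two details are worth noticing in the output: the http_response of 200 together with a ruleAction of alert means the request was logged but not blocked, so a 200 in this feed is not evidence that the request was harmless; and the decoded Akamai-X-Request-ID header carries the same value as httpMessage.requestId (2d442db6 in the sample), which gives you a key for correlating a security event with the corresponding Akamai delivery log line.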