Akamai WAF SIEM

Get security events from the Akamai Web Application Firewall (WAF) service. This integration was integrated and tested with API version 1.0 of Akamai WAF SIEM.

Use Cases

  • Get security events from Akamai WAF.
  • Analyze security events generated on the Akamai platform and correlate them with security events generated from other sources in Demisto.

Detailed Description

A WAF (web application firewall) is a filter that protects against HTTP application attacks. It inspects HTTP traffic before it reaches your application and protects your server by filtering out threats that could damage your site functionality or compromise data.

Steps to generate API keys

  1. Go to `WEB & DATA CENTER SECURITY` > `Security Configuration` > choose your configuration > `Advanced settings` > Enable SIEM integration.
  2. Open the Control Panel and log in with an admin account.
  3. Open the Identity and Access Management menu.
  4. Create a user with the Manage SIEM role assigned, or make sure the admin account has rights to manage SIEM.
  5. Log in to the new account you created in the previous step.
  6. Open the Identity and Access Management menu.
  7. Select Create new API client for me.
  8. Assign the API key to the relevant user group, and on the next page assign Read/Write access for SIEM.
  9. Save the configuration and go to the details of the API client you created.
  10. Press New credentials and download or copy them.
  11. Use these credentials to configure Akamai WAF SIEM in Demisto.

Configure Akamai WAF SIEM on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Akamai WAF SIEM.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://example.net)
    • Client token
    • Access token
    • Client secret
    • Config ids to fetch (can have multiple, separated by semicolons ';')
    • Incident type
    • First fetch timestamp (for example 12 hours, 7 days)
    • Fetch limit
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Fetch Incidents

    [
      {
        "name": "Akamai SIEM: 50170",
        "occurred": "2019-12-10T18:28:27Z",
        "rawJSON": {
          "type": "akamai_siem",
          "format": "json",
          "version": "1.0",
          "attackData": {
            "configId": "50170",
            "policyId": "1234",
            "clientIP": "8.8.8.8",
            "rules": "test",
            "ruleVersions": "",
            "ruleMessages": "Test",
            "ruleTags": "Test",
            "ruleData": "",
            "ruleSelectors": "",
            "ruleActions": "Test"
          },
          "httpMessage": {
            "requestId": "3fbce3e",
            "start": "1576002507",
            "protocol": "HTTP/1.1",
            "method": "HEAD",
            "host": "google.com",
            "port": "80",
            "path": "index",
            "requestHeaders": "Test",
            "status": "403",
            "bytes": "0",
            "responseHeaders": "Server"
          },
          "geo": {
            "continent": "NA",
            "country": "US",
            "city": "LOSANGELES",
            "regionCode": "CA",
            "asn": "5650"
          }
        }
      },
      {
        "name": "Akamai SIEM: 50170",
        "occurred": "2019-12-10T18:28:26Z",
        "rawJSON": {
          "type": "akamai_siem",
          "format": "json",
          "version": "1.0",
          "attackData": {
            "configId": "50170",
            "policyId": "1234",
            "clientIP": "8.8.8.8",
            "rules": "test",
            "ruleVersions": "",
            "ruleMessages": "Test",
            "ruleTags": "Test",
            "ruleData": "",
            "ruleSelectors": "",
            "ruleActions": "Test"
          },
          "httpMessage": {
            "requestId": "3fbd757",
            "start": "1576002506",
            "protocol": "HTTP/1.1",
            "method": "HEAD",
            "host": "google.com",
            "port": "80",
            "path": "index",
            "requestHeaders": "Test",
            "status": "403",
            "bytes": "0",
            "responseHeaders": "Server"
          },
          "geo": {
            "continent": "NA",
            "country": "US",
            "city": "LOSANGELES",
            "regionCode": "CA",
            "asn": "5650"
          }
        }
      }
    ]

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get security events from Akamai WAF: akamai-siem-get-events

1. akamai-siem-get-events

Get security events from Akamai WAF.

Base Command

akamai-siem-get-events

Input

  • config_ids (Required): Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons, e.g. 12892;29182;82912.
  • offset (Optional): This token denotes the last message. If specified, this operation fetches only security events that have occurred from offset. This is a required parameter for offset mode and you can't use it in time-based requests.
  • limit (Optional): Defines the approximate maximum number of security events each fetch returns.
  • from_epoch (Optional): The start of a specified time range, expressed in Unix epoch seconds.
  • to_epoch (Optional): The end of a specified time range, expressed in Unix epoch seconds.
  • timestamp (Optional): Fetch events from a relative period (for example 12 hours, 7 days).

Allowed query parameter combinations:

  1. offset - Since a prior request.
  2. offset, limit - Since a prior request, limited.
  3. from - Since a point in time.
  4. from, limit - Since a point in time, limited.
  5. from, to - Over a range of time.
  6. from, to, limit - Over a range of time, limited.
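
The six parameter combinations above, together with the semicolon-separated config_ids argument and the relative timestamp format, as an added example in Python (not the integration's own code; the function names and the single-request parameter dictionary are assumptions):

```python
import re
import time
from typing import Dict, List, Optional, Union

_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}

def period_to_from_epoch(period: str, now: Optional[int] = None) -> int:
    """Turn a relative period such as "3 hours" or "7 days" into a Unix epoch
    start time (seconds), counted back from ``now`` (default: current time)."""
    match = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day)s?\s*", period, re.IGNORECASE)
    if not match:
        raise ValueError(f"unsupported period: {period!r}")
    now = int(time.time()) if now is None else now
    return now - int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]

def parse_config_ids(config_ids: str) -> List[int]:
    """Split the ';'-separated config_ids argument ("12892;29182;82912") and
    reject anything that is not an integer identifier."""
    parts = [part.strip() for part in config_ids.split(";") if part.strip()]
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"config_ids must be integers separated by ';': {config_ids!r}")
    return [int(part) for part in parts]

def build_query_params(offset: Optional[str] = None, limit: Optional[int] = None,
                       from_epoch: Optional[int] = None,
                       to_epoch: Optional[int] = None) -> Dict[str, Union[str, int]]:
    """Return the query parameters for one request, allowing only the six
    documented combinations: offset[, limit] or from[, to][, limit]."""
    if offset is not None and (from_epoch is not None or to_epoch is not None):
        raise ValueError("offset mode cannot be combined with from/to (time-based mode)")
    if offset is None and from_epoch is None:
        raise ValueError("either offset or from_epoch is required")
    if to_epoch is not None and to_epoch < from_epoch:
        raise ValueError("to_epoch must not be earlier than from_epoch")
    params: Dict[str, Union[str, int]] = {}
    if offset is not None:
        params["offset"] = offset        # offset mode: continue from the prior request's token
    else:
        params["from"] = int(from_epoch)  # time-based mode
        if to_epoch is not None:
            params["to"] = int(to_epoch)
    if limit is not None:
        if int(limit) <= 0:
            raise ValueError("limit must be a positive integer")
        params["limit"] = int(limit)
    return params
```
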
Context Output

  • Akamai.SIEM.AttackData.clientIP (String): IP involved in the attack.
  • Akamai.SIEM.AttackData.ConfigID (String): Unique identifier of the security configuration involved.
  • Akamai.SIEM.AttackData.PolicyID (String): Unique identifier of the policy configuration involved.
  • Akamai.SIEM.AttackData.PolicyID (String): Policy ID triggered.
  • Akamai.SIEM.AttackData.Geo.Asn (String): Geographic ASN location of the involved IP.
  • Akamai.SIEM.AttackData.Geo.City (String): City of the involved IP.
  • Akamai.SIEM.AttackData.Geo.Continent (String): Continent of the involved IP.
  • Akamai.SIEM.AttackData.Geo.Country (String): Country of the involved IP.
  • Akamai.SIEM.AttackData.Geo.RegionCode (String): Region code of the involved IP.
  • Akamai.SIEM.AttackData.HttpMessage.Bytes (Number): HTTP message size in bytes.
  • Akamai.SIEM.AttackData.HttpMessage.Host (String): HTTP message host.
  • Akamai.SIEM.AttackData.HttpMessage.Method (String): HTTP message method.
  • Akamai.SIEM.AttackData.HttpMessage.Path (String): HTTP message path.
  • Akamai.SIEM.AttackData.HttpMessage.Port (String): HTTP message port.
  • Akamai.SIEM.AttackData.HttpMessage.Protocol (String): HTTP message protocol.
  • Akamai.SIEM.AttackData.HttpMessage.Query (String): HTTP message query.
  • Akamai.SIEM.AttackData.HttpMessage.RequestHeaders (String): HTTP message request headers.
  • Akamai.SIEM.AttackData.HttpMessage.RequestID (String): HTTP message request ID.
  • Akamai.SIEM.AttackData.HttpMessage.ResponseHeaders (String): HTTP message response headers.
  • Akamai.SIEM.AttackData.HttpMessage.Start (Date): HTTP message epoch start time.
  • Akamai.SIEM.AttackData.HttpMessage.Status (Number): HTTP message status code.
  • IP.Address (String): IP address.
  • IP.ASN (String): The autonomous system name for the IP address, for example: "AS8948".
  • IP.Geo.Country (String): The country in which the IP address is located.
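
Turning a raw event of the form shown under Fetch Incidents into the incident record and the context paths listed above, as an added Python example (not the integration's code). It assumes that multi-valued attackData fields arrive as ';'-separated strings, that the incident's occurred time is httpMessage.start rendered in UTC, and the function names are its own:

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List
# Constructed sample event, modelled on the raw event format shown in Fetch Incidents.
SAMPLE_EVENT: Dict[str, Any] = {
    "type": "akamai_siem", "format": "json", "version": "1.0",
    "attackData": {"configId": "50170", "policyId": "1234_89452", "clientIP": "8.8.8.8",
                   "rules": "642118;642119", "ruleActions": "alert;deny",
                   "ruleMessages": "Custom_RegEX_Rule;No Accept Header AND No User Agent Header",
                   "ruleTags": "example;No-AH-UA"},
    "httpMessage": {"requestId": "3fbce3e", "start": "1576002507", "protocol": "HTTP/1.1",
                    "method": "HEAD", "host": "google.com", "port": "80", "path": "index",
                    "requestHeaders": "Test", "status": "403", "bytes": "0",
                    "responseHeaders": "Server"},
    "geo": {"continent": "NA", "country": "US", "city": "LOSANGELES", "regionCode": "CA", "asn": "5650"},
}

def split_field(value: str) -> List[str]:
    """Assumption: multi-valued attackData fields are ';'-separated strings."""
    return [part for part in value.split(";") if part] if value else []

def capitalize_keys(obj: Dict[str, Any]) -> Dict[str, Any]:
    """geo/httpMessage keys become context keys by upper-casing the first letter (asn -> Asn)."""
    return {key[0].upper() + key[1:]: value for key, value in obj.items()}

def epoch_to_iso(epoch: str) -> str:
    """Render httpMessage.start (Unix seconds, UTC) as the incident's 'occurred' timestamp."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def event_to_incident(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the fetch-incidents record: name from configId, occurred from start."""
    return {"name": f"Akamai SIEM: {event['attackData']['configId']}",
            "occurred": epoch_to_iso(event["httpMessage"]["start"]),
            "rawJSON": json.dumps(event)}  # serialised copy of the raw event

def events_to_context(events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Map raw events onto the Akamai.SIEM and IP context paths listed above."""
    siem, ips = [], []
    for event in events:
        attack, geo = event["attackData"], event["geo"]
        attack_data = {"ClientIP": attack["clientIP"], "ConfigID": attack["configId"],
                       "PolicyID": attack["policyId"]}
        for key in ("rules", "ruleActions", "ruleMessages", "ruleTags"):
            attack_data[key[0].upper() + key[1:]] = split_field(attack[key])  # lists in context
        siem.append({"AttackData": attack_data, "Geo": capitalize_keys(geo),
                     "HttpMessage": capitalize_keys(event["httpMessage"])})
        ips.append({"Address": attack["clientIP"], "ASN": geo["asn"],
                    "Geo": {"Country": geo["country"]}})
    return {"Akamai": {"SIEM": siem}, "IP": ips}
```
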

Command Example

!akamai-siem-get-events config_ids="50170" period="3 hours"

Context Example
{
  "Akamai": {
    "SIEM": [
        {
            "AttackData": {
                "ClientIP": "8.8.8.8",
                "ConfigID": "50170",
                "PolicyID": "1234_89452",
                "RuleActions": [
                    "alert",
                    "deny"
                ],
                "RuleMessages": [
                    "Custom_RegEX_Rule",
                    "No Accept Header AND No User Agent Header"
                ],
                "RuleTags": [
                    "example",
                    "No-AH-UA"
                ],
                "Rules": [
                    "642118",
                    "642119"
                ]
            },
            "Geo": {
                "Asn": "16509",
                "City": "FRANKFURT",
                "Continent": "EU",
                "Country": "DE",
                "RegionCode": "HE"
            },
            "HttpMessage": {
                "Bytes": "296",
                "Host": "wordpress.demisto.ninja",
                "Method": "POST",
                "Path": "/wp-cron.php",
                "Port": "80",
                "Protocol": "HTTP/1.1",
                "RequestHeaders": "Host",
                "RequestId": "87bb604",
                "ResponseHeaders": "Server",
                "Start": "1576746102",
                "Status": "403"
            }
        },
        {
            "AttackData": {
                "ClientIP": "8.8.8.8",
                "ConfigID": "50170",
                "PolicyID": "1234_89452",
                "RuleActions": [
                    "alert",
                    "deny"
                ],
                "RuleMessages": [
                    "Custom_RegEX_Rule",
                    "No Accept Header AND No User Agent Header"
                ],
                "RuleTags": [
                    "example",
                    "No-AH-UA"
                ],
                "Rules": [
                    "642118",
                    "642119"
                ]
            },
            "Geo": {
                "Asn": "16509",
                "City": "FRANKFURT",
                "Continent": "EU",
                "Country": "DE",
                "RegionCode": "HE"
            },
            "HttpMessage": {
                "Bytes": "296",
                "Host": "wordpress.demisto.ninja",
                "Method": "POST",
                "Path": "/wp-cron.php",
                "Port": "80",
                "Protocol": "HTTP/1.1",
                "RequestHeaders": "Header",
                "RequestId": "32e63ee2",
                "ResponseHeaders": "Server",
                "Start": "1576746179",
                "Status": "403"
            }
        }
    ]
  },
  "IP": [
    {
      "ASN": "5650",
      "Address": "8.8.8.8",
      "Geo": {
        "Country": "US"
      }
    },
    {
      "ASN": "5650",
      "Address": "8.8.8.8",
      "Geo": {
        "Country": "US"
      }
    }
  ]
}

Akamai SIEM - Attacks list

  • Attacking IP: 3.124.101.138
    • Config ID: 50170
    • Date occurred: 2019-12-19T09:00:42Z
    • Location: Country: DE, City: FRANKFURT
    • Policy ID: 1234_89452
    • Rule actions: alert, deny
    • Rule messages: Custom_RegEX_Rule, No Accept Header AND No User Agent Header
    • Rules: 642118, 642119
  • Attacking IP: 3.124.101.138
    • Config ID: 50170
    • Date occurred: 2019-12-19T09:01:42Z
    • Location: Country: DE, City: FRANKFURT
    • Policy ID: 1234_89452
    • Rule actions: alert, deny
    • Rule messages: Custom_RegEX_Rule, No Accept Header AND No User Agent Header
    • Rules: 642118, 642119