splunk
Akamai SIEM Integration
Splunk Cloud
Overview
Details
It’s common for companies with mature security organizations to have a Security Operations Center (SOC) that leverages security information and event management (SIEM) tools. SIEM provides a centralized view for security teams to easily access and analyze security information from a large number of sources, and prioritize mitigation efforts based on risk profiles.
SIEM Integration is a comprehensive solution for capture, retention, and delivery of security information and events in real-time to SIEM applications. Customers using Kona Site Defender, Client Reputation, Web Application, or Bot Manager (BETA) can analyze security events generated on the Akamai platform and correlate them with security events generated from other sources.
System Requirements
Akamai’s Splunk Connector requires Oracle JRE 1.8+. Download the latest from the Oracle Java site (Java Platform, Standard Edition) or install it from a software distribution package on Linux.
You must have Java installed on the host running Splunk Enterprise https://java.com/en/download/
Also, check to make sure that splunk forwarder is NOT installed on your Splunk Enterprise host machine.
Proxy server
To access the SIEM API from behind a proxy server, ensure that your proxy:
whitelists the domains *.cloudsecurity.akamaiapis.net and *.luna.akamaiapis.net
does not interfere with HTTP request headers for those domains. If, due to a strict enterprise security policy, your proxy does change these headers, make sure that at a minimum you allow and don't change the Host and Authorization headers.
Hardware Requirements
This application is has been tested with the following operating systems:
CentOS 7
Windows Server 2012 R2
Mac OS X El Capitan Version 10.11.6
Some additional hardware requirements:
4 CPU cores
16 GB RAM
2GB Free Disk Space
SIEM Integration is a comprehensive solution for capture, retention, and delivery of security information and events in real-time to SIEM applications. Customers using Kona Site Defender, Client Reputation, Web Application, or Bot Manager (BETA) can analyze security events generated on the Akamai platform and correlate them with security events generated from other sources.
System Requirements
Akamai’s Splunk Connector requires Oracle JRE 1.8+. Download the latest from the Oracle Java site (Java Platform, Standard Edition) or install it from a software distribution package on Linux.
You must have Java installed on the host running Splunk Enterprise https://java.com/en/download/
Also, check to make sure that splunk forwarder is NOT installed on your Splunk Enterprise host machine.
Proxy server
To access the SIEM API from behind a proxy server, ensure that your proxy:
whitelists the domains *.cloudsecurity.akamaiapis.net and *.luna.akamaiapis.net
does not interfere with HTTP request headers for those domains. If, due to a strict enterprise security policy, your proxy does change these headers, make sure that at a minimum you allow and don't change the Host and Authorization headers.
Hardware Requirements
This application is has been tested with the following operating systems:
CentOS 7
Windows Server 2012 R2
Mac OS X El Capitan Version 10.11.6
Some additional hardware requirements:
4 CPU cores
16 GB RAM
2GB Free Disk Space
Detailed Documentation: https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector
Installation Instructions: https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector#install-the-splunk-connector
Splunk Cloud install instructions
Option 1(Victoria & Classic):
- Install Akamai add-on on an on-prem Heavy forwarder.
- Configure the heavy forwarder to forward events to your Splunk Cloud.
Option 2(Victoria):
- Install Akamai add-on on all of your Splunk Cloud indexers.
- You may install Akamai add-on on your search heads but make sure only on one search head data input is enabled.
- You need to have Java 8 (JRE 1.8) or above installed(& added to your PATH) in your search head that you have data input enabled.
- Please make sure when you create/edit the AKAMAI SIEM API data input that you use akamaisiem as the sourcetype, as this is how the props.conf has been configured.
Release Notes
Version 1.4.20
Jan. 5, 2024
Changes include: Fix json indexing for aggregated queries.
Version 1.4.19
June 13, 2023
Changes include: Add 2 new optional fields (username & originUserId) for UserRiskData.
Version 1.4.18
May 17, 2023
Version 1.4.18
Changes include: Make splunk server cert validation optional.
Version 1.4.17
Dec. 20, 2022
Version 1.4.17
Changes include: Upgrade splunk-java-sdk to latest v1.9.3.