Collect Akamai WAF logs

Supported in:

Overview

This parser handles Akamai Web Application Firewall (WAF) logs, supporting both syslog and CEF formats. It extracts fields like IP addresses, URLs, HTTP methods, response codes, user agents, and security rule information, mapping them to the UDM for consistent representation. The parser also handles specific Akamai fields like attackData and clientReputation, performing necessary data transformations and enriching the UDM output.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to AWS IAM and S3.
  • Ensure that you have privileged access to Akamai.

Configure Amazon S3 bucket

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for future reference.
  3. Create a User following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download .csv file. (Save Access Key and Secret Access Key for future reference).
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for the AmazonS3FullAccess policy.
  18. Select the policy.
  19. Click Next.
  20. Click Add permissions.

Configure Akamai WAF to send logs to Amazon S3

  1. Sign in to the Akamai Control Center.
  2. Go to the Security section.
  3. Select Logs.

  4. Configure a new Log Delivery:

    • Log Source: Select your WAF configuration.
    • Delivery Target: Choose Amazon S3.
    • S3 Bucket: Specify the name of the S3 bucket you created.
    • Region: Select the AWS region where your S3 bucket is located.
    • Access Key ID and Secret Access Key: Provide the credentials you generated.
    • Log Format: Choose the relevant log format (for example, JSON).
    • Delivery Frequency: Select the appropriate frequency for log delivery (for example, every 5 minutes).

  5. Verify log delivery:

    • After configuring LDS, monitor the S3 bucket for incoming log files.

Configure a feed in Google SecOps to ingest Akamai WAF logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Akamai WAF Logs).
  4. Select Amazon S3 as the Source type.
  5. Select Akamai WAF as the Log type.
  6. Click Next.

  7. Specify values for the following input parameters:

    • Region: the region where the Amazon S3 bucket is located.
    • S3 URI: the bucket URI. s3:/BUCKET_NAME Replace the following:
      • BUCKET_NAME: the name of the bucket.
    • URI is a: select URI TYPE according to the log stream configuration: Single file | Directory | Directory which includes subdirectories.
    • Source deletion options: select the deletion option according to your preference.
    • Access Key ID: the User access key with access to the s3 bucket.
    • Secret Access Key: the User secret key with access to the s3 bucket.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.

  8. Click Next.

  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field (Ascending) UDM Mapping Logic
attackData.clientIP principal.ip, principal.asset.ip IP address of the client initiating the request. Extracted from attackData.clientIP field in the akamai_siem logs.
attackData.configId metadata.product_log_id Security configuration ID. Extracted from attackData.configId field in the akamai_siem logs. Also added as a detection_field in security_result object.
attackData.policyId N/A Used in parser logic to populate security_result.summary with the value "PolicyId:[value]".
attackData.ruleActions security_result.action, security_result.action_details Actions taken based on the triggered rule. Extracted from attackData.ruleActions field in the akamai_siem logs. "deny" is mapped to BLOCK, other values ("alert", "monitor", "allow", "tarpit") are mapped to ALLOW. The original value is also stored in action_details.
attackData.ruleData security_result.detection_fields Data associated with the triggered rule. Extracted from attackData.ruleData field in the akamai_siem logs. Added to security_result.detection_fields with key "RuleData".
attackData.ruleMessages security_result.threat_name Messages associated with the triggered rule. Extracted from attackData.ruleMessages field in the akamai_siem logs.
attackData.ruleSelectors security_result.detection_fields Selectors associated with the triggered rule. Extracted from attackData.ruleSelectors field in the akamai_siem logs. Added to security_result.detection_fields with key "RuleSelector".
attackData.ruleTags security_result.category_details Tags associated with the triggered rule. Extracted from attackData.ruleTags field in the akamai_siem logs.
attackData.ruleVersions security_result.detection_fields Versions of the triggered rules. Extracted from attackData.ruleVersions field in the akamai_siem logs. Added to security_result.detection_fields with key "Rule Version".
clientReputation principal.labels Client reputation information. Extracted from clientReputation field in the akamai_siem logs. Added as a label to the principal with key "reputation".
cliIP, cli_ip, principal_ip principal.ip, principal.asset.ip Client IP address. Extracted from cliIP or cli_ip or principal_ip depending on the log format.
cp additional.fields CP Code. Extracted from cp field. Added to additional.fields with key "cp".
eventId metadata.product_log_id Event ID. Extracted from eventId field.
eventTime, log_date metadata.event_timestamp Event timestamp. Extracted from eventTime or parsed from log_date depending on the log format.
eventType.eventDefinition.eventDefinitionId target.resource.product_object_id Event definition ID. Extracted from eventType.eventDefinition.eventDefinitionId.
eventType.eventDefinition.eventDescription metadata.description Event description. Extracted from eventType.eventDefinition.eventDescription.
eventType.eventDefinition.eventName metadata.product_event_type Event name. Extracted from eventType.eventDefinition.eventName.
eventType.eventTypeId additional.fields Event type ID. Extracted from eventType.eventTypeId. Added to additional.fields with key "eventTypeId".
eventType.eventTypeName additional.fields Event type name. Extracted from eventType.eventTypeName. Added to additional.fields with key "eventTypeName".
format N/A Used by the parser to determine the log format.
geo.asn principal.location.name Autonomous System Number (ASN). Extracted from geo.asn or AkamaiSiemASN depending on the log format. The value is prefixed with "ASN ".
geo.city principal.location.city City. Extracted from geo.city or AkamaiSiemCity depending on the log format.
geo.country principal.location.country_or_region Country. Extracted from geo.country or AkamaiSiemContinent depending on the log format.
httpMessage.bytes network.sent_bytes Bytes sent in the HTTP message. Extracted from httpMessage.bytes.
httpMessage.host target.hostname, target.asset.hostname Hostname. Extracted from httpMessage.host or reqHost depending on the log format.
httpMessage.method network.http.method HTTP method. Extracted from httpMessage.method or network_http_method or reqMethod depending on the log format. Converted to uppercase.
httpMessage.path target.url Request path. Extracted from httpMessage.path or target_url or reqPath depending on the log format. If httpMessage.query is present, it's appended to the path with a "?" separator.
httpMessage.port target.port Port. Extracted from httpMessage.port or reqPort depending on the log format.
httpMessage.protocol N/A Used by the parser to determine the protocol.
httpMessage.query N/A Used in parser logic to append to httpMessage.path if present.
httpMessage.requestId network.session_id Request ID. Extracted from httpMessage.requestId or reqId depending on the log format.
httpMessage.requestHeaders, AkamaiSiemRequestHeaders additional.fields Request headers. Extracted from httpMessage.requestHeaders or AkamaiSiemRequestHeaders depending on the log format. Added to additional.fields with key "AkamaiSiemRequestHeaders".
httpMessage.responseHeaders, AkamaiSiemResponseHeaders additional.fields Response headers. Extracted from httpMessage.responseHeaders or AkamaiSiemResponseHeaders depending on the log format. Added to additional.fields with key "AkamaiSiemResponseHeaders".
httpMessage.status, AkamaiSiemResponseStatus, network_http_response_code, statusCode network.http.response_code HTTP response code. Extracted from httpMessage.status or AkamaiSiemResponseStatus or network_http_response_code or statusCode depending on the log format.
httpMessage.tls, AkamaiSiemTLSVersion, tlsVersion network.tls.version TLS version. Extracted from httpMessage.tls or AkamaiSiemTLSVersion or tlsVersion depending on the log format.
httpMessage.useragent, network_http_user_agent, UA, useragent network.http.user_agent User agent. Extracted from httpMessage.useragent or network_http_user_agent or UA or useragent depending on the log format.
log_description metadata.description Log description. Extracted from log_description.
log_rule security_result.rule_name Log rule. Extracted from log_rule.
message N/A The raw log message. Used by the parser for various extractions.
network_http_referral_url network.http.referral_url HTTP referral URL. Extracted from network_http_referral_url.
proto N/A Used in parser logic to populate security_result.summary if attackData.policyId is not present.
reqHost target.hostname, target.asset.hostname Request host. Extracted from reqHost.
reqId metadata.product_log_id, network.session_id Request ID. Extracted from reqId.
reqMethod network.http.method Request method. Extracted from reqMethod.
reqPath target.url Request path. Extracted from reqPath.
reqPort target.port Request port. Extracted from reqPort.
rspContentType target.file.mime_type Response content type. Extracted from rspContentType.
securityRules security_result.rule_name, security_result.about.resource.attribute.labels Security rules. Extracted from securityRules. The first part is mapped to rule_name, and the rest are added as labels with keys "non_deny_rules" and "deny_rule_format".
statusCode network.http.response_code Status code. Extracted from statusCode.
state principal.location.state, target.user.personal_address.state State. Extracted from state.
tlsVersion network.tls.version TLS version. Extracted from tlsVersion.
type metadata.product_event_type Event type. Extracted from type.
UA network.http.user_agent User agent. Extracted from UA.
version metadata.product_version, principal.asset.software.version Version. Extracted from version.
N/A metadata.event_timestamp The event timestamp is derived from the _ts field in akamai_lds logs, the httpMessage.start field in akamai_siem logs, or the log_date field in other formats.
N/A metadata.vendor_name Hardcoded to "Akamai".
N/A metadata.product_name Hardcoded to "Kona".
N/A metadata.log_type Hardcoded to "AKAMAI_WAF".
N/A network.application_protocol Set to "HTTP" for akamai_siem and akamai_lds logs, or "DNS" for other formats.
N/A security_result.severity Set to MEDIUM for "alert" action, CRITICAL for "deny" action, and HIGH for other actions.
N/A event.idm.read_only_udm.metadata.event_type Set to "NETWORK_HTTP" for most log formats, "GENERIC_EVENT" for events with eventId or eventData fields, or "STATUS_UPDATE" for events with cli_ip or p_ip but no reqHost.

Changes

2024-05-21

  • Enhancement
  • Mapped "rules.data" to "security_result.detection_fields".
  • Mapped "rules.action", "rules.selector", and "rules.version" to "security_result.action_details".
  • Mapped "rules.id" to "security_result.rule_id",
  • Mapped "rules.tag" to "security_result.category_details".
  • Mapped "rules.message" to "security_result.threat_name".

2024-03-01

  • Enhancement
  • Mapped "attackData.configId" to "metadata.product_log_id" and "security_result.detection_fields".

2023-10-27

  • Enhancement
  • Mapped "rule.id" to "security_result.rule_id".
  • When "httpMessage.host" is not present, changed value set in "metadata.event_type" from "NETWORK_HTTP" to "GENERIC_EVENT".
  • Added support to parse "attackData" when "attackData.rules" is an array.

2023-04-24

  • Enhancement
  • Parsed logs ingested in CEF format.

2023-04-04

  • Enhancement
  • Mapped 'reqHost' to 'target.hostname'.
  • Mapped 'reqPort' to 'target.port'.
  • Mapped 'reqPath' to 'target.url'.
  • Mapped 'reqId' to 'network.session_id'.
  • Mapped 'statusCode' to 'network.http.response_code'.
  • Mapped 'reqMethod' to 'network.http.method'.
  • Mapped 'UA' to 'network.http.user_agent'.
  • Mapped 'bytes' to 'network.sent_bytes'.
  • Mapped 'reqMethod' to 'network.http.method'.
  • Parsed failing logs in syslog format.
  • Added condition checks for 'attackData.rules' for proper parsing.
  • Modified 'metadata.event_type' to 'NETWORK_HTTP' from 'STATUS_UPDATE' wherever possible.

2022-08-12

  • Enhancement
  • Mapped "security_policy_id" to security_result.rule_name.
  • Mapped "non_deny_rules" to security_result.about.resource.attribute.labels.
  • Mapped "deny_rule_format" to security_result.about.resource.attribute.labels.

2022-11-07

  • Enhancement
  • update SecurityRules to check ["-"] also in data.

2022-06-14

  • Enhancement
  • Mapped security_rules to security_result.rule_name.
  • Mapped city to principal.location.city.
  • Mapped country to principal.location.country_or_region.
  • Mapped cli_ip to principal.ip.
  • Mapped state to target.user.personal_address.state.
  • Mapped version to metadata.product_version.
  • Mapped useragent to network.http.user_agent.

2022-06-14

  • Enhancement-
  • Mapped proto to security_result.summary.
  • Mapped securityRules to security_result.rule_name.
  • Mapped city to principal.location.city.
  • Mapped country to principal.location.country_or_region.
  • Mapped cliIP to principal.ip.
  • Mapped cp to event.idm.read_only_udm.additional.fields.
  • Mapped reqId to metadata.product_log_id.
  • Mapped rspContentType to target.file.mime_type.
  • Mapped state to target.user.personal_address.state.
  • Mapped version to principal.asset.software.version.

2022-03-23

  • Bugfix-Fix for failed to parse data with all match patterns.
  • Added mappings for new fields.
  • eventId mapped to metadata.product_log_id.
  • eventDefinitionId mapped to target.resource.product_object_id.
  • eventDescription mapped to metadata.description.
  • eventName mapped to metadata.product_event_type.
  • eventTypeName mapped to additional.fields.
  • eventTypeId mapped to additional.fields.
  • eventData mapped to additional.fields.