Collect Akamai WAF logs

Supported in:

Google secops SIEM

This document explains how to export and ingest Akamai WAF logs into Google Security Operations using Google Cloud Storage or AWS S3. The parser handles the logs, supporting both syslog and CEF formats. It extracts fields like IP addresses, URLs, HTTP methods, response codes, user agents, and security rule information, mapping them to the Unified Data Model (UDM) for consistent representation. The parser also handles specific Akamai fields like attackData and clientReputation , performing necessary data transformations and enriching the UDM output.

Before you begin

Make sure you have the following prerequisites:

Google SecOps instance
Privileged access to Google Cloud or AWS
Privileged access to Akamai

Exporting and ingest Akamai WAF logs from Cloud Storage

This section outlines the initial step in the process: setting up the necessary storage for your Akamai WAF logs.

Create a Google Cloud Storage Bucket

Sign in to the Google Cloud console.
Go to the Cloud Storage Bucketspage.

Go to Buckets
Click Create.
On the Create a bucket page, enter your bucket information. After each of the following steps, click Continueto proceed to the next step:
1. In the Get startedsection, do the following:
  - Enter a unique name that meets the bucket name requirements (for example, akamai-waf-logs ).
  - To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloadssection, and then select Enable Hierarchical namespace on this bucket.
  Note: You can't enable hierarchical namespace on an existing bucket.
  - To add a bucket label, click the expander arrow to expand the Labelssection.
  - Click Add label, and specify a key and a value for your label.
2. In the Choose where to store your datasection, do the following:
  - Select a Location type.
  - Use the location type's drop-down menu to select a Locationwhere object data within your bucket will be permanently stored.
  Note: If you select the dual-regionlocation type, you can also choose to enable turbo replicationby using the relevant checkbox.
  - To set up cross-bucket replication, expand the Set up cross-bucket replicationsection.
3. In the Choose a storage class for your datasection, either select a default storage classfor the bucket, or select Autoclassfor automatic storage class management of your bucket's data.
4. In the Choose how to control access to objectssection, select notto enforce public access prevention, and select an access control modelfor your bucket's objects.
  
  Note: If public access prevention is already enforced by your project's organization policy, the Prevent public accesscheckbox is locked.
5. In the Choose how to protect object datasection, do the following:
  - Select any of the options under Data protectionthat you want to set for your bucket.
  - To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
Click Create.

Important: Make sure that the Google SecOps Service Accountis granted Reador Read & Writepermissions for this bucket.

Configure Permissions for Cloud Storage

Go to the Create service accountpage.

Go to Create service account
Select a Google Cloudproject.
Enter a service account nameto display in the Google Cloud console.

Note: The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary. You can't change the ID later.
Click Create and continue.
Grant the roles/storage.adminon the bucket.
Click Doneto finish creating the service account.

Create and Download Google Cloud Service Account Key File

Go to the Service accountspage.

Go to Service accounts
Select a Google Cloudproject.
Click the email address of the newly created service account.
Click the Keystab.
Click the Add keymenu, then select Create new key.
Select JSONas the Key type and click Create.
- Clicking Createdownloads a service account key file. After you download the key file, you can't download it again.
- The downloaded key has the following format, where PRIVATE_KEY is the private portion of the public-private key pair.

Configure Akamai WAF to send logs to Cloud Storage

Sign in to the Akamai Control Center.
Go to the Securitysection.
Select Logs.
Configure a new Log Delivery:
- Log Source:Select your WAF configuration.
- Destination:Select Google Cloud Storage.
- Display name: Enter a unique name description.
- Bucket:Specify the name of the Cloud Storage bucket you created (for example, gs://akamai-waf-logs ).
- Project ID:Enter the unique ID of your Google Cloud project.
- Service Account Name: Enter the name of the service account you created earlier.
- Private Key:Enter the private_keyvalue from the JSON key you generated and downloaded earlier. (You should enter your private key in the in the PEM format with break (\n) symbols, for example -----BEGIN PRIVATE KEY-----\nprivate_key\n-----END PRIVATE KEY-----\n )
- Log Format:Choose the log format you want (for example, JSON).
- Push Frequency:Select the frequency you want for log delivery (for example, every 60 seconds ).
Click Validate & Saveto validate the connection to the destination, and save the details you provided.

Note: As part of the validation process, the system uses the provided access key identifier and secret to create a verification file in your Cloud Storagebucket, with a timestamp in the filename in the Akamai_access_verification_[TimeStamp].txt format. You can only see this file if the validation process is successful, and you have access to the Google Cloud Storage bucket that you are trying to send logs to.
Click Nextto go to the Summarytab.

Set up feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Akamai WAF Logs).
Select Google Cloud Storageas the Source type.
Select Akamai WAFas the Log type.
Click Get Service Accountas the Chronicle Service Account.
Click Next.
Specify values for the following input parameters:
- Storage Bucket URI: Google Cloud storage bucket URL (for example, gs://akamai-waf-logs ).
- URI Is A: Select Directory which includes subdirectories.
- Source deletion options: Select deletion option according to your preference.
Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Export and ingest Akamai WAF logs from AWS S3

This section explains the initial steps of setting up your Amazon S3 bucket to receive and store Akamai WAF logs.

Configure Amazon S3 bucket

Create Amazon S3 bucketfollowing this user guide: Creating a bucket .
Save bucket Nameand Regionfor future reference.
Create a Userfollowing this user guide: Creating an IAM user .
Select the created User.
Select Security credentialstab.
Click Create Access Keyin section Access Keys.
Select Third-party serviceas Use case.
Click Next.
Optional: Add description tag.
Click Create access key.
Click Download CSV filefor save the Access Keyand Secret Access Keyfor future reference.
Click Done.
Select Permissionstab.
Click Add permissionsin section Permissions policies.
Select Add permissions.
Select Attach policies directly.
Search for AmazonS3FullAccesspolicy.
Select the policy.
Click Next.
Click Add permissions.

Configure Akamai WAF to send logs to Amazon S3

Sign in to the Akamai Control Center.
Go to the Securitysection.
Select Logs.
Configure a new Log Delivery:
- Log Source:Select your WAF configuration.
- Destination:Choose Amazon S3.
- S3 Bucket:Specify the name of the S3 bucket you created.
- Region:Select the AWS region where your S3 bucket is located.
- Access Key ID and Secret Access Key:Provide the credentials you generated.
- Log Format:Choose the log format you want (for example, JSON).
- Delivery Frequency:Select the frequency you want for log delivery (for example, every 5 minutes).
  
  Note: For continuous delivery, choose the most frequent option available.
Verify log delivery:
- After configuring LDS, monitor the S3 bucket for incoming log files.

Set up feeds from SIEM Settings > Feeds using AWS S3

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Akamai WAF Logs).
Select Amazon S3as the Source type.
Select Akamai WAFas the Log type.
Click Next.
Specify values for the following input parameters:
- Region: the region where the Amazon S3 bucket is located.
- S3 URI: the bucket URI. s3:/BUCKET_NAME Replace the following:
  - BUCKET_NAME : the name of the bucket.
- URI is a: select URI TYPE according to log stream configuration: Single file| Directory| Directory which includes subdirectories.
- Source deletion options: select deletion option according to your preference.
Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
- Access Key ID: the User access key with access to the s3 bucket.
- Secret Access Key: the User secret key with access to the s3 bucket.
Click Next.
Review your new feed configuration in the Finalizescreen, and then click Submit.

UDM mapping table

Log Field (Ascending)	UDM Mapping	Logic
`attackData.clientIP`	`principal.ip` , `principal.asset.ip`	IP address of the client initiating the request. Extracted from `attackData.clientIP` field in the akamai_siem logs.
`attackData.configId`	`metadata.product_log_id`	Security configuration ID. Extracted from `attackData.configId` field in the akamai_siem logs. Also added as a detection_field in security_result object.
`attackData.policyId`	N/A	Used in parser logic to populate `security_result.summary` with the value `PolicyId:[value]` .
`attackData.ruleActions`	`security_result.action` , `security_result.action_details`	Actions taken based on the triggered rule. Extracted from `attackData.ruleActions` field in the akamai_siem logs. "deny" is mapped to BLOCK, other values ("alert", "monitor", "allow", "tarpit") are mapped to ALLOW. The original value is also stored in `action_details` .
`attackData.ruleData`	`security_result.detection_fields`	Data associated with the triggered rule. Extracted from `attackData.ruleData` field in the akamai_siem logs. Added to `security_result.detection_fields` with key "RuleData".
`attackData.ruleMessages`	`security_result.threat_name`	Messages associated with the triggered rule. Extracted from `attackData.ruleMessages` field in the akamai_siem logs.
`attackData.ruleSelectors`	`security_result.detection_fields`	Selectors associated with the triggered rule. Extracted from `attackData.ruleSelectors` field in the akamai_siem logs. Added to `security_result.detection_fields` with key "RuleSelector".
`attackData.ruleTags`	`security_result.category_details`	Tags associated with the triggered rule. Extracted from `attackData.ruleTags` field in the akamai_siem logs.
`attackData.ruleVersions`	`security_result.detection_fields`	Versions of the triggered rules. Extracted from `attackData.ruleVersions` field in the akamai_siem logs. Added to `security_result.detection_fields` with key "Rule Version".
`clientReputation`	`principal.labels`	Client reputation information. Extracted from `clientReputation` field in the akamai_siem logs. Added as a label to the principal with key "reputation".
`cliIP` , `cli_ip` , `principal_ip`	`principal.ip` , `principal.asset.ip`	Client IP address. Extracted from `cliIP` or `cli_ip` or `principal_ip` depending on the log format.
`cp`	`additional.fields`	CP Code. Extracted from `cp` field. Added to `additional.fields` with key "cp".
`eventId`	`metadata.product_log_id`	Event ID. Extracted from `eventId` field.
`eventTime` , `log_date`	`metadata.event_timestamp`	Event timestamp. Extracted from `eventTime` or parsed from `log_date` depending on the log format.
`eventType.eventDefinition.eventDefinitionId`	`target.resource.product_object_id`	Event definition ID. Extracted from `eventType.eventDefinition.eventDefinitionId` .
`eventType.eventDefinition.eventDescription`	`metadata.description`	Event description. Extracted from `eventType.eventDefinition.eventDescription` .
`eventType.eventDefinition.eventName`	`metadata.product_event_type`	Event name. Extracted from `eventType.eventDefinition.eventName` .
`eventType.eventTypeId`	`additional.fields`	Event type ID. Extracted from `eventType.eventTypeId` . Added to `additional.fields` with key "eventTypeId".
`eventType.eventTypeName`	`additional.fields`	Event type name. Extracted from `eventType.eventTypeName` . Added to `additional.fields` with key "eventTypeName".
`format`	N/A	Used by the parser to determine the log format.
`geo.asn`	`principal.location.name`	Autonomous System Number (ASN). Extracted from `geo.asn` or `AkamaiSiemASN` depending on the log format. The value is prefixed with "ASN ".
`geo.city`	`principal.location.city`	City. Extracted from `geo.city` or `AkamaiSiemCity` depending on the log format.
`geo.country`	`principal.location.country_or_region`	Country. Extracted from `geo.country` or `AkamaiSiemContinent` depending on the log format.
`httpMessage.bytes`	`network.sent_bytes`	Bytes sent in the HTTP message. Extracted from `httpMessage.bytes` .
`httpMessage.host`	`target.hostname` , `target.asset.hostname`	Hostname. Extracted from `httpMessage.host` or `reqHost` depending on the log format.
`httpMessage.method`	`network.http.method`	HTTP method. Extracted from `httpMessage.method` or `network_http_method` or `reqMethod` depending on the log format. Converted to uppercase.
`httpMessage.path`	`target.url`	Request path. Extracted from `httpMessage.path` or `target_url` or `reqPath` depending on the log format. If `httpMessage.query` is present, it's appended to the path with a "?" separator.
`httpMessage.port`	`target.port`	Port. Extracted from `httpMessage.port` or `reqPort` depending on the log format.
`httpMessage.protocol`	N/A	Used by the parser to determine the protocol.
`httpMessage.query`	N/A	Used in parser logic to append to `httpMessage.path` if present.
`httpMessage.requestId`	`network.session_id`	Request ID. Extracted from `httpMessage.requestId` or `reqId` depending on the log format.
`httpMessage.requestHeaders` , `AkamaiSiemRequestHeaders`	`additional.fields`	Request headers. Extracted from `httpMessage.requestHeaders` or `AkamaiSiemRequestHeaders` depending on the log format. Added to `additional.fields` with key "AkamaiSiemRequestHeaders".
`httpMessage.responseHeaders` , `AkamaiSiemResponseHeaders`	`additional.fields`	Response headers. Extracted from `httpMessage.responseHeaders` or `AkamaiSiemResponseHeaders` depending on the log format. Added to `additional.fields` with key "AkamaiSiemResponseHeaders".
`httpMessage.status` , `AkamaiSiemResponseStatus` , `network_http_response_code` , `statusCode`	`network.http.response_code`	HTTP response code. Extracted from `httpMessage.status` or `AkamaiSiemResponseStatus` or `network_http_response_code` or `statusCode` depending on the log format.
`httpMessage.tls` , `AkamaiSiemTLSVersion` , `tlsVersion`	`network.tls.version`	TLS version. Extracted from `httpMessage.tls` or `AkamaiSiemTLSVersion` or `tlsVersion` depending on the log format.
`httpMessage.useragent` , `network_http_user_agent` , `UA` , `useragent`	`network.http.user_agent`	User agent. Extracted from `httpMessage.useragent` or `network_http_user_agent` or `UA` or `useragent` depending on the log format.
`log_description`	`metadata.description`	Log description. Extracted from `log_description` .
`log_rule`	`security_result.rule_name`	Log rule. Extracted from `log_rule` .
`message`	N/A	The raw log message. Used by the parser for various extractions.
`network_http_referral_url`	`network.http.referral_url`	HTTP referral URL. Extracted from `network_http_referral_url` .
`proto`	N/A	Used in parser logic to populate `security_result.summary` if `attackData.policyId` is not present.
`reqHost`	`target.hostname` , `target.asset.hostname`	Request host. Extracted from `reqHost` .
`reqId`	`metadata.product_log_id` , `network.session_id`	Request ID. Extracted from `reqId` .
`reqMethod`	`network.http.method`	Request method. Extracted from `reqMethod` .
`reqPath`	`target.url`	Request path. Extracted from `reqPath` .
`reqPort`	`target.port`	Request port. Extracted from `reqPort` .
`rspContentType`	`target.file.mime_type`	Response content type. Extracted from `rspContentType` .
`securityRules`	`security_result.rule_name` , `security_result.about.resource.attribute.labels`	Security rules. Extracted from `securityRules` . The first part is mapped to `rule_name` , and the rest are added as labels with keys "non_deny_rules" and "deny_rule_format".
`statusCode`	`network.http.response_code`	Status code. Extracted from `statusCode` .
`state`	`principal.location.state` , `target.user.personal_address.state`	State. Extracted from `state` .
`tlsVersion`	`network.tls.version`	TLS version. Extracted from `tlsVersion` .
`type`	`metadata.product_event_type`	Event type. Extracted from `type` .
`UA`	`network.http.user_agent`	User agent. Extracted from `UA` .
`version`	`metadata.product_version` , `principal.asset.software.version`	Version. Extracted from `version` .
N/A	`metadata.event_timestamp`	The event timestamp is derived from the `_ts` field in akamai_lds logs, the `httpMessage.start` field in akamai_siem logs, or the `log_date` field in other formats.
N/A	`metadata.vendor_name`	Hardcoded to "Akamai".
N/A	`metadata.product_name`	Hardcoded to "Kona".
N/A	`metadata.log_type`	Hardcoded to "AKAMAI_WAF".
N/A	`network.application_protocol`	Set to "HTTP" for akamai_siem and akamai_lds logs, or "DNS" for other formats.
N/A	`security_result.severity`	Set to MEDIUM for "alert" action, CRITICAL for "deny" action, and HIGH for other actions.
N/A	`event.idm.read_only_udm.metadata.event_type`	Set to "NETWORK_HTTP" for most log formats, "GENERIC_EVENT" for events with `eventId` or `eventData` fields, or "STATUS_UPDATE" for events with `cli_ip` or `p_ip` but no `reqHost` .

Need more help? Get answers from Community members and Google SecOps professionals.