cef0.akamai.akamai_siem
- Juan Tomás Alonso Nieto (Unlicensed)
Introduction
The table cef0.akamai.akamai_siem identify events in CEF format generated by Akamai.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
| Tag | Data table |
|---|---|
cef0.akamai.akamai_siem | cef0.akamai.akamai_siem |
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Log samples
The following is a sample log sent to the cef0.akamai.akamai_siem table. Find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
2021-11-12 12:20:04.859 localhost=127.0.0.1 CEF: 0|Akamai|akamai_siem|1.0|detect|Activity detected|5|act=alert app=HTTP/1.1 c6a2Label=Source IPv6 Address cs1=699991 cs1Label=Rules cs2=Request Missing / blank countryer-Agent and Accept Headers cs2Label=Rule Messages cs3Label=Rule Data cs4Label=Rule Selectors cs5Label=Client Reputation cs6Label=API ID devicePayloadId=80c0e9be dhost=www.host123.com dpt=443 flexString1=16500 flexString1Label=Security Config Id flexString2=UWWW_85582 flexString2Label=Firewall Policy Id out=1406 request=https://www.host123.com/xyzw.ico requestMethod=GET src=70.175.166.98 start=1615914867 AkamaiSiemRuleVersions=1 AkamaiSiemRuleTags=AKAMAI/BOT_DETECT_v1 AkamaiSiemTLSVersion=tls1.2 AkamaiSiemRequestHeaders=Host:+www.host123.com\\\\n AkamaiSiemResponseHeaders=Server:+nginx\\\\nContent-Type:+image/vnd.microsoft.icon\\\\nStrict-Transport-Security:+max-age\\\\=86400;+includeSubDomains\\\\nLast-Modified:+Sun,+07+Mar+2021+06:12:39+GMT\\\\nDate:+Tue,+16+Mar+2021+17:14:27+GMT\\\\nContent-Length:+1406\\\\nConnection:+keep-alive\\\\nSet-CoRegionie:+host123_SITE\\\\=A;+path\\\\=/;+domain\\\\=.www.host123.com;+secure\\\\nServer-Timing:+cdn-cache;+desc\\\\=HIT\\\\nServer-Timing:+edge;+dur\\\\=1\\\\nSet-CoRegionie:+akaalb_alb_www_host123\\\\=~op\\\\=WWW_host123_SITE_A:SiteA_Origin4\\\\|~rv\\\\=25~m\\\\=SiteA_Origin4:0\\\\|~os\\\\=6e40862a2abd586d46d773cd430ecffc~id\\\\=6627d20a82f3098bfff658a9cd8d7963;+path\\\\=/;+Secure;+SameSite\\\\=None\\nCache-Control:+max-age\\\\=86400,+public\\n AkamaiSiemResponseStatcountry=200 AkamaiSiemContinent=NA AkamaiSiemCountry=country AkamaiSiemCity=city123 AkamaiSiemRegion=Region AkamaiSiemASN=123456
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
priorityCode |
|
| |
cefTag |
|
| |
cefVersion |
|
| |
embDeviceVendor |
|
| |
embDeviceProduct |
|
| |
deviceVersion |
|
| |
signatureID |
|
| |
name |
|
| |
severity |
|
| |
_cefVer |
|
| |
act |
|
| |
app |
|
| |
c6a2Label |
|
| |
cs1Label |
|
| |
cs1 |
|
| |
cs2Label |
|
| |
cs2 |
|
| |
cs3Label |
|
| |
cs4Label |
|
| |
cs5Label |
|
| |
cs6Label |
|
| |
dhost |
|
| |
dpt |
|
| |
out |
|
| |
requestMethod |
|
| |
request |
|
| |
src |
|
| |
start |
|
| |
AkamaiSiemASN |
|
| |
AkamaiSiemCity |
|
| |
AkamaiSiemContinent |
|
| |
AkamaiSiemCountry |
|
| |
AkamaiSiemRegion |
|
| |
AkamaiSiemRequestHeaders |
|
| |
AkamaiSiemResponseHeaders |
|
| |
AkamaiSiemResponseStatcountry |
|
| |
AkamaiSiemRuleTags |
|
| |
AkamaiSiemRuleVersions |
|
| |
AkamaiSiemTLSVersion |
|
| |
devicePayloadId |
|
| |
flexString1 |
|
| |
flexString1Label |
|
| |
flexString2 |
|
| |
flexString2Label |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |