Akamai Enterprise Application Access (EAA) Integration Guide
To integrate Akamai Enterprise Application Access (EAA) with Secureworks® Taegis™ XDR, you must follow Akamai’s guidance for implementing Akamai Unified Log Streamer (ULS). Akamai ULS is designed to simplify integrations with Extended Detection and Response (XDR) products, such as XDR. Once Akamai ULS has been implemented, you can configure it to send Akamai EAA events via syslog to a Taegis™ XDR Collector. Akamai EAA events are filtered and correlated in real time for various security event observations.
Follow the instructions below to integrate and enable monitoring by XDR.
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Akamai ULS | XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration
Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Akamai Enterprise Application Access (EAA) | D | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Akamai Requirements
The XDR integration with Akamai EAA requires Akamai’s Unified Log Streamer (ULS), which is available from Akamai. Follow Akamai’s documentation for implementing Akamai Unified Log Streamer (ULS).
Akamai Unified Log Streamer (ULS) Output Guidance
Upon implementing Akamai ULS, you must define a ULS OUTPUT to transmit Akamai EAA events to an XDR Collector via syslog. Use the following to define your parameters:
Akamai ULS Configuration Parameters
Shared ULS Environment Parameters
Input Parameters
- ULS_INPUT = EAA
- ULS_FORMAT = JSON
Output Parameters
- ULS_OUTPUT = TCP
- ULS_OUTPUT_HOST = XDR Collector IP
- ULS_OUTPUT_PORT = 601
Unique EAA Access Environment Parameters
Input Parameters
- ULS_FEED = ACCESS
Output Parameters
- ULS_TCPUDP_FORMAT = '{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
Unique EAA Admin Environment Parameters
Input Parameters
- ULS_FEED = ADMIN
Output Parameters
- ULS_TCPUDP_FORMAT = '{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
Akamai EAA events are now logging to XDR via Akamai ULS.
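A pre-flight check for the feed environments above, added here as an example (not Akamai or Secureworks code): it compares an environment against the guide's parameters and renders the ULS_TCPUDP_FORMAT envelope around a constructed event to confirm the result is valid JSON. The token substitution is a simplified model of what ULS does (an assumption), and the hostname, collector IP and event fields are placeholders.

```python
import json

# Values the guide prescribes for both EAA feeds (shared parameters).
REQUIRED = {"ULS_INPUT": "EAA", "ULS_FORMAT": "JSON",
            "ULS_OUTPUT": "TCP", "ULS_OUTPUT_PORT": "601"}
# The guide's envelope, without the surrounding shell single quotes.
ENVELOPE = ('{"api_host": "{api_hostname}", '
            '"ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}')


def check_env(env):
    """Return a list of deviations from the guide's parameters."""
    problems = [f"{k} should be {v!r}, got {env.get(k)!r}"
                for k, v in REQUIRED.items() if env.get(k) != v]
    if env.get("ULS_FEED") not in ("ACCESS", "ADMIN"):
        problems.append("ULS_FEED must be ACCESS or ADMIN")
    if not env.get("ULS_OUTPUT_HOST"):
        problems.append("ULS_OUTPUT_HOST (XDR Collector IP) is not set")
    if env.get("ULS_TCPUDP_FORMAT") != ENVELOPE:
        problems.append("ULS_TCPUDP_FORMAT differs from the guide's envelope")
    return problems


def render(env, api_hostname, raw_event):
    """Assumed model of the substitution: named tokens first, then %s."""
    line = (env["ULS_TCPUDP_FORMAT"]
            .replace("{api_hostname}", api_hostname)
            .replace("{uls_input}", env["ULS_INPUT"])
            .replace("{uls_feed}", env["ULS_FEED"]))
    # %s is replaced by the event exactly as the feed delivers it, so a
    # non-JSON event would leave the envelope unparseable.
    return line.replace("%s", raw_event, 1)


# Constructed sample values: 192.0.2.10 and the event fields are placeholders.
ACCESS_ENV = dict(REQUIRED, ULS_FEED="ACCESS", ULS_OUTPUT_HOST="192.0.2.10",
                  ULS_TCPUDP_FORMAT=ENVELOPE)
SAMPLE_EVENT = '{"username": "alice", "status_code": "200"}'

if __name__ == "__main__":
    print(check_env(ACCESS_ENV) or "parameters match the guide")
    parsed = json.loads(render(ACCESS_ENV, "api.example.invalid", SAMPLE_EVENT))
    print(parsed["ulsfeed"], parsed["event"])
```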
Example Query Language Searches
To search for `auth` events from the last 24 hours:
`FROM auth WHERE sensor_type = 'Akamai EAA' and EARLIEST=-24h`
To search for `http` events from the last 24 hours:
`FROM http WHERE sensor_type = 'Akamai EAA' and EARLIEST=-24h`