Akamai's Identity Cloud SIEM Integration supports two standard formats for information delivery: the Common Event Format (CEF) and the Log Event Extended Format (LEEF). Most SIEM platforms accept at least one of these formats. If yours does not, and you are still interested in SIEM Integration, contact your Akamai representative.
The Common Event Format
The Common Event Format (CEF) was developed by ArcSight as a way to standardize event logging. A CEF record is a single line made up of seven pipe-delimited header fields followed by an extension of space-separated key=value pairs. A CEF record generated by Identity Cloud SIEM Integration looks similar to this:
CEF:0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|Traditional Sign In|3|app=HTTPS cat=identity request=https://myapp.janrain.com/oauth/auth_native_traditional src=1.1.1.1 shost=host.domain.com requestClientApplication=Mozilla/5.0 (X11; Fedora; Linux x86_64) suid=2b565a0c-a863-11e7-abc4-cec278b6b50a rt=Jan 01 1979 18:00:00 spriv=user cs1=abc123abc123def456def456gh cs2=abc123abc123def456def456ghi789gh forward_headers=[{'name': 'header_name', 'value': 'header_value'}]
The fields in that record are parsed as shown in the following table:

File Data | CEF Field Name | Description
---|---|---
CEF:0 | CEF Version | Common Event Format version number used to construct the data file. Analytics programs use the CEF Version when uploading and parsing a file.
Janrain | Device Vendor | Vendor responsible for producing the CEF file.
Janrain Identity Cloud | Device Product | Product that produced the CEF file.
1.0 | Device Version | Version number of the product.
traditional_signin | Signature ID | Unique identifier for the event type. For a complete list of Akamai event types, see SIEM Event Types.
Traditional Sign In | Name | Human-readable name for the event.
3 | Severity | Importance of the event, an integer from 0 to 10 inclusive, with 0 the least important and 10 the most important. Severities are commonly grouped as follows: 0-3 = Low; 4-6 = Medium; 7-8 = High; 9-10 = Very High.
app=HTTPS | applicationProtocol | Application-level protocol associated with the event; for example, HTTP, HTTPS, Telnet, POP, or IMAP.
cat=identity | EventCategory | Category assigned to the event by the product. There is no universal standard for event categories; categories are typically product-specific.
request=https://myapp.janrain.com/oauth/ | requestURL | URL accessed at the time that the event occurred.
src=1.1.1.1 | sourceAddress | IP address of the computer where the event occurred.
shost=host.domain.com | sourceHostName | Fully qualified domain name of the computer where the event occurred.
requestClientApplication=Mozilla/5.0 (X11; Fedora; Linux x86_64) | requestClientApplication | User agent of the client application in use when the event occurred. For Janrain events, the user agent typically identifies the web browser in use when the event took place.
suid=2b565a0c-a863-11e7-abc4-cec278b6b50a | sourceUserId | UUID of the user responsible for the event.
rt=Jan 01 1979 18:00:00 | receiptTime | Date and time when the event occurred, in the format MMM DD YYYY HH:MM:SS (Month Day Year Hour:Minute:Seconds).
spriv=user | sourceUserPrivileges | Role associated with the user responsible for the event. Allowed values are:
cs1=abc123abc123def456def456gh | deviceCustomString1 | ID of the Akamai application in use when the event occurred.
cs2=abc123abc123def456def456ghi789gh | deviceCustomString2 | ID of the API client in use when the event occurred.
forward_headers=[{'name': 'header_name', 'value': 'header_value'}] | | Message header information. This is not one of the standard CEF extension keys, and its value is written as a Python-style list of name/value dictionaries (single-quoted), not as JSON, so parse it accordingly.
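As an added example (not Akamai's code), the following Python parser reads a record like the one above into a dictionary. It splits the seven pipe-delimited header fields, honours CEF's `\|` and `\=` escapes, locates extension keys only at whitespace boundaries so that values containing spaces (the user agent, the timestamp) survive intact, decodes the Python-style `forward_headers` literal with `ast.literal_eval` rather than a JSON parser, and maps the short extension keys to the long CEF names from the table. The first sample record is the one shown on this page; the second is constructed here to exercise the escaping rules, and its `Vendor`, `Prod\|uct` and `x.test` values are made up.

```python
"""Parse Identity Cloud CEF records into dictionaries.

Added example, not Akamai's code. SAMPLE_CEF is the record shown on the page;
ESCAPED_CEF is constructed to exercise CEF escaping (\\| in a header field,
\\= inside an extension value).
"""
import ast
import re

# Sample record copied from the page (one line, split only for readability).
SAMPLE_CEF = (
    "CEF:0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|Traditional Sign In|3|"
    "app=HTTPS cat=identity "
    "request=https://myapp.janrain.com/oauth/auth_native_traditional "
    "src=1.1.1.1 shost=host.domain.com "
    "requestClientApplication=Mozilla/5.0 (X11; Fedora; Linux x86_64) "
    "suid=2b565a0c-a863-11e7-abc4-cec278b6b50a rt=Jan 01 1979 18:00:00 spriv=user "
    "cs1=abc123abc123def456def456gh cs2=abc123abc123def456def456ghi789gh "
    "forward_headers=[{'name': 'header_name', 'value': 'header_value'}]"
)

# Constructed record (hypothetical vendor/product/host): escaped pipe in the
# header, escaped '=' in a URL query string.
ESCAPED_CEF = r"CEF:0|Vendor|Prod\|uct|1.0|sig_id|Some Name|7|request=https://x.test/?a\=b cat=identity"

HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Short extension keys used in the sample, mapped to the long CEF names from the table.
LONG_NAMES = {
    "app": "applicationProtocol", "cat": "EventCategory", "request": "requestURL",
    "src": "sourceAddress", "shost": "sourceHostName", "suid": "sourceUserId",
    "rt": "receiptTime", "spriv": "sourceUserPrivileges",
    "cs1": "deviceCustomString1", "cs2": "deviceCustomString2",
}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                 # a '|' not preceded by '\'
_KEY_START = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # 'key=' at start or after whitespace
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(s: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become the literal character; \\n and \\r become line breaks."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)


def parse_forward_headers(value: str):
    """Decode the Python-style (single-quoted) list literal used for forward_headers.

    ast.literal_eval evaluates literals only, so no code runs; deeply nested input
    can still exhaust the stack, hence the broad exception list. Returns the raw
    string unchanged if the value is not a list of dicts.
    """
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return value
    if isinstance(parsed, list) and all(isinstance(h, dict) for h in parsed):
        return parsed
    return value


def parse_extensions(ext: str) -> dict:
    """Parse 'key=value key=value ...' where values may contain spaces.

    Each key is found at a whitespace boundary; its value runs up to the next key.
    A bare '=' inside a value must be escaped as '\\=' per CEF, so it never starts a key.
    """
    matches = list(_KEY_START.finditer(ext))
    result = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        key = m.group(1)
        value = _unescape(ext[m.end():end].strip())
        result[key] = parse_forward_headers(value) if key == "forward_headers" else value
    return result


def parse_cef(line: str) -> dict:
    """Split one CEF line into its seven header fields plus an 'extensions' dict."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # maxsplit=7 keeps any unescaped '|' inside the extension from being treated as a header separator
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 pipe-delimited header fields followed by an extension")
    record = {name: _unescape(value) for name, value in zip(HEADER_FIELDS, parts)}
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    record["severity"] = int(record["severity"])
    record["extensions"] = parse_extensions(parts[7])
    return record


def severity_band(severity: int) -> str:
    """Group a 0-10 CEF severity into the bands listed in the table."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be an integer from 0 to 10")
    if severity <= 3:
        return "Low"
    if severity <= 6:
        return "Medium"
    if severity <= 8:
        return "High"
    return "Very High"


def with_long_names(extensions: dict) -> dict:
    """Rename short extension keys (cs1, suid, ...) to their long CEF names; unknown keys are kept."""
    return {LONG_NAMES.get(k, k): v for k, v in extensions.items()}


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_CEF)
    print(rec["signature_id"], rec["name"], severity_band(rec["severity"]))
    for k, v in with_long_names(rec["extensions"]).items():
        print(f"  {k} = {v}")
```

The header split uses a simple negative lookbehind, so an escaped backslash immediately followed by a real pipe (`\\|`) is not handled; a production parser should walk the line character by character. Note also that `ast.literal_eval` is used only because the page's sample shows a Python repr rather than JSON; if Akamai ever switches the field to JSON, `json.loads` is the safer choice.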