Ingest Akamai security logs and events
Latest Dynatrace Preview
Dynatrace integration with Akamai allows users to unify and contextualize security findings across tools and products, enabling central prioritization, visualization, and automation.
Akamai products generate security events and detect suspicious network activity. Dynatrace observes the runtime entities protected by those products. Ingesting security events from Akamai products helps users analyze those logs and findings in the context of their runtime production environments.
How it works
Dynatrace integration with Akamai is an extension running on Dynatrace ActiveGate. Once you enable and configure the Dynatrace Akamai extension
-
It periodically reaches out to Akamai SIEM API and fetches the security events.
-
The raw data is ingested into Dynatrace as logs. If security event extraction is configured, detection events are ingested in addition to the logs mapped to the Dynatrace semantic conventions.
-
Data is stored as follows:
- Logs are stored in the
default_logsbucket - Security events are stored in the
default_security_custom_eventsbucket
For details, see Built-in Grail buckets.
- Logs are stored in the
Additional integrations
In addition to the extension, you have the following integration options:
Prerequisites
See below for the Akamai and Dynatrace requirements.
Akamai requirements
Create authentication credentials with the proper permissions
Dynatrace requirements
-
ActiveGate version 1.300+
-
Permissions: For a list of permissions required, go to Dynatrace Hub
, select Extensions 
, and display Technical information. -
Generate an access token with the
openpipeline.events_securityscope.
Get started
-
In Dynatrace, search for Akamai and select Install.
-
Follow the on-screen instructions to configure the extension.
-
Verify configuration by running the following queries in Notebooks:
-
For security logs:
fetch logs| filter log.source=="Akamai SIEM" -
For finding events (if you configured the extension to extract detection events):
fetch events| filter dt.system.bucket == "default_security_custom_events"| filter event.kind == "SECURITY_EVENT"AND event.provider=="Akamai"
-
-
Once the extension is installed and working, you can access and manage it in Dynatrace via the Extensions
app. For details, see Extensions 2.0 concepts.
Use cases
With the ingested data, you can accomplish various use cases, such as
- Visualize and analyze security findings
- Automate and orchestrate security findings
- Analyze network logs and detections Coming soon
Frequently asked questions (FAQ)
Which data model is used for the security logs and events coming from Akamai SIEM integration?
Which extension fields are added on top of the core fields of the events ingested from Akamai?
-
The
geonamespace maps the corresponding geolocation information of the actor detected in the log. -
The
httpnamespace maps the corresponding HTTP request fields from the monitored transaction. -
The
urlnamespace maps the corresponding web application/URL accessed as the target of the monitored transaction. -
The
akamainamespace extracts several Akamai-specific fields for user convenience on top of the original JSON content, which is stored in thelog.contentfield.
Some extracted fields from which you can benefit include:
-
akamai.config.id -
akamai.attackdata.*
Which metrics are extracted automatically with the Akamai extension?
log.akamai-siem.volumetric-activitylog.akamai-siem.deny_countlog.akamai-siem.alert_countlog.akamai-siem.monitor_countlog.akamai-siem.total-eventslog.akamai-siem.slow-posts