Akamai App & API Protector

About the Device

App & API Protector is a single solution for web application firewall, bot mitigation, API security, and DDoS, including Layer 7 DDoS protection. Quickly identify vulnerabilities and mitigate threats across the most complicated web and API architectures. The leading attack detection solution on the market, App & API Protector is easy to implement and use, with automatic security updates and holistic visibility into traffic and attacks.

Device Information

Entity              Particulars
Vendor Name         Akamai
Product Name        App & API Protector (WAF)
Type of Device      Cloud

Collection Method

Log Type       Ingestion label   Preferred Logging Protocol - Format   Log collection method
Akamai WAF     AKAMAI_WAF        Vendor Prop API - JSON                CyberHub

Device Configuration

Pre-Requisite:

  1. Make sure that you have access to your Akamai Luna Control center (https://control.akamai.com) to configure and provision the SIEM integration

Step 1: Turn on SIEM integration

  1. Visit https://control.akamai.com/ and log in.

  2. In ​Control Center​, in WEB & DATA CENTER SECURITY, click Security Configuration.

  3. Open the security configuration (and the appropriate version of that configuration) for which you want to collect SIEM data.

  4. Click Advanced Settings and expand Data collection for SIEM Integrations.

  5. Click On to enable SIEM.

  6. Choose the security policies for which you want to export data.

    • Select All Security policies if you want to send SIEM data for events that violate any or all security policies within the security configuration.

    • Select Specific security policies if you want data regarding one or more specific security policies. Select the appropriate policies from the dropdown list.

  7. To include events generated by Bot Manager, set Include Bot Manager Events to Yes. To exclude Bot Manager events, choose No. To include Bot Manager events, you also need to switch your security configuration to use the Bot Score detection set.

  8. To include events generated by Account Protector, set Include user-risk-only events to Yes. To exclude those events, choose No. This option adds user-risk events that trigger account protection detections alone. When a request triggers both account protection and web application rules, SIEM generates a single security event that includes both. Turn this option on to get all user-risk events.

  9. If you use Account Protector and want to include the unencrypted Username, set Include username to Yes. To exclude the username, choose No. When you include username, anyone with access to your SIEM output can potentially see this value and its associated risk score.

  10. Skip the SIEM Event Version field for now.

  11. Copy the value in the Web Security Configuration ID field. You’ll need this later in the configuration process.

  12. Push your security configuration changes to the production network. On the Security Configuration page, click Activate. Under Network, click Production, and then click Activate.

If you want to enable SIEM integration for additional security configurations, repeat the preceding process for each configuration before continuing to Step 2.

Step 2: Set up a user to manage SIEM

Add or assign a user to manage your SIEM APIs.

  1. In ​Control Center​, under ACCOUNT ADMIN, click Identity & access.

  2. On the Users and API Clients tab, find the user you want to assign the role to or click the Create user button.

  3. To assign the SIEM role to an existing user, open the user's account and click the Edit roles tab. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Submit.

    • To assign the SIEM role to a new user, click Create user. Enter basic information for the user and scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Save.

      Note: Only the Manage SIEM role has the proper permissions: don't assign this user any other role.

    • If you want to assign the Manage SIEM role for another group, select the group and repeat the preceding process. Note that, if you have multiple groups and users in your account, you must assign a user the Manage SIEM role for each group that contains a security configuration included in your SIEM results. This must be the same person you associate with the API credentials in Step 3.

You can also use the Service Account API to create a unique user account for SIEM and only allow specific users to manage the client credentials for the service account.

Step 3: Provision SIEM API and get access tokens

  1. In Control Center, select ☰ > ACCOUNT ADMIN > Identity & access.

  2. In Users and API Clients, click Create API client.

  3. Click Quick to create an API client with access levels, group roles, and permissions identical to your current login.

  4. Click Show additional details to verify the APIs you can access.
    Enter the API service's name in the Filter field to verify that it's included and that you have the proper level of access.

  5. Click Hide additional details to return to the Details and Credentials information.

  6. Click Download in the Credentials section.

  7. The downloaded file contains the Host, Client Token, Client Secret and Access Token. Provide the Security Configuration Key along with this file to the AMxDR on-boarding team.

Integration Parameters

Property: Host
  Default Value: *.cloudsecurity.akamaiapis.net
  Description: The Host value is generated during the SIEM API provisioning in the Akamai Luna Control Center.

Property: Access Token
  Default Value: (none)
  Description: The Access Token is used to authorize API client access for retrieving the security events. This token can be found after you provision the Akamai SIEM API.

Property: Client Token
  Default Value: (none)
  Description: The Client Token is paired with the Client Secret to form the client credentials. This token can be found after you provision the Akamai SIEM API.

Property: Client Secret
  Default Value: (none)
  Description: The Client Secret is paired with the Client Token to form the client credentials. This secret can be found after you provision the Akamai SIEM API.

Property: Security Configuration ID
  Default Value: (none)
  Description: The Security Configuration ID is the ID of each security configuration that you want to retrieve security events for. This ID can be found in the SIEM Integration section of your Akamai Luna portal. You can specify multiple configuration IDs in a comma-separated list. For example: 4123,4125.
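The example below is added here and is not part of the Akamai guide or Akamai's own SDK. It shows how the four credentials downloaded in Step 3 (Host, Client Token, Client Secret, Access Token) and the Security Configuration IDs from the table above combine into the EdgeGrid Authorization header that a collector sends when pulling events from the SIEM API; all credential values, the host name and the configuration IDs are constructed placeholders, and the path is the SIEM fetch endpoint with a time window.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed placeholder credentials: real values come from the credentials
# file downloaded in Step 3 and the Web Security Configuration ID from Step 1.
CREDS = {
    "host": "akab-example.cloudsecurity.akamaiapis.net",
    "client_token": "akab-client-token-placeholder",
    "client_secret": "client-secret-placeholder",
    "access_token": "akab-access-token-placeholder",
}
CONFIG_IDS = [4123, 4125]  # several IDs are sent as one comma-separated list


def siem_path(config_ids, from_epoch, to_epoch, limit=1000):
    """Relative URL of the SIEM fetch endpoint for a time window (epoch seconds)."""
    ids = ",".join(str(c) for c in config_ids)
    query = urlencode({"from": from_epoch, "to": to_epoch, "limit": limit})
    return f"/siem/v1/configs/{ids}?{query}"


def _b64_hmac(key: bytes, msg: str) -> str:
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha256).digest()).decode()


def edgegrid_auth_header(creds, path, timestamp=None, nonce=None, method="GET"):
    """Build the EG1-HMAC-SHA256 Authorization header for a body-less GET."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H:%M:%S+0000")
    nonce = nonce or str(uuid.uuid4())
    # Everything except the signature is signed too, so tokens, timestamp and
    # nonce cannot be swapped without invalidating the header.
    auth_data = (
        f"EG1-HMAC-SHA256 client_token={creds['client_token']};"
        f"access_token={creds['access_token']};timestamp={timestamp};nonce={nonce};"
    )
    # The signing key is derived from the client secret and the timestamp, which
    # is why a captured header stops working once its timestamp ages out.
    signing_key = _b64_hmac(creds["client_secret"].encode(), timestamp)
    # Canonical request: method, scheme, host, path, signed headers (none here),
    # body hash (empty for GET), then the auth data above, tab-separated.
    data_to_sign = "\t".join([method, "https", creds["host"], path, "", "", auth_data])
    signature = _b64_hmac(signing_key.encode(), data_to_sign)
    return auth_data + "signature=" + signature


if __name__ == "__main__":
    print(edgegrid_auth_header(CREDS, siem_path(CONFIG_IDS, 1700000000, 1700003600)))
```

Send the returned string as the Authorization header of a GET to https://{host}{path}; the response body is one JSON event per line for the configurations and window requested.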

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.