-
Notifications
You must be signed in to change notification settings - Fork 431
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'upstream/master' into update-geoip
- Loading branch information
Showing
59 changed files
with
7,008 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
dependencies: | ||
ecs: | ||
reference: [email protected] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# Akamai Integration | ||
|
||
The Akamai integration collects events from the Akamai API, specifically reading from the [Akamai SIEM API](https://techdocs.akamai.com/siem-integration/reference/api). | ||
|
||
## Logs | ||
|
||
### SIEM | ||
|
||
The Security Information and Event Management API allows you to capture security events generated on the Akamai platform in your SIEM application. | ||
|
||
Use this API to get security event data generated on the Akamai platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly. | ||
|
||
See https://techdocs.akamai.com/siem-integration/reference/api-get-started to setup your Akamai account and obtain your credentials | ||
|
||
{{fields "siem"}} | ||
|
||
{{event "siem"}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
version: '2.3' | ||
services: | ||
akamai: | ||
image: docker.elastic.co/observability/stream:v0.6.1 | ||
ports: | ||
- 8080 | ||
volumes: | ||
- ./files:/files:ro | ||
environment: | ||
PORT: 8080 | ||
command: | ||
- http-server | ||
- --addr=:8080 | ||
- --config=/files/config.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
rules: | ||
- path: /siem/v1/configs/aaaa | ||
methods: ["GET"] | ||
request_headers: | ||
authorization: ["EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=\\d{8}T(\\d{2}:){2}\\d{2}\\+0000;nonce=[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12};signature=.*"] | ||
query_params: | ||
offset: "abcd" | ||
responses: | ||
- status_code: 200 | ||
body: |- | ||
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c091","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} | ||
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f331","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} | ||
- path: /siem/v1/configs/aaaa | ||
methods: ["GET"] | ||
request_headers: | ||
authorization: ["EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=\\d{8}T(\\d{2}:){2}\\d{2}\\+0000;nonce=[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12};signature=.*"] | ||
query_params: | ||
to: "{to:.*}" | ||
from: "{from:.*}" | ||
responses: | ||
- status_code: 200 | ||
body: |- | ||
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} | ||
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} | ||
{"total":3,"offset":"abcd","limit":3} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# newer versions go on top | ||
- version: "0.1.0" | ||
changes: | ||
- description: initial release | ||
type: enhancement # can be one of: enhancement, bugfix, breaking-change | ||
link: https:/elastic/integrations/pull/1643 |
3 changes: 3 additions & 0 deletions
3
packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} | ||
{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} | ||
{"total":10000,"offset":"71cca;3phZmEdPj6YEqml0rvbdWDZGW3mCiJIwjyhkJfsLFM2gVYPgE8-N_0CiLI9gwH0_4OJ87xDQ3b-gIsx_kEBdf7aaC_AvDpG9fMxypeaCma10FKrY9VKE","limit":10000} |
5 changes: 5 additions & 0 deletions
5
packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-config.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
fields: | ||
tags: | ||
- preserve_original_event | ||
dynamic_fields: | ||
event.ingested: "^.*$" |
Oops, something went wrong.