Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Akamai Security Events | Base Rule | General Security | Other Security |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Vendor |
| N/A | <vendorinfo> | Text/String | Device Product |
| N/A | <version> | Text/String | Device Version |
| N/A | <vmid> | Text/String | Device Event Class ID |
| N/A | <subject> | Text/String | Name |
| N/A | <severity> | Number | Severity |
| act | <action> | Text/String | appliedAction |
| app | <protname> | Text/String | httpMessage.protocol |
| c6a2 | N/A | N/A | IP v6 address of the source. Only populated if $attackData.clientIP is in IP v6 format. |
| c6a2Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | Rule IDs of rules that triggered for this request. |
| cs1Label | N/A | N/A | N/A |
| cs2 | <reason> | Text/String | Messages of rules that triggered for this request. |
| cs2Label | N/A | N/A | N/A |
| cs3 | N/A | N/A | User data of rules that triggered for this request. |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | Selectors of rules that triggered for this request. |
| cs4Label | N/A | N/A | N/A |
| cs5 | N/A | N/A | Client IP scores for Client Reputation. |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | API ID for API Protection. |
| cs6Label | N/A | N/A | N/A |
| devicePayloadId | N/A | N/A | Globally unique ID of the message. |
| dhost | <dname> | Text/String | Value of the HOST header of the incoming client request. |
| dpt | <dport> | Number | Port number used by the incoming request. Should be equal to the value of AK_IN_PORT. |
| flexString1 | N/A | N/A | ID of the Security Configuration applied to this request. |
| flexString1Label | N/A | N/A | N/A |
| flexString2 | <policy> | Text/String | ID of the Firewall Policy applied to this request. |
| flexString2Label | N/A | N/A | N/A |
| out | <bytesout> | Number | Content bytes served in the client response. |
| request | <url> | Text/String | requestURL |
| requestMethod | <command> | Text/String | HTTP method of the incoming request. |
| src | <sip> | IP Address | IP address of the client that made the request. |
| start | N/A | N/A | Time, in epoch format (and to millisecond precision), when the Edge Server initiated the connection for the message exchange being monitored. |
| AkamaiSiemSlowPostAction | N/A | N/A | Action taken if a Slow POST attack is detected: either W for Warn or A for deny (abort). |
| AkamaiSiemSlowPostRate | N/A | N/A | Recorded rate of a detected Slow POST attack. |
| AkamaiSiemRuleVersions | N/A | N/A | Base64-encoded versions of rules that triggered for this request. |
| AkamaiSiemRuleTags | N/A | N/A | Base64-encoded tags of rules that triggered for this request. |
| AkamaiSiemApiKey | N/A | N/A | API Key for API Protection. |
| AkamaiSiemTLSVersion | N/A | N/A | TLS version, if applicable. |
| AkamaiSiemRequestHeaders | N/A | N/A | All request headers collected. |
| AkamaiSiemResponseHeaders | N/A | N/A | All response headers collected. |
| AkamaiSiemResponseStatus | <responsecode> | Number | HTTP Response status sent to the client. |
| AkamaiSiemContinent | N/A | N/A | 2-letter code for the continent that the IP address maps to. |
| AkamaiSiemCountry | N/A | N/A | 2-letter ISO-3166 code for the country the IP address maps to. |
| AkamaiSiemCity | N/A | N/A | City that the IP address maps to. |
| AkamaiSiemRegion | N/A | N/A | 2-letter ISO-3166 code for the state, province, or region the IP address maps to. |
| AkamaiSiemASN | N/A | N/A | Autonomous System Number (or numbers) that the IP address belongs to. |
| AkamaiSiemUuid | N/A | N/A | Unique identifier of the user whose risk data is being provided. |
| AkamaiSiemUsername | <login> | Text/String | The unencrypted username value. |
| AkamaiSiemOriginUserId | N/A | N/A | The unencrypted Origin User Id value. |
| AkamaiSiemStatus | <status> | Text/String | Status code indicating any errors that occurred when calculating the risk score. See the User Score Status section of this page for details. |
| AkamaiSiemScore | N/A | N/A | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). |
| AkamaiSiemRisk | N/A | N/A | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. |
| AkamaiSiemTrust | N/A | N/A | Indicators that were trusted. For example, the value ugp indicates that the user's country or area is trusted. |
| AkamaiSiemGeneral | N/A | N/A | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. |
| AkamaiSiemAllow | N/A | N/A | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. |
| AkamaiAppBundleId | N/A | N/A | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. |
| AkamaiAppVersion | N/A | N/A | Version number of the app. |
| AkamaiTelemetryType | <object> | Number | Specifies the telemetry type in use. Allowed values are: 0 -- Web client (standard telemetry) |
| AkamaiBotScore | N/A | N/A | Score assigned to the request by Bot Manager. |
| AkamaiResponseSegment | N/A | N/A | Numeric response segment indicator. Segments are used to group and categorize bot scores. Allowed values are: 0 -- Human |
| AkamaiSiemCustomData | N/A | N/A | Custom base64-encoded value. The custom data size limit is 2KB. |
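As an added example (not LogRhythm's or Akamai's own parser), the following Python applies the mapping table above to one constructed Akamai SIEM CEF record: it splits the seven header fields, tokenises the extension, resolves csN/flexStringN values through their sibling Label keys, decodes the base64 fields, and renames keys to the LogRhythm schema names. The header values, the label names (ruleIds, ruleMessages, policyId) and every field value in SAMPLE are constructed and are not taken from real Akamai output.

```python
import base64
import re

# CEF extension key -> LogRhythm schema field, as listed in the mapping table above.
CEF_TO_LOGRHYTHM = {
    "act": "action", "app": "protname", "cs2": "reason", "dhost": "dname", "dpt": "dport",
    "flexString2": "policy", "out": "bytesout", "request": "url", "requestMethod": "command",
    "src": "sip", "AkamaiSiemResponseStatus": "responsecode", "AkamaiSiemUsername": "login",
    "AkamaiSiemStatus": "status", "AkamaiTelemetryType": "object",
}
# The seven CEF header fields, named after the first rows of the table.
HEADER_FIELDS = ["cefversion", "vendor", "vendorinfo", "version", "vmid", "subject", "severity"]
BASE64_KEYS = {"AkamaiSiemRuleVersions", "AkamaiSiemRuleTags", "AkamaiSiemCustomData"}
NUMERIC_FIELDS = {"severity", "dport", "bytesout", "responsecode", "object"}
# A key starts the extension or follows a space, ends in '=' and does not end in a
# backslash, so an escaped '\=' inside a value is never taken for a new key.
KEY_RE = re.compile(r"(?:^| )([^\s=\\]+)=")


def parse_cef(line: str) -> dict:
    """Parse one Akamai SIEM CEF record into a dict keyed by LogRhythm field names."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # header split on unescaped '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields = dict(zip(HEADER_FIELDS, parts[:7]))
    ext, raw = parts[7], {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):  # a value runs up to the next key boundary
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    for key, value in raw.items():
        if key.endswith("Label"):  # csNLabel only names its sibling csN; resolved below
            continue
        if key in BASE64_KEYS:
            value = base64.b64decode(value).decode("utf-8", "replace")
        # Prefer the LogRhythm name, then the csN/flexStringN label, then the raw key.
        name = CEF_TO_LOGRHYTHM.get(key) or raw.get(key + "Label") or key
        fields[name] = value
    for name in NUMERIC_FIELDS.intersection(fields):
        if fields[name].isdigit():
            fields[name] = int(fields[name])
    return fields


# Constructed sample record (not real Akamai output); all values below are made up.
SAMPLE = ("CEF:0|Akamai|akamai_siem|1.0|9999|Activity|5|act=deny app=HTTPS "
          "cs1=950001;981176 cs1Label=ruleIds cs2=SQL Injection Attack cs2Label=ruleMessages "
          "dhost=www.example.com dpt=443 flexString2=abc1_23456 flexString2Label=policyId "
          "request=/login?user\\=admin requestMethod=POST src=192.0.2.10 AkamaiSiemRuleVersions=MTsx "
          "AkamaiSiemRuleTags=d2ViX2F0dGFjay9zcWxp AkamaiSiemResponseStatus=403 AkamaiSiemScore=85 AkamaiSiemAllow=0")
```

Calling parse_cef(SAMPLE) yields sip, dport, url, reason, policy and responsecode under their LogRhythm names, with the rule versions and tags already base64-decoded and the unlabeled Akamai keys kept verbatim.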