Akamai Security Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
Akamai Security Events | Base Rule | General Security | Other Security |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
N/A | N/A | N/A | N/A |
N/A | N/A | N/A | Device Vendor |
N/A | <vendorinfo> | Text/String | Device Product |
N/A | <version> | Text/String | Device Version |
N/A | <vmid> | Text/String | Device Event Class ID |
N/A | <subject> | Text/String | Name |
N/A | <severity> | Number | Severity |
act | <action> | Text/String | appliedAction |
app | <protname> | Text/String | httpMessage.protocol |
c6a2 | N/A | N/A | IP v6 address of the source. Only populated if $attackData.clientIP is in IP v6 format. |
c6a2Label | N/A | N/A | N/A |
cs1 | N/A | N/A | Rule IDs of rules that triggered for this request. |
cs1Label | N/A | N/A | N/A |
cs2 | <reason> | Text/String | Messages of rules that triggered for this request |
cs2Label | N/A | N/A | N/A |
cs3 | N/A | N/A | User data of rules that triggered for this request. |
cs3Label | N/A | N/A | N/A |
cs4 | N/A | N/A | Selectors of rules that triggered for this request. |
cs4Label | N/A | N/A | N/A |
cs5 | N/A | N/A | Client IP scores for Client Reputation. |
cs5Label | N/A | N/A | N/A |
cs6 | N/A | N/A | API ID for API Protection. |
cs6Label | N/A | N/A | N/A |
devicePayloadId | N/A | N/A | Globally unique ID of the message. |
dhost | <dname> | Text/String | Value of the HOST header of the incoming client request. |
dpt | <dport> | Number | Port number used by the incoming request. Should be equal to the value of AK_IN_PORT |
flexString1 | N/A | N/A | ID of the Security Configuration applied to this request. |
flexString1Label | N/A | N/A | N/A |
flexString2 | <policy> | Text/String | ID of the Firewall Policy applied to this request . |
flexString2Label | N/A | N/A | N/A |
out | <bytesout> | Number | Content bytes served in the client response. |
request | <url> | Text/String | requestURL |
requestMethod | <command> | Text/String | HTTP method of the incoming request. |
src | <sip> | IP Address | IP address of the client that made the request. |
start | N/A | N/A | Time, in epoch format (and to millisecond precision), when the Edge Server initiated the connection for the message exchange being monitored. |
AkamaiSiemSlowPostAction | N/A | N/A | Action taken if a Slow POST attack is detected: either W for Warn or A for deny (abort). |
AkamaiSiemSlowPostRate | N/A | N/A | Recorded rate of a detected Slow POST attack. |
AkamaiSiemRuleVersions | N/A | N/A | Base64-encoded versions of rules that triggered for this request. |
AkamaiSiemRuleTags | N/A | N/A | Base64-encoded tags of rules that triggered for this request |
AkamaiSiemApiKey | N/A | N/A | API Key for API Protection. |
AkamaiSiemTLSVersion | N/A | N/A | TLS version, if applicable. |
AkamaiSiemRequestHeaders | N/A | N/A | All request headers collected. |
AkamaiSiemResponseHeaders | N/A | N/A | All response headers collected. |
AkamaiSiemResponseStatus | <responsecode> | Number | HTTP Response status sent to the client. |
AkamaiSiemContinent | N/A | N/A | 2-letter code for the continent that the IP address maps to. |
AkamaiSiemCountry | N/A | N/A | 2-letter ISO-3166 code for the country the IP address maps to. |
AkamaiSiemCity | N/A | N/A | City that the IP address maps to. |
AkamaiSiemRegion | N/A | N/A | 2-letter ISO-3166 code for the state, province, or region the IP address maps to. |
AkamaiSiemASN | N/A | N/A | Autonomous System Number (or numbers) that the IP address belongs to. |
AkamaiSiemUuid | N/A | N/A | Unique identifier of the user whose risk data is being provided. |
AkamaiSiemUsername | <login> | Text/String | The unencrypted username value. |
AkamaiSiemOriginUserId | N/A | N/A | The unencrypted Origin User Id value. |
AkamaiSiemStatus | <status> | Text/String | Status code indicating any errors that occurred when calculating the risk score. See the User Score Status section of this page for details. |
AkamaiSiemScore | N/A | N/A | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). |
AkamaiSiemRisk | N/A | N/A | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. |
AkamaiSiemTrust | N/A | N/A | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. |
AkamaiSiemGeneral | N/A | N/A | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. |
AkamaiSiemAllow | N/A | N/A | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. |
AkamaiAppBundleId | N/A | N/A | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. |
AkamaiAppVersion | N/A | N/A | Version number of the app. |
AkamaiTelemetryType | <object> | Number | Specifies the telemetry type in use. Allowed values are: 0 -- Web client (standard telemetry) |
AkamaiBotScore | N/A | N/A | Score assigned to the request by Botman Manager. |
AkamaiResponseSegment | N/A | N/A | Numeric response segment indicator. Segments are used to group and categorize bot scores. Allowed values are: 0 -- Human |
AkamaiSiemCustomData | N/A | N/A | Custom base-64-encoded value. The custom data size limit is 2KB. |