Data Source

Akamai DDoS Protection / WAF (SIEM Integration API). The connector polls the Akamai SIEM Integration API and ingests web application firewall security events. Supports multiple Akamai security configurations in parallel via the multi-connection UI.

Ingestion Mechanism

CCF (Codeless Connector Framework) with Akamai EdgeGrid HMAC-SHA-256 authentication. The CCF runtime computes a fresh signed Authorization header on every poll request. No Azure Function or customer-managed infrastructure required.

Events land in the AkamaiSIEMEvent Log Analytics table via DCR (stream: Custom-AkamaiSIEMEvent_CL). The DCR transformKql parses nested dynamic objects (attackData, geo, httpMessage, botData, clientData, identity, userRiskData) into flat columns.

Key ingested fields:

  • Attack context: ConfigId, PolicyId, ClientIp, AppliedAction, ClientReputation, RuleActions, RuleMessages, RuleTags, Rules
  • HTTP context: HttpRequestId, HttpPath, HttpMethod, HttpHost, HttpStatusCode, HttpBytes, HttpResponseBody
  • Geo context: GeoCountry, GeoCity, GeoContinent, GeoAsn, GeoRegionCode
  • Bot/risk context: BotScore, UserRiskScore

TimeGenerated is derived from httpMessage.start (Unix epoch); it falls back to now() if that field is absent.

Detection Surface Unlocked

With AkamaiSIEMEvent populated, detection engineers can build on:

  • Web application attacks blocked/alerted by Akamai WAF rules (AppliedAction = deny/alert)
  • Client reputation scoring for inbound IPs
  • Geographic clustering of attack sources
  • Slow POST attack detection (SlowPostAction, SlowPostRate)
  • Bot traffic identification (BotScore)
  • Correlation between attacker IPs seen in AkamaiSIEMEvent and other Sentinel data sources

No bundled Analytic Rules or Hunting Queries are included in this initial release. A parser alias function (parser_AkamaiSIEMEventAliasFunction.json) is provided.

Configuration Notes

Requires SIEM integration enabled in the Akamai Security Center per security configuration. Authentication uses three EdgeGrid credentials (client_token, access_token, client_secret) plus the API hostname from the .edgerc file. The connector is currently in Preview (isPreview: true).
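To validate a set of EdgeGrid credentials outside the connector (for example when polls return 401), the signed Authorization header described under Ingestion Mechanism can be reproduced by hand. The sketch below is an added example, not the connector's or the CCF runtime's code; it follows Akamai's published EG1-HMAC-SHA256 scheme. The function names, host, request path and credential values are constructed placeholders.

```python
import base64, hashlib, hmac, uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

SCHEME = "EG1-HMAC-SHA256"

def _b64_hmac(key: bytes, msg: bytes) -> str:
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def sign_request(method, url, client_token, access_token, client_secret,
                 body=b"", timestamp=None, nonce=None, max_body=131072):
    """Return the EdgeGrid Authorization header value for one request."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H:%M:%S+0000")
    nonce = nonce or str(uuid.uuid4())
    u = urlsplit(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    # Only POST bodies are hashed (truncated to max_body); GET polls use "".
    content_hash = ""
    if method.upper() == "POST" and body:
        content_hash = base64.b64encode(hashlib.sha256(body[:max_body]).digest()).decode()
    unsigned = (f"{SCHEME} client_token={client_token};access_token={access_token};"
                f"timestamp={ts};nonce={nonce};")
    # The signing key is bound to the timestamp, so every poll gets a new key.
    signing_key = _b64_hmac(client_secret.encode(), ts.encode())
    # Tab-separated canonical request; the empty field is "headers to sign" (none).
    data = "\t".join([method.upper(), u.scheme, u.netloc.lower(), path, "",
                      content_hash, unsigned])
    return unsigned + "signature=" + _b64_hmac(signing_key.encode(), data.encode())

def verify_header(header, method, url, client_secret, body=b""):
    """Recompute the signature from the header's own fields and compare."""
    fields = dict(kv.split("=", 1) for kv in header[len(SCHEME) + 1:].split(";"))
    expected = sign_request(method, url, fields["client_token"], fields["access_token"],
                            client_secret, body, fields["timestamp"], fields["nonce"])
    return hmac.compare_digest(expected, header)

# Constructed placeholders, not real credentials, host or configuration id.
CREDS = dict(client_token="akab-client-EXAMPLE", access_token="akab-access-EXAMPLE",
             client_secret="c2VjcmV0LUVYQU1QTEU=")
URL = "https://akab-example.luna.akamaiapis.net/siem/v1/configs/12345?limit=1000"

if __name__ == "__main__":
    print(sign_request("GET", URL, **CREDS))
```

Because the timestamp and nonce are part of the signed data, a captured header cannot be reused for a different path or a later poll; a rejected signature with known-good credentials usually points at clock skew or a mismatched hostname.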

Affected Files

Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/AkamaiDDOSProtection_ConnectorDefinition.json
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/AkamaiDDOSProtection_DCR.json
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/AkamaiDDOSProtection_PollerConfig.json
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/table_AkamaiSIEMEvent.json
Solutions/Akamai DDOS Protection/Package/testParameters.json
Solutions/Akamai DDOS Protection/Parsers/parser_AkamaiSIEMEventAliasFunction.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AkamaiDDOSProtection.json, createUiDefinition.json, mainTemplate.json)