Data Source
Akamai DDoS Protection / WAF (SIEM Integration API). The connector polls the Akamai SIEM Integration API and ingests web application firewall security events. It supports multiple Akamai security configurations in parallel via the multi-connection UI.
Ingestion Mechanism
CCF (Codeless Connector Framework) with Akamai EdgeGrid HMAC-SHA-256 authentication. The CCF runtime computes a fresh signed Authorization header on every poll request. No Azure Function or customer-managed infrastructure is required.
Events land in the AkamaiSIEMEvent Log Analytics table via DCR (stream: Custom-AkamaiSIEMEvent_CL). The DCR transformKql parses nested dynamic objects (attackData, geo, httpMessage, botData, clientData, identity, userRiskData) into flat columns.
Key ingested fields:
- Attack context: ConfigId, PolicyId, ClientIp, AppliedAction, ClientReputation, RuleActions, RuleMessages, RuleTags, Rules
- HTTP context: HttpRequestId, HttpPath, HttpMethod, HttpHost, HttpStatusCode, HttpBytes, HttpResponseBody
- Geo context: GeoCountry, GeoCity, GeoContinent, GeoAsn, GeoRegionCode
- Bot/risk context: BotScore, UserRiskScore
TimeGenerated is derived from httpMessage.start (Unix epoch) and falls back to now() if that field is absent.
Detection Surface Unlocked
With AkamaiSIEMEvent populated, detection engineers can build on:
- Web application attacks blocked/alerted by Akamai WAF rules (AppliedAction = deny/alert)
- Client reputation scoring for inbound IPs
- Geographic clustering of attack sources
- Slow POST attack detection (SlowPostAction, SlowPostRate)
- Bot traffic identification (BotScore)
- Correlation between attacker IPs seen in AkamaiSIEMEvent and other Sentinel data sources
No bundled Analytic Rules or Hunting Queries are included in this initial release. A parser alias function (parser_AkamaiSIEMEventAliasFunction.json) is provided.
Configuration Notes
SIEM integration must be enabled in the Akamai Security Center for each security configuration. Authentication uses three EdgeGrid credentials (client_token, access_token, client_secret) plus the API hostname from the .edgerc file. The connector is currently in Preview (isPreview: true).
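For troubleshooting rejected polls, the sketch below shows how an EdgeGrid Authorization header is derived from the three credentials named above and why it differs on every request, as described under Ingestion Mechanism. It is an added example following Akamai's publicly documented EG1-HMAC-SHA256 scheme, not the connector's or the CCF runtime's code; the hostname, URL path and credential values are constructed placeholders, and signed custom headers and body-size truncation are left out.

```python
import base64
import hashlib
import hmac
import time
import uuid
from urllib.parse import urlsplit

# Constructed sample values (assumptions); real ones come from the .edgerc file.
SAMPLE_URL = "https://akab-example.luna.akamaiapis.net/siem/v1/configs/12345?limit=1000"
SAMPLE_CLIENT_TOKEN = "akab-client-token-example"
SAMPLE_ACCESS_TOKEN = "akab-access-token-example"
SAMPLE_CLIENT_SECRET = "example-client-secret"


def b64_hmac_sha256(key: str, msg: str) -> str:
    """Base64-encoded HMAC-SHA-256 of msg under key."""
    digest = hmac.new(key.encode(), msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def edgegrid_auth_header(method, url, client_token, access_token, client_secret,
                         body=b"", timestamp=None, nonce=None):
    """Return the Authorization header value for a single request."""
    # A new timestamp and nonce per request make every poll's header unique.
    timestamp = timestamp or time.strftime("%Y%m%dT%H:%M:%S+0000", time.gmtime())
    nonce = nonce or str(uuid.uuid4())
    unsigned = (f"EG1-HMAC-SHA256 client_token={client_token};"
                f"access_token={access_token};timestamp={timestamp};nonce={nonce};")
    parts = urlsplit(url)
    path = parts.path + (f"?{parts.query}" if parts.query else "")
    # Only POST bodies are hashed; a GET poll signs an empty content hash.
    content_hash = ""
    if method.upper() == "POST" and body:
        content_hash = base64.b64encode(hashlib.sha256(body).digest()).decode()
    data_to_sign = "\t".join([method.upper(), parts.scheme, parts.netloc, path,
                              "",  # canonicalized signed headers: none in this sketch
                              content_hash, unsigned])
    # client_secret never signs the request directly; it derives a per-timestamp key.
    signing_key = b64_hmac_sha256(client_secret, timestamp)
    return unsigned + "signature=" + b64_hmac_sha256(signing_key, data_to_sign)


if __name__ == "__main__":
    print(edgegrid_auth_header("GET", SAMPLE_URL, SAMPLE_CLIENT_TOKEN,
                               SAMPLE_ACCESS_TOKEN, SAMPLE_CLIENT_SECRET))
```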
Affected Files
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/AkamaiDDOSProtection_ConnectorDefinition.json
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/AkamaiDDOSProtection_DCR.json
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/AkamaiDDOSProtection_PollerConfig.json
Solutions/Akamai DDOS Protection/Data Connectors/AkamaiDDOSProtection_CCF/table_AkamaiSIEMEvent.json
Solutions/Akamai DDOS Protection/Package/testParameters.json
Solutions/Akamai DDOS Protection/Parsers/parser_AkamaiSIEMEventAliasFunction.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AkamaiDDOSProtection.json, createUiDefinition.json, mainTemplate.json)