Akamai Event Viewer

About
Akamai Event Viewer is part of Akamai's suite of content delivery network (CDN) and cloud services. Specifically, it is used for monitoring and analyzing real-time streaming events. This tool provides insights into the performance and delivery of live or on-demand video streams, helping users to understand how their content is being consumed and to troubleshoot any issues that might arise during the streaming process.
Product Details
Vendor URL: Akamai
Product Type: Cloud Service
Product Tier: Tier III
Integration Method: API
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: AKAMAI_EVT_VWR
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| ACCOUNT_NAME | principal.user.company_name |
| ACCOUNT_STATUS | additional.fields |
| AccountID | principal.user.userid |
| action | security_result.action_details |
| Alert Condition (% Errors) | security_result.detection_fields |
| Alert definition id | security_result.detection_fields |
| Alert editor | principal.user.user_display_name |
| Alert id | security_result.rule_id |
| Alert name | security_result.rule_name |
| Alert Threshold | security_result.detection_fields |
| APPLICATION | target.application |
| ASSET_ID | target.resource.id |
| Auth Grants | target.user.attribute.permissions |
| authenticationMethod | extensions.auth.auth_details |
| authorized_users | additional.fields |
| base_url | target.url |
| Change ID | additional.fields |
| Client IP | principal.ip |
| client_description | security_result.summary |
| client_name | principal.user.userid |
| client_type | principal.user.role_name |
| Company Name | principal.user.company_name |
| configID | additional.fields |
| configVersion | additional.fields |
| CONTRACT_TYPE_ID | target.resource.attribute.labels |
| contractId | target.resource.attribute.labels |
| country_code | principal.location.country_or_region |
| CP Code | additional.fields |
| details | security_result.summary |
| Domain | target.asset.network_domain |
| domain | intermediary.asset.network_domain |
| Edge IP | intermediary.ip |
| | target.user.email_addresses |
| Email To | target.hostname |
| Email To | network.email.to |
| Email_Address | target.user.userid |
| entityId | intermediary.asset.asset_id |
| Errors | security_result.detection_fields |
| event_code | security_result.rule_name |
| eventDescription | metadata.description |
| eventId | metadata.product_log_id |
| eventName | security_result.description |
| eventTypeName | metadata.product_event_type |
| Filename | target.file.names |
| First_Name | target.user.first_name |
| From | network.email.from |
| Ghost IP | target.ip |
| Hits | security_result.detection_fields |
| Hostname | target.hostname |
| IS_INTERNAL_USER | additional.fields |
| IS_ON_HOME_ACCOUNT | additional.fields |
| Last_Name | target.user.last_name |
| message | security_result.summary |
| Metadata Type | target.resource.resource_subtype |
| method | additional.fields |
| Name | security_result.rule_name |
| netlist-id | target.resource.id |
| netlist-type | target.resource.resource_subtype |
| netlist-user | principal.user.userid |
| notBefore | network.tls.client.certificate.not_before |
| notOnOrAfter | network.tls.client.certificate.not_after |
| Operation | security_result.action_details |
| os | principal.platform |
| Phone | target.user.phone_numbers |
| Policy name | target.resource.name |
| Policy Set name | security_result.rule_name |
| Policy set type | target.resource.resource_subtype |
| policyID | security_result.rule_id |
| PortalUserName | principal.user.user_display_name |
| PROPERTY_NAME | target.resource.name |
| PROPERTY_VERSION | target.resource.attribute.labels |
| protections | target.resource.attribute.labels |
| pulsar_host | intermediary.hostname |
| pulsar_host | intermediary.ip |
| Purge action | security_result.action_details |
| Purge request | additional.fields |
| receivedUserId | target.user.userid |
| Request Path | target.url |
| requestId | network.session_id |
| Response Status Code | network.http.response_code |
| Service | target.application |
| serviceName | target.application |
| Subject | network.email.subject |
| Template id | security_result.detection_fields |
| Ticket Number | additional.fields |
| to | network.email.to |
| true_client_ip | principal.ip |
| Type | security_result.rule_type |
| username | principal.user.userid |
| username | principal.hostname |
| USERNAME | principal.user.userid |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| Activate configuration on production | USER_RESOURCE_CREATION |
| Activate configuration on staging | USER_RESOURCE_CREATION |
| Add new user | USER_CREATION |
| Copy new version | USER_RESOURCE_CREATION |
| Customer Notification Sent | EMAIL_TRANSACTION |
| Else | STATUS_UPDATE |
| FileManager 2.0 User Action | FILE_UNCATEGORIZED |
| login | USER_LOGIN |
| logout | USER_LOGOUT |
| Send activation email | USER_COMMUNICATION |
| Submit ARL File | FILE_UNCATEGORIZED |
| Update firewall protection | SETTING_MODIFICATION |
Log Sample

```json
{"eventData":[{"key":"userIdAttributeName","value":"Email"},{"key":"method","value":"sp_init"},{"key":"authenticationMethod","value":"federate.example.com:saml2"},{"key":"requestId","value":"_123a1b3c-1234-1234-a123-123abc123abc"},{"key":"domain","value":"control.akamai.com"},{"key":"notOnOrAfter","value":"2024-09-04T19:50:04.878Z"},{"key":"entityId","value":"federate.example.com:saml2"},{"key":"details","value":"User jane.doe@example.com has been successfully logged in using federate.example.com:saml2 IDP"},{"key":"notBefore","value":"2024-09-04T19:40:04.878Z"},{"key":"pulsar_host","value":"10.168.118.46"},{"key":"arrivalDate","value":"2024-09-04T19:45:05.255529798Z"}],"eventId":"8fb9d470-a084-4529-a620-dafeb03cd09a","eventTime":"2024-09-04T19:45:05.439Z","eventType":{"eventDefinition":{"eventDefinitionId":"1048087","eventDescription":"A user successfully authenticated using Single Sign-on (SSO)","eventName":"Successful SSO Login"},"eventTypeId":"16","eventTypeName":"All Logins"},"impersonator":false,"username":"jane.doe@example.com"}
```
Sample Parsing

```
additional.fields["Method"] = "sp_init"
extensions.auth.auth_details = "federate.example.com:saml2"
extensions.auth.type = "SSO"
intermediary.asset.asset_id = "entityId: federate.example.com:saml2"
intermediary.asset.network_domain = "control.akamai.com"
intermediary.ip = "10.168.118.46"
metadata.description = "A user successfully authenticated using Single Sign-on (SSO)"
metadata.event_type = "USER_LOGIN"
metadata.log_type = "AKAMAI_EVT_VWR"
metadata.product_deployment_id = "16"
metadata.product_event_type = "All Logins"
metadata.product_log_id = "8fb9d470-a084-4529-a620-dafeb03cd09a"
metadata.product_name = "Event Viewer"
metadata.vendor_name = "Akamai"
network.session_id = "_123a1b3c-1234-1234-a123-123abc123abc"
network.tls.client.certificate.not_after.seconds = 1725479404
network.tls.client.certificate.not_after.nanos = 878000000
network.tls.client.certificate.not_before.seconds = 1725478804
network.tls.client.certificate.not_before.nanos = 878000000
principal.hostname = "jane.doe"
principal.user.userid = "jane.doe@example.com"
security_result.action = "ALLOW"
security_result.description = "Successful SSO Login"
security_result.summary = "User jane.doe@example.com has been successfully logged in using federate.example.com:saml2 IDP"
target.user.email_addresses = "jane.doe@example.com"
target.user.userid = "jane.doe@example.com"
```
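
The following Python example is added here for illustration and is not the parser's own code: it flattens the `eventData` key/value array from the log sample and applies a subset of the mapping table, reproducing the seconds/nanos split shown under Sample Parsing. The names `to_udm`, `DIRECT`, `TIMES` and `is_ip`, and the rule that picks `intermediary.ip` over `intermediary.hostname` for `pulsar_host`, are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed input: the page's log sample, trimmed to the fields mapped below.
SAMPLE = json.dumps({"eventData": [
    {"key": "authenticationMethod", "value": "federate.example.com:saml2"},
    {"key": "requestId", "value": "_123a1b3c-1234-1234-a123-123abc123abc"},
    {"key": "notOnOrAfter", "value": "2024-09-04T19:50:04.878Z"},
    {"key": "notBefore", "value": "2024-09-04T19:40:04.878Z"},
    {"key": "pulsar_host", "value": "10.168.118.46"}],
    "eventId": "8fb9d470-a084-4529-a620-dafeb03cd09a",
    "eventType": {"eventTypeName": "All Logins"},
    "username": "jane.doe@example.com"})

# eventData key -> UDM field, copied from the mapping table on this page.
DIRECT = {"authenticationMethod": "extensions.auth.auth_details",
          "requestId": "network.session_id",
          "domain": "intermediary.asset.network_domain",
          "details": "security_result.summary"}
TIMES = {"notBefore": "network.tls.client.certificate.not_before",
         "notOnOrAfter": "network.tls.client.certificate.not_after"}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def to_udm(raw):
    event = json.loads(raw)
    udm = {"metadata.product_log_id": event["eventId"],
           "metadata.product_event_type": event["eventType"]["eventTypeName"],
           "principal.user.userid": event["username"]}
    for item in event.get("eventData", []):
        key, value = item["key"], item["value"]
        if key in DIRECT:
            udm[DIRECT[key]] = value
        elif key in TIMES:
            # Split the ISO-8601 UTC time into seconds and nanos, as in Sample Parsing.
            dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
            dt = dt.replace(tzinfo=timezone.utc)
            udm[TIMES[key] + ".seconds"] = int(dt.replace(microsecond=0).timestamp())
            udm[TIMES[key] + ".nanos"] = dt.microsecond * 1000
        elif key == "pulsar_host":
            # Table lists hostname and ip; picking by IP-literal test is an assumption.
            udm["intermediary.ip" if is_ip(value) else "intermediary.hostname"] = value
    return udm
```

Keys that are not in the two lookup tables are skipped, so fields such as `method` or `entityId` would need their own entries before being compared against real parser output.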