From 163a490e432d70fe2af555fc81228dd8091c4b12 Mon Sep 17 00:00:00 2001 
From: Mike Schiessl <77062930+MikeSchiessl@users.noreply.github.com> Date: Wed, 18 Aug 2021 15:46:50 +0200 Subject: [PATCH] Version 1.1.0 (#13) ## v1.1.0 ||| |---|---| |Date|2021-08-18 |Kind|Bugfix / Feature |Author|mschiess@akamai.com - Features - Added **DNS** and **PROXY** feeds to ETP Input (<3 Sara) - Minor improvements - Version number fix (Stated 0.9.0 instead of 1.x.x) - debug "message" fix ( changed HTTP to HTTP(S) to avoid misunderstanding) - documented workaround for discovered proxy issue - enabled json highlighting in [Log_overview](./LOG_OVERVIEW.md) - added better error guidance when basic stuff is unset (input / output) - moved docker-compose from root dir to /docs - added `read_only: true` to the docker-compose.yml files (security enhancement) --- README.md | 10 +- bin/config/global_config.py | 10 +- bin/modules/UlsArgsParser.py | 4 +- bin/modules/UlsInputCli.py | 4 +- bin/modules/UlsOutput.py | 2 +- bin/modules/UlsTools.py | 14 + bin/uls.py | 3 + docs/AKAMAI_API_CREDENTIALS.md | 2 + docs/ARGUMENTS_ENV_VARS.md | 4 +- docs/CHANGELOG.md | 17 + docs/DOCKER-COMPOSE_USAGE.md | 12 +- docs/FAQ.md | 18 +- docs/LOG_OVERVIEW.md | 1098 ++++++++++++++++- .../docker-compose}/README.md | 6 +- .../docker-compose}/complex/README.md | 0 .../complex/docker-compose.yml | 5 +- .../docker-compose}/complex/eaa-access.env | 0 .../docker-compose}/complex/etp-threat.env | 0 .../docker-compose}/complex/mfa-auth.env | 0 .../docker-compose}/examples/README.md | 0 .../examples/all_services_docker-compose.yml | 28 +- .../examples/example_env_file.env | 6 +- .../docker-compose}/simple/README.md | 0 .../docker-compose}/simple/docker-compose.yml | 3 +- .../docker-compose}/simple/etp-threat.env | 0 25 files changed, 1206 insertions(+), 40 deletions(-) mode change 100644 => 100755 bin/uls.py rename {docker-compose => docs/docker-compose}/README.md (58%) rename {docker-compose => docs/docker-compose}/complex/README.md (100%) rename {docker-compose => 
docs/docker-compose}/complex/docker-compose.yml (84%) rename {docker-compose => docs/docker-compose}/complex/eaa-access.env (100%) rename {docker-compose => docs/docker-compose}/complex/etp-threat.env (100%) rename {docker-compose => docs/docker-compose}/complex/mfa-auth.env (100%) rename {docker-compose => docs/docker-compose}/examples/README.md (100%) rename {docker-compose => docs/docker-compose}/examples/all_services_docker-compose.yml (66%) rename {docker-compose => docs/docker-compose}/examples/example_env_file.env (91%) rename {docker-compose => docs/docker-compose}/simple/README.md (100%) rename {docker-compose => docs/docker-compose}/simple/docker-compose.yml (74%) rename {docker-compose => docs/docker-compose}/simple/etp-threat.env (100%) diff --git a/README.md b/README.md index f191662..cfe15e1 100644 --- a/README.md +++ b/README.md @@ -38,16 +38,18 @@ It can be run directly as Python code, as a provided Docker container or through - [Enterprise Threat Protectors (ETP)](https://www.akamai.com/us/en/products/security/enterprise-threat-protector.jsp) - [THREAT](docs/LOG_OVERVIEW.md#threat-log-threat) - [AUP](docs/LOG_OVERVIEW.md#accceptable-use-policy-logs-aup) + - [DNS](docs/LOG_OVERVIEW.md#dns) + - [PROXY](docs/LOG_OVERVIEW.md#proxy) - [Akamai Phish-proof Multi Factor Authenticator (AKAMAI-MFA)](https://www.akamai.com/us/en/products/security/akamai-mfa.jsp) - [AUTH](docs/LOG_OVERVIEW.md#authentication-logs-auth) - [POLICY](docs/LOG_OVERVIEW.md#policy-logs-policy) - Supported data outputs - - TCP Socket (tcp://host:port) - - UDP Socket (udp://host:port) - - HTTP(S) URL (http(s)://host:port/path) (supporting Authentication) - - RAW (>STDOUT) + - TCP Socket (tcp://host:port) `--output tcp` + - UDP Socket (udp://host:port) `--output udp` + - HTTP(S) URL (http(s)://host:port/path) (supporting Authentication) `--output http` + - RAW (>STDOUT) `--output raw` - Operation types 
diff --git a/bin/config/global_config.py b/bin/config/global_config.py index 50835f8..0d9bd5b 100644 --- a/bin/config/global_config.py +++ b/bin/config/global_config.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # Common global variables / constants -__version__ = "0.9.0" +__version__ = "1.1.0" __tool_name_long__ = "Akamai Unified Log Streamer" __tool_name_short__ = "ULS" @@ -17,9 +17,13 @@ bin_eaa_cli = "ext/cli-eaa/bin/akamai-eaa" # Available EAA CLI feeds eaa_cli_feeds = ['ACCESS', 'ADMIN', 'CONHEALTH'] + # ETP -bin_etp_cli = "ext/cli-etp/bin/akamai-etp" # Path to the ETP CLI Executable -etp_cli_feeds = ['THREAT', 'AUP'] # Available ETP CLI feeds + # Path to the ETP CLI Executable +bin_etp_cli = "ext/cli-etp/bin/akamai-etp" + # Available ETP CLI feeds +etp_cli_feeds = ['THREAT', 'AUP', 'DNS', 'PROXY'] + # MFA bin_mfa_cli = "ext/cli-mfa/bin/akamai-mfa" # Path to the MFA CLI Executable mfa_cli_feeds = ['POLICY', 'AUTH'] # Available MFA CLI feeds diff --git a/bin/modules/UlsArgsParser.py b/bin/modules/UlsArgsParser.py index 003102b..8166093 100644 --- a/bin/modules/UlsArgsParser.py +++ b/bin/modules/UlsArgsParser.py @@ -70,7 +70,9 @@ def init(): dest='inproxy', type=str, default=(os.environ.get('ULS_INPUT_PROXY') or None), - help="Use a proxy Server for the INPUT requests (fetching data from AKAMAI API'S)") + help=argparse.SUPPRESS) + # We're surpressing this for now, as the param does not seem to work (mschiess-20210818 - see EME-498) + #help="Use a proxy Server for the INPUT requests (fetching data from AKAMAI API'S)") # RAWCMD input_group.add_argument('--rawcmd', action='store', diff --git a/bin/modules/UlsInputCli.py b/bin/modules/UlsInputCli.py index b7aedd9..6d7e5f1 100644 --- a/bin/modules/UlsInputCli.py +++ b/bin/modules/UlsInputCli.py 
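Review bot: The two relocated comments in the ETP block, `  # Path to the ETP CLI Executable` and `  # Available ETP CLI feeds`, appear to sit on their own lines with leading indentation at module level, while the EAA and MFA entries shown in the same hunk keep the trailing-comment style (`mfa_cli_feeds = ['POLICY', 'AUTH']  # Available MFA CLI feeds`). Either keep the trailing style for the ETP pair or place the standalone comments at column 0; an indented top-level comment line reads as a paste artefact. The list change itself, `etp_cli_feeds = ['THREAT', 'AUP', 'DNS', 'PROXY']`, matches the feed table updated in docs/ARGUMENTS_ENV_VARS.md by this patch.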
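Review bot: The old help text is left behind as commented-out code (`#help="Use a proxy Server for the INPUT requests (fetching data from AKAMAI API'S)")`) directly under `help=argparse.SUPPRESS`; the rationale comment citing EME-498 is the useful part, so keep that one (fixing `surpressing` to `suppressing`) and drop the dead line, as git history holds the text. Because the option and its `ULS_INPUT_PROXY` default are still parsed, a user who sets either gets no indication that the proxy path is known not to work; a warning at the point where `inproxy` is consumed, which lies outside this hunk, would make the hidden state visible. The `add_argument` call this hunk modifies starts before the hunk.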
@@ -43,10 +43,10 @@ def _feed_selector(self, feed, product_feeds): if feed in product_feeds: # feed matches the given list aka_log.log.debug(f'{self.name} - selected feed: {feed}') - elif not feed: + elif not feed or feed == "DEFAULT": # Set default (first of feeds) feed = product_feeds[0] - aka_log.log.debug(f'{self.name} - using default feed: {feed}') + aka_log.log.warning(f'{self.name} - using default feed: {feed}') else: aka_log.log.critical( f"{self.name} - Feed ({feed}) not available - Available: {product_feeds}") diff --git a/bin/modules/UlsOutput.py b/bin/modules/UlsOutput.py index 4054866..33eacb8 100644 --- a/bin/modules/UlsOutput.py +++ b/bin/modules/UlsOutput.py @@ -135,7 +135,7 @@ def connect(self, output_type: str, host: str, port: int, f'Use --httpurl instead of --host / --port') sys.exit(1) else: - aka_log.log.debug(f"{self.name} attempting to connect via HTTP to {http_url} ") + aka_log.log.debug(f"{self.name} attempting to connect via HTTP(S) to {http_url} ") # Let'S do an options request self.http_url = http_url diff --git a/bin/modules/UlsTools.py b/bin/modules/UlsTools.py index 7f2cf3b..a8a57cc 100644 --- a/bin/modules/UlsTools.py +++ b/bin/modules/UlsTools.py @@ -112,3 +112,17 @@ def uls_check_edgerc(configfile, configsection, configvalues): else: aka_log.log.debug(f"Required configuration value '{configvalue}' found.") return 0 + + +def uls_check_args(input, output): + missing = None + if not input: + missing = "INPUT" + elif not output: + missing = "OUTPUT" + if missing: + aka_log.log.critical(f"Required argument / ENV var not set: {missing}") + aka_log.log.critical(f"Please run `bin/uls.py --help` for additional information") + sys.exit(1) + else: + return 0 \ No newline at end of file diff --git a/bin/uls.py b/bin/uls.py old mode 100644 new mode 100755 index 1a413d7..85ffca4 --- a/bin/uls.py +++ b/bin/uls.py 
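Review bot: `elif not feed or feed == "DEFAULT":` introduces a new accepted sentinel value, but the `--feed` options table in docs/ARGUMENTS_ENV_VARS.md, updated in this same patch, does not list `DEFAULT`, so the only way to learn about it is reading the source. Add it to that table and hoist the literal into a module-level constant so the argument parser and this selector agree on one spelling. The comparison is case-sensitive; whether `feed` is upper-cased before reaching `_feed_selector` is not visible here, and if it is not, a lower-case `default` falls through to the critical branch. `_feed_selector` starts before this hunk and appears to continue after it.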
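Review bot: `def uls_check_args(input, output):` shadows the builtin `input` for the whole function body; since the only call visible in this patch (`UlsTools.uls_check_args(uls_args.input, uls_args.output)` in bin/uls.py) is positional, renaming the parameter to `input_source` is safe. The second message is an f-string without placeholders, `aka_log.log.critical(f"Please run ... for additional information")`, so the `f` prefix should go, and the `else:` around `return 0` is redundant after `sys.exit(1)`. A one-line docstring stating that the function exits the process with status 1 when either argument is falsy and otherwise returns 0 would help, and the file now ends without a trailing newline.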
@@ -62,6 +62,9 @@ def main(): # Load the LOG system aka_log.init(uls_args.loglevel, uls_config.__tool_name_short__) + # Verify the given core params (at least input and output should be set) + UlsTools.uls_check_args(uls_args.input, uls_args.output) + # Check CLI Environment UlsTools.uls_check_sys() diff --git a/docs/AKAMAI_API_CREDENTIALS.md b/docs/AKAMAI_API_CREDENTIALS.md index 357a68b..b4c5ee7 100644 --- a/docs/AKAMAI_API_CREDENTIALS.md +++ b/docs/AKAMAI_API_CREDENTIALS.md @@ -27,6 +27,8 @@ This document describes how to create Akamai API credentials and configure them |Enterprise Application Access|EAA|HEALTH|[{OPEN} API / Enterprise Application Access](#eaa-open-api-for-connector-health-feed)| |Enterprise Threat Protector|ETP|THREAT|[{OPEN} API / ETP Report](#etp-open-api-reporting)| |Enterprise Threat Protector|ETP|AUP|[{OPEN} API / ETP Report](#etp-open-api-reporting)| +|Enterprise Threat Protector|ETP|DNS|[{OPEN} API / ETP Report](#etp-open-api-reporting)| +|Enterprise Threat Protector|ETP|PROXY|[{OPEN} API / ETP Report](#etp-open-api-reporting)| |Akamai MFA|MFA|AUTH|[MFA Integration](#mfa-integration-for-logging)| |Akamai MFA|MFA|POLICY|[MFA Integration](#mfa-integration-for-logging)| diff --git a/docs/ARGUMENTS_ENV_VARS.md b/docs/ARGUMENTS_ENV_VARS.md index 9806c4b..52f3aea 100644 --- a/docs/ARGUMENTS_ENV_VARS.md +++ b/docs/ARGUMENTS_ENV_VARS.md @@ -14,9 +14,9 @@ The following tables list all available command line parameters and their corres |Parameter|Env - Var|Options|Default|Description| |---|---|---|---|---| |-i
--input | ULS_INPUT | 'EAA', 'ETP', 'MFA' | None | Specify the desired INPUT source | -|--feed | ULS_FEED | EAA: 'ACCESS', 'ADMIN', 'CONHEALTH'
ETP: 'THREAT', 'AUP'
MFA: 'AUTH','POLICY' | None | Specify the desired INPUT feed | +|--feed | ULS_FEED | EAA: 'ACCESS', 'ADMIN', 'CONHEALTH'
ETP: 'THREAT', 'AUP', 'DNS', 'PROXY'
MFA: 'AUTH','POLICY' | None | Specify the desired INPUT feed | |--format | ULS_FORMAT | 'JSON', 'TEXT' | JSON | Specify the desired INPUT (=OUTPUT) format | -|--inproxy
--inputproxy | ULS_INPUT_PROXY | HOST:PORT| None | Adjust proxy usage for INPUT data collection (cli) | +|--inproxy
--inputproxy | ULS_INPUT_PROXY | HOST:PORT| None | Adjust proxy usage for INPUT data collection (cli)
There is a known issue in the usage, [please read more about it here](./FAQ.md#--inputproxy-proxy-does-not-work-as-expected)| |--rawcmd | ULS_RAWCMD | \ | None | USE with caution /!\
This is meant only to be used when told by AKAMAI [Click here for more information](ADDITIONAL_FEATURES.md#rawcmd---rawcmd-feature)| |--edgerc | ULS_EDGERC | /path/to/your/.edgerc | '~/.edgerc' | Specify the location of the .edgerc EDGE GRID AUTH file | |--section | ULS_SECTION | edgerc_config_section | 'default' | Specify the desired section within the .edgerc file | diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 74db884..6ab9bdf 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -1,5 +1,22 @@ # Version History +## v1.1.0 +||| +|---|---| +|Date|2021-08-18 +|Kind|Bugfix / Feature +|Author|mschiess@akamai.com +- Features + - Added **DNS** and **PROXY** feeds to ETP Input (<3 Sara) +- Minor improvements + - Version number fix (Stated 0.9.0 instead of 1.x.x) + - debug "message" fix ( changed HTTP to HTTP(S) to avoid misunderstanding) + - documented workaround for discovered proxy issue + - enabled json highlighting in [Log_overview](./LOG_OVERVIEW.md) + - added better error guidance when basic stuff is unset (input / output) + - moved docker-compose from root dir to /docs + - added `read_only: true` to the docker-compose.yml files (security enhancement) + ## v1.0.0 ||| |---|---| diff --git a/docs/DOCKER-COMPOSE_USAGE.md b/docs/DOCKER-COMPOSE_USAGE.md index 27e0b9f..1f3a7a6 100644 --- a/docs/DOCKER-COMPOSE_USAGE.md +++ b/docs/DOCKER-COMPOSE_USAGE.md @@ -52,8 +52,8 @@ docker compose up -d This will run the "simple" use case in foreground. The `docker-compose.yml` file will reference the `etp-threat.env` and provide the configuration from that file. **Files:** - - [docker-compose.yml](../docker-compose/simple/docker-compose.yml) - - [etp-threat.env](../docker-compose/simple/etp-threat.env) + - [docker-compose.yml](docker-compose/simple/docker-compose.yml) + - [etp-threat.env](docker-compose/simple/etp-threat.env) - Complex docker-compose setup delivering different streams to different endpoints 
@@ -63,7 +63,7 @@ docker compose up -d ``` This triggers a more complex setup consisting out of 3 different data feeds. **Files:** - - [docker-compose.yml](../docker-compose/complex/docker-compose.yml) - - [etp-threat.env](../docker-compose/complex/etp-threat.env) - - [eaa-admin.env](../docker-compose/complex/eaa-access.env) - - [eaa-access.env](../docker-compose/complex/eaa-access.env) \ No newline at end of file + - [docker-compose.yml](docker-compose/complex/docker-compose.yml) + - [etp-threat.env](docker-compose/complex/etp-threat.env) + - [eaa-admin.env](docker-compose/complex/eaa-access.env) + - [eaa-access.env](docker-compose/complex/eaa-access.env) \ No newline at end of file diff --git a/docs/FAQ.md b/docs/FAQ.md index 531ffc6..c4cc722 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -7,6 +7,7 @@ - [What command line Options are available ? ](#what-command-line-options-are-available-) - [What environmental variables (ENV VARS) are available](#what-environmental-variables-env-vars-are-available-#) - [--version does not show all versions](#ulspy---version-does-not-show-all-versions) +- [--inputproxy does not work as expected](#--inputproxy-proxy-does-not-work-as-expected) ---- ## FAQ 
@@ -38,11 +39,22 @@ There is a dedicated document explaining the [command line parameters and enviro There is a dedicated document explaining the [command line parameters and environment variables.](ARGUMENTS_ENV_VARS.md) --- -<<<<<<< HEAD ### `uls.py --version` does not show all versions This is (sadly) a known issue. It is a problem within some of the CLI's if no ".edgerc" file is provided. If you provide a `.edgerc`, the show is correct. --- -======= ->>>>>>> 2d20b502da2fcc131088bf0498ddcf56a12d531d +### `--inputproxy ` does not work as expected +This is (sadly) a known issue. +The good news is we do have a proper workaround for this. +Instead of setting the Option `--inputproxy ` or the ENV var `ULS_INPUT_PROXY` do the following: + +Set the ENV following ENV vars to your environment / container. +```text +HTTP_PROXY=http://your.proxy.internal:3128" +HTTPS_PROXY=http://your.proxy.internal:3128" +NO_PROXY="localhost,127.0.0.1,::1" +``` +Those can also be added to the .evn file when using docker / docker-compose. +**Please ensure, you are ADDING YOUR SIEM HOST IP to the NO_PROXY line when the SIEM is internal to avoid issues** +`NO_PROXY="localhost,127.0.0.1,::1,my_siem.host"` \ No newline at end of file diff --git a/docs/LOG_OVERVIEW.md b/docs/LOG_OVERVIEW.md index 0c33c6b..44f5c96 100644 --- a/docs/LOG_OVERVIEW.md +++ b/docs/LOG_OVERVIEW.md @@ -17,7 +17,7 @@ Here are some examples (per product) and links to additional information. ## Enterprise Application Access ### Access Logs (ACCESS) Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/eaa-logs-from-eaa-api-and-splunk/GUID-8F07B320-2DD7-4035-9A8E-4E7435DFA3EA.html) -```text +```json { "username": "user1", "apphost": "vault.akamaidemo.net", 
@@ -53,7 +53,7 @@ Additional information regarding the log fields can be found on [here](https://l ### Admin Logs (ADMIN) Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/eaa-logs-from-eaa-api-and-splunk/GUID-F772F01C-46D1-411C-A41F-D4B780D998FB.html). -```text +```json { "datetime": "2021-07-23T05:54:40", "username": "system", @@ -66,7 +66,7 @@ Additional information regarding the log fields can be found on [here](https://l ### Connector Health (CONHEALTH) Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/eaa-logs-from-eaa-api-and-splunk/GUID-A79FBF43-DE2C-405A-8900-0D77DC8CEAF4.html) -```text +```json { "connector_uuid": "cht3_GEjQWyMW9LEk7KQfg", "name": "demo-v2-con-1-amer", @@ -90,7 +90,7 @@ Additional information regarding the log fields can be found on [here](https://l ## Enterprise Threat Protector (ETP) ### Threat Log (THREAT) Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#threatevent) -```text +```json { "pageInfo": { "totalRecords": 97913, @@ -481,7 +481,7 @@ Additional information regarding the log fields can be found on [here](https://d ### Accceptable Use Policy Logs (AUP) Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#event) -```text +```json { "pageInfo": { "totalRecords": 97913, 
@@ -870,17 +870,1097 @@ Additional information regarding the log fields can be found on [here](https://d } ``` +### DNS +Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#dnsactivityevent) +```json +{ + "pageInfo": { + "totalRecords": 685134, + "pageNumber": 1, + "pageSize": 5 + }, + "dataRows": [ + { + "id": "0", + "configId": "1041", + "hitCount": 1, + "alexaRanking": -1, + "query": { + "time": "2020-05-26T06:00:00Z", + "clientIp": "198.18.179.121", + "dnsIp": "198.18.193.241", + "domain": "1590448430.akamaietpmalwaretest.com.", + "queryType": "A", + "deviceId": "N/A", + "deviceName": "Not Available", + "resolved": [ + { + "type": "A", + "response": "34.193.182.244", + "asn": "14618", + "asname": "aws" + } + ] + }, + "event": { + "trigger": "null", + "siteId": "-1", + "siteName": "Unidentified IPs", + "policyId": "2240", + "policyName": "Default", + "confidenceName": "Unknown", + "actionId": "1", + "actionName": "Monitor", + "onRamp": "No", + "onrampType": "", + "internalClientIP": "N/A", + "clientRequestId": "", + "policyEvaluationSource": "dns", + "deepScanned": false + } + }, + { + "id": "1", + "configId": "1041", + "hitCount": 1, + "alexaRanking": 1000, + "query": { + "time": "2020-05-26T06:00:00Z", + "clientIp": "172.25.174.232", + "dnsIp": "198.18.193.241", + "domain": "spocs.getpocket.com.", + "queryType": "A", + "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975", + "deviceName": "BOS-WPX5E", + "resolved": [ + { + "type": "A", + "response": "50.16.145.165", + "asn": "14618", + "asname": "aws" + }, + { + "type": "A", + "response": "35.169.67.87", + "asn": "14618", + "asname": "aws" + }, + { + "type": "A", + "response": "52.202.154.119", + "asn": "14618", + "asname": "aws" + }, + { + "type": "A", + "response": "52.204.41.228", + "asn": "14618", + "asname": "aws" + } + ] + }, + "event": { + "trigger": "null", + "siteId": "51284", + 
"siteName": "E2E WIN 174.232 site", + "policyId": "38307", + "policyName": "E2E-CML-test", + "confidenceName": "Unknown", + "actionId": "6", + "actionName": "Classify", + "onRamp": "Yes", + "onrampType": "etp-client", + "internalClientIP": "N/A", + "clientRequestId": "00019313", + "policyEvaluationSource": "dns", + "deepScanned": false + } + }, + { + "id": "2", + "configId": "1041", + "hitCount": 1, + "alexaRanking": 1000000, + "query": { + "time": "2020-05-26T06:00:00Z", + "clientIp": "172.25.162.210", + "dnsIp": "198.18.193.241", + "domain": "cme-linuscmewlhrwlhr-013-wlhr-public.wbx2.com.", + "queryType": "A", + "deviceId": "dc475a9e-c192-4b0b-a34e-a95c0f8dfcad", + "deviceName": "WIN81-ENT-210", + "resolved": [ + { + "type": "A", + "response": "62.109.242.31", + "asn": "13445", + "asname": "N/A" + } + ] + }, + "event": { + "trigger": "null", + "siteId": "5003", + "siteName": "Off Network ETP Clients", + "policyId": "32965", + "policyName": "Westford OFF Network policy", + "confidenceName": "Unknown", + "actionId": "10", + "actionName": "Bypass", + "onRamp": "No", + "onrampType": "", + "internalClientIP": "N/A", + "clientRequestId": "00019274", + "policyEvaluationSource": "dns", + "deepScanned": false + } + }, + { + "id": "3", + "configId": "1041", + "hitCount": 1, + "alexaRanking": -1, + "query": { + "time": "2020-05-26T06:00:00Z", + "clientIp": "198.18.179.121", + "dnsIp": "198.18.193.241", + "domain": "1590447770.akamaietpmalwaretest.com.", + "queryType": "A", + "deviceId": "N/A", + "deviceName": "Not Available", + "resolved": [ + { + "type": "A", + "response": "34.193.182.244", + "asn": "14618", + "asname": "aws" + } + ] + }, + "event": { + "trigger": "null", + "siteId": "-1", + "siteName": "Unidentified IPs", + "policyId": "2240", + "policyName": "Default", + "confidenceName": "Unknown", + "actionId": "1", + "actionName": "Monitor", + "onRamp": "No", + "onrampType": "", + "internalClientIP": "N/A", + "clientRequestId": "", + "policyEvaluationSource": "dns", + 
"deepScanned": false + } + }, + { + "id": "4", + "configId": "1041", + "hitCount": 1, + "alexaRanking": 1000000, + "query": { + "time": "2020-05-26T06:00:00Z", + "clientIp": "198.18.179.159", + "dnsIp": "198.18.193.241", + "domain": "e6589.dscb.akamaiedge.net.", + "queryType": "A", + "deviceId": "630ace6b-4f26-41df-b411-cd652512cb04", + "deviceName": "Lab-Mac-19818179159.local", + "resolved": [ + { + "type": "A", + "response": "23.204.70.172", + "asn": "20940", + "asname": "qwest" + } + ] + }, + "event": { + "trigger": "null", + "siteId": "51277", + "siteName": "E2E Mac 179.159 site", + "policyId": "38307", + "policyName": "E2E-CML-test", + "confidenceName": "Unknown", + "actionId": "10", + "actionName": "Bypass", + "onRamp": "No", + "onrampType": "", + "internalClientIP": "N/A", + "clientRequestId": "00032083", + "policyEvaluationSource": "dns", + "deepScanned": false + } + } + ] +} +``` + +### PROXY +Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#proxytraffictransaction) +```json +{ + "pageInfo": { + "totalRecords": 44583, + "pageNumber": 1, + "pageSize": 5 + }, + "dataRows": [ + { + "id": "0", + "l7Protocol": "HTTP", + "isEvent": true, + "request": { + "startTime": 1590474813791, + "connectionId": "0x3706B3124FAFAF8C9574", + "domain": "statsfe2.ws.microsoft.com.", + "uri": "/ReportingWebService/ReportingWebService.asmx", + "method": "POST", + "clientPort": 48176, + "destinationIP": "52.183.47.176", + "destinationPort": 80, + "uuid": "1b72e77c-254a-4ba9-a456-2a1b4407d65b", + "clientIp": "172.25.162.210", + "queryStrings": [], + "headers": [ + { + "name": "Cache-Control", + "value": "no-cache" + }, + { + "name": "Content-Length", + "value": "2369" + }, + { + "name": "Content-Type", + "value": "text/xml; charset=utf-8" + }, + { + "name": "Host", + "value": "statsfe2.ws.microsoft.com" + }, + { + "name": "Pragma", + "value": "no-cache" + }, + { + 
"name": "User-Agent", + "value": "Windows-Update-Agent/7.9.9600.19670 Client-Protocol/1.21 EtpClient:3.0.0" + }, + { + "name": "X-Forwarded-For", + "value": "172.25.162.210, 172.25.162.210" + } + ] + }, + "response": { + "endTime": 1590474813793, + "hash": "", + "headers": [] + }, + "event": { + "correlatedSinkholeEvents": [ + { + "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11", + "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301", + "sourcePort": 48022, + "destinationPort": 80, + "l4Protocol": "TCP", + "hostname": "akamaietpcnctest.com", + "userAgent": "curl/7.47.0", + "l7Protocol": "HTTP", + "eventTime": "2020-05-22T02:16:34Z", + "url": "/", + "sinkholeName": "ETP_DNS_SINKHOLE", + "hitCount": 1, + "configId": 1041, + "internalIP": "198.18.179.187", + "sinkholeIP": "172.25.162.242", + "machineNames": [ + "N/A" + ] + } + ], + "trigger": "null", + "detectionTime": "2020-05-26T06:33:33Z", + "detectionType": "inline", + "siteId": "5003", + "siteName": "Off Network ETP Clients", + "policyId": "32965", + "policyName": "Westford OFF Network policy", + "listId": "-1", + "listName": "unknown", + "categoryId": "73", + "categoryName": "73", + "confidenceId": "-1", + "confidenceName": "Unknown", + "actionId": "4", + "actionName": "Block - Error Page", + "blockDescription": "The URL hosts malware.", + "reason": "Acceptable use policy", + "severityId": 0, + "severityLevel": "Unclassified", + "onrampType": "etp_offnet_client", + "internalClientIP": "172.25.162.210", + "clientRequestId": "dc475a9e-c192-4b0b-a34e-a95c0f8dfcad-15904747363383674-1195", + "deepscanReportPath": "", + "httpVersion": "1.1", + "httpUserAgent": "Windows-Update-Agent/7.9.9600.19670 Client-Protocol/1.21 EtpClient:3.0.0", + "deviceId": "dc475a9e-c192-4b0b-a34e-a95c0f8dfcad", + "deviceName": "WIN81-ENT-210", + "deepScanned": false, + "matchedGroups": [], + "listIdentifiers": [ + { + "listId": -1, + "categoryId": 73, + "confidenceId": -1, + "threatId": 0, + "listName": "unknown", + 
"categoryName": "73", + "confidenceName": "Unknown", + "threatName": "Unclassified" + } + ] + }, + "userIdentity": { + "encryptedUserID": "", + "encryptedUserName": "", + "groups": [] + } + }, + { + "id": "1", + "l7Protocol": "HTTPS", + "isEvent": false, + "request": { + "startTime": 1590474750161, + "connectionId": "0x3706B30F4FAEB4B27FB1", + "domain": "statics.teams.cdn.office.net.", + "uri": "/evergreen-assets/icons/1x1-000000ff.png", + "method": "GET", + "clientPort": 34656, + "destinationIP": "2600:1409:d000::17df:3490", + "destinationPort": 443, + "uuid": "38c91e98-37fc-40f0-876e-ba60104b4d35", + "clientIp": "172.25.174.232", + "queryStrings": [ + { + "name": "cb", + "value": "1590474712726" + } + ], + "headers": [ + { + "name": "Accept", + "value": "image/webp,image/apng,image/*,*/*;q=0.8" + }, + { + "name": "Accept-Encoding", + "value": "gzip, deflate, br" + }, + { + "name": "Accept-Language", + "value": "en-US" + }, + { + "name": "Connection", + "value": "keep-alive" + }, + { + "name": "Host", + "value": "statics.teams.cdn.office.net" + }, + { + "name": "Referer", + "value": "https://teams.microsoft.com/_" + }, + { + "name": "User-Agent", + "value": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.12058 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36" + } + ] + }, + "response": { + "endTime": 1590474750226, + "hash": "", + "headers": [ + { + "name": "Access-Control-Allow-Origin", + "value": "*" + }, + { + "name": "Cache-Control", + "value": "public, max-age=604777" + }, + { + "name": "Connection", + "value": "keep-alive" + }, + { + "name": "Content-Length", + "value": "68" + }, + { + "name": "Content-MD5", + "value": "5E5+z+yZNWYywTzT6qPiUA==" + }, + { + "name": "Content-Type", + "value": "image/png" + }, + { + "name": "Date", + "value": "Tue, 26 May 2020 06:32:30 GMT" + }, + { + "name": "ETag", + "value": "\"0x8D6D3F4152295F5\"" + }, + { + "name": "Last-Modified", + "value": "Wed, 08 May 2019 20:30:59 GMT" + }, 
+ { + "name": "Server", + "value": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0" + } + ] + }, + "event": { + "correlatedSinkholeEvents": [ + { + "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11", + "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301", + "sourcePort": 48022, + "destinationPort": 80, + "l4Protocol": "TCP", + "hostname": "akamaietpcnctest.com", + "userAgent": "curl/7.47.0", + "l7Protocol": "HTTP", + "eventTime": "2020-05-22T02:16:34Z", + "url": "/", + "sinkholeName": "ETP_DNS_SINKHOLE", + "hitCount": 1, + "configId": 1041, + "internalIP": "198.18.179.187", + "sinkholeIP": "172.25.162.242", + "machineNames": [ + "N/A" + ] + } + ], + "trigger": "null", + "detectionTime": "2020-05-26T06:32:30Z", + "detectionType": "N/A", + "siteId": "51284", + "siteName": "E2E WIN 174.232 site", + "policyId": "0", + "policyName": "0", + "listId": "-1", + "listName": "unknown", + "categoryId": "104", + "categoryName": "104", + "confidenceId": "-1", + "confidenceName": "Unknown", + "actionId": "5", + "actionName": "Allow", + "blockDescription": "The URL hosts malware.", + "reason": "Acceptable use policy", + "severityId": 0, + "severityLevel": "Unclassified", + "onrampType": "etp_client", + "internalClientIP": "172.25.174.232", + "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904747127323964-48715", + "deepscanReportPath": "", + "httpVersion": "1.1", + "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.12058 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36 EtpClient:3.0.0", + "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975", + "deviceName": "BOS-WPX5E", + "deepScanned": false, + "matchedGroups": [], + "listIdentifiers": [ + { + "listId": -1, + "categoryId": 104, + "confidenceId": -1, + "threatId": 0, + "listName": "unknown", + "categoryName": "104", + "confidenceName": "Unknown", + "threatName": "Unclassified" + } + ] + }, + "userIdentity": { + "encryptedUserID": "", + 
"encryptedUserName": "", + "groups": [] + } + }, + { + "id": "2", + "l7Protocol": "HTTPS", + "isEvent": false, + "request": { + "startTime": 1590474718273, + "connectionId": "0x3706B3154FAE37181163A", + "domain": "clickstream-killswitch.hd-personalization-prod.gcp.example.com.", + "uri": "/clickstream-killswitch/v1/detail", + "method": "GET", + "clientPort": 42380, + "destinationIP": "130.211.21.250", + "destinationPort": 443, + "uuid": "a1d7f692-c932-466a-82f6-e4e85bba7864", + "clientIp": "172.25.174.232", + "queryStrings": [], + "headers": [ + { + "name": "Accept", + "value": "*/*" + }, + { + "name": "Accept-Encoding", + "value": "gzip, deflate, br" + }, + { + "name": "Accept-Language", + "value": "en-US,en;q=0.9" + }, + { + "name": "Connection", + "value": "keep-alive" + }, + { + "name": "content-type", + "value": "application/json" + }, + { + "name": "Host", + "value": "clickstream-killswitch.hd-personalization-prod.gcp.example.com" + }, + { + "name": "Origin", + "value": "https://www.example.com" + }, + { + "name": "Referer", + "value": "https://www.example.com/" + }, + { + "name": "User-Agent", + "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + } + ] + }, + "response": { + "endTime": 1590474718348, + "hash": "", + "headers": [ + { + "name": "Access-Control-Allow-Origin", + "value": "https://www.example.com" + }, + { + "name": "Content-Length", + "value": "1329" + }, + { + "name": "Content-Type", + "value": "application/json;charset=UTF-8" + }, + { + "name": "Date", + "value": "Tue, 26 May 2020 06:31:57 GMT" + }, + { + "name": "Vary", + "value": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers" + }, + { + "name": "Via", + "value": "1.1 google" + } + ] + }, + "event": { + "correlatedSinkholeEvents": [ + { + "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11", + "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301", + "sourcePort": 48022, + 
"destinationPort": 80, + "l4Protocol": "TCP", + "hostname": "akamaietpcnctest.com", + "userAgent": "curl/7.47.0", + "l7Protocol": "HTTP", + "eventTime": "2020-05-22T02:16:34Z", + "url": "/", + "sinkholeName": "ETP_DNS_SINKHOLE", + "hitCount": 1, + "configId": 1041, + "internalIP": "198.18.179.187", + "sinkholeIP": "172.25.162.242", + "machineNames": [ + "N/A" + ] + } + ], + "trigger": "null", + "detectionTime": "2020-05-26T06:31:58Z", + "detectionType": "N/A", + "siteId": "51284", + "siteName": "E2E WIN 174.232 site", + "policyId": "0", + "policyName": "0", + "listId": "-1", + "listName": "unknown", + "categoryId": "55", + "categoryName": "Streaming Websites", + "confidenceId": "-1", + "confidenceName": "Unknown", + "actionId": "5", + "actionName": "Allow", + "blockDescription": "The URL hosts malware.", + "reason": "Acceptable use policy", + "severityId": 0, + "severityLevel": "Unclassified", + "onrampType": "etp_client", + "internalClientIP": "172.25.174.232", + "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904746798952196-48708", + "deepscanReportPath": "", + "httpVersion": "1.1", + "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 EtpClient:3.0.0", + "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975", + "deviceName": "BOS-WPX5E", + "deepScanned": false, + "matchedGroups": [], + "listIdentifiers": [ + { + "listId": -1, + "categoryId": 55, + "confidenceId": -1, + "threatId": 0, + "listName": "unknown", + "categoryName": "Streaming Websites", + "confidenceName": "Unknown", + "threatName": "Unclassified" + }, + { + "listId": -1, + "categoryId": 73, + "confidenceId": -1, + "threatId": 0, + "listName": "unknown", + "categoryName": "73", + "confidenceName": "Unknown", + "threatName": "Unclassified" + } + ] + }, + "userIdentity": { + "encryptedUserID": "", + "encryptedUserName": "", + "groups": [] + } + }, + { + "id": "3", + "l7Protocol": "HTTPS", + "isEvent": true, + 
"request": { + "startTime": 1590474706144, + "connectionId": "0x3706B3154FAE084111637", + "domain": "c.go-mpulse.net.", + "uri": "/api/config.json", + "method": "GET", + "clientPort": 41176, + "destinationIP": "2600:1409:d000:38e::11a6", + "destinationPort": 443, + "uuid": "8e86b32f-9a83-4162-a008-3e2c58b09f87", + "clientIp": "172.25.174.232", + "queryStrings": [ + { + "name": "key", + "value": "FDSGP-LEB9B-T8Y2A-5V5ED-9WX2T" + }, + { + "name": "d", + "value": "www.akamai.com" + }, + { + "name": "t", + "value": "5301582" + }, + { + "name": "v", + "value": "1.667.0" + }, + { + "name": "if", + "value": "" + }, + { + "name": "sl", + "value": "0" + }, + { + "name": "si", + "value": "876aebf5-a115-47de-973b-9ac2ba2cdd1c-qaqswv" + }, + { + "name": "r", + "value": "" + }, + { + "name": "bcn", + "value": "%2F%2F173e2548.akstat.io%2F" + }, + { + "name": "acao", + "value": "" + }, + { + "name": "ak.ai", + "value": "593889" + } + ], + "headers": [ + { + "name": "Accept", + "value": "*/*" + }, + { + "name": "Accept-Encoding", + "value": "gzip, deflate, br" + }, + { + "name": "Accept-Language", + "value": "en-US,en;q=0.9" + }, + { + "name": "Connection", + "value": "keep-alive" + }, + { + "name": "Host", + "value": "c.go-mpulse.net" + }, + { + "name": "Origin", + "value": "https://www.akamai.com" + }, + { + "name": "User-Agent", + "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + } + ] + }, + "response": { + "endTime": 1590474706146, + "hash": "", + "headers": [] + }, + "event": { + "correlatedSinkholeEvents": [ + { + "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11", + "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301", + "sourcePort": 48022, + "destinationPort": 80, + "l4Protocol": "TCP", + "hostname": "akamaietpcnctest.com", + "userAgent": "curl/7.47.0", + "l7Protocol": "HTTP", + "eventTime": "2020-05-22T02:16:34Z", + "url": "/", + "sinkholeName": "ETP_DNS_SINKHOLE", + 
"hitCount": 1, + "configId": 1041, + "internalIP": "198.18.179.187", + "sinkholeIP": "172.25.162.242", + "machineNames": [ + "N/A" + ] + } + ], + "trigger": "null", + "detectionTime": "2020-05-26T06:31:46Z", + "detectionType": "inline", + "siteId": "51284", + "siteName": "E2E WIN 174.232 site", + "policyId": "38307", + "policyName": "E2E-CML-test", + "listId": "-1", + "listName": "unknown", + "categoryId": "31", + "categoryName": "Chat Site", + "confidenceId": "-1", + "confidenceName": "Unknown", + "actionId": "4", + "actionName": "Block - Error Page", + "blockDescription": "The URL hosts malware.", + "reason": "Acceptable use policy", + "severityId": 0, + "severityLevel": "Unclassified", + "onrampType": "etp_client", + "internalClientIP": "172.25.174.232", + "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904746699129224-48707", + "deepscanReportPath": "", + "httpVersion": "1.1", + "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 EtpClient:3.0.0", + "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975", + "deviceName": "BOS-WPX5E", + "deepScanned": false, + "matchedGroups": [], + "listIdentifiers": [ + { + "listId": -1, + "categoryId": 31, + "confidenceId": -1, + "threatId": 0, + "listName": "unknown", + "categoryName": "Chat Site", + "confidenceName": "Unknown", + "threatName": "Unclassified" + } + ] + }, + "userIdentity": { + "encryptedUserID": "", + "encryptedUserName": "", + "groups": [] + } + }, + { + "id": "4", + "l7Protocol": "HTTPS", + "isEvent": false, + "request": { + "startTime": 1590474688053, + "connectionId": "0x3706B3124FADC2CF9570", + "domain": "d.la1-c2-ia4.salesforceliveagent.com.", + "uri": "/chat/rest/Visitor/Availability.jsonp", + "method": "GET", + "clientPort": 43149, + "destinationIP": "13.110.63.55", + "destinationPort": 443, + "uuid": "7b33eedd-8b7d-463b-80d9-996b74a0a9ee", + "clientIp": "172.25.174.232", + "queryStrings": [ + { + "name": "sid", + 
"value": "409d47de-bf85-433c-9c88-79add325835a" + }, + { + "name": "r", + "value": "906" + }, + { + "name": "Availability.prefix", + "value": "Visitor" + }, + { + "name": "Availability.ids", + "value": "[5730f000000HhB2,5730f000000HhAJ,5730f000000HhAY]" + }, + { + "name": "callback", + "value": "liveagent._.handlePing" + }, + { + "name": "deployment_id", + "value": "5720f0000009HUh" + }, + { + "name": "org_id", + "value": "00DA0000000Hu5a" + }, + { + "name": "version", + "value": "43" + } + ], + "headers": [ + { + "name": "Accept", + "value": "*/*" + }, + { + "name": "Accept-Encoding", + "value": "gzip, deflate, br" + }, + { + "name": "Accept-Language", + "value": "en-US,en;q=0.9" + }, + { + "name": "Connection", + "value": "keep-alive" + }, + { + "name": "Host", + "value": "d.la1-c2-ia4.salesforceliveagent.com" + }, + { + "name": "User-Agent", + "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + } + ] + }, + "response": { + "endTime": 1590474688139, + "hash": "", + "headers": [ + { + "name": "Access-Control-Allow-Origin", + "value": "*" + }, + { + "name": "Cache-Control", + "value": "no-cache" + }, + { + "name": "Connection", + "value": "close" + }, + { + "name": "Content-Encoding", + "value": "gzip" + }, + { + "name": "Content-Type", + "value": "text/javascript" + }, + { + "name": "Expires", + "value": "-1" + }, + { + "name": "Pragma", + "value": "no-cache" + }, + { + "name": "X-Content-Type-Options", + "value": "nosniff" + } + ] + }, + "event": { + "correlatedSinkholeEvents": [ + { + "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11", + "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301", + "sourcePort": 48022, + "destinationPort": 80, + "l4Protocol": "TCP", + "hostname": "akamaietpcnctest.com", + "userAgent": "curl/7.47.0", + "l7Protocol": "HTTP", + "eventTime": "2020-05-22T02:16:34Z", + "url": "/", + "sinkholeName": "ETP_DNS_SINKHOLE", + "hitCount": 1, + 
"configId": 1041, + "internalIP": "198.18.179.187", + "sinkholeIP": "172.25.162.242", + "machineNames": [ + "N/A" + ] + } + ], + "trigger": "null", + "detectionTime": "2020-05-26T06:31:28Z", + "detectionType": "N/A", + "siteId": "51284", + "siteName": "E2E WIN 174.232 site", + "policyId": "0", + "policyName": "0", + "listId": "-1", + "listName": "unknown", + "categoryId": "73", + "categoryName": "73", + "confidenceId": "-1", + "confidenceName": "Unknown", + "actionId": "5", + "actionName": "Allow", + "blockDescription": "The URL hosts malware.", + "reason": "Acceptable use policy", + "severityId": 0, + "severityLevel": "Unclassified", + "onrampType": "etp_client", + "internalClientIP": "172.25.174.232", + "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904746509095241-48705", + "deepscanReportPath": "", + "httpVersion": "1.1", + "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 EtpClient:3.0.0", + "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975", + "deviceName": "BOS-WPX5E", + "deepScanned": false, + "matchedGroups": [], + "listIdentifiers": [ + { + "listId": -1, + "categoryId": 73, + "confidenceId": -1, + "threatId": 0, + "listName": "unknown", + "categoryName": "73", + "confidenceName": "Unknown", + "threatName": "Unclassified" + } + ] + }, + "userIdentity": { + "encryptedUserID": "", + "encryptedUserName": "", + "groups": [] + } + } + ] +} +``` + ## Akamai MFA Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-mfa/akamai-mfa-logs-from-splunk-application/GUID-0F17296F-90F3-483E-AFDE-F98FBC51A8AC.html). 
### Authentication Logs (AUTH) Authentication Events Example:
-```text
-{"uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id": "app_3IyJXh2U9Jiws6bvxcf8X", "device": "push", "auth_method": "push", "user_id": "user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115"}
+```json
+{
+ "uuid": "aud_JfNqdl6zS23456623434",
+ "created_at": "2021-03-23T19:36:20.047688",
+ "browser_ip": "49.103.18.124",
+ "app_id": "app_3IyJXh2345345345345f8X",
+ "device": "push",
+ "auth_method": "push",
+ "user_id": "user_6Hy1v241221541i5dv3",
+ "username": "mschiess",
+ "is_success": true,
+ "device_metadata": "Android",
+ "receipt": "",
+ "browser_type": "Chrome",
+ "browser_version": "88.0.4324",
+ "browser_os": "MacOS",
+ "browser_os_version": "10.15.7",
+ "device_os": "android",
+ "device_os_version": "10.0.0",
+ "browser_geo_location": "BANGALORE KA, IN",
+ "device_geo_location": "BANGALORE KA, IN",
+ "device_ip": "49.103.18.124"
+}
 ``` ### Policy Logs (POLICY) Policy Denied Events Example:
-```text
-{"id": "aud_5mRypRCazgr8ucRJtICVJt", "created_at": "2021-03-23T17:20:50.524672", "user_id": "user_3CbCStOKG0uGdjRILocuxW", "principal_id": "Tenant", "policy_id": "policy_5iMncPFO8euHE8JRviQL4j", "policy_attribute_name": "Existing User"}
+```json
+{
+ "id": "aud_5mRypRCa3456789VJt",
+ "created_at": "2021-03-23T17:20:50.524672",
+ "user_id": "user_3CbCStOKG0uGdjRILocuxW",
+ "principal_id": "Tenant",
+ "policy_id": "policy_5iMncPFO2345678QL4j",
+ "policy_attribute_name": "Existing User"
+}
 ```
\ No newline at end of file
diff --git a/docker-compose/README.md b/docs/docker-compose/README.md
similarity index 58%
rename from docker-compose/README.md
rename to docs/docker-compose/README.md
index fc4b153..ae79a21 100644
--- a/docker-compose/README.md
+++ b/docs/docker-compose/README.md
@@ -2,8 +2,8 @@ Within this directory, we provide some `docker compose` examples including example files. The docker-compose.yml controls the docker - relevant attributes like mounting the `.edgerc` file into the container.
-The `.env` files control the ULS via dedicated [ENVIRONMENTAL VARIABLES](../docs/ARGUMENTS_ENV_VARS.md).
+The `.env` files control the ULS via dedicated [ENVIRONMENTAL VARIABLES](../ARGUMENTS_ENV_VARS.md).
-The [simple](./simple/README.md) directory provides a simple example running ULS via `docker compose`
-The [complex](./complex/README.md) directory provides a more "real world" example combining multiple feeds and different outputs.
+The [simple](simple/README.md) directory provides a simple example running ULS via `docker compose`
+The [complex](complex/README.md) directory provides a more "real world" example combining multiple feeds and different outputs.
 The [example](examples/README.md) directory provides different configuration snippets.
diff --git a/docker-compose/complex/README.md b/docs/docker-compose/complex/README.md
similarity index 100%
rename from docker-compose/complex/README.md
rename to docs/docker-compose/complex/README.md
diff --git a/docker-compose/complex/docker-compose.yml b/docs/docker-compose/complex/docker-compose.yml
similarity index 84%
rename from docker-compose/complex/docker-compose.yml
rename to docs/docker-compose/complex/docker-compose.yml
index 0438549..ca5d012 100644
--- a/docker-compose/complex/docker-compose.yml
+++ b/docs/docker-compose/complex/docker-compose.yml
@@ -8,6 +8,7 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
 eaa-access:
 image: akamai/uls:latest
 restart: always
@@ -16,6 +17,7 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
 eaa-admin:
 image: akamai/uls:latest
 restart: always
@@ -23,4 +25,5 @@ services:
 volumes:
 - type: bind
 source: /path/to/your/.edgerc
- target: /opt/akamai-uls/.edgerc
\ No newline at end of file
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
\ No newline at end of file
diff --git a/docker-compose/complex/eaa-access.env b/docs/docker-compose/complex/eaa-access.env
similarity index 100%
rename from docker-compose/complex/eaa-access.env
rename to docs/docker-compose/complex/eaa-access.env
diff --git a/docker-compose/complex/etp-threat.env b/docs/docker-compose/complex/etp-threat.env
similarity index 100%
rename from docker-compose/complex/etp-threat.env
rename to docs/docker-compose/complex/etp-threat.env
diff --git a/docker-compose/complex/mfa-auth.env b/docs/docker-compose/complex/mfa-auth.env
similarity index 100%
rename from docker-compose/complex/mfa-auth.env
rename to docs/docker-compose/complex/mfa-auth.env
diff --git a/docker-compose/examples/README.md b/docs/docker-compose/examples/README.md
similarity index 100%
rename from docker-compose/examples/README.md
rename to docs/docker-compose/examples/README.md
diff --git a/docker-compose/examples/all_services_docker-compose.yml b/docs/docker-compose/examples/all_services_docker-compose.yml
similarity index 66%
rename from docker-compose/examples/all_services_docker-compose.yml
rename to docs/docker-compose/examples/all_services_docker-compose.yml
index 8ea40fc..a6e5c2d 100644
--- a/docker-compose/examples/all_services_docker-compose.yml
+++ b/docs/docker-compose/examples/all_services_docker-compose.yml
@@ -9,6 +9,7 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
 # AUP
 etp-aup:
 image: akamai/uls:latest
@@ -18,6 +19,27 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
+ # DNS
+ etp-aup:
+ image: akamai/uls:latest
+ restart: always
+ env_file: etp-dns.env
+ volumes:
+ - type: bind
+ source: /path/to/your/.edgerc
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
+ # PROXY
+ etp-aup:
+ image: akamai/uls:latest
+ restart: always
+ env_file: etp-proxy.env
+ volumes:
+ - type: bind
+ source: /path/to/your/.edgerc
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
 # EAA
 # ACCESS
 eaa-access:
@@ -28,6 +50,7 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
 # ADMIN
 eaa-admin:
 image: akamai/uls:latest
@@ -37,6 +60,7 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
 # MFA
 # AUTH
 mfa-auth:
@@ -47,6 +71,7 @@ services:
 - type: bind
 source: /path/to/your/.edgerc
 target: /opt/akamai-uls/.edgerc
+ read_only: true
 # POLICY
 mfa-policy:
 image: akamai/uls:latest
@@ -55,4 +80,5 @@ services:
 volumes:
 - type: bind
 source: /path/to/your/.edgerc
- target: /opt/akamai-uls/.edgerc
\ No newline at end of file
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
\ No newline at end of file
diff --git a/docker-compose/examples/example_env_file.env b/docs/docker-compose/examples/example_env_file.env
similarity index 91%
rename from docker-compose/examples/example_env_file.env
rename to docs/docker-compose/examples/example_env_file.env
index 2c7bc45..d62c333 100644
--- a/docker-compose/examples/example_env_file.env
+++ b/docs/docker-compose/examples/example_env_file.env
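Review bot: The two services added under `# DNS` and `# PROXY` both reuse the key `etp-aup:` that the existing AUP service directly above already uses, so the `services:` mapping ends up with three identical keys; YAML loaders either reject duplicate mapping keys or keep only the last one, and in the latter case only the PROXY definition survives while the DNS service silently disappears. Rename them to match the feed, `etp-dns:` and `etp-proxy:`, consistent with the `eaa-access`/`eaa-admin`/`mfa-auth`/`mfa-policy` naming used elsewhere in this file. The referenced `etp-dns.env` and `etp-proxy.env` are not added by this commit as far as the diff shows, so the `env_file:` lines should be confirmed against the examples directory or the files added. The enclosing `services:` mapping starts above the hunk.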
@@ -10,17 +10,17 @@ ULS_LOGLEVEL=DEBUG ULS_INPUT=ETP # THE INPUT FEED # EAA: [ ADMIN | ACCESS]
- # ETP: [ THREAT | AUP ]
+ # ETP: [ THREAT | AUP | DNS | PROXY]
 # MFA: [ POLICY | AUTH ] ULS_FEED=THREAT
- # INPUT FORRMAT
+ # INPUT FORMAT
 ULS_FORMAT=JSON # LOCATION OF THE AKAMAI .EDGERC FILE ULS_EDGERC='/opt/akamai-uls/.edgerc' # RELEVANT SECTION WITHIN THE EDGERC FILE ULS_SECTION=default # PROXY TO ACCESS AKAMAI API'S WHILE FETCHING THE LOGS
- #ULS_INPUT_PROXY='None'
+ #ULS_INPUT_PROXY='None' (known issue - see FAQ.md)
 # OUTPUT CONFIGURATION # OUTPUT PATH [ TCP / UDP / HTTP ]
diff --git a/docker-compose/simple/README.md b/docs/docker-compose/simple/README.md
similarity index 100%
rename from docker-compose/simple/README.md
rename to docs/docker-compose/simple/README.md
diff --git a/docker-compose/simple/docker-compose.yml b/docs/docker-compose/simple/docker-compose.yml
similarity index 74%
rename from docker-compose/simple/docker-compose.yml
rename to docs/docker-compose/simple/docker-compose.yml
index 3fe72f1..80f915a 100644
--- a/docker-compose/simple/docker-compose.yml
+++ b/docs/docker-compose/simple/docker-compose.yml
@@ -7,4 +7,5 @@ services:
 volumes:
 - type: bind
 source: /path/to/your/.edgerc
- target: /opt/akamai-uls/.edgerc
\ No newline at end of file
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
\ No newline at end of file
diff --git a/docker-compose/simple/etp-threat.env b/docs/docker-compose/simple/etp-threat.env
similarity index 100%
rename from docker-compose/simple/etp-threat.env
rename to docs/docker-compose/simple/etp-threat.env
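Review bot: The note appended to `#ULS_INPUT_PROXY='None' (known issue - see FAQ.md)` sits on the variable line itself, so a user who removes the leading `#` to configure a proxy may get ` (known issue - see FAQ.md)` carried into the value, since trailing text on an `env_file:` line is not reliably treated as a comment. Keep the variable line as it was and put the pointer on its own comment line above it, e.g. `# KNOWN ISSUE WHEN SETTING ULS_INPUT_PROXY - SEE FAQ.md` followed by `#ULS_INPUT_PROXY='None'`. The rest of the hunk already follows that one-comment-line-per-option layout, so this keeps the file consistent.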