From 163a490e432d70fe2af555fc81228dd8091c4b12 Mon Sep 17 00:00:00 2001
From: Mike Schiessl <77062930+MikeSchiessl@users.noreply.github.com>
Date: Wed, 18 Aug 2021 15:46:50 +0200
Subject: [PATCH] Version 1.1.0 (#13)
## v1.1.0
|||
|---|---|
|Date|2021-08-18
|Kind|Bugfix / Feature
|Author|mschiess@akamai.com
- Features
- Added **DNS** and **PROXY** feeds to ETP Input (<3 Sara)
- Minor improvements
- Version number fix (Stated 0.9.0 instead of 1.x.x)
- debug "message" fix (changed HTTP to HTTP(S) to avoid misunderstanding)
- documented workaround for discovered proxy issue
- enabled json highlighting in [Log_overview](./LOG_OVERVIEW.md)
- added better error guidance when basic stuff is unset (input / output)
- moved docker-compose from root dir to /docs
- added `read_only: true` to the docker-compose.yml files (security enhancement)
---
README.md | 10 +-
bin/config/global_config.py | 10 +-
bin/modules/UlsArgsParser.py | 4 +-
bin/modules/UlsInputCli.py | 4 +-
bin/modules/UlsOutput.py | 2 +-
bin/modules/UlsTools.py | 14 +
bin/uls.py | 3 +
docs/AKAMAI_API_CREDENTIALS.md | 2 +
docs/ARGUMENTS_ENV_VARS.md | 4 +-
docs/CHANGELOG.md | 17 +
docs/DOCKER-COMPOSE_USAGE.md | 12 +-
docs/FAQ.md | 18 +-
docs/LOG_OVERVIEW.md | 1098 ++++++++++++++++-
.../docker-compose}/README.md | 6 +-
.../docker-compose}/complex/README.md | 0
.../complex/docker-compose.yml | 5 +-
.../docker-compose}/complex/eaa-access.env | 0
.../docker-compose}/complex/etp-threat.env | 0
.../docker-compose}/complex/mfa-auth.env | 0
.../docker-compose}/examples/README.md | 0
.../examples/all_services_docker-compose.yml | 28 +-
.../examples/example_env_file.env | 6 +-
.../docker-compose}/simple/README.md | 0
.../docker-compose}/simple/docker-compose.yml | 3 +-
.../docker-compose}/simple/etp-threat.env | 0
25 files changed, 1206 insertions(+), 40 deletions(-)
mode change 100644 => 100755 bin/uls.py
rename {docker-compose => docs/docker-compose}/README.md (58%)
rename {docker-compose => docs/docker-compose}/complex/README.md (100%)
rename {docker-compose => docs/docker-compose}/complex/docker-compose.yml (84%)
rename {docker-compose => docs/docker-compose}/complex/eaa-access.env (100%)
rename {docker-compose => docs/docker-compose}/complex/etp-threat.env (100%)
rename {docker-compose => docs/docker-compose}/complex/mfa-auth.env (100%)
rename {docker-compose => docs/docker-compose}/examples/README.md (100%)
rename {docker-compose => docs/docker-compose}/examples/all_services_docker-compose.yml (66%)
rename {docker-compose => docs/docker-compose}/examples/example_env_file.env (91%)
rename {docker-compose => docs/docker-compose}/simple/README.md (100%)
rename {docker-compose => docs/docker-compose}/simple/docker-compose.yml (74%)
rename {docker-compose => docs/docker-compose}/simple/etp-threat.env (100%)
diff --git a/README.md b/README.md
index f191662..cfe15e1 100644
--- a/README.md
+++ b/README.md
@@ -38,16 +38,18 @@ It can be run directly as Python code, as a provided Docker container or through
- [Enterprise Threat Protectors (ETP)](https://www.akamai.com/us/en/products/security/enterprise-threat-protector.jsp)
- [THREAT](docs/LOG_OVERVIEW.md#threat-log-threat)
- [AUP](docs/LOG_OVERVIEW.md#accceptable-use-policy-logs-aup)
+ - [DNS](docs/LOG_OVERVIEW.md#dns)
+ - [PROXY](docs/LOG_OVERVIEW.md#proxy)
- [Akamai Phish-proof Multi Factor Authenticator (AKAMAI-MFA)](https://www.akamai.com/us/en/products/security/akamai-mfa.jsp)
- [AUTH](docs/LOG_OVERVIEW.md#authentication-logs-auth)
- [POLICY](docs/LOG_OVERVIEW.md#policy-logs-policy)
- Supported data outputs
- - TCP Socket (tcp://host:port)
- - UDP Socket (udp://host:port)
- - HTTP(S) URL (http(s)://host:port/path) (supporting Authentication)
- - RAW (>STDOUT)
+ - TCP Socket (tcp://host:port) `--output tcp`
+ - UDP Socket (udp://host:port) `--output udp`
+ - HTTP(S) URL (http(s)://host:port/path) (supporting Authentication) `--output http`
+ - RAW (>STDOUT) `--output raw`
- Operation types
diff --git a/bin/config/global_config.py b/bin/config/global_config.py
index 50835f8..0d9bd5b 100644
--- a/bin/config/global_config.py
+++ b/bin/config/global_config.py
@@ -1,7 +1,7 @@
#!/usr/bin/env python3
# Common global variables / constants
-__version__ = "0.9.0"
+__version__ = "1.1.0"
__tool_name_long__ = "Akamai Unified Log Streamer"
__tool_name_short__ = "ULS"
@@ -17,9 +17,13 @@
bin_eaa_cli = "ext/cli-eaa/bin/akamai-eaa"
# Available EAA CLI feeds
eaa_cli_feeds = ['ACCESS', 'ADMIN', 'CONHEALTH']
+
# ETP
-bin_etp_cli = "ext/cli-etp/bin/akamai-etp" # Path to the ETP CLI Executable
-etp_cli_feeds = ['THREAT', 'AUP'] # Available ETP CLI feeds
+ # Path to the ETP CLI Executable
+bin_etp_cli = "ext/cli-etp/bin/akamai-etp"
+ # Available ETP CLI feeds
+etp_cli_feeds = ['THREAT', 'AUP', 'DNS', 'PROXY']
+
# MFA
bin_mfa_cli = "ext/cli-mfa/bin/akamai-mfa" # Path to the MFA CLI Executable
mfa_cli_feeds = ['POLICY', 'AUTH'] # Available MFA CLI feeds
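Review bot: The two new comment lines above `bin_etp_cli` and `etp_cli_feeds` appear to carry a leading space (the `+` is followed by ` # Path to ...`), which is harmless to the interpreter but leaves them visually indented at module level while the EAA and MFA entries directly above and below keep their comments trailing on the assignment line. Either drop the leading space or keep the file's existing trailing-comment form, e.g. `etp_cli_feeds = ['THREAT', 'AUP', 'DNS', 'PROXY']  # Available ETP CLI feeds`, so the three product blocks read the same way. The version-bump hunk above needs no change.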
diff --git a/bin/modules/UlsArgsParser.py b/bin/modules/UlsArgsParser.py
index 003102b..8166093 100644
--- a/bin/modules/UlsArgsParser.py
+++ b/bin/modules/UlsArgsParser.py
@@ -70,7 +70,9 @@ def init():
dest='inproxy',
type=str,
default=(os.environ.get('ULS_INPUT_PROXY') or None),
- help="Use a proxy Server for the INPUT requests (fetching data from AKAMAI API'S)")
+ help=argparse.SUPPRESS)
+ # We're surpressing this for now, as the param does not seem to work (mschiess-20210818 - see EME-498)
+ #help="Use a proxy Server for the INPUT requests (fetching data from AKAMAI API'S)")
# RAWCMD
input_group.add_argument('--rawcmd',
action='store',
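Review bot: Hiding `--inproxy` with `argparse.SUPPRESS` does not stop the option from taking effect: the argument is still registered and still defaults from `ULS_INPUT_PROXY` on the line above, so a user who sets that variable gets a value that (per the comment referencing EME-498) does not work, with no indication in `--help` or at runtime. If the intent is to keep the value from being used, the consumer of `inproxy` should log a warning when it is set and point at the documented `HTTP_PROXY`/`HTTPS_PROXY` workaround; that consumer is outside this hunk, so I can only suggest it. The commented-out `#help=...` line should be removed rather than kept, since the comment above it already records why the option is hidden, and "surpressing" should read "suppressing", e.g. `# Suppressed for now, as the param does not seem to work (mschiess-20210818 - see EME-498)`. The enclosing `init()` starts outside the hunk.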
diff --git a/bin/modules/UlsInputCli.py b/bin/modules/UlsInputCli.py
index b7aedd9..6d7e5f1 100644
--- a/bin/modules/UlsInputCli.py
+++ b/bin/modules/UlsInputCli.py
@@ -43,10 +43,10 @@ def _feed_selector(self, feed, product_feeds):
if feed in product_feeds:
# feed matches the given list
aka_log.log.debug(f'{self.name} - selected feed: {feed}')
- elif not feed:
+ elif not feed or feed == "DEFAULT":
# Set default (first of feeds)
feed = product_feeds[0]
- aka_log.log.debug(f'{self.name} - using default feed: {feed}')
+ aka_log.log.warning(f'{self.name} - using default feed: {feed}')
else:
aka_log.log.critical(
f"{self.name} - Feed ({feed}) not available - Available: {product_feeds}")
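Review bot: The new `feed == "DEFAULT"` comparison is case-sensitive, and nothing in this hunk shows the feed value being normalised before `_feed_selector` is reached, so `--feed default` would fall through to the `critical` branch with an "not available" message that lists only the product feeds; if the feed is not upper-cased by the caller, `elif not feed or feed.upper() == "DEFAULT":` is the safer form (`not feed` short-circuits the `None` case). The `DEFAULT` sentinel is also not mentioned in the `--feed` row of the ARGUMENTS_ENV_VARS.md table updated in this same patch, so it should be added there or the message in the `else` branch should name it. Raising the default-feed message from `debug` to `warning` is a reasonable change, since silently streaming a different feed than the operator expected is worth surfacing. `_feed_selector` begins and ends outside the hunk.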
diff --git a/bin/modules/UlsOutput.py b/bin/modules/UlsOutput.py
index 4054866..33eacb8 100644
--- a/bin/modules/UlsOutput.py
+++ b/bin/modules/UlsOutput.py
@@ -135,7 +135,7 @@ def connect(self, output_type: str, host: str, port: int,
f'Use --httpurl instead of --host / --port')
sys.exit(1)
else:
- aka_log.log.debug(f"{self.name} attempting to connect via HTTP to {http_url} ")
+ aka_log.log.debug(f"{self.name} attempting to connect via HTTP(S) to {http_url} ")
# Let'S do an options request
self.http_url = http_url
diff --git a/bin/modules/UlsTools.py b/bin/modules/UlsTools.py
index 7f2cf3b..a8a57cc 100644
--- a/bin/modules/UlsTools.py
+++ b/bin/modules/UlsTools.py
@@ -112,3 +112,17 @@ def uls_check_edgerc(configfile, configsection, configvalues):
else:
aka_log.log.debug(f"Required configuration value '{configvalue}' found.")
return 0
+
+
+def uls_check_args(input, output):
+ missing = None
+ if not input:
+ missing = "INPUT"
+ elif not output:
+ missing = "OUTPUT"
+ if missing:
+ aka_log.log.critical(f"Required argument / ENV var not set: {missing}")
+ aka_log.log.critical(f"Please run `bin/uls.py --help` for additional information")
+ sys.exit(1)
+ else:
+ return 0
\ No newline at end of file
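Review bot: `uls_check_args` reports only the first missing setting because of the `elif`, so an operator with neither INPUT nor OUTPUT set sees "INPUT", fixes it, and is only then told about OUTPUT; collecting every missing name before exiting avoids the second round trip. The second `critical` call is an f-string with no placeholders and should be a plain string, the `else:` after `sys.exit(1)` is redundant, the parameter named `input` shadows the builtin (keeping the name is fine for callers that pass positionally, as `uls.py` does, but a rename to `input_src` would read better), and the file now ends without a trailing newline. A rewrite along these lines keeps the same signature and exit behaviour:
```python
def uls_check_args(input, output):
    """Exit with status 1 when INPUT or OUTPUT is unset; return 0 otherwise."""
    missing = [name for name, value in (("INPUT", input), ("OUTPUT", output)) if not value]
    if missing:
        aka_log.log.critical(f"Required argument / ENV var not set: {', '.join(missing)}")
        aka_log.log.critical("Please run `bin/uls.py --help` for additional information")
        sys.exit(1)
    return 0
```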
diff --git a/bin/uls.py b/bin/uls.py
old mode 100644
new mode 100755
index 1a413d7..85ffca4
--- a/bin/uls.py
+++ b/bin/uls.py
@@ -62,6 +62,9 @@ def main():
# Load the LOG system
aka_log.init(uls_args.loglevel, uls_config.__tool_name_short__)
+ # Verify the given core params (at least input and output should be set)
+ UlsTools.uls_check_args(uls_args.input, uls_args.output)
+
# Check CLI Environment
UlsTools.uls_check_sys()
diff --git a/docs/AKAMAI_API_CREDENTIALS.md b/docs/AKAMAI_API_CREDENTIALS.md
index 357a68b..b4c5ee7 100644
--- a/docs/AKAMAI_API_CREDENTIALS.md
+++ b/docs/AKAMAI_API_CREDENTIALS.md
@@ -27,6 +27,8 @@ This document describes how to create Akamai API credentials and configure them
|Enterprise Application Access|EAA|HEALTH|[{OPEN} API / Enterprise Application Access](#eaa-open-api-for-connector-health-feed)|
|Enterprise Threat Protector|ETP|THREAT|[{OPEN} API / ETP Report](#etp-open-api-reporting)|
|Enterprise Threat Protector|ETP|AUP|[{OPEN} API / ETP Report](#etp-open-api-reporting)|
+|Enterprise Threat Protector|ETP|DNS|[{OPEN} API / ETP Report](#etp-open-api-reporting)|
+|Enterprise Threat Protector|ETP|PROXY|[{OPEN} API / ETP Report](#etp-open-api-reporting)|
|Akamai MFA|MFA|AUTH|[MFA Integration](#mfa-integration-for-logging)|
|Akamai MFA|MFA|POLICY|[MFA Integration](#mfa-integration-for-logging)|
diff --git a/docs/ARGUMENTS_ENV_VARS.md b/docs/ARGUMENTS_ENV_VARS.md
index 9806c4b..52f3aea 100644
--- a/docs/ARGUMENTS_ENV_VARS.md
+++ b/docs/ARGUMENTS_ENV_VARS.md
@@ -14,9 +14,9 @@ The following tables list all available command line parameters and their corres
|Parameter|Env - Var|Options|Default|Description|
|---|---|---|---|---|
|-i
--input | ULS_INPUT | 'EAA', 'ETP', 'MFA' | None | Specify the desired INPUT source |
-|--feed | ULS_FEED | EAA: 'ACCESS', 'ADMIN', 'CONHEALTH'
ETP: 'THREAT', 'AUP'
MFA: 'AUTH','POLICY' | None | Specify the desired INPUT feed |
+|--feed | ULS_FEED | EAA: 'ACCESS', 'ADMIN', 'CONHEALTH'
ETP: 'THREAT', 'AUP', 'DNS', 'PROXY'
MFA: 'AUTH','POLICY' | None | Specify the desired INPUT feed |
|--format | ULS_FORMAT | 'JSON', 'TEXT' | JSON | Specify the desired INPUT (=OUTPUT) format |
-|--inproxy
--inputproxy | ULS_INPUT_PROXY | HOST:PORT| None | Adjust proxy usage for INPUT data collection (cli) |
+|--inproxy
--inputproxy | ULS_INPUT_PROXY | HOST:PORT| None | Adjust proxy usage for INPUT data collection (cli)
There is a known issue in the usage, [please read more about it here](./FAQ.md#--inputproxy-proxy-does-not-work-as-expected)|
|--rawcmd | ULS_RAWCMD | \ | None | USE with caution /!\
This is meant only to be used when told by AKAMAI [Click here for more information](ADDITIONAL_FEATURES.md#rawcmd---rawcmd-feature)|
|--edgerc | ULS_EDGERC | /path/to/your/.edgerc | '~/.edgerc' | Specify the location of the .edgerc EDGE GRID AUTH file |
|--section | ULS_SECTION | edgerc_config_section | 'default' | Specify the desired section within the .edgerc file |
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 74db884..6ab9bdf 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,5 +1,22 @@
# Version History
+## v1.1.0
+|||
+|---|---|
+|Date|2021-08-18
+|Kind|Bugfix / Feature
+|Author|mschiess@akamai.com
+- Features
+ - Added **DNS** and **PROXY** feeds to ETP Input (<3 Sara)
+- Minor improvements
+ - Version number fix (Stated 0.9.0 instead of 1.x.x)
+ - debug "message" fix ( changed HTTP to HTTP(S) to avoid misunderstanding)
+ - documented workaround for discovered proxy issue
+ - enabled json highlighting in [Log_overview](./LOG_OVERVIEW.md)
+ - added better error guidance when basic stuff is unset (input / output)
+ - moved docker-compose from root dir to /docs
+ - added `read_only: true` to the docker-compose.yml files (security enhancement)
+
## v1.0.0
|||
|---|---|
diff --git a/docs/DOCKER-COMPOSE_USAGE.md b/docs/DOCKER-COMPOSE_USAGE.md
index 27e0b9f..1f3a7a6 100644
--- a/docs/DOCKER-COMPOSE_USAGE.md
+++ b/docs/DOCKER-COMPOSE_USAGE.md
@@ -52,8 +52,8 @@ docker compose up -d
This will run the "simple" use case in foreground.
The `docker-compose.yml` file will reference the `etp-threat.env` and provide the configuration from that file.
**Files:**
- - [docker-compose.yml](../docker-compose/simple/docker-compose.yml)
- - [etp-threat.env](../docker-compose/simple/etp-threat.env)
+ - [docker-compose.yml](docker-compose/simple/docker-compose.yml)
+ - [etp-threat.env](docker-compose/simple/etp-threat.env)
- Complex docker-compose setup delivering different streams to different endpoints
@@ -63,7 +63,7 @@ docker compose up -d
```
This triggers a more complex setup consisting out of 3 different data feeds.
**Files:**
- - [docker-compose.yml](../docker-compose/complex/docker-compose.yml)
- - [etp-threat.env](../docker-compose/complex/etp-threat.env)
- - [eaa-admin.env](../docker-compose/complex/eaa-access.env)
- - [eaa-access.env](../docker-compose/complex/eaa-access.env)
\ No newline at end of file
+ - [docker-compose.yml](docker-compose/complex/docker-compose.yml)
+ - [etp-threat.env](docker-compose/complex/etp-threat.env)
+ - [eaa-admin.env](docker-compose/complex/eaa-access.env)
+ - [eaa-access.env](docker-compose/complex/eaa-access.env)
\ No newline at end of file
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 531ffc6..c4cc722 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -7,6 +7,7 @@
- [What command line Options are available ? ](#what-command-line-options-are-available-)
- [What environmental variables (ENV VARS) are available](#what-environmental-variables-env-vars-are-available-#)
- [--version does not show all versions](#ulspy---version-does-not-show-all-versions)
+- [--inputproxy does not work as expected](#--inputproxy-proxy-does-not-work-as-expected)
----
## FAQ
@@ -38,11 +39,22 @@ There is a dedicated document explaining the [command line parameters and enviro
There is a dedicated document explaining the [command line parameters and environment variables.](ARGUMENTS_ENV_VARS.md)
---
-<<<<<<< HEAD
### `uls.py --version` does not show all versions
This is (sadly) a known issue. It is a problem within some of the CLI's if no ".edgerc" file is provided. If you provide a `.edgerc`, the show is correct.
---
-=======
->>>>>>> 2d20b502da2fcc131088bf0498ddcf56a12d531d
+### `--inputproxy ` does not work as expected
+This is (sadly) a known issue.
+The good news is we do have a proper workaround for this.
+Instead of setting the Option `--inputproxy ` or the ENV var `ULS_INPUT_PROXY` do the following:
+
+Set the ENV following ENV vars to your environment / container.
+```text
+HTTP_PROXY=http://your.proxy.internal:3128"
+HTTPS_PROXY=http://your.proxy.internal:3128"
+NO_PROXY="localhost,127.0.0.1,::1"
+```
+Those can also be added to the .evn file when using docker / docker-compose.
+**Please ensure, you are ADDING YOUR SIEM HOST IP to the NO_PROXY line when the SIEM is internal to avoid issues**
+`NO_PROXY="localhost,127.0.0.1,::1,my_siem.host"`
\ No newline at end of file
diff --git a/docs/LOG_OVERVIEW.md b/docs/LOG_OVERVIEW.md
index 0c33c6b..44f5c96 100644
--- a/docs/LOG_OVERVIEW.md
+++ b/docs/LOG_OVERVIEW.md
@@ -17,7 +17,7 @@ Here are some examples (per product) and links to additional information.
## Enterprise Application Access
### Access Logs (ACCESS)
Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/eaa-logs-from-eaa-api-and-splunk/GUID-8F07B320-2DD7-4035-9A8E-4E7435DFA3EA.html)
-```text
+```json
{
"username": "user1",
"apphost": "vault.akamaidemo.net",
@@ -53,7 +53,7 @@ Additional information regarding the log fields can be found on [here](https://l
### Admin Logs (ADMIN)
Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/eaa-logs-from-eaa-api-and-splunk/GUID-F772F01C-46D1-411C-A41F-D4B780D998FB.html).
-```text
+```json
{
"datetime": "2021-07-23T05:54:40",
"username": "system",
@@ -66,7 +66,7 @@ Additional information regarding the log fields can be found on [here](https://l
### Connector Health (CONHEALTH)
Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/eaa-logs-from-eaa-api-and-splunk/GUID-A79FBF43-DE2C-405A-8900-0D77DC8CEAF4.html)
-```text
+```json
{
"connector_uuid": "cht3_GEjQWyMW9LEk7KQfg",
"name": "demo-v2-con-1-amer",
@@ -90,7 +90,7 @@ Additional information regarding the log fields can be found on [here](https://l
## Enterprise Threat Protector (ETP)
### Threat Log (THREAT)
Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#threatevent)
-```text
+```json
{
"pageInfo": {
"totalRecords": 97913,
@@ -481,7 +481,7 @@ Additional information regarding the log fields can be found on [here](https://d
### Accceptable Use Policy Logs (AUP)
Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#event)
-```text
+```json
{
"pageInfo": {
"totalRecords": 97913,
@@ -870,17 +870,1097 @@ Additional information regarding the log fields can be found on [here](https://d
}
```
+### DNS
+Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#dnsactivityevent)
+```json
+{
+ "pageInfo": {
+ "totalRecords": 685134,
+ "pageNumber": 1,
+ "pageSize": 5
+ },
+ "dataRows": [
+ {
+ "id": "0",
+ "configId": "1041",
+ "hitCount": 1,
+ "alexaRanking": -1,
+ "query": {
+ "time": "2020-05-26T06:00:00Z",
+ "clientIp": "198.18.179.121",
+ "dnsIp": "198.18.193.241",
+ "domain": "1590448430.akamaietpmalwaretest.com.",
+ "queryType": "A",
+ "deviceId": "N/A",
+ "deviceName": "Not Available",
+ "resolved": [
+ {
+ "type": "A",
+ "response": "34.193.182.244",
+ "asn": "14618",
+ "asname": "aws"
+ }
+ ]
+ },
+ "event": {
+ "trigger": "null",
+ "siteId": "-1",
+ "siteName": "Unidentified IPs",
+ "policyId": "2240",
+ "policyName": "Default",
+ "confidenceName": "Unknown",
+ "actionId": "1",
+ "actionName": "Monitor",
+ "onRamp": "No",
+ "onrampType": "",
+ "internalClientIP": "N/A",
+ "clientRequestId": "",
+ "policyEvaluationSource": "dns",
+ "deepScanned": false
+ }
+ },
+ {
+ "id": "1",
+ "configId": "1041",
+ "hitCount": 1,
+ "alexaRanking": 1000,
+ "query": {
+ "time": "2020-05-26T06:00:00Z",
+ "clientIp": "172.25.174.232",
+ "dnsIp": "198.18.193.241",
+ "domain": "spocs.getpocket.com.",
+ "queryType": "A",
+ "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975",
+ "deviceName": "BOS-WPX5E",
+ "resolved": [
+ {
+ "type": "A",
+ "response": "50.16.145.165",
+ "asn": "14618",
+ "asname": "aws"
+ },
+ {
+ "type": "A",
+ "response": "35.169.67.87",
+ "asn": "14618",
+ "asname": "aws"
+ },
+ {
+ "type": "A",
+ "response": "52.202.154.119",
+ "asn": "14618",
+ "asname": "aws"
+ },
+ {
+ "type": "A",
+ "response": "52.204.41.228",
+ "asn": "14618",
+ "asname": "aws"
+ }
+ ]
+ },
+ "event": {
+ "trigger": "null",
+ "siteId": "51284",
+ "siteName": "E2E WIN 174.232 site",
+ "policyId": "38307",
+ "policyName": "E2E-CML-test",
+ "confidenceName": "Unknown",
+ "actionId": "6",
+ "actionName": "Classify",
+ "onRamp": "Yes",
+ "onrampType": "etp-client",
+ "internalClientIP": "N/A",
+ "clientRequestId": "00019313",
+ "policyEvaluationSource": "dns",
+ "deepScanned": false
+ }
+ },
+ {
+ "id": "2",
+ "configId": "1041",
+ "hitCount": 1,
+ "alexaRanking": 1000000,
+ "query": {
+ "time": "2020-05-26T06:00:00Z",
+ "clientIp": "172.25.162.210",
+ "dnsIp": "198.18.193.241",
+ "domain": "cme-linuscmewlhrwlhr-013-wlhr-public.wbx2.com.",
+ "queryType": "A",
+ "deviceId": "dc475a9e-c192-4b0b-a34e-a95c0f8dfcad",
+ "deviceName": "WIN81-ENT-210",
+ "resolved": [
+ {
+ "type": "A",
+ "response": "62.109.242.31",
+ "asn": "13445",
+ "asname": "N/A"
+ }
+ ]
+ },
+ "event": {
+ "trigger": "null",
+ "siteId": "5003",
+ "siteName": "Off Network ETP Clients",
+ "policyId": "32965",
+ "policyName": "Westford OFF Network policy",
+ "confidenceName": "Unknown",
+ "actionId": "10",
+ "actionName": "Bypass",
+ "onRamp": "No",
+ "onrampType": "",
+ "internalClientIP": "N/A",
+ "clientRequestId": "00019274",
+ "policyEvaluationSource": "dns",
+ "deepScanned": false
+ }
+ },
+ {
+ "id": "3",
+ "configId": "1041",
+ "hitCount": 1,
+ "alexaRanking": -1,
+ "query": {
+ "time": "2020-05-26T06:00:00Z",
+ "clientIp": "198.18.179.121",
+ "dnsIp": "198.18.193.241",
+ "domain": "1590447770.akamaietpmalwaretest.com.",
+ "queryType": "A",
+ "deviceId": "N/A",
+ "deviceName": "Not Available",
+ "resolved": [
+ {
+ "type": "A",
+ "response": "34.193.182.244",
+ "asn": "14618",
+ "asname": "aws"
+ }
+ ]
+ },
+ "event": {
+ "trigger": "null",
+ "siteId": "-1",
+ "siteName": "Unidentified IPs",
+ "policyId": "2240",
+ "policyName": "Default",
+ "confidenceName": "Unknown",
+ "actionId": "1",
+ "actionName": "Monitor",
+ "onRamp": "No",
+ "onrampType": "",
+ "internalClientIP": "N/A",
+ "clientRequestId": "",
+ "policyEvaluationSource": "dns",
+ "deepScanned": false
+ }
+ },
+ {
+ "id": "4",
+ "configId": "1041",
+ "hitCount": 1,
+ "alexaRanking": 1000000,
+ "query": {
+ "time": "2020-05-26T06:00:00Z",
+ "clientIp": "198.18.179.159",
+ "dnsIp": "198.18.193.241",
+ "domain": "e6589.dscb.akamaiedge.net.",
+ "queryType": "A",
+ "deviceId": "630ace6b-4f26-41df-b411-cd652512cb04",
+ "deviceName": "Lab-Mac-19818179159.local",
+ "resolved": [
+ {
+ "type": "A",
+ "response": "23.204.70.172",
+ "asn": "20940",
+ "asname": "qwest"
+ }
+ ]
+ },
+ "event": {
+ "trigger": "null",
+ "siteId": "51277",
+ "siteName": "E2E Mac 179.159 site",
+ "policyId": "38307",
+ "policyName": "E2E-CML-test",
+ "confidenceName": "Unknown",
+ "actionId": "10",
+ "actionName": "Bypass",
+ "onRamp": "No",
+ "onrampType": "",
+ "internalClientIP": "N/A",
+ "clientRequestId": "00032083",
+ "policyEvaluationSource": "dns",
+ "deepScanned": false
+ }
+ }
+ ]
+}
+```
+
+### PROXY
+Additional information regarding the log fields can be found on [here](https://developer.akamai.com/api/enterprise_security/enterprise_threat_protector_reporting/v3.html#proxytraffictransaction)
+```json
+{
+ "pageInfo": {
+ "totalRecords": 44583,
+ "pageNumber": 1,
+ "pageSize": 5
+ },
+ "dataRows": [
+ {
+ "id": "0",
+ "l7Protocol": "HTTP",
+ "isEvent": true,
+ "request": {
+ "startTime": 1590474813791,
+ "connectionId": "0x3706B3124FAFAF8C9574",
+ "domain": "statsfe2.ws.microsoft.com.",
+ "uri": "/ReportingWebService/ReportingWebService.asmx",
+ "method": "POST",
+ "clientPort": 48176,
+ "destinationIP": "52.183.47.176",
+ "destinationPort": 80,
+ "uuid": "1b72e77c-254a-4ba9-a456-2a1b4407d65b",
+ "clientIp": "172.25.162.210",
+ "queryStrings": [],
+ "headers": [
+ {
+ "name": "Cache-Control",
+ "value": "no-cache"
+ },
+ {
+ "name": "Content-Length",
+ "value": "2369"
+ },
+ {
+ "name": "Content-Type",
+ "value": "text/xml; charset=utf-8"
+ },
+ {
+ "name": "Host",
+ "value": "statsfe2.ws.microsoft.com"
+ },
+ {
+ "name": "Pragma",
+ "value": "no-cache"
+ },
+ {
+ "name": "User-Agent",
+ "value": "Windows-Update-Agent/7.9.9600.19670 Client-Protocol/1.21 EtpClient:3.0.0"
+ },
+ {
+ "name": "X-Forwarded-For",
+ "value": "172.25.162.210, 172.25.162.210"
+ }
+ ]
+ },
+ "response": {
+ "endTime": 1590474813793,
+ "hash": "",
+ "headers": []
+ },
+ "event": {
+ "correlatedSinkholeEvents": [
+ {
+ "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11",
+ "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301",
+ "sourcePort": 48022,
+ "destinationPort": 80,
+ "l4Protocol": "TCP",
+ "hostname": "akamaietpcnctest.com",
+ "userAgent": "curl/7.47.0",
+ "l7Protocol": "HTTP",
+ "eventTime": "2020-05-22T02:16:34Z",
+ "url": "/",
+ "sinkholeName": "ETP_DNS_SINKHOLE",
+ "hitCount": 1,
+ "configId": 1041,
+ "internalIP": "198.18.179.187",
+ "sinkholeIP": "172.25.162.242",
+ "machineNames": [
+ "N/A"
+ ]
+ }
+ ],
+ "trigger": "null",
+ "detectionTime": "2020-05-26T06:33:33Z",
+ "detectionType": "inline",
+ "siteId": "5003",
+ "siteName": "Off Network ETP Clients",
+ "policyId": "32965",
+ "policyName": "Westford OFF Network policy",
+ "listId": "-1",
+ "listName": "unknown",
+ "categoryId": "73",
+ "categoryName": "73",
+ "confidenceId": "-1",
+ "confidenceName": "Unknown",
+ "actionId": "4",
+ "actionName": "Block - Error Page",
+ "blockDescription": "The URL hosts malware.",
+ "reason": "Acceptable use policy",
+ "severityId": 0,
+ "severityLevel": "Unclassified",
+ "onrampType": "etp_offnet_client",
+ "internalClientIP": "172.25.162.210",
+ "clientRequestId": "dc475a9e-c192-4b0b-a34e-a95c0f8dfcad-15904747363383674-1195",
+ "deepscanReportPath": "",
+ "httpVersion": "1.1",
+ "httpUserAgent": "Windows-Update-Agent/7.9.9600.19670 Client-Protocol/1.21 EtpClient:3.0.0",
+ "deviceId": "dc475a9e-c192-4b0b-a34e-a95c0f8dfcad",
+ "deviceName": "WIN81-ENT-210",
+ "deepScanned": false,
+ "matchedGroups": [],
+ "listIdentifiers": [
+ {
+ "listId": -1,
+ "categoryId": 73,
+ "confidenceId": -1,
+ "threatId": 0,
+ "listName": "unknown",
+ "categoryName": "73",
+ "confidenceName": "Unknown",
+ "threatName": "Unclassified"
+ }
+ ]
+ },
+ "userIdentity": {
+ "encryptedUserID": "",
+ "encryptedUserName": "",
+ "groups": []
+ }
+ },
+ {
+ "id": "1",
+ "l7Protocol": "HTTPS",
+ "isEvent": false,
+ "request": {
+ "startTime": 1590474750161,
+ "connectionId": "0x3706B30F4FAEB4B27FB1",
+ "domain": "statics.teams.cdn.office.net.",
+ "uri": "/evergreen-assets/icons/1x1-000000ff.png",
+ "method": "GET",
+ "clientPort": 34656,
+ "destinationIP": "2600:1409:d000::17df:3490",
+ "destinationPort": 443,
+ "uuid": "38c91e98-37fc-40f0-876e-ba60104b4d35",
+ "clientIp": "172.25.174.232",
+ "queryStrings": [
+ {
+ "name": "cb",
+ "value": "1590474712726"
+ }
+ ],
+ "headers": [
+ {
+ "name": "Accept",
+ "value": "image/webp,image/apng,image/*,*/*;q=0.8"
+ },
+ {
+ "name": "Accept-Encoding",
+ "value": "gzip, deflate, br"
+ },
+ {
+ "name": "Accept-Language",
+ "value": "en-US"
+ },
+ {
+ "name": "Connection",
+ "value": "keep-alive"
+ },
+ {
+ "name": "Host",
+ "value": "statics.teams.cdn.office.net"
+ },
+ {
+ "name": "Referer",
+ "value": "https://teams.microsoft.com/_"
+ },
+ {
+ "name": "User-Agent",
+ "value": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.12058 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36"
+ }
+ ]
+ },
+ "response": {
+ "endTime": 1590474750226,
+ "hash": "",
+ "headers": [
+ {
+ "name": "Access-Control-Allow-Origin",
+ "value": "*"
+ },
+ {
+ "name": "Cache-Control",
+ "value": "public, max-age=604777"
+ },
+ {
+ "name": "Connection",
+ "value": "keep-alive"
+ },
+ {
+ "name": "Content-Length",
+ "value": "68"
+ },
+ {
+ "name": "Content-MD5",
+ "value": "5E5+z+yZNWYywTzT6qPiUA=="
+ },
+ {
+ "name": "Content-Type",
+ "value": "image/png"
+ },
+ {
+ "name": "Date",
+ "value": "Tue, 26 May 2020 06:32:30 GMT"
+ },
+ {
+ "name": "ETag",
+ "value": "\"0x8D6D3F4152295F5\""
+ },
+ {
+ "name": "Last-Modified",
+ "value": "Wed, 08 May 2019 20:30:59 GMT"
+ },
+ {
+ "name": "Server",
+ "value": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0"
+ }
+ ]
+ },
+ "event": {
+ "correlatedSinkholeEvents": [
+ {
+ "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11",
+ "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301",
+ "sourcePort": 48022,
+ "destinationPort": 80,
+ "l4Protocol": "TCP",
+ "hostname": "akamaietpcnctest.com",
+ "userAgent": "curl/7.47.0",
+ "l7Protocol": "HTTP",
+ "eventTime": "2020-05-22T02:16:34Z",
+ "url": "/",
+ "sinkholeName": "ETP_DNS_SINKHOLE",
+ "hitCount": 1,
+ "configId": 1041,
+ "internalIP": "198.18.179.187",
+ "sinkholeIP": "172.25.162.242",
+ "machineNames": [
+ "N/A"
+ ]
+ }
+ ],
+ "trigger": "null",
+ "detectionTime": "2020-05-26T06:32:30Z",
+ "detectionType": "N/A",
+ "siteId": "51284",
+ "siteName": "E2E WIN 174.232 site",
+ "policyId": "0",
+ "policyName": "0",
+ "listId": "-1",
+ "listName": "unknown",
+ "categoryId": "104",
+ "categoryName": "104",
+ "confidenceId": "-1",
+ "confidenceName": "Unknown",
+ "actionId": "5",
+ "actionName": "Allow",
+ "blockDescription": "The URL hosts malware.",
+ "reason": "Acceptable use policy",
+ "severityId": 0,
+ "severityLevel": "Unclassified",
+ "onrampType": "etp_client",
+ "internalClientIP": "172.25.174.232",
+ "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904747127323964-48715",
+ "deepscanReportPath": "",
+ "httpVersion": "1.1",
+ "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.12058 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36 EtpClient:3.0.0",
+ "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975",
+ "deviceName": "BOS-WPX5E",
+ "deepScanned": false,
+ "matchedGroups": [],
+ "listIdentifiers": [
+ {
+ "listId": -1,
+ "categoryId": 104,
+ "confidenceId": -1,
+ "threatId": 0,
+ "listName": "unknown",
+ "categoryName": "104",
+ "confidenceName": "Unknown",
+ "threatName": "Unclassified"
+ }
+ ]
+ },
+ "userIdentity": {
+ "encryptedUserID": "",
+ "encryptedUserName": "",
+ "groups": []
+ }
+ },
+ {
+ "id": "2",
+ "l7Protocol": "HTTPS",
+ "isEvent": false,
+ "request": {
+ "startTime": 1590474718273,
+ "connectionId": "0x3706B3154FAE37181163A",
+ "domain": "clickstream-killswitch.hd-personalization-prod.gcp.example.com.",
+ "uri": "/clickstream-killswitch/v1/detail",
+ "method": "GET",
+ "clientPort": 42380,
+ "destinationIP": "130.211.21.250",
+ "destinationPort": 443,
+ "uuid": "a1d7f692-c932-466a-82f6-e4e85bba7864",
+ "clientIp": "172.25.174.232",
+ "queryStrings": [],
+ "headers": [
+ {
+ "name": "Accept",
+ "value": "*/*"
+ },
+ {
+ "name": "Accept-Encoding",
+ "value": "gzip, deflate, br"
+ },
+ {
+ "name": "Accept-Language",
+ "value": "en-US,en;q=0.9"
+ },
+ {
+ "name": "Connection",
+ "value": "keep-alive"
+ },
+ {
+ "name": "content-type",
+ "value": "application/json"
+ },
+ {
+ "name": "Host",
+ "value": "clickstream-killswitch.hd-personalization-prod.gcp.example.com"
+ },
+ {
+ "name": "Origin",
+ "value": "https://www.example.com"
+ },
+ {
+ "name": "Referer",
+ "value": "https://www.example.com/"
+ },
+ {
+ "name": "User-Agent",
+ "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
+ }
+ ]
+ },
+ "response": {
+ "endTime": 1590474718348,
+ "hash": "",
+ "headers": [
+ {
+ "name": "Access-Control-Allow-Origin",
+ "value": "https://www.example.com"
+ },
+ {
+ "name": "Content-Length",
+ "value": "1329"
+ },
+ {
+ "name": "Content-Type",
+ "value": "application/json;charset=UTF-8"
+ },
+ {
+ "name": "Date",
+ "value": "Tue, 26 May 2020 06:31:57 GMT"
+ },
+ {
+ "name": "Vary",
+ "value": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers"
+ },
+ {
+ "name": "Via",
+ "value": "1.1 google"
+ }
+ ]
+ },
+ "event": {
+ "correlatedSinkholeEvents": [
+ {
+ "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11",
+ "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301",
+ "sourcePort": 48022,
+ "destinationPort": 80,
+ "l4Protocol": "TCP",
+ "hostname": "akamaietpcnctest.com",
+ "userAgent": "curl/7.47.0",
+ "l7Protocol": "HTTP",
+ "eventTime": "2020-05-22T02:16:34Z",
+ "url": "/",
+ "sinkholeName": "ETP_DNS_SINKHOLE",
+ "hitCount": 1,
+ "configId": 1041,
+ "internalIP": "198.18.179.187",
+ "sinkholeIP": "172.25.162.242",
+ "machineNames": [
+ "N/A"
+ ]
+ }
+ ],
+ "trigger": "null",
+ "detectionTime": "2020-05-26T06:31:58Z",
+ "detectionType": "N/A",
+ "siteId": "51284",
+ "siteName": "E2E WIN 174.232 site",
+ "policyId": "0",
+ "policyName": "0",
+ "listId": "-1",
+ "listName": "unknown",
+ "categoryId": "55",
+ "categoryName": "Streaming Websites",
+ "confidenceId": "-1",
+ "confidenceName": "Unknown",
+ "actionId": "5",
+ "actionName": "Allow",
+ "blockDescription": "The URL hosts malware.",
+ "reason": "Acceptable use policy",
+ "severityId": 0,
+ "severityLevel": "Unclassified",
+ "onrampType": "etp_client",
+ "internalClientIP": "172.25.174.232",
+ "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904746798952196-48708",
+ "deepscanReportPath": "",
+ "httpVersion": "1.1",
+ "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 EtpClient:3.0.0",
+ "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975",
+ "deviceName": "BOS-WPX5E",
+ "deepScanned": false,
+ "matchedGroups": [],
+ "listIdentifiers": [
+ {
+ "listId": -1,
+ "categoryId": 55,
+ "confidenceId": -1,
+ "threatId": 0,
+ "listName": "unknown",
+ "categoryName": "Streaming Websites",
+ "confidenceName": "Unknown",
+ "threatName": "Unclassified"
+ },
+ {
+ "listId": -1,
+ "categoryId": 73,
+ "confidenceId": -1,
+ "threatId": 0,
+ "listName": "unknown",
+ "categoryName": "73",
+ "confidenceName": "Unknown",
+ "threatName": "Unclassified"
+ }
+ ]
+ },
+ "userIdentity": {
+ "encryptedUserID": "",
+ "encryptedUserName": "",
+ "groups": []
+ }
+ },
+ {
+ "id": "3",
+ "l7Protocol": "HTTPS",
+ "isEvent": true,
+ "request": {
+ "startTime": 1590474706144,
+ "connectionId": "0x3706B3154FAE084111637",
+ "domain": "c.go-mpulse.net.",
+ "uri": "/api/config.json",
+ "method": "GET",
+ "clientPort": 41176,
+ "destinationIP": "2600:1409:d000:38e::11a6",
+ "destinationPort": 443,
+ "uuid": "8e86b32f-9a83-4162-a008-3e2c58b09f87",
+ "clientIp": "172.25.174.232",
+ "queryStrings": [
+ {
+ "name": "key",
+ "value": "FDSGP-LEB9B-T8Y2A-5V5ED-9WX2T"
+ },
+ {
+ "name": "d",
+ "value": "www.akamai.com"
+ },
+ {
+ "name": "t",
+ "value": "5301582"
+ },
+ {
+ "name": "v",
+ "value": "1.667.0"
+ },
+ {
+ "name": "if",
+ "value": ""
+ },
+ {
+ "name": "sl",
+ "value": "0"
+ },
+ {
+ "name": "si",
+ "value": "876aebf5-a115-47de-973b-9ac2ba2cdd1c-qaqswv"
+ },
+ {
+ "name": "r",
+ "value": ""
+ },
+ {
+ "name": "bcn",
+ "value": "%2F%2F173e2548.akstat.io%2F"
+ },
+ {
+ "name": "acao",
+ "value": ""
+ },
+ {
+ "name": "ak.ai",
+ "value": "593889"
+ }
+ ],
+ "headers": [
+ {
+ "name": "Accept",
+ "value": "*/*"
+ },
+ {
+ "name": "Accept-Encoding",
+ "value": "gzip, deflate, br"
+ },
+ {
+ "name": "Accept-Language",
+ "value": "en-US,en;q=0.9"
+ },
+ {
+ "name": "Connection",
+ "value": "keep-alive"
+ },
+ {
+ "name": "Host",
+ "value": "c.go-mpulse.net"
+ },
+ {
+ "name": "Origin",
+ "value": "https://www.akamai.com"
+ },
+ {
+ "name": "User-Agent",
+ "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
+ }
+ ]
+ },
+ "response": {
+ "endTime": 1590474706146,
+ "hash": "",
+ "headers": []
+ },
+ "event": {
+ "correlatedSinkholeEvents": [
+ {
+ "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11",
+ "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301",
+ "sourcePort": 48022,
+ "destinationPort": 80,
+ "l4Protocol": "TCP",
+ "hostname": "akamaietpcnctest.com",
+ "userAgent": "curl/7.47.0",
+ "l7Protocol": "HTTP",
+ "eventTime": "2020-05-22T02:16:34Z",
+ "url": "/",
+ "sinkholeName": "ETP_DNS_SINKHOLE",
+ "hitCount": 1,
+ "configId": 1041,
+ "internalIP": "198.18.179.187",
+ "sinkholeIP": "172.25.162.242",
+ "machineNames": [
+ "N/A"
+ ]
+ }
+ ],
+ "trigger": "null",
+ "detectionTime": "2020-05-26T06:31:46Z",
+ "detectionType": "inline",
+ "siteId": "51284",
+ "siteName": "E2E WIN 174.232 site",
+ "policyId": "38307",
+ "policyName": "E2E-CML-test",
+ "listId": "-1",
+ "listName": "unknown",
+ "categoryId": "31",
+ "categoryName": "Chat Site",
+ "confidenceId": "-1",
+ "confidenceName": "Unknown",
+ "actionId": "4",
+ "actionName": "Block - Error Page",
+ "blockDescription": "The URL hosts malware.",
+ "reason": "Acceptable use policy",
+ "severityId": 0,
+ "severityLevel": "Unclassified",
+ "onrampType": "etp_client",
+ "internalClientIP": "172.25.174.232",
+ "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904746699129224-48707",
+ "deepscanReportPath": "",
+ "httpVersion": "1.1",
+ "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 EtpClient:3.0.0",
+ "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975",
+ "deviceName": "BOS-WPX5E",
+ "deepScanned": false,
+ "matchedGroups": [],
+ "listIdentifiers": [
+ {
+ "listId": -1,
+ "categoryId": 31,
+ "confidenceId": -1,
+ "threatId": 0,
+ "listName": "unknown",
+ "categoryName": "Chat Site",
+ "confidenceName": "Unknown",
+ "threatName": "Unclassified"
+ }
+ ]
+ },
+ "userIdentity": {
+ "encryptedUserID": "",
+ "encryptedUserName": "",
+ "groups": []
+ }
+ },
+ {
+ "id": "4",
+ "l7Protocol": "HTTPS",
+ "isEvent": false,
+ "request": {
+ "startTime": 1590474688053,
+ "connectionId": "0x3706B3124FADC2CF9570",
+ "domain": "d.la1-c2-ia4.salesforceliveagent.com.",
+ "uri": "/chat/rest/Visitor/Availability.jsonp",
+ "method": "GET",
+ "clientPort": 43149,
+ "destinationIP": "13.110.63.55",
+ "destinationPort": 443,
+ "uuid": "7b33eedd-8b7d-463b-80d9-996b74a0a9ee",
+ "clientIp": "172.25.174.232",
+ "queryStrings": [
+ {
+ "name": "sid",
+ "value": "409d47de-bf85-433c-9c88-79add325835a"
+ },
+ {
+ "name": "r",
+ "value": "906"
+ },
+ {
+ "name": "Availability.prefix",
+ "value": "Visitor"
+ },
+ {
+ "name": "Availability.ids",
+ "value": "[5730f000000HhB2,5730f000000HhAJ,5730f000000HhAY]"
+ },
+ {
+ "name": "callback",
+ "value": "liveagent._.handlePing"
+ },
+ {
+ "name": "deployment_id",
+ "value": "5720f0000009HUh"
+ },
+ {
+ "name": "org_id",
+ "value": "00DA0000000Hu5a"
+ },
+ {
+ "name": "version",
+ "value": "43"
+ }
+ ],
+ "headers": [
+ {
+ "name": "Accept",
+ "value": "*/*"
+ },
+ {
+ "name": "Accept-Encoding",
+ "value": "gzip, deflate, br"
+ },
+ {
+ "name": "Accept-Language",
+ "value": "en-US,en;q=0.9"
+ },
+ {
+ "name": "Connection",
+ "value": "keep-alive"
+ },
+ {
+ "name": "Host",
+ "value": "d.la1-c2-ia4.salesforceliveagent.com"
+ },
+ {
+ "name": "User-Agent",
+ "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
+ }
+ ]
+ },
+ "response": {
+ "endTime": 1590474688139,
+ "hash": "",
+ "headers": [
+ {
+ "name": "Access-Control-Allow-Origin",
+ "value": "*"
+ },
+ {
+ "name": "Cache-Control",
+ "value": "no-cache"
+ },
+ {
+ "name": "Connection",
+ "value": "close"
+ },
+ {
+ "name": "Content-Encoding",
+ "value": "gzip"
+ },
+ {
+ "name": "Content-Type",
+ "value": "text/javascript"
+ },
+ {
+ "name": "Expires",
+ "value": "-1"
+ },
+ {
+ "name": "Pragma",
+ "value": "no-cache"
+ },
+ {
+ "name": "X-Content-Type-Options",
+ "value": "nosniff"
+ }
+ ]
+ },
+ "event": {
+ "correlatedSinkholeEvents": [
+ {
+ "sinkholeId": "ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11",
+ "eventId": "1590113794976#ac4bde1e-7d3d-4ff5-9cf8-772df0b1ce11#28301",
+ "sourcePort": 48022,
+ "destinationPort": 80,
+ "l4Protocol": "TCP",
+ "hostname": "akamaietpcnctest.com",
+ "userAgent": "curl/7.47.0",
+ "l7Protocol": "HTTP",
+ "eventTime": "2020-05-22T02:16:34Z",
+ "url": "/",
+ "sinkholeName": "ETP_DNS_SINKHOLE",
+ "hitCount": 1,
+ "configId": 1041,
+ "internalIP": "198.18.179.187",
+ "sinkholeIP": "172.25.162.242",
+ "machineNames": [
+ "N/A"
+ ]
+ }
+ ],
+ "trigger": "null",
+ "detectionTime": "2020-05-26T06:31:28Z",
+ "detectionType": "N/A",
+ "siteId": "51284",
+ "siteName": "E2E WIN 174.232 site",
+ "policyId": "0",
+ "policyName": "0",
+ "listId": "-1",
+ "listName": "unknown",
+ "categoryId": "73",
+ "categoryName": "73",
+ "confidenceId": "-1",
+ "confidenceName": "Unknown",
+ "actionId": "5",
+ "actionName": "Allow",
+ "blockDescription": "The URL hosts malware.",
+ "reason": "Acceptable use policy",
+ "severityId": 0,
+ "severityLevel": "Unclassified",
+ "onrampType": "etp_client",
+ "internalClientIP": "172.25.174.232",
+ "clientRequestId": "c37a4c4e-a7cd-400f-820d-b82762c52975-15904746509095241-48705",
+ "deepscanReportPath": "",
+ "httpVersion": "1.1",
+ "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 EtpClient:3.0.0",
+ "deviceId": "c37a4c4e-a7cd-400f-820d-b82762c52975",
+ "deviceName": "BOS-WPX5E",
+ "deepScanned": false,
+ "matchedGroups": [],
+ "listIdentifiers": [
+ {
+ "listId": -1,
+ "categoryId": 73,
+ "confidenceId": -1,
+ "threatId": 0,
+ "listName": "unknown",
+ "categoryName": "73",
+ "confidenceName": "Unknown",
+ "threatName": "Unclassified"
+ }
+ ]
+ },
+ "userIdentity": {
+ "encryptedUserID": "",
+ "encryptedUserName": "",
+ "groups": []
+ }
+ }
+ ]
+}
+```
+
## Akamai MFA
Additional information regarding the log fields can be found on [here](https://learn.akamai.com/en-us/webhelp/enterprise-mfa/akamai-mfa-logs-from-splunk-application/GUID-0F17296F-90F3-483E-AFDE-F98FBC51A8AC.html).
### Authentication Logs (AUTH)
Authentication Events Example:
-```text
-{"uuid": "aud_JfNqdl6zSByrU0ovrbJ6m", "created_at": "2021-03-23T19:36:20.047688", "browser_ip": "49.207.58.115", "app_id": "app_3IyJXh2U9Jiws6bvxcf8X", "device": "push", "auth_method": "push", "user_id": "user_6Hy1v24DZIr8b0UHYi5dv3", "username": "nityagi", "is_success": true, "device_metadata": "Android", "receipt": "", "browser_type": "Chrome", "browser_version": "88.0.4324", "browser_os": "MacOS", "browser_os_version": "10.15.7", "device_os": "android", "device_os_version": "10.0.0", "browser_geo_location": "BANGALORE KA, IN", "device_geo_location": "BANGALORE KA, IN", "device_ip": "49.207.58.115"}
+```json
+{
+ "uuid": "aud_JfNqdl6zS23456623434",
+ "created_at": "2021-03-23T19:36:20.047688",
+ "browser_ip": "49.103.18.124",
+ "app_id": "app_3IyJXh2345345345345f8X",
+ "device": "push",
+ "auth_method": "push",
+ "user_id": "user_6Hy1v241221541i5dv3",
+ "username": "mschiess",
+ "is_success": true,
+ "device_metadata": "Android",
+ "receipt": "",
+ "browser_type": "Chrome",
+ "browser_version": "88.0.4324",
+ "browser_os": "MacOS",
+ "browser_os_version": "10.15.7",
+ "device_os": "android",
+ "device_os_version": "10.0.0",
+ "browser_geo_location": "BANGALORE KA, IN",
+ "device_geo_location": "BANGALORE KA, IN",
+ "device_ip": "49.103.18.124"
+}
```
### Policy Logs (POLICY)
Policy Denied Events Example:
-```text
-{"id": "aud_5mRypRCazgr8ucRJtICVJt", "created_at": "2021-03-23T17:20:50.524672", "user_id": "user_3CbCStOKG0uGdjRILocuxW", "principal_id": "Tenant", "policy_id": "policy_5iMncPFO8euHE8JRviQL4j", "policy_attribute_name": "Existing User"}
+```json
+{
+ "id": "aud_5mRypRCa3456789VJt",
+ "created_at": "2021-03-23T17:20:50.524672",
+ "user_id": "user_3CbCStOKG0uGdjRILocuxW",
+ "principal_id": "Tenant",
+ "policy_id": "policy_5iMncPFO2345678QL4j",
+ "policy_attribute_name": "Existing User"
+}
```
\ No newline at end of file
diff --git a/docker-compose/README.md b/docs/docker-compose/README.md
similarity index 58%
rename from docker-compose/README.md
rename to docs/docker-compose/README.md
index fc4b153..ae79a21 100644
--- a/docker-compose/README.md
+++ b/docs/docker-compose/README.md
@@ -2,8 +2,8 @@
Within this directory, we provide some `docker compose` examples including example files.
The docker-compose.yml controls the docker - relevant attributes like mounting the `.edgerc` file into the container.
-The `.env` files control the ULS via dedicated [ENVIRONMENTAL VARIABLES](../docs/ARGUMENTS_ENV_VARS.md).
+The `.env` files control the ULS via dedicated [ENVIRONMENTAL VARIABLES](../ARGUMENTS_ENV_VARS.md).
-The [simple](./simple/README.md) directory provides a simple example running ULS via `docker compose`
-The [complex](./complex/README.md) directory provides a more "real world" example combining multiple feeds and different outputs.
+The [simple](simple/README.md) directory provides a simple example running ULS via `docker compose`
+The [complex](complex/README.md) directory provides a more "real world" example combining multiple feeds and different outputs.
The [example](examples/README.md) directory provides different configuration snippets.
diff --git a/docker-compose/complex/README.md b/docs/docker-compose/complex/README.md
similarity index 100%
rename from docker-compose/complex/README.md
rename to docs/docker-compose/complex/README.md
diff --git a/docker-compose/complex/docker-compose.yml b/docs/docker-compose/complex/docker-compose.yml
similarity index 84%
rename from docker-compose/complex/docker-compose.yml
rename to docs/docker-compose/complex/docker-compose.yml
index 0438549..ca5d012 100644
--- a/docker-compose/complex/docker-compose.yml
+++ b/docs/docker-compose/complex/docker-compose.yml
@@ -8,6 +8,7 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
eaa-access:
image: akamai/uls:latest
restart: always
@@ -16,6 +17,7 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
eaa-admin:
image: akamai/uls:latest
restart: always
@@ -23,4 +25,5 @@ services:
volumes:
- type: bind
source: /path/to/your/.edgerc
- target: /opt/akamai-uls/.edgerc
\ No newline at end of file
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
\ No newline at end of file
diff --git a/docker-compose/complex/eaa-access.env b/docs/docker-compose/complex/eaa-access.env
similarity index 100%
rename from docker-compose/complex/eaa-access.env
rename to docs/docker-compose/complex/eaa-access.env
diff --git a/docker-compose/complex/etp-threat.env b/docs/docker-compose/complex/etp-threat.env
similarity index 100%
rename from docker-compose/complex/etp-threat.env
rename to docs/docker-compose/complex/etp-threat.env
diff --git a/docker-compose/complex/mfa-auth.env b/docs/docker-compose/complex/mfa-auth.env
similarity index 100%
rename from docker-compose/complex/mfa-auth.env
rename to docs/docker-compose/complex/mfa-auth.env
diff --git a/docker-compose/examples/README.md b/docs/docker-compose/examples/README.md
similarity index 100%
rename from docker-compose/examples/README.md
rename to docs/docker-compose/examples/README.md
diff --git a/docker-compose/examples/all_services_docker-compose.yml b/docs/docker-compose/examples/all_services_docker-compose.yml
similarity index 66%
rename from docker-compose/examples/all_services_docker-compose.yml
rename to docs/docker-compose/examples/all_services_docker-compose.yml
index 8ea40fc..a6e5c2d 100644
--- a/docker-compose/examples/all_services_docker-compose.yml
+++ b/docs/docker-compose/examples/all_services_docker-compose.yml
@@ -9,6 +9,7 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
# AUP
etp-aup:
image: akamai/uls:latest
@@ -18,6 +19,27 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
+ # DNS
+ etp-aup:
+ image: akamai/uls:latest
+ restart: always
+ env_file: etp-dns.env
+ volumes:
+ - type: bind
+ source: /path/to/your/.edgerc
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
+ # PROXY
+ etp-aup:
+ image: akamai/uls:latest
+ restart: always
+ env_file: etp-proxy.env
+ volumes:
+ - type: bind
+ source: /path/to/your/.edgerc
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
# EAA
# ACCESS
eaa-access:
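Review bot: The two services added under `# DNS` and `# PROXY` both reuse the key `etp-aup`, which already names the AUP service directly above, so the `services` mapping now holds three `etp-aup` entries; YAML loaders either reject duplicate keys or keep only the last one, which here would silently leave only the PROXY service and drop the AUP and DNS feeds from the example. Rename them to match their env files, `etp-dns:` on the line after `# DNS` and `etp-proxy:` on the line after `# PROXY`. The same `read_only: true` addition in the other hunks of this file and in the complex/ and simple/ compose files looks fine, since the mounted `.edgerc` only needs to be readable by ULS.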
@@ -28,6 +50,7 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
# ADMIN
eaa-admin:
image: akamai/uls:latest
@@ -37,6 +60,7 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
# MFA
# AUTH
mfa-auth:
@@ -47,6 +71,7 @@ services:
- type: bind
source: /path/to/your/.edgerc
target: /opt/akamai-uls/.edgerc
+ read_only: true
# POLICY
mfa-policy:
image: akamai/uls:latest
@@ -55,4 +80,5 @@ services:
volumes:
- type: bind
source: /path/to/your/.edgerc
- target: /opt/akamai-uls/.edgerc
\ No newline at end of file
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
\ No newline at end of file
diff --git a/docker-compose/examples/example_env_file.env b/docs/docker-compose/examples/example_env_file.env
similarity index 91%
rename from docker-compose/examples/example_env_file.env
rename to docs/docker-compose/examples/example_env_file.env
index 2c7bc45..d62c333 100644
--- a/docker-compose/examples/example_env_file.env
+++ b/docs/docker-compose/examples/example_env_file.env
@@ -10,17 +10,17 @@ ULS_LOGLEVEL=DEBUG
ULS_INPUT=ETP
# THE INPUT FEED
# EAA: [ ADMIN | ACCESS]
- # ETP: [ THREAT | AUP ]
+ # ETP: [ THREAT | AUP | DNS | PROXY]
# MFA: [ POLICY | AUTH ]
ULS_FEED=THREAT
- # INPUT FORRMAT
+ # INPUT FORMAT
ULS_FORMAT=JSON
# LOCATION OF THE AKAMAI .EDGERC FILE
ULS_EDGERC='/opt/akamai-uls/.edgerc'
# RELEVANT SECTION WITHIN THE EDGERC FILE
ULS_SECTION=default
# PROXY TO ACCESS AKAMAI API'S WHILE FETCHING THE LOGS
- #ULS_INPUT_PROXY='None'
+ #ULS_INPUT_PROXY='None' (known issue - see FAQ.md)
# OUTPUT CONFIGURATION
# OUTPUT PATH [ TCP / UDP / HTTP ]
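Review bot: The annotation appended to the commented-out line `#ULS_INPUT_PROXY='None' (known issue - see FAQ.md)` becomes part of the variable's value as soon as a user uncomments the line to set a proxy, because env files take everything after `=` literally. Keep the pointer on its own comment line above the setting, e.g. `# KNOWN PROXY ISSUE - SEE FAQ.md` followed by the original `#ULS_INPUT_PROXY='None'`, so the example stays copy-safe.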
diff --git a/docker-compose/simple/README.md b/docs/docker-compose/simple/README.md
similarity index 100%
rename from docker-compose/simple/README.md
rename to docs/docker-compose/simple/README.md
diff --git a/docker-compose/simple/docker-compose.yml b/docs/docker-compose/simple/docker-compose.yml
similarity index 74%
rename from docker-compose/simple/docker-compose.yml
rename to docs/docker-compose/simple/docker-compose.yml
index 3fe72f1..80f915a 100644
--- a/docker-compose/simple/docker-compose.yml
+++ b/docs/docker-compose/simple/docker-compose.yml
@@ -7,4 +7,5 @@ services:
volumes:
- type: bind
source: /path/to/your/.edgerc
- target: /opt/akamai-uls/.edgerc
\ No newline at end of file
+ target: /opt/akamai-uls/.edgerc
+ read_only: true
\ No newline at end of file
diff --git a/docker-compose/simple/etp-threat.env b/docs/docker-compose/simple/etp-threat.env
similarity index 100%
rename from docker-compose/simple/etp-threat.env
rename to docs/docker-compose/simple/etp-threat.env