Commit
# Version History
## v1.3.5
|||
|---|---|
|Date|2022-04-06
|Kind| Bugfix release
|Author|[email protected], [email protected]
- **Minor improvements**
- More QRADAR log source type definitions (thx to bitonio)
- Added docker-compose ETP - Tenant example
1 parent 425b77d, commit 73432fc. Showing 13 changed files with 195 additions and 20 deletions.
@@ -1,14 +1,13 @@ | ||
# Version History | ||
## v1.3.3 | ||
## v1.3.5 | ||
||| | ||
|---|---| | ||
|Date|2022-02-28 | ||
|Date|2022-04-06 | ||
|Kind| Bugfix release | ||
|Author|[email protected] | ||
- **Bugfix** | ||
- Adopted to new MFA CLI Version (only single feed "EVENT" available anymore) | ||
- Amended new dates to the file headers | ||
- Added volume to dockerfile as data storage for "autoresume" | ||
|Author|[email protected], [email protected] | ||
- **Minor improvements** | ||
- More QRADAR log source type definitions (thx to bitonio) | ||
- Added docker-compose ETP - Tenant example | ||
|
||
## v1.3.4 | ||
||| | ||
|
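Review bot: the hunk replaces the top changelog entry instead of inserting a new one above it: the `## v1.3.3` header, its `2022-02-28` date and its three bugfix bullets (MFA CLI single "EVENT" feed, file-header dates, the docker volume for "autoresume") are removed, and only the `## v1.3.5` header, date, second author and the two "Minor improvements" bullets take their place. Unless those bullets are repeated under the `## v1.3.4` section that follows, the release notes for that fix disappear from the history; add the v1.3.5 block as a new section and keep the older one (renumbered if `v1.3.3` was a typo for the entry that belongs above v1.3.4).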
@@ -0,0 +1,75 @@ | ||
#!/bin/bash | ||
# | ||
# Description | ||
# ----------- | ||
# Creates a sample file to test against QRadar DSM Editor. | ||
# | ||
# Requirements | ||
# ------------ | ||
# - Akamai CLI with eaa modules | ||
# - Credentials in the default section of the ~/.edgerc file | ||
|
||
# Adjust how far back you want the log to go | ||
# It will vary based on your EAA account activity | ||
START=$(( $(date +%s) - 7 * 24 * 60 * 60 )) | ||
|
||
shuf() { awk 'BEGIN {srand(); OFMT="%.17f"} {print rand(), $0}' "$@" | | ||
sort -k1,1n | cut -d ' ' -f2-; } | ||
|
||
tmp_dir=$(mktemp -d -t ak-uls-qradar-XXXXXXXXXX) | ||
echo "Working in temporary directory $tmp_dir" | ||
|
||
function print_usage() { | ||
echo "Usage:" | ||
echo "$0 [eaa|etp]" | ||
} | ||
|
||
case "$1" in | ||
|
||
"eaa") | ||
echo "Fetching access events..." | ||
akamai eaa log admin --start $START --json --output $tmp_dir/eaa_admin.json | ||
echo "Fetching admin audit events..." | ||
akamai eaa log access --start $START --json --output $tmp_dir/eaa_access.json | ||
echo "Fetching connector health events..." | ||
akamai eaa connector list --perf --json > $tmp_dir/eaa_conhealth.json | ||
|
||
cat $tmp_dir/eaa_admin.json | shuf | head -n 50 > $tmp_dir/eaa_admin_min.json | ||
cat $tmp_dir/eaa_access.json | shuf | head -n 50 > $tmp_dir/eaa_access_min.json | ||
cat $tmp_dir/eaa_conhealth.json | shuf > $tmp_dir/eaa_conhealth_min.json | ||
|
||
cat $tmp_dir/eaa_admin_min.json $tmp_dir/eaa_access_min.json $tmp_dir/eaa_conhealth_min.json | shuf > eaa_feeds_combined_sample.json | ||
|
||
stat eaa_feeds_combined_sample.json | ||
echo "File 'eaa_feeds_combined_sample.json' created in the current directory ($(pwd))." | ||
;; | ||
|
||
"etp") | ||
# Window for ETP is 1 hour since we have a lot of logs in the lab | ||
START=$(( $(date +%s) - 1 * 60 * 60 )) | ||
event_types=( "dns" "proxy" "aup" "threat" ) | ||
for event_type in "${event_types[@]}" | ||
do | ||
echo "Fetching ${event_type} events..." | ||
akamai etp event --start $START --output "$tmp_dir/etp_${event_type}.json" ${event_type} | ||
cat "$tmp_dir/etp_${event_type}.json" | shuf | head -n 50 > "$tmp_dir/etp_min_${event_type}.json" | ||
if [ "$2" == "preview" ]; then | ||
echo "# START PREVIEW ${event_type}" | ||
head -n1 "$tmp_dir/etp_min_${event_type}.json" | ||
echo "# END PREVIEW ${event_type}" | ||
fi | ||
done | ||
for event_type in "${event_types[@]}" | ||
do | ||
cat $tmp_dir/etp_min_*.json | shuf > etp_feeds_combined_sample.json | ||
done | ||
;; | ||
|
||
*) | ||
print_usage | ||
exit 1 | ||
;; | ||
|
||
esac | ||
|
||
rm -v -rf $tmp_dir |
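Review bot: the progress messages in the `eaa` branch are swapped relative to the commands they announce: `echo "Fetching access events..."` precedes `akamai eaa log admin`, and `echo "Fetching admin audit events..."` precedes `akamai eaa log access`, so the operator is told the wrong feed is being pulled; swap the two `echo` lines. Three smaller points. The second `for event_type` loop runs `cat $tmp_dir/etp_min_*.json | shuf > etp_feeds_combined_sample.json` once per event type, rewriting the same output file four times, so that single line can replace the loop. There is no `set -e` or `set -o pipefail`, so a failed `akamai` call leaves an empty or missing file that is silently shuffled into the sample; failing fast there is cheap. `$tmp_dir` and `$START` are quoted in the `etp` branch but bare in the `eaa` branch and in `rm -v -rf $tmp_dir`; quote them consistently. Also, `print_usage` does not mention the `preview` option handled by `if [ "$2" == "preview" ]`, and since the sample files are built from the account's live access, admin-audit and connector events, the header comment should state that the generated `*_combined_sample.json` contains real records and is not meant to be committed.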
@@ -0,0 +1,14 @@ | ||
[etp_tenant1] | ||
client_secret = … | ||
host = akab-….luna.akamaiapis.net | ||
access_token = akab-… | ||
client_token = akab-… | ||
etp_config_id = 123 | ||
|
||
[etp_tenant2] | ||
; same first 4 credentials (client_secret, host, access_token, client_token) as etp_tenant1 | ||
client_secret = … | ||
host = akab-….luna.akamaiapis.net | ||
access_token = akab-… | ||
client_token = akab-… | ||
etp_config_id = 456 |
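Review bot: the file has no header comment saying it is a template, so a reader who copies it wholesale gets a working layout with `…` placeholders for `client_secret`, `host`, `access_token` and `client_token` and no hint where the real values go; add a leading `;` comment stating that the real credentials belong in a `.edgerc` kept outside the repository with owner-only permissions, and that this real file is what the compose example bind-mounts. The `; same first 4 credentials ... as etp_tenant1` comment also deserves one more sentence: a single API credential set is authorised for both `etp_config_id = 123` and `etp_config_id = 456`, so rotating or revoking it stops both tenant feeds at once, and any container that can read the file can read both tenants' configuration.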
@@ -0,0 +1,22 @@ | ||
# ULS DOCKER ETP-TENANT EXAMPLES | ||
|
||
Enterprise Threat Protector (ETP) allows customers and partners to manage multiple ETP tenants each coming with separated data feeds. | ||
|
||
See [Akamai ETP multi-tenancy documentation](https://techdocs.akamai.com/etp/docs/delegated-tenant-access#multi-tenancy) for more details. | ||
|
||
ULS can be configured to be a data hub to fetch and distribute these feeds from multiple tenants into one or multiple destinations. | ||
|
||
This directory contains configuration examples (for simple copy & paste usage) that illustrate ETP multi-tenant feature. | ||
|
||
## docker-compose.yml | ||
|
||
[This file](docker-compose.yml) contains examples for 2 different ETP tenants collecting the same "threat" feed. | ||
|
||
## ENV files | ||
The files contains all available ENV VARS explained in a single file. | ||
Tenant 1 [etp-threat-tenant-1.env](./etp-threat-tenant-1.env) | ||
Tenant 2 [etp-threat-tenant-2.env](./etp-threat-tenant-2.env) | ||
|
||
## EDGERC example | ||
|
||
This is a sample `.edgerc` file explaining the ["ETP Multi Tenant support"](./.edgerc-example) |
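Review bot: the `## ENV files` section renders as a single paragraph, because `The files contains all available ENV VARS explained in a single file.`, `Tenant 1 [...]` and `Tenant 2 [...]` are consecutive lines with no blank line or list markers between them; put the two tenant links in a `-` list after a blank line. Grammar: `The files contains` should be `Each file contains` (each env file lists the variables for one tenant, which is what the sentence means), and `illustrate ETP multi-tenant feature` should read `illustrate the ETP multi-tenant feature`. The last line links `./.edgerc-example` under the title "ETP Multi Tenant support"; say plainly that it is the credentials file which `docker-compose.yml` bind-mounts into both containers, so readers know which file to copy and fill in.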
docs/examples/docker-compose/etp-tenants/docker-compose.yml: 20 additions & 0 deletions
@@ -0,0 +1,20 @@ | ||
version: "3.0" | ||
services: | ||
etp-threat-tenant-1: | ||
image: akamai/uls:latest | ||
restart: always | ||
env_file: etp-threat-tenant-1.env | ||
volumes: | ||
- type: bind | ||
source: /path/to/your/.edgerc | ||
target: /opt/akamai-uls/.edgerc | ||
read_only: true | ||
etp-threat-tenant-2: | ||
image: akamai/uls:latest | ||
restart: always | ||
env_file: etp-threat-tenant-2.env | ||
volumes: | ||
- type: bind | ||
source: /path/to/your/.edgerc | ||
target: /opt/akamai-uls/.edgerc | ||
read_only: true |
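Review bot: both services bind-mount the same `/path/to/your/.edgerc`, so each container can read every section of that file, not only the one selected by its own `ULS_SECTION`; with the accompanying `.edgerc-example` this is harmless because the two tenants share one credential set, but readers with distinct per-tenant credentials should mount a per-tenant file (or split the sections into two files) so that a compromise of one container exposes only one tenant's tokens. `read_only: true` on both mounts is the right call and should stay. Two smaller points: `image: akamai/uls:latest` means the two services can end up on different ULS builds after a later pull, so an example meant for copy & paste should pin a release tag; and `version: "3.0"` can simply be `version: "3"`.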
docs/examples/docker-compose/etp-tenants/etp-threat-tenant-1.env: 20 additions & 0 deletions
@@ -0,0 +1,20 @@ | ||
# This is a sample ENV file for ULS ETP - Threat logs TENANT 1(output via HTTP to SPLUNK) | ||
|
||
# GENERIC Config | ||
ULS_LOGLEVEL=INFO | ||
|
||
# TENANT SELECTION | ||
ULS_SECTION="etp_tenant1" | ||
|
||
# INPUT CONFIGURATION | ||
ULS_INPUT=ETP | ||
ULS_FEED=THREAT | ||
ULS_FORMAT=JSON | ||
ULS_EDGERC=/opt/akamai-uls/.edgerc | ||
|
||
# OUTPUT CONFIGURATION | ||
ULS_OUTPUT=HTTP | ||
ULS_HTTP_URL=https://127.0.0.1:8088/services/collector/event | ||
ULS_HTTP_AUTH_HEADER={"Authorization": "Splunk xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"} | ||
ULS_HTTP_INSECURE="True" | ||
ULS_HTTP_FORMAT={"event": %s} |
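Review bot: `ULS_HTTP_URL=https://127.0.0.1:8088/services/collector/event` will not reach a Splunk HEC running on the Docker host, because inside the `etp-threat-tenant-1` container 127.0.0.1 is the container itself; the example needs the host's address, `host.docker.internal`, or the name of a Splunk service on the compose network. `ULS_HTTP_INSECURE="True"` disables certificate verification for that HEC connection; acceptable in a lab with a self-signed certificate, but the comment should say so and recommend the verified setting elsewhere, since the HEC token in `ULS_HTTP_AUTH_HEADER` travels with every request. Once the `xxxxxxxx-xxxx-...` placeholder is replaced, that header is a live bearer token, so the filled-in `.env` must stay out of version control. Minor: `ULS_SECTION="etp_tenant1"` and `ULS_HTTP_INSECURE="True"` carry literal double quotes while the other values are bare; whether Compose strips quotes from `env_file` values depends on the Compose version, so use unquoted values consistently.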
docs/examples/docker-compose/etp-tenants/etp-threat-tenant-2.env: 20 additions & 0 deletions
@@ -0,0 +1,20 @@ | ||
# This is a sample ENV file for ULS ETP - Threat logs TENANT 2(output via HTTP to SPLUNK) | ||
|
||
# GENERIC Config | ||
ULS_LOGLEVEL=INFO | ||
|
||
# TENANT SELECTION | ||
ULS_SECTION="etp_tenant2" | ||
|
||
# INPUT CONFIGURATION | ||
ULS_INPUT=ETP | ||
ULS_FEED=THREAT | ||
ULS_FORMAT=JSON | ||
ULS_EDGERC=/opt/akamai-uls/.edgerc | ||
|
||
# OUTPUT CONFIGURATION | ||
ULS_OUTPUT=HTTP | ||
ULS_HTTP_URL=https://127.0.0.1:8088/services/collector/event | ||
ULS_HTTP_AUTH_HEADER={"Authorization": "Splunk xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"} | ||
ULS_HTTP_INSECURE="True" | ||
ULS_HTTP_FORMAT={"event": %s} |
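Review bot: this file differs from `etp-threat-tenant-1.env` only in the heading and `ULS_SECTION="etp_tenant2"`, and both tenants post to the same HEC URL with the same token and the same `ULS_HTTP_FORMAT={"event": %s}` wrapper, so nothing in the envelope tells Splunk which tenant an event came from; unless the THREAT records themselves carry a tenant or config id, either give each tenant its own HEC token (which also lets Splunk assign a distinct default index or sourcetype per token) or add a tenant marker to the output. The `https://127.0.0.1:8088` URL (127.0.0.1 inside the container is the container, not the host), the `ULS_HTTP_INSECURE="True"` caveat and the mixed quoted/unquoted values apply to this file unchanged.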