Akamai Guardicore Segmentation Integration Guide
Secureworks® Taegis™ XDR ingests Akamai Guardicore Segmentation (Guardicore) events delivered via syslog to a Taegis™ XDR Collector. Two delivery formats are supported, and you may choose either based on your environment:
- Guardicore Centra Data Exporter (CEF over syslog) — The Guardicore Centra UI’s built-in syslog exporter, emitting Common Event Format (CEF) messages. See Akamai Techdocs for more information.
- Akamai Unified Log Streamer (ULS) — Akamai’s open-source streaming tool, emitting JSON messages.
Both paths land in XDR with sensor type Akamai Guardicore and produce the same normalized event schemas. Follow whichever Akamai-supported path fits your deployment. Existing ULS integrations continue to work and don't need to be migrated.
Connectivity Requirements
| Source | Destination | Port/Protocol |
|---|---|---|
| Guardicore Centra (Data Exporter) | XDR Collector (mgmt IP) | TCP or UDP / 514 |
| Akamai ULS | XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration
| | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| Akamai Guardicore Segmentation | Thirdparty | Netflow, Process | |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Guardicore Centra Data Exporter (CEF) Configuration
Configure the Data Exporter using Akamai’s Guardicore Centra documentation for your version. In the Centra UI, navigate to System > Integrations > Data Exporters and create exporters that send to the XDR Collector. Use the following settings so that messages are recognized and normalized by XDR:
- Message format: CEF
- Syslog host: XDR Collector management IP
- Syslog port: 514
- Syslog protocol: TCP or UDP (TCP recommended; UDP syslog gives no delivery guarantee, so dropped messages go unnoticed)
Create one Data Exporter per event class you want to ingest. Enable the export verdicts and event types relevant to your deployment per Akamai’s documentation.
The XDR normalizer matches messages on the CEF header CEF:0|Guardicore|Centra|, so no additional CEF customization is required on the Centra side. The table below shows which Centra event classes are mapped into dedicated XDR schemas:
| Centra event class | Normalized into | Notes |
|---|---|---|
| Incident (e.g., Bad Reputation, Policy Violation, Reveal, Network Scan, Lateral Movement) | thirdparty | Security alerts. Recommended for detection and correlation. |
| Network Log | netflow, process | Per-flow records with peer addresses, process path, and policy verdict. |
| Agent Log Event | generic | Operational agent telemetry (KO downloads, profile pushes, mode changes). Available for search but not promoted into a security schema. |
| System Event | generic | Centra management-level health and state messages. Available for search but not promoted into a security schema. |
| Audit Record | generic | Centra admin/audit activity. Available for search but not promoted into a security schema. |
Tip
If you only need security telemetry, enabling Incident and Network Log exporters is sufficient. Enable the operational classes (Agent Log, System Event, Audit Record) only when you specifically want that data searchable in XDR, since these land in the generic schema rather than a dedicated one.
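To see how the routing in the table above plays out on the wire, here is an added example (not Secureworks or Akamai code) that parses CEF-over-syslog lines, checks for the `CEF:0|Guardicore|Centra|` prefix the normalizer keys on, and reports which XDR schema each line would land in. The sample lines are constructed; the assumption that the Centra event class appears verbatim in the CEF Device Event Class ID field, the extension keys used, and the fall-back of unlisted classes to `generic` are mine, not taken from Akamai's or Secureworks' documentation.

```python
"""Classify Guardicore Centra CEF syslog lines into the XDR schemas from the table above.
Added example, not Secureworks or Akamai code; sample lines are constructed.
ASSUMPTIONS (not from Akamai's docs): the Centra event class appears verbatim in the
CEF Device Event Class ID field, extension keys are illustrative, and classes the
table does not list fall back to generic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The header prefix the XDR normalizer keys on, per this guide.
GUARDICORE_CEF_PREFIX = "CEF:0|Guardicore|Centra|"

# Centra event class -> XDR schema(s), from the mapping table in this section.
CLASS_TO_SCHEMAS = {
    "Incident": ("thirdparty",),
    "Network Log": ("netflow", "process"),
    "Agent Log Event": ("generic",),
    "System Event": ("generic",),
    "Audit Record": ("generic",),
}
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# A space that begins a new key=value pair; CEF requires '=' inside values to be '\='.
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")
_UNESCAPE = re.compile(r"\\([=\\nr])")


@dataclass
class CefEvent:
    header: dict[str, str]
    extensions: dict[str, str] = field(default_factory=dict)


def split_cef(cef: str) -> tuple[list[str], str]:
    """Split the seven pipe-delimited header fields (honouring backslash escapes)
    and return (header_fields, extension_string)."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):  # escaped '|' or '\' inside a header field
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than seven pipe-delimited fields")
    return fields, cef[i:]


def parse_extension(ext: str) -> dict[str, str]:
    """Parse 'key=value key2=value with spaces' into a dict, undoing \\= \\\\ \\n \\r escapes."""
    out: dict[str, str] = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        key, sep, value = token.partition("=")
        if sep:
            out[key] = _UNESCAPE.sub(
                lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)
    return out


def classify(line: str) -> dict:
    """Say whether the Guardicore normalizer would claim this syslog line and where it lands."""
    start = line.find("CEF:")
    if start < 0 or not line[start:].startswith(GUARDICORE_CEF_PREFIX):
        return {"matched": False, "schemas": (), "reason": "no Guardicore Centra CEF header"}
    header, ext = split_cef(line[start:])
    event = CefEvent(dict(zip(HEADER_FIELDS, header)), parse_extension(ext))
    event_class = event.header["event_class_id"]
    return {"matched": True, "event_class": event_class, "event": event,
            "schemas": CLASS_TO_SCHEMAS.get(event_class, ("generic",))}  # assumption: unknown -> generic


# Constructed sample lines: syslog PRI, timestamp and host, then the CEF body.
SAMPLE_LINES = [
    # Incident -> thirdparty; note the escaped '=' inside msg.
    r"<134>Oct 12 10:00:01 centra CEF:0|Guardicore|Centra|50.0|Incident|Lateral Movement|8|"
    r"src=10.1.2.3 dst=10.1.2.4 dpt=445 msg=Attempt to reach SMB share\=admin",
    # Network Log flow with a process path -> netflow and process.
    r"<134>Oct 12 10:00:02 centra CEF:0|Guardicore|Centra|50.0|Network Log|Flow|3|"
    r"src=10.1.2.3 dst=10.1.2.4 spt=51822 dpt=3389 proto=TCP act=ALLOWED fname=C:\\Windows\\System32\\mstsc.exe",
    # Operational agent telemetry -> generic only.
    r"<134>Oct 12 10:00:03 centra CEF:0|Guardicore|Centra|50.0|Agent Log Event|Profile pushed|1|dvchost=web-01",
    # Another vendor's CEF: the prefix check fails, so this normalizer ignores it.
    r"<134>Oct 12 10:00:04 fw CEF:0|OtherVendor|Firewall|1.0|100|Denied|5|src=203.0.113.9",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = classify(sample)
        print(result["matched"], result.get("event_class"), result["schemas"])
```

Run it over a capture of what Centra actually sends (a Data Exporter pointed at a test listener, or a packet capture on the collector) before trusting the mapping: a message that fails the prefix check is not claimed by this normalizer regardless of its content, and an Incident whose class string differs from the table will not reach thirdparty.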
Akamai Unified Log Streamer (ULS) Configuration
Alternatively, follow Akamai's documentation for implementing Akamai Unified Log Streamer (ULS), then define a ULS OUTPUT that transmits Guardicore events to an XDR Collector via syslog using the parameters below.
Akamai ULS Configuration Parameters
Shared ULS Environment Parameters
Input Parameters
- ULS_INPUT = GC
- ULS_FORMAT = JSON
Output Parameters
- ULS_OUTPUT = TCP
- ULS_OUTPUT_HOST = XDR Collector IP
- ULS_OUTPUT_PORT = 601
Unique Guardicore NETLOG Environment Parameters
Input Parameters
- ULS_FEED = NETLOG
Output Parameters
- ULS_TCPUDP_FORMAT = '{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
Unique Guardicore INCIDENT Environment Parameters
Input Parameters
- ULS_FEED = INCIDENT
Output Parameters
- ULS_TCPUDP_FORMAT = '{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
Akamai Guardicore Segmentation events are now logging to XDR via Akamai ULS.
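As an added example (not part of Akamai's ULS or of this guide), the following Python renders the ULS_TCPUDP_FORMAT template into the line that reaches the collector on TCP/601 and validates it the way a collector-side pre-check would: the result must be a single JSON object whose `ulsfeed` is `Akamai-GC-NETLOG` or `Akamai-GC-INCIDENT`. The event payloads and the hostname are constructed, and the substitution rules ({api_hostname}, {uls_input} and {uls_feed} filled from the ULS configuration, `%s` replaced by the raw JSON event) are my reading of the template, not ULS source code. It also shows the effect of the common misconfiguration of quoting `%s`, which turns every message into invalid JSON.

```python
"""Render the ULS_TCPUDP_FORMAT envelope and validate it as the collector would see it.
Added example, not Akamai ULS code. ASSUMPTION: ULS substitutes {api_hostname},
{uls_input} and {uls_feed} from its configuration and replaces %s with the raw JSON
event, as the template on this page implies. Payloads and hostname are constructed.
"""
from __future__ import annotations

import json

# The template from the integration guide, verbatim.
ULS_TCPUDP_FORMAT = '{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
# A frequent mistake: quoting %s. The event is already JSON, so this nests an
# unescaped object inside a string and the resulting line is not valid JSON.
QUOTED_EVENT_FORMAT = ULS_TCPUDP_FORMAT.replace('"event": %s', '"event": "%s"')

# ULS_INPUT = GC with ULS_FEED = NETLOG or INCIDENT yields exactly these tags.
EXPECTED_FEEDS = {"Akamai-GC-NETLOG", "Akamai-GC-INCIDENT"}

# Constructed payloads; field names are illustrative, not Guardicore's schema.
SAMPLE_NETLOG = {"source_ip": "10.1.2.3", "destination_ip": "10.1.2.4",
                 "destination_port": 445, "policy_verdict": "BLOCKED"}
SAMPLE_INCIDENT = {"incident_type": "Lateral Movement", "severity": "High",
                   "affected_assets": ["web-01", "db-02"]}


def render_envelope(template: str, api_hostname: str, uls_input: str,
                    uls_feed: str, event: dict) -> str:
    """Produce the single line ULS would write to the TCP socket for one event."""
    wire = (template.replace("{api_hostname}", api_hostname)
                    .replace("{uls_input}", uls_input)
                    .replace("{uls_feed}", uls_feed))
    # Substitute the event last so placeholder-like text inside event data is left alone.
    return wire.replace("%s", json.dumps(event, separators=(",", ":")), 1)


def check_envelope(line: str) -> tuple[bool, str]:
    """Collector-side pre-check: one JSON object, a known ulsfeed tag, event is an object."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON: {exc.msg}"
    if not isinstance(obj, dict):
        return False, "top level is not a JSON object"
    feed = obj.get("ulsfeed")
    if feed not in EXPECTED_FEEDS:
        return False, f"unexpected ulsfeed tag {feed!r}"
    if not isinstance(obj.get("event"), dict):
        return False, "event is not a JSON object"
    return True, feed


if __name__ == "__main__":
    for feed, payload in (("NETLOG", SAMPLE_NETLOG), ("INCIDENT", SAMPLE_INCIDENT)):
        line = render_envelope(ULS_TCPUDP_FORMAT, "api.example.invalid", "GC", feed, payload)
        print(check_envelope(line), line)
    bad = render_envelope(QUOTED_EVENT_FORMAT, "api.example.invalid", "GC", "NETLOG", SAMPLE_NETLOG)
    print(check_envelope(bad), bad)
```

Pointing ULS at a local listener (for example `nc -l 601` on a test host) and feeding the captured lines to `check_envelope` is a quick way to confirm the output stage before cutting over to the XDR Collector; a feed tag other than the two expected ones means ULS_INPUT or ULS_FEED is set wrong for that instance.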
Example Query Language Searches
To search for netflow events from the last 24 hours:
FROM netflow WHERE sensor_type = 'Akamai Guardicore' and EARLIEST=-24h
To search for process events from the last 24 hours:
FROM process WHERE sensor_type = 'Akamai Guardicore' and EARLIEST=-24h
To search for thirdparty events from the last 24 hours:
FROM thirdparty WHERE sensor_type = 'Akamai Guardicore' and EARLIEST=-24h