Akamai Guardicore Segmentation Integration Guide 🔗
To integrate Akamai Guardicore Segmentation (Guardicore) with Secureworks® Taegis™ XDR, you must follow Akamai’s guidance for implementing Akamai Unified Log Streamer (ULS). Akamai ULS is designed to simplify integrations with Extended Detection and Response products, such as XDR. Once Akamai ULS has been implemented, you can configure Akamai ULS to send Guardicore events via syslog to a Taegis™ XDR Collector. Guardicore events are filtered and correlated in real-time for various security event observations.
Follow the instructions below to integrate and enable monitoring by XDR.
Connectivity Requirements🔗
| Source | Destination | Port/Protocol |
|---|---|---|
| Akamai ULS | XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration🔗
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Akamai Guardicore Segmentation | Thirdparty | Netflow, Process |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Akamai Requirements🔗
The XDR integration with Akamai Guardicore Segmentation (Guardicore) requires Akamai’s Unified Log Streamer (ULS), which is available from Akamai. Follow Akamai’s documentation for implementing Akamai Unified Log Streamer (ULS).
Akamai Unified Log Streamer (ULS) Output Guidance🔗
Upon implementing Akamai ULS, you must define a ULS OUTPUT to transmit Guardicore events to a XDR Collector via syslog. Use the following to define your parameters:
Akamai ULS Configuration Parameters🔗
Shared ULS Environment Parameters🔗
Input Parameters🔗
- ULS_INPUT = GC
- ULS_FORMAT = JSON
Output Parameters🔗
- ULS_OUTPUT = TCP
- ULS_OUTPUT_HOST = XDR Collector IP
- ULS_OUTPUT_PORT = 601
Unique Guardicore NETLOG Environment Parameters🔗
Input Parameters🔗
- ULS_FEED = NETLOG
Output Parameters🔗
- ULS_TCPUDP_FORMAT =
'{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
Unique Guardicore INCIDENT Environment Parameters🔗
Input Parameters🔗
- ULS_FEED = INCIDENT
Output Parameters🔗
- ULS_TCPUDP_FORMAT =
'{"api_host": "{api_hostname}", "ulsfeed": "Akamai-{uls_input}-{uls_feed}", "event": %s}'
Akamai Guardicore Segmentation events are now logging to XDR via Akamai ULS.
Example Query Language Searches🔗
To search for netflow events from the last 24 hours:
FROM netflow WHERE sensor_type = 'Akamai Guardicore' and EARLIEST=-24h
To search for process events from the last 24 hours:
FROM process WHERE sensor_type = 'Akamai Guardicore' and EARLIEST=-24h
To search for thirdparty events from the last 24 hours:
FROM thirdparty WHERE sensor_type = 'Akamai Guardicore' and EARLIEST=-24h