
Connect your Akamai Security Events collector to Azure Sentinel

Important

The Akamai Security Events connector is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

This article explains how to connect your Akamai Security Events collector to Azure Sentinel. The Akamai Security Events data connector allows you to connect your Akamai logs to Azure Sentinel, so that you can view the data in workbooks, query it to create custom alerts, and incorporate it to improve investigation. Integration between the Akamai Security Events collector and Azure Sentinel uses CEF-formatted Syslog, a Linux-based log forwarder, and the Log Analytics agent. It also uses a custom-built log parser based on a Kusto function.

Note

Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.

Prerequisites

  • You must have read and write permissions on your Azure Sentinel workspace.

  • You must have read permissions to shared keys for the workspace. Learn more about workspace keys.

Send Akamai Security Events logs to Azure Sentinel

To get its logs into Azure Sentinel, configure your Akamai Security Events collector to send Syslog messages in CEF format to a Linux-based log forwarding server (running rsyslog or syslog-ng). This server has the Log Analytics agent installed on it, and the agent forwards the logs to your Azure Sentinel workspace.

  1. In the Azure Sentinel navigation menu, select Data connectors.

  2. From the Data connectors gallery, select Akamai Security Events (Preview), and then Open connector page.

  3. Follow the instructions in the Instructions tab, under Configuration:

    1. Under 1. Linux Syslog agent configuration - Do this step if you don't already have a log forwarder running, or if you need another one. See STEP 1: Deploy the log forwarder in the Azure Sentinel documentation for sizing information, more detailed instructions, and an in-depth explanation.

    2. Under 2. Forward Common Event Format (CEF) logs to Syslog agent - Follow Akamai's instructions to configure SIEM integration and to set up a CEF connector. This connector receives security events from your Akamai solutions in near real time using the SIEM OPEN API, and converts them from JSON into CEF format.

      This configuration should include the following elements:

      • Log destination – the hostname and/or IP address of your log forwarding server
      • Protocol and port – TCP 514 (if a different protocol or port is recommended, be sure to make the matching change in the syslog daemon on your log forwarding server)
      • Log format – CEF
      • Log types – all available
    3. Under 3. Validate connection - Verify data ingestion by copying the command on the connector page and running it on your log forwarder. See STEP 3: Validate connectivity in the Azure Sentinel documentation for more detailed instructions and explanation.

      It may take up to 20 minutes until your logs start to appear in Log Analytics.

Find your data

After a successful connection is established, the data appears in Logs, under the Azure Sentinel section, in the CommonSecurityLog table.

This data connector depends on a parser based on a Kusto function to work as expected. Use the following steps to set up the AkamaiSIEMEvent Kusto function for use in queries and workbooks.

  1. From the Azure Sentinel navigation menu, select Logs.

  2. Copy the following query and paste it into the query window.

    // Keep only events that arrived from the Akamai SIEM CEF connector
    CommonSecurityLog
    | where DeviceVendor == 'Akamai'
    | where DeviceProduct == 'akamai_siem'
    // Fixed vendor/product metadata for the normalized output
    | extend EventVendor = 'Akamai'
    | extend EventProduct = 'akamai_siem'
    | extend EventProductVersion = '1.0'
    // Rename the standard CEF columns to the parser's output names
    | extend EventId = DeviceEventClassID
    | extend EventCategory = Activity
    | extend EventSeverity = LogSeverity
    | extend DvcAction = DeviceAction
    | extend NetworkApplicationProtocol = ApplicationProtocol
    | extend Ipv6Src = DeviceCustomIPv6Address2
    | extend RuleName = DeviceCustomString1
    | extend RuleMessages = DeviceCustomString2
    | extend RuleData = DeviceCustomString3
    | extend RuleSelectors = DeviceCustomString4
    | extend ClientReputation = DeviceCustomString5
    | extend ApiId = DeviceCustomString6
    | extend RequestId = DevicePayloadId
    | extend DstDvcHostname = DestinationHostName
    | extend DstPortNumber = DestinationPort
    | extend ConfigId = FlexString1
    | extend PolicyId = FlexString2
    | extend NetworkBytes = SentBytes
    | extend UrlOriginal = RequestURL
    | extend HttpRequestMethod = RequestMethod
    | extend SrcIpAddr = SourceIP
    // Extension keys the agent does not map to dedicated columns land in
    // AdditionalExtensions as ';'-delimited key=value pairs; pull them out by regex.
    // 'start' is epoch seconds, so convert it to a datetime
    | extend EventStartTime = datetime(1970-01-01) + tolong(extract(@'.*start=(.*?);', 1, AdditionalExtensions)) * 1s
    | extend SlowPostAction = extract(@'.*AkamaiSiemSlowPostAction=(.*?);', 1, AdditionalExtensions)
    | extend SlowPostRate = extract(@'.*AkamaiSiemSlowPostRate=(.*?);', 1, AdditionalExtensions)
    // RuleVersions may start with a leading ',' and RequestHeaders with a leading ';'; skip them
    | extend RuleVersions = extract(@'.*AkamaiSiemRuleVersions=,?(.*?);', 1, AdditionalExtensions)
    | extend RuleTags = extract(@'.*AkamaiSiemRuleTags=(.*?);', 1, AdditionalExtensions)
    | extend ApiKey = extract(@'.*AkamaiSiemApiKey=(.*?);', 1, AdditionalExtensions)
    | extend Tls = extract(@'.*AkamaiSiemTLSVersion=(.*?);', 1, AdditionalExtensions)
    | extend RequestHeaders = extract(@'.*AkamaiSiemRequestHeaders=;?(.*?);', 1, AdditionalExtensions)
    | extend ResponseHeaders = extract(@'.*AkamaiSiemResponseHeaders=(.*?);', 1, AdditionalExtensions)
    | extend HttpStatusCode = extract(@'.*AkamaiSiemResponseStatus=(.*?);', 1, AdditionalExtensions)
    | extend GeoContinent = extract(@'.*AkamaiSiemContinent=(.*?);', 1, AdditionalExtensions)
    | extend SrcGeoCountry = extract(@'.*AkamaiSiemCountry=(.*?);', 1, AdditionalExtensions)
    | extend SrcGeoCity = extract(@'.*AkamaiSiemCity=(.*?);', 1, AdditionalExtensions)
    | extend SrcGeoRegion = extract(@'.*AkamaiSiemRegion=(.*?);', 1, AdditionalExtensions)
    | extend GeoAsn = extract(@'.*AkamaiSiemASN=(\d+)', 1, AdditionalExtensions)
    // The last pair has no trailing ';', so match up to ';' or end of string
    // (a lazy (.*?) with nothing after it would always capture an empty value)
    | extend Custom = extract(@'.*AkamaiSiemCusomData=(.*?)(?:;|$)', 1, AdditionalExtensions)
    | project TimeGenerated
            , EventVendor
            , EventProduct
            , EventProductVersion
            , EventStartTime
            , EventId
            , EventCategory
            , EventSeverity
            , DvcAction
            , NetworkApplicationProtocol
            , Ipv6Src
            , RuleName
            , RuleMessages
            , RuleData
            , RuleSelectors
            , ClientReputation
            , ApiId
            , RequestId
            , DstDvcHostname
            , DstPortNumber
            , ConfigId
            , PolicyId
            , NetworkBytes
            , UrlOriginal
            , HttpRequestMethod
            , SrcIpAddr
            , SlowPostAction
            , SlowPostRate
            , RuleVersions
            , RuleTags
            , ApiKey
            , Tls
            , RequestHeaders
            , ResponseHeaders
            , HttpStatusCode
            , GeoContinent
            , SrcGeoCountry
            , SrcGeoCity
            , SrcGeoRegion
            , GeoAsn
            , Custom
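As an added example (not part of the original article or of the Akamai connector), the following Python mirrors the regex extraction the AkamaiSIEMEvent function performs on AdditionalExtensions, run against a constructed sample value, so you can check what each parser column will contain before saving the function. It assumes the value is the ';'-delimited key=value string the Log Analytics agent produces for CEF extension keys without a dedicated column, and it drops the leading `.*` of each KQL pattern since only the first occurrence of a key is expected; the last pair is matched to end-of-string because it has no trailing ';'.

```python
import re
from datetime import datetime, timezone

# Constructed sample of one AdditionalExtensions value as the Log Analytics
# agent fills it for a CEF message from the Akamai SIEM connector.
SAMPLE_EXTENSIONS = (
    "start=1600000000;AkamaiSiemSlowPostAction=A;AkamaiSiemSlowPostRate=10;"
    "AkamaiSiemRuleVersions=,v1,v2;AkamaiSiemRuleTags=WAF;"
    "AkamaiSiemTLSVersion=TLSv1.2;"
    "AkamaiSiemRequestHeaders=;Host:www.example.test;"
    "AkamaiSiemResponseHeaders=Server:x;AkamaiSiemResponseStatus=403;"
    "AkamaiSiemContinent=EU;AkamaiSiemCountry=DE;AkamaiSiemCity=Berlin;"
    "AkamaiSiemRegion=BE;AkamaiSiemASN=3320;AkamaiSiemCusomData=abc"
)

# Capture groups taken from the AkamaiSIEMEvent function, keyed by the
# output column they feed (KQL extract(..., 1, col) == Python group(1)).
FIELD_PATTERNS = {
    "EventStartTime": r"start=(.*?);",
    "SlowPostAction": r"AkamaiSiemSlowPostAction=(.*?);",
    "SlowPostRate": r"AkamaiSiemSlowPostRate=(.*?);",
    "RuleVersions": r"AkamaiSiemRuleVersions=,?(.*?);",   # skip leading ','
    "RuleTags": r"AkamaiSiemRuleTags=(.*?);",
    "Tls": r"AkamaiSiemTLSVersion=(.*?);",
    "RequestHeaders": r"AkamaiSiemRequestHeaders=;?(.*?);",  # skip leading ';'
    "ResponseHeaders": r"AkamaiSiemResponseHeaders=(.*?);",
    "HttpStatusCode": r"AkamaiSiemResponseStatus=(.*?);",
    "SrcGeoCountry": r"AkamaiSiemCountry=(.*?);",
    "GeoAsn": r"AkamaiSiemASN=(\d+)",
    # last pair: no trailing ';', so stop at ';' or at end of string
    "Custom": r"AkamaiSiemCusomData=(.*?)(?:;|$)",
}


def parse_additional_extensions(extensions: str) -> dict:
    """Return the parser's columns for one AdditionalExtensions value.

    A missing key yields None (KQL extract() yields empty); EventStartTime is
    converted from epoch seconds like datetime(1970-01-01) + tolong(...) * 1s.
    """
    row = {}
    for column, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, extensions)
        row[column] = match.group(1) if match else None
    if row["EventStartTime"] is not None:
        row["EventStartTime"] = datetime.fromtimestamp(
            int(row["EventStartTime"]), tz=timezone.utc)
    return row


if __name__ == "__main__":
    for column, value in parse_additional_extensions(SAMPLE_EXTENSIONS).items():
        print(f"{column:16} {value}")
```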
    
  3. Click the Save drop-down, and click Save. In the Save panel:

    1. Under Name, enter AkamaiSIEMEvent.

    2. Under Save as, choose Function.

    3. Under Function Alias, enter AkamaiSIEMEvent.

    4. Under Category, enter Functions.

    5. Click Save.

    The saved function typically takes between 10 and 15 minutes to activate.

Now you're ready to query Akamai data by entering AkamaiSIEMEvent in the top line of the query window.

See the Next steps tab in the connector page for more query samples.

Next steps

In this document, you learned how to connect Akamai Security Events to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: