Akamai WAF


The Akamai Web Application Firewall (WAF) offers real-time protection for web applications by filtering and blocking malicious HTTP traffic. It safeguards sensitive data, prevents unauthorized access, and ensures continuous application performance. For more information, refer to Akamai’s official documentation.

Integration Methods: API, CEF Connector

Tables: Detection Finding (2004)

This integration supports the following events.

Event | Description
Security Events | Get all security events generated on the Akamai platform in your SIEM application.

This integration supports the following versions.

Akamai WAF Application Security API | v1.0
Akamai WAF SIEM Integration | v1.0
Akamai WAF SIEM CEF Connector | v1.0

This article describes two integration methods:

  • API

  • CEF Connector - This approach requires deploying a data collector and the Akamai CEF connector.

Prerequisites

  • The user should have SIEM role access to create API tokens to retrieve data successfully.

  • The user should have access to the DataBee console.

Additionally, for the Akamai CEF Connector integration, the following is required:

  • DataBee Data Collector

  • Installing the Akamai SIEM CEF Connector along with Java on a VM

Configuration Overview

  1. Generate client credentials with the required scopes.

  2. Add the Akamai WAF data feed in the DataBee console with the below parameters.

    DataBee Parameter | Akamai WAF Parameter
    Access Token | access token
    Client Token | client token
    Client Secret | client secret
    Base URL (<Instance>) | host
    Config Id | Web Security Configuration Id

Akamai WAF Configuration

Before configuring the data source in the DataBee UI, you need to set up a SIEM integration, a SIEM user and an API client in the Akamai WAF dashboard to obtain the necessary credentials. Follow these steps:

Turn on SIEM Integration

  1. Sign in to the Akamai Control Center Dashboard.
     

  2. Click the three horizontal lines in the top-left corner to open the sidebar.
     

  3. In the sidebar menu, select the Show all services option.
     

  4. In the Show all services side menu, under the WEB & DATA CENTER SECURITY category, click on Security Configurations.


  5. In the left sidebar, select the highlighted security configuration for which you want to collect SIEM data, and then click on Advanced Settings.
     

  6. Click on the Data collection for SIEM Integration dropdown.
     

  7. Within the dropdown, configure the following:

    • Toggle On to enable SIEM.

    • Select the security policies for data export based on your requirements: "All Security Policies" or "Specific Security Policies" (Refer to the documentation for more details.)

    • Copy the value from the Web Security Configuration ID field, as it will be needed later in the configuration process.
       

  8. Once all the requirements are configured, click Activate.
     

NOTE:

If you want to enable SIEM integration for additional security configurations, repeat the preceding process for each configuration before continuing to Step 2.

Set up a user to manage SIEM

  1. In the Control Center under ACCOUNT ADMIN, click on Identity & access.
     

  2. On the Users and API Clients tab, do one of the following:

    • Click the Create user button if you wish to configure a new user.

    • Locate the existing user to whom you want to assign the role. (Refer to the documentation for more details.)
       

  3. To assign the SIEM role to a new user, click Create User. Enter the user's basic information, then scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Finally, click Submit.
     

    Note:

    Only the Manage SIEM role has the proper permissions: don't assign this role to any other user.

  4. To assign the SIEM role to an existing user, open the user's account and click the “Edit Roles” tab.
     

  5. Find the appropriate group, click the ‘Roles’ dropdown, and select the Manage SIEM role. Then, click Submit.
     

Provision SIEM API and get access tokens

  1. In the Control Center under ACCOUNT ADMIN, click Identity & access.
     

  2. Under Users and API Clients, click Create API client.
     

  3. Choose the Myself option if you have the Manage SIEM role or click on Another User to create an API client for another user. Click the dropdown for Select User and select the user account that has the Manage SIEM role. Then, click Quick to create an API client.
     

  4. The client tokens, including the Client Secret, Client Token, Access Token, and Host, will be displayed on the next page. Copy the credentials and download them for future use.
     

DataBee Data Collector

Note:

This is only needed when using the Akamai CEF Connector for data ingestion.  

If you are using API integration, skip this step.

Refer to https://docs.databee.buzz/docs/data-collector#configure-data-collector-in-databee for instructions.

DataBee Feed Configuration (API Integration)

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for the Akamai WAF and click it as shown below.
     

  3. Click on the API Ingest option for collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the next dialog, enter the following:

    • Authorization Method: Akamai EdgeGrid

    • API Base URL: replace <instance> with your host.

    • Configuration ID: paste the Configuration ID.

    • Access Token: paste the Access Token.

    • Client Token: paste the Client Token.

    • Client Secret: paste the Secret.

    • Event Types: preselected for all the event types that the integration pulls.

     

  6. Click on Submit.

DataBee Feed Integration (Akamai CEF Connector)

  1. Follow steps 1 & 2 from the previous section.

  2. Choose the Data Collector option for data ingestion.

  3. Choose the TCP option.

  4. Enter the feed contact information, and select a data collector from the drop-down.

  5. In the configuration section, ensure the following settings:

    1. Format: CEF

    2. Port: 546. This is the default value when configuring the CEF connector.

  6. Click Submit.

Akamai SIEM CEF Connector Configuration

The Akamai CEF connector pulls logs from Akamai WAF and sends them to DataBee. It needs to be installed on a VM that can reach the DataBee data collector. More information on the CEF connector can be found at https://techdocs.akamai.com/siem-integration/docs/siem-cef-connector.

  1. Download the latest CEF connector. Refer to this Akamai documentation link.

  2. Move and unzip the file to your desired location.

  3. Once the CEF connector is installed, make sure that Java is installed on the VM, as the CEF connector uses Java.

  4. To install Java on a Linux VM, run the following two commands if Java is not already installed.

    1. sudo apt update

    2. sudo apt install default-jdk

Network Note:

Make sure both the CEF connector and the data collector are installed on the same network, as they need to communicate with each other to forward the security events. Also make sure that the port used for sending the data is not blocked by a firewall.

Configuring the CEF Connector

Before data collection starts, the following files need to be changed in the CEF connector with relevant information.

  • config/CEFConnector.properties

  • config/log4j2.xml

config/CEFConnector.properties file changes

CEF Connector Property | Value
akamai.data.requesturlhost | https://<host>
akamai.data.configs | Config Ids. Note: If there are multiple config ids for which you want to poll data, separate them with semicolons (;).
akamai.data.limit | 10000
akamai.data.timebased | Change value from false to true. If already true, keep it as is.
akamai.data.timebased.from | Timestamp in seconds from which you want to pull the data. Note: Akamai returns the past 12 hours of data, so we recommend setting this value to (current time in seconds - 11 hours in seconds). Example: If the current date is 11th Feb 2026 06:00:00 UTC, the time in seconds is 1770789600. So, the value here should be 1770789600 minus 39,600 seconds (which equals 11 hours).
akamai.data.accesstoken | Access Token
akamai.data.clienttoken | Client Token
akamai.data.clientsecret | Client Secret
akamai.data.baseurl | Host
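A pre-flight check for the edited config/CEFConnector.properties, meant to be run on the connector VM before the connector is started. This is an added example, not part of the Akamai connector or DataBee tooling. The function names and the file-permission check are assumptions made for illustration; the property names and the 11-hour and 12-hour windows are the ones listed above.

```shell
#!/bin/sh
# Added example: pre-flight check for config/CEFConnector.properties.
# Property names are the ones listed on this page; function names are hypothetical.

# 11 hours (39600 s) before NOW: the start time this page recommends.
recommended_from() { t=${1:-$(date -u +%s)}; echo $(( t - 39600 )); }

# prop FILE KEY: print the value of KEY (exact key match, last one wins).
prop() {
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$1"
}

fail() { echo "FAIL: $*" >&2; rc=1; }

# check_cef_properties FILE [NOW]: returns 0 only if every check passes.
check_cef_properties() {
    f=$1; now=${2:-$(date -u +%s)}; rc=0
    # The file holds the client secret: expect no group/other permission bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || fail "$f is accessible to group/other"
    case $(prop "$f" akamai.data.requesturlhost) in
        *"<"*|*">"*) fail "requesturlhost still contains a placeholder" ;;
        https://?*) ;;
        *) fail "requesturlhost must start with https://" ;;
    esac
    # Multiple config ids are separated by semicolons, not commas or spaces.
    case $(prop "$f" akamai.data.configs) in
        ""|*,*|*" "*|\;*|*\;|*\;\;*) fail "configs must be id or id;id;..." ;;
    esac
    [ "$(prop "$f" akamai.data.timebased)" = "true" ] || fail "timebased must be true"
    from=$(prop "$f" akamai.data.timebased.from)
    case $from in
        ""|*[!0-9]*) fail "timebased.from must be epoch seconds" ;;
        *) age=$(( now - from ))
           # Akamai returns the past 12 hours (43200 s) of data.
           { [ "$age" -ge 0 ] && [ "$age" -le 43200 ]; } ||
               fail "timebased.from is ${age}s old; use $(recommended_from "$now")" ;;
    esac
    for k in accesstoken clienttoken clientsecret; do
        [ -n "$(prop "$f" "akamai.data.$k")" ] || fail "akamai.data.$k is empty"
    done
    return $rc
}
```

Source the file and call `check_cef_properties config/CEFConnector.properties`; each failed check is reported on stderr and the function returns non-zero.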

config/log4j2.xml file changes

Log4j2 Property | Value
CEFHost | VM IP where data collector is installed
CEFPort | Port number added while configuring the feed in DataBee. Default - 546

Once the changes are complete, open a terminal and execute the following command:

nohup /bin/AkamaiCEFConnector.sh start & 

Note

If the process is terminated, the command above will need to be executed again.


Troubleshooting Tips

API Integration

  • If you’re facing invalid_client or unauthorized_client issues, this may be due to incorrect credentials. Ensure the token is pasted correctly. Since you cannot view the token after the first time, re-create the token, paste it into a text editor to ensure no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • If you are facing response code 403, this may be due to missing permissions. Ensure READ-WRITE access and Manage SIEM roles are assigned to only one user.

SIEM Connector Integration

  • Ensure that both the VMs are reachable by opening the terminal and executing a ping command.

  • Issues regarding log forwarding: refer to the DataBee troubleshooting document for detailed guidance.

  • CEF connector issues: refer to the cefconnector.log file under the /logs folder where the connector is installed.

  • Unauthorized error in cefconnector.log: ensure the credential values are correct and have not expired.

  • Make sure the data source in DataBee is configured before configuring the CEF connector so that there is no data loss.