Akamai Guardicore SaaS
Overview
Akamai Guardicore delivers application-centric microsegmentation and breach detection to prevent lateral movement across on-premises and cloud environments. With process-level visibility, dynamic policy orchestration and automated workflows, it enforces Zero Trust controls at scale. Simplify network segmentation, accelerate threat response and maintain continuous compliance for critical assets.
- Vendor: Akamai
- Supported environment: SaaS
- Detection based on: Alert, Telemetry
- Supported application or feature: see section below
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Akamai Guardicore event types supported
Here is a list of all the Akamai Guardicore event types supported by this integration:
- Incident
- Audit log
- Network log
Configure
This setup guide will show you how to forward your Akamai Guardicore events to Sekoia.io.
Steps to follow
- Create an intake
- Set up the forwarding for Events
- Set up the forwarding for Network Logs
Create an intake
Go to the intake page and create a new intake from the format Akamai Guardicore. Copy the intake key.
Set up the forwarding for Events
- Log in to the Akamai Guardicore console
- In the left panel, go to `System > INTEGRATION > Data Exporters`
- Click `+ Create Data Exporter`
- Select `Events syslog Exporter`
- Type a name for the exporter configuration (e.g. `Sekoia.io Events exporter`)
- In the `Connection options` section:
  - Type `intake.sekoia.io` as `Syslog host`
  - Type `10514` as `Syslog port`
  - Select `TCP` as `Syslog protocol`
  - Enable `Use TLS`

Warning
The previous domain works for the FRA1 region. For any other region, replace the domain “intake.sekoia.io” with your region’s Syslog-intake domain, for example:
intake.usa1.sekoia.io:10514
You can find your region’s domain here: https://docs.sekoia.io/getting_started/regions/

- In the `Exporting options` section:
  - Enable `Export incidents`
  - Disable `Export Agent Logs`
  - Enable `Audit Logs`
- In the `Message format` section:
  - Select `RFC5424` as `Message format`
  - Select `ISO8601 (including milliseconds)` as `Format log timestamp`
  - Click `Not supplied` on the `RFC5424 structured data` option
  - In the dialog:
    - Paste: `SEKOIA@53288 intake_key="<YOUR_INTAKE_KEY_HERE>"`
    - Replace `<YOUR_INTAKE_KEY_HERE>` with the intake key created with the intake
    - Click `OK`
- Click `Test Connection`
- Click `Save`
Set up the forwarding for Network logs
- Click `+ Create Data Exporter`
- Select `Network Log syslog Exporter`
- Type a name for the exporter configuration (e.g. `Sekoia.io Network Log exporter`)
- In the `Connection options` section:
  - Type `intake.sekoia.io` as `Syslog host`
  - Type `10514` as `Syslog port`
  - Select `TCP` as `Syslog protocol`
  - Enable `Use TLS`

Warning
The previous domain works for the FRA1 region. For any other region, replace the domain “intake.sekoia.io” with your region’s Syslog-intake domain, for example:
intake.usa1.sekoia.io:10514
You can find your region’s domain here: https://docs.sekoia.io/getting_started/regions/

- In the `Exporting options` section:
  - Click `+ Add`
  - Create export verdicts for: `Allowed`, `Blocked`, `Alerted`, `Allowed and Encrypted`
- In the `Message format` section:
  - Select `RFC5424` as `Message format`
  - Select `ISO8601 (including milliseconds)` as `Format log timestamp`
  - Click `Not supplied` on the `RFC5424 structured data` option
  - In the dialog:
    - Paste: `SEKOIA@53288 intake_key="<YOUR_INTAKE_KEY_HERE>"`
    - Replace `<YOUR_INTAKE_KEY_HERE>` with the intake key created with the intake
    - Click `OK`
- Click `Test Connection`
- Click `Save`
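Both exporters above produce the same envelope: an RFC 5424 syslog line whose structured-data element `SEKOIA@53288 intake_key="..."` is what routes the event to your intake, sent over TCP with TLS to the region's syslog host. The script below is an added example (not code from Sekoia.io or Akamai) that builds such a frame for a constructed message body and checks it against the three settings the Troubleshooting section tells you to verify. The hostname, app name, PRI value and newline framing are assumptions, and the intake key is a placeholder.

```python
"""Shape of the RFC 5424 frame the Guardicore Data Exporter emits once configured as
above (RFC5424 message format, ISO8601 timestamp with milliseconds, SEKOIA@53288
structured data carrying the intake key), plus a checker for the three settings the
Troubleshooting section says to verify. Added example, not Sekoia.io or Akamai code:
hostname, app name, PRI and newline framing are assumptions; the key is a placeholder.
"""
import datetime as dt
import re
import socket
import ssl
from typing import List, Optional

SD_ID = "SEKOIA@53288"             # structured-data id from the setup steps above
DEFAULT_HOST = "intake.sekoia.io"  # FRA1 region; other regions use their own domain
DEFAULT_PORT = 10514


def iso8601_ms(ts: dt.datetime) -> str:
    """UTC timestamp with millisecond precision, e.g. 2024-04-03T02:05:40.611Z."""
    ts = ts.astimezone(dt.timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def sd_escape(value: str) -> str:
    """RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']' get a backslash."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_rfc5424(intake_key: str, msg: str, ts: dt.datetime,
                  hostname: str = "guardicore-mgmt", app: str = "guardicore") -> str:
    """One syslog line: PRI VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = "<14>"  # facility user (1) * 8 + severity informational (6); assumed value
    sd = f'[{SD_ID} intake_key="{sd_escape(intake_key)}"]'
    return f"{pri}1 {iso8601_ms(ts)} {hostname} {app} - - {sd} {msg}"


RFC5424_RE = re.compile(
    r"^<\d{1,3}>1 (?P<ts>\S+) \S+ \S+ \S+ \S+ (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")
TS_MS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(?:Z|[+-]\d{2}:\d{2})$")
KEY_RE = re.compile(r"\[" + re.escape(SD_ID) + r' intake_key="([^"]*)"\]')


def intake_key_from_frame(frame: str) -> Optional[str]:
    """The intake key carried in the SEKOIA@53288 element, or None if it is absent."""
    m = RFC5424_RE.match(frame)
    if not m:
        return None
    km = KEY_RE.search(m.group("sd"))
    return km.group(1) if km else None


def check_frame(frame: str) -> List[str]:
    """Problems with a frame, phrased as the exporter setting to fix. An empty list
    means the frame passes the three checks from the Troubleshooting section."""
    m = RFC5424_RE.match(frame)
    if not m:
        return ["not an RFC5424 frame: select RFC5424 as Message format"]
    problems = []
    if not TS_MS_RE.match(m.group("ts")):
        problems.append("timestamp lacks milliseconds: select ISO8601 (including milliseconds)")
    key = intake_key_from_frame(frame)
    if key is None:
        problems.append(f"{SD_ID} intake_key structured data is missing")
    elif key == "<YOUR_INTAKE_KEY_HERE>":
        problems.append("intake_key placeholder was never replaced")
    return problems


def send_over_tls(frame: str, host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                  timeout: float = 5.0) -> None:
    """Ship one frame over TCP + TLS as the exporter does. Newline-delimited framing is
    an assumption; the page does not say which syslog framing the intake expects."""
    ctx = ssl.create_default_context()  # verifies the intake's certificate and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame.encode("utf-8") + b"\n")


def sample_frame(intake_key: str = "PLACEHOLDER-KEY-1234") -> str:
    """Frame for a fixed, constructed timestamp and a body modelled on the page's
    test-connection raw sample."""
    ts = dt.datetime(2024, 4, 3, 2, 5, 40, 611000, tzinfo=dt.timezone.utc)
    body = ("New test connection entry reported by the Guardicore Security Suite;;"
            "Username: None;IP Address: 192.0.2.10;;Title: Run Data Exporter Integration "
            "Test Connections;;Description: Test successful")
    return build_rfc5424(intake_key, body, ts)


if __name__ == "__main__":
    frame = sample_frame("<YOUR_INTAKE_KEY_HERE>")
    print(frame)
    print(check_frame(frame))  # reports the unreplaced placeholder
```

Run it as-is to see the frame and the checker's verdict; `send_over_tls` is only called if you wire it up yourself with a real key. If the intake is in another region, pass that region's syslog-intake domain as `host`, exactly as the warning above says for the exporter.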
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
New audit log entry reported by the Guardicore Security Suite;;Username: admin;IP Address: 192.0.2.1;;Title: Run Data Exporter Integration Test Connections;;Description: None
New Audit log entry reported by the Guardicore Security Suite;;Username: admin;IP Address: 192.0.2.1;; Title: Adding new Syslog integration configuration; Description: Created label group Role: App (id: 7de50df5-f530-4752-9450-553cce25ebd2)
New audit log entry reported by the Guardicore Security Suite;;Username: None;IP Address: 192.0.2.1;;Title: Access to unknown resource;;Description: Access to resource: /api/login with status code: 404
New audit log entry reported by the Guardicore Security Suite;;Username: jdoe;IP Address: 192.0.2.1;;Title: Authentication success;;Description: User jdoe authenticated successfully
New test connection entry reported by the Guardicore Security Suite;;Username: None;IP Address: 192.0.2.10;;Title: Run Data Exporter Integration Test Connections;;Description: Test successful
New low severity security incident reported by the Guardicore Security Suite;;ID: 00000000-0000-0000-0000-000000000000;URL: https://lab.example.com/overview/incidents/00000000-0000-0000-0000-000000000000;;Description: A request was made to an IP address with a bad reputation;;Severity: low;Start Time: 2026-04-07T08:47Z;End Time: 2026-04-07T08:47Z;;Rule ID: No rule;Affected Assets:;192.0.2.1 (source);destination.test.org (destination);;Destination labels: Role: FE;Terraform: True;Worksite: Default;App: CRM;Environment: Development;os_name: Ubuntu 24.04.4 LTS;os_type: Linux;;Tags: Known Phishing, Known Malware;;Summary: ;1. IP address 198.51.100.50:22, communicating with asset destination.test.org (192.0.2.2), was identified as Known Malware and Known Phishing by Guardicore Reputation Service.;Direction: Inbound;
New network connection reported by the Guardicore Security Suite;ID: eac74b0a;Connection type: FAILED; Action: Blocked;Count: 1;Time: 2024-04-03T02:05:40.611Z;Source IP: 192.0.2.1;Source process name: Unknown Client;Source application name: Unknown Client;Destination IP: 192.0.2.2;Destination port: 22;Destination asset name: hostname.local;Destination user name: root;Destination process name: sshd;Destination process path: /usr/sbin/sshd;Destination process name: sshd;Protocol: TCP;Connection verdict: blocked_by_destination;Policy rule: 11234vs-4573-7432-7543-2342gsdf436; Incidents: 11124vs-2342-1231-6543-2342gsdf424
New network connection reported by the Guardicore Security Suite;ID: eac74b0a;Connection type: SUCCESSFUL; Action: Allowed;Count: 1;Time: 2024-04-03T02:05:40.611Z;Source IP: 192.0.2.5;Source process name: Unknown Client;Source application name: Unknown Client;Destination IP: 192.0.2.6;Destination port: 67;Destination asset name: hostname.local;Destination user name: root;Destination process name: sshd;Destination process path: /usr/sbin/dnsmasq;Destination process name: sshd;Protocol: UDP;Connection verdict: allowed;Policy rule: default; Incidents: 11124vs-2342-1231-6543-2342gsdf424
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data sources offered by this integration.
| Data Source | Description |
|---|---|
| Network device logs | Akamai Guardicore logs network traffic |
| Network protocol analysis | Akamai Guardicore logs network traffic |
| Third-party application logs | Akamai Guardicore logs audit activities and incidents |
In detail, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | authentication, configuration, network, threat |
| Type | access, allowed, change, creation, deletion, denied, info, start |
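The raw samples above are one message body per event: `;`-separated `Label: value` pairs, with `;;` as section breaks, a few bare items that continue the previous label (the entries under `Affected Assets:` and `Summary:`), and the occasional repeated label. The script below is an added example, not Sekoia.io's parser: it parses that layout, maps the three event types onto the ECS shape shown in the transformed samples (category and type values as in the table above, in a simplified form), and runs one hunting query over the page's own raw samples, which are embedded as documentation data rather than live traffic.

```python
"""Parse the Guardicore message body (';'-separated 'Label: value' pairs, ';;' as
section breaks) into an ECS-shaped document and run one hunting query over it.
Added example, not Sekoia.io's parser: the mapping follows the transformed samples
on this page in simplified form. SAMPLES are the page's raw samples (doc data)."""
import json
import re

SAMPLES = [
    "New audit log entry reported by the Guardicore Security Suite;;Username: jdoe;IP Address: 192.0.2.1;;Title: Authentication success;;Description: User jdoe authenticated successfully",
    "New network connection reported by the Guardicore Security Suite;ID: eac74b0a;Connection type: FAILED; Action: Blocked;Count: 1;Time: 2024-04-03T02:05:40.611Z;Source IP: 192.0.2.1;Source process name: Unknown Client;Source application name: Unknown Client;Destination IP: 192.0.2.2;Destination port: 22;Destination asset name: hostname.local;Destination user name: root;Destination process name: sshd;Destination process path: /usr/sbin/sshd;Destination process name: sshd;Protocol: TCP;Connection verdict: blocked_by_destination;Policy rule: 11234vs-4573-7432-7543-2342gsdf436; Incidents: 11124vs-2342-1231-6543-2342gsdf424",
    "New network connection reported by the Guardicore Security Suite;ID: eac74b0a;Connection type: SUCCESSFUL; Action: Allowed;Count: 1;Time: 2024-04-03T02:05:40.611Z;Source IP: 192.0.2.5;Source process name: Unknown Client;Source application name: Unknown Client;Destination IP: 192.0.2.6;Destination port: 67;Destination asset name: hostname.local;Destination user name: root;Destination process name: sshd;Destination process path: /usr/sbin/dnsmasq;Destination process name: sshd;Protocol: UDP;Connection verdict: allowed;Policy rule: default; Incidents: 11124vs-2342-1231-6543-2342gsdf424",
    "New low severity security incident reported by the Guardicore Security Suite;;ID: 00000000-0000-0000-0000-000000000000;URL: https://lab.example.com/overview/incidents/00000000-0000-0000-0000-000000000000;;Description: A request was made to an IP address with a bad reputation;;Severity: low;Start Time: 2026-04-07T08:47Z;End Time: 2026-04-07T08:47Z;;Rule ID: No rule;Affected Assets:;192.0.2.1 (source);destination.test.org (destination);;Destination labels: Role: FE;Terraform: True;Worksite: Default;App: CRM;Environment: Development;os_name: Ubuntu 24.04.4 LTS;os_type: Linux;;Tags: Known Phishing, Known Malware;;Summary: ;1. IP address 198.51.100.50:22, communicating with asset destination.test.org (192.0.2.2), was identified as Known Malware and Known Phishing by Guardicore Reputation Service.;Direction: Inbound;",
]

# A label is a short run of letters/spaces/underscores followed by ':'; the value may be empty.
LABEL_RE = re.compile(r"^([A-Za-z][A-Za-z _]{0,40}):(?:\s+(.*))?$")


def parse_message(msg):
    """'Label: value' pairs keyed by label. A bare item (no label) continues the previous
    label as a list ('Affected Assets:', 'Summary:'); a repeated label keeps its first value."""
    parts = [p.strip() for p in msg.split(";")]
    fields = {"headline": parts[0]}
    last = None
    for part in parts[1:]:
        if not part:
            continue
        m = LABEL_RE.match(part)
        if m:
            last = m.group(1)
            fields.setdefault(last, (m.group(2) or "").strip())
        elif last is not None:
            prev = fields[last]
            fields[last] = (prev if isinstance(prev, list) else [prev] if prev else []) + [part]
    return fields


def _opt(value):
    """Guardicore writes 'None' for absent values; drop it as the transformed samples do."""
    return None if value in (None, "", "None") else value


def to_ecs(msg):
    f = parse_message(msg)
    head = f["headline"].lower()
    doc = {"message": msg, "observer": {"vendor": "Akamai", "product": "Guardicore", "type": "bastion"}}
    if "network connection" in head:
        allowed = f.get("Action", "").lower() == "allowed"
        doc["@timestamp"] = f.get("Time")
        doc["event"] = {"dataset": "network", "category": ["network"], "action": f.get("Action"),
                        "type": ["allowed" if allowed else "denied"],
                        "outcome": "success" if f.get("Connection type") == "SUCCESSFUL" else "failure"}
        doc["source"] = {"ip": f.get("Source IP")}
        doc["destination"] = {"ip": f.get("Destination IP"), "port": int(f.get("Destination port", 0)),
                              "domain": f.get("Destination asset name"),
                              "user": {"name": f.get("Destination user name")}}
        doc["network"] = {"transport": f.get("Protocol", "").lower(),
                          "application": f.get("Source application name")}
        doc["process"] = {"name": f.get("Source process name")}
        doc["rule"] = {"id": f.get("Policy rule")}
        doc["akamai"] = {"guardicore": {"network": {
            "id": f.get("ID"), "connection_verdict": f.get("Connection verdict"),
            "incidents": [i.strip() for i in f.get("Incidents", "").split(",") if i.strip()],
            "destination": {"process": {"name": f.get("Destination process name"),
                                        "path": f.get("Destination process path")}}}}}
    elif "security incident" in head:
        summary = f.get("Summary", [])
        doc["event"] = {"dataset": "incident", "kind": "alert", "category": ["threat"], "type": ["info"],
                        "reference": f.get("URL"),
                        "reason": " ".join(summary if isinstance(summary, list) else [summary])}
        doc["network"] = {"direction": f.get("Direction", "").lower()}
        doc["akamai"] = {"guardicore": {"incident": {
            "id": f.get("ID"), "severity": f.get("Severity"), "environment": f.get("Environment"),
            "affected_assets": f.get("Affected Assets", [])}}}
    elif "audit log entry" in head:
        auth = "authentication" in f.get("Title", "").lower()
        doc["event"] = {"dataset": "audit", "category": ["authentication" if auth else "configuration"],
                        "type": ["start" if auth else "info"], "reason": _opt(f.get("Description"))}
        doc["source"] = {"ip": f.get("IP Address")}
        if _opt(f.get("Username")):
            doc["user"] = {"name": f["Username"]}
    else:  # e.g. the 'test connection' entry
        doc["event"] = {"dataset": "test", "category": ["network"], "type": ["info"]}
    return doc


def blocked_connections_tied_to_incidents(messages):
    """Hunting query as code: denied connections that Guardicore also linked to an incident
    (in the events page: event.type is 'denied' and akamai.guardicore.network.incidents is set)."""
    hits = []
    for m in messages:
        d = to_ecs(m)
        inc = d.get("akamai", {}).get("guardicore", {}).get("network", {}).get("incidents", [])
        if d["event"]["dataset"] == "network" and "denied" in d["event"]["type"] and inc:
            hits.append((f"{d['destination']['ip']}:{d['destination']['port']}", inc))
    return hits


if __name__ == "__main__":
    print(json.dumps(to_ecs(SAMPLES[1]), indent=2))
    print(blocked_connections_tied_to_incidents(SAMPLES))
```

The `Incidents` label is present on the allowed connection too, so the hunt keys on `event.type` rather than on the mere presence of an incident id; the same split matters when writing a custom rule against the real parser's output.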
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "New audit log entry reported by the Guardicore Security Suite;;Username: admin;IP Address: 192.0.2.1;;Title: Run Data Exporter Integration Test Connections;;Description: None",
"event": {
"category": [
"configuration"
],
"dataset": "audit",
"type": [
"info"
]
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"related": {
"ip": [
"192.0.2.1"
],
"user": [
"admin"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
},
"user": {
"name": "admin"
}
}
{
"message": "New Audit log entry reported by the Guardicore Security Suite;;Username: admin;IP Address: 192.0.2.1;; Title: Adding new Syslog integration configuration; Description: Created label group Role: App (id: 7de50df5-f530-4752-9450-553cce25ebd2)",
"event": {
"category": [
"configuration"
],
"dataset": "audit",
"reason": "Created label group Role: App (id: 7de50df5-f530-4752-9450-553cce25ebd2)",
"type": [
"creation"
]
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"related": {
"ip": [
"192.0.2.1"
],
"user": [
"admin"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
},
"user": {
"name": "admin"
}
}
{
"message": "New audit log entry reported by the Guardicore Security Suite;;Username: None;IP Address: 192.0.2.1;;Title: Access to unknown resource;;Description: Access to resource: /api/login with status code: 404",
"event": {
"category": [
"configuration"
],
"dataset": "audit",
"reason": "Access to resource: /api/login with status code: 404",
"type": [
"access"
]
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"related": {
"ip": [
"192.0.2.1"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
}
}
{
"message": "New audit log entry reported by the Guardicore Security Suite;;Username: jdoe;IP Address: 192.0.2.1;;Title: Authentication success;;Description: User jdoe authenticated successfully",
"event": {
"category": [
"authentication"
],
"dataset": "audit",
"outcome": "success",
"reason": "User jdoe authenticated successfully",
"type": [
"start"
]
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"related": {
"ip": [
"192.0.2.1"
],
"user": [
"jdoe"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
},
"user": {
"name": "jdoe"
}
}
{
"message": "New test connection entry reported by the Guardicore Security Suite;;Username: None;IP Address: 192.0.2.10;;Title: Run Data Exporter Integration Test Connections;;Description: Test successful",
"event": {
"category": [
"network"
],
"dataset": "test",
"outcome": "success",
"reason": "Run Data Exporter Integration Test Connections",
"type": [
"info"
]
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
}
}
{
"message": "New low severity security incident reported by the Guardicore Security Suite;;ID: 00000000-0000-0000-0000-000000000000;URL: https://lab.example.com/overview/incidents/00000000-0000-0000-0000-000000000000;;Description: A request was made to an IP address with a bad reputation;;Severity: low;Start Time: 2026-04-07T08:47Z;End Time: 2026-04-07T08:47Z;;Rule ID: No rule;Affected Assets:;192.0.2.1 (source);destination.test.org (destination);;Destination labels: Role: FE;Terraform: True;Worksite: Default;App: CRM;Environment: Development;os_name: Ubuntu 24.04.4 LTS;os_type: Linux;;Tags: Known Phishing, Known Malware;;Summary: ;1. IP address 198.51.100.50:22, communicating with asset destination.test.org (192.0.2.2), was identified as Known Malware and Known Phishing by Guardicore Reputation Service.;Direction: Inbound;",
"event": {
"category": [
"threat"
],
"dataset": "incident",
"end": "2026-04-07T08:47:00Z",
"kind": "alert",
"reason": "1. IP address 198.51.100.50:22, communicating with asset destination.test.org (192.0.2.2), was identified as Known Malware and Known Phishing by Guardicore Reputation Service.",
"reference": "https://lab.example.com/overview/incidents/00000000-0000-0000-0000-000000000000",
"start": "2026-04-07T08:47:00Z",
"type": [
"info"
]
},
"@timestamp": "2026-04-07T08:47:00Z",
"akamai": {
"guardicore": {
"incident": {
"affected_assets": [
"192.0.2.1 (source)",
"destination.test.org (destination)"
],
"environment": "Development",
"id": "00000000-0000-0000-0000-000000000000",
"severity": "low"
}
}
},
"destination": {
"address": "destination.test.org",
"domain": "destination.test.org",
"registered_domain": "test.org",
"subdomain": "destination",
"top_level_domain": "org"
},
"host": {
"os": {
"full": "Ubuntu 24.04.4 LTS",
"type": "linux"
}
},
"network": {
"application": "CRM",
"direction": "inbound"
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"related": {
"hosts": [
"destination.test.org"
],
"ip": [
"192.0.2.1"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
}
}
{
"message": "New network connection reported by the Guardicore Security Suite;ID: eac74b0a;Connection type: FAILED; Action: Blocked;Count: 1;Time: 2024-04-03T02:05:40.611Z;Source IP: 192.0.2.1;Source process name: Unknown Client;Source application name: Unknown Client;Destination IP: 192.0.2.2;Destination port: 22;Destination asset name: hostname.local;Destination user name: root;Destination process name: sshd;Destination process path: /usr/sbin/sshd;Destination process name: sshd;Protocol: TCP;Connection verdict: blocked_by_destination;Policy rule: 11234vs-4573-7432-7543-2342gsdf436; Incidents: 11124vs-2342-1231-6543-2342gsdf424",
"event": {
"action": "Blocked",
"category": [
"network"
],
"dataset": "network",
"outcome": "failure",
"type": [
"denied"
]
},
"@timestamp": "2024-04-03T02:05:40.611000Z",
"akamai": {
"guardicore": {
"network": {
"connection_verdict": "blocked_by_destination",
"destination": {
"process": {
"name": "sshd",
"path": "/usr/sbin/sshd"
}
},
"id": "eac74b0a",
"incidents": [
"11124vs-2342-1231-6543-2342gsdf424"
]
}
}
},
"destination": {
"address": "hostname.local",
"domain": "hostname.local",
"ip": "192.0.2.2",
"port": 22,
"subdomain": "hostname",
"user": {
"name": "root"
}
},
"network": {
"application": "Unknown Client",
"transport": "tcp"
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"process": {
"name": "Unknown Client"
},
"related": {
"hosts": [
"hostname.local"
],
"ip": [
"192.0.2.1",
"192.0.2.2"
],
"user": [
"root"
]
},
"rule": {
"id": "11234vs-4573-7432-7543-2342gsdf436"
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
}
}
{
"message": "New network connection reported by the Guardicore Security Suite;ID: eac74b0a;Connection type: SUCCESSFUL; Action: Allowed;Count: 1;Time: 2024-04-03T02:05:40.611Z;Source IP: 192.0.2.5;Source process name: Unknown Client;Source application name: Unknown Client;Destination IP: 192.0.2.6;Destination port: 67;Destination asset name: hostname.local;Destination user name: root;Destination process name: sshd;Destination process path: /usr/sbin/dnsmasq;Destination process name: sshd;Protocol: UDP;Connection verdict: allowed;Policy rule: default; Incidents: 11124vs-2342-1231-6543-2342gsdf424",
"event": {
"action": "Allowed",
"category": [
"network"
],
"dataset": "network",
"outcome": "success",
"type": [
"allowed"
]
},
"@timestamp": "2024-04-03T02:05:40.611000Z",
"akamai": {
"guardicore": {
"network": {
"connection_verdict": "allowed",
"destination": {
"process": {
"name": "sshd",
"path": "/usr/sbin/dnsmasq"
}
},
"id": "eac74b0a",
"incidents": [
"11124vs-2342-1231-6543-2342gsdf424"
]
}
}
},
"destination": {
"address": "hostname.local",
"domain": "hostname.local",
"ip": "192.0.2.6",
"port": 67,
"subdomain": "hostname",
"user": {
"name": "root"
}
},
"network": {
"application": "Unknown Client",
"transport": "udp"
},
"observer": {
"product": "Guardicore",
"type": "bastion",
"vendor": "Akamai"
},
"process": {
"name": "Unknown Client"
},
"related": {
"hosts": [
"hostname.local"
],
"ip": [
"192.0.2.5",
"192.0.2.6"
],
"user": [
"root"
]
},
"rule": {
"id": "default"
},
"source": {
"address": "192.0.2.5",
"ip": "192.0.2.5"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| akamai.guardicore.incident.affected_assets | array | List of assets affected by the security incident, including their roles (source or destination), as reported by akamai.guardicore. |
| akamai.guardicore.incident.environment | keyword | Environment label associated with the destination asset involved in the incident (e.g., Development, Production, Staging). |
| akamai.guardicore.incident.id | keyword | Unique identifier of the security incident reported by akamai.guardicore. |
| akamai.guardicore.incident.severity | keyword | Severity level of the security incident as reported by akamai.guardicore (e.g., low, medium, high, critical). |
| akamai.guardicore.network.connection_verdict | keyword | Final verdict of the network connection as determined by akamai.guardicore policy enforcement (e.g., blocked_by_destination, allowed_by_policy). |
| akamai.guardicore.network.destination.process.name | keyword | Name of the process running on the destination asset that received the network connection. |
| akamai.guardicore.network.destination.process.path | keyword | Full file system path of the process running on the destination asset that received the network connection. |
| akamai.guardicore.network.id | keyword | Unique identifier of the network connection event reported by akamai.guardicore. |
| akamai.guardicore.network.incidents | array | Identifiers of security incidents related to this network connection event, as reported by akamai.guardicore. |
| destination.domain | keyword | The domain name of the destination. |
| destination.ip | ip | IP address of the destination. |
| destination.port | long | Port of the destination. |
| destination.user.name | keyword | Short name or login of the user. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.dataset | keyword | Name of the dataset. |
| event.end | date | event.end contains the date when the event ended or when the activity was last observed. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.reason | keyword | Reason why this event happened, according to the source. |
| event.reference | keyword | Event reference URL. |
| event.start | date | event.start contains the date when the event started or when the activity was first observed. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| host.os.full | keyword | Operating system name, including the version or code name. |
| host.os.type | keyword | Which commercial OS family (one of: linux, macos, unix or windows). |
| network.application | keyword | Application level protocol name. |
| network.direction | keyword | Direction of the network traffic. |
| network.transport | keyword | Protocol name corresponding to the field iana_number. |
| observer.product | keyword | The product name of the observer. |
| observer.type | keyword | The type of the observer the data is coming from. |
| observer.vendor | keyword | Vendor name of the observer. |
| process.name | keyword | Process name. |
| rule.id | keyword | Rule ID. |
| source.domain | keyword | The domain name of the source. |
| source.ip | ip | IP address of the source. |
| user.name | keyword | Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
Troubleshooting
No event is received
In the Akamai Guardicore console, for each data exporter for Sekoia.io, check in the `Message format` section that:
- the intake key is supplied in the `RFC5424 structured data` option
- `RFC5424` is selected as `Message format`
- `ISO8601 (including milliseconds)` is selected as `Format log timestamp`