Ingesting Akamai Audit Logs into Microsoft Sentinel using Azure Function Apps

 

Introduction

Akamai provides extensive audit logs that can be valuable for security monitoring and compliance. To integrate Akamai Audit logs with Microsoft Sentinel, we can use Azure Function Apps to retrieve logs via the Akamai EdgeGrid API and send them to Log Analytics Workspace. 

In this guide, we will walk through deploying an Azure Function App that fetches Akamai Audit Logs and ingests them into Microsoft Sentinel. 

Prerequisites

Before starting, ensure you have: 

• An active Azure subscription with Microsoft Sentinel enabled. 

• Akamai API credentials (EdgeGrid authentication: client_token, client_secret, and access_token). 

• A Log Analytics Workspace (LAW) where logs will be ingested. 

• Azure Function App deployed via VS Code. 

• Python installed locally (Use the VSCode for the local deployment). 

High-Level Architecture

1. Azure Function App calls Akamai API to fetch audit logs.
2. Logs are parsed and sent to Microsoft Sentinel via Log Analytics API request to Azure Function App.
3. Scheduled Execution ensures logs are fetched periodically. 

 

Step 1: Create an Azure Function App 

To deploy an Azure Function App via VS Code: 

1. Install the Azure Functions extension for VS Code.
2. Install Azure Core Tools:
   • npm install -g azure-functions-core-tools@4 --unsafe-perm true
3. Create a Python-based Function App:
4. func init AkamaiLogsFunction --python
5. cd AkamaiLogsFunction
   • func new --name FetchAkamaiLogs --template "HTTP trigger" --authlevel "anonymous" 

 

Step 2: Install Required Python Packages 

In your Function App directory, install the required dependencies: 

pip install requests akamai.edgegrid 

pip freeze > requirements.txt 

 

Step 3: Configure Environment Variables 

Instead of hardcoding API credentials, store them in Azure Function App settings: 

1. Go to Azure Portal > Function App.
2. Navigate to Configuration > Application settings.
3. Add the following environment variables:
   • AKAMAI_CLIENT_TOKEN 
   • AKAMAI_CLIENT_SECRET 
   • AKAMAI_ACCESS_TOKEN 
   • WORKSPACE_ID (Log Analytics Workspace ID) 
   • SHARED_KEY (Log Analytics Shared Key) 

 

Step 4: Implement the Azure Function Code 

Create AkamaiLogFetcher.py with the following code: 

import azure.functions as func 

import logging 

import requests 

from akamai.edgegrid import EdgeGridAuth 

from urllib.parse import urljoin 

import os 

 

app = func.FunctionApp() 

 

# Azure Function HTTP Trigger 

@app.function_name(name="AkamaiLogFetcher") 

@app.route(route="fetchlogs", auth_level=func.AuthLevel.ANONYMOUS) 

def fetch_logs(req: func.HttpRequest) -> func.HttpResponse: 

    logging.info("Processing Akamai log fetch request...") 

 

    # Akamai API credentials (move these to Azure App Settings for security) 

    baseurl = 'https://YOURBASEHOSTURL.luna.akamaiapis.net/' 

    client_token = os.getenv("AKAMAI_CLIENT_TOKEN", "xxxxxxxxxxxxxx") 

    client_secret = os.getenv("AKAMAI_CLIENT_SECRET", "xxxxxxxxxxxxx") 

    access_token = os.getenv("AKAMAI_ACCESS_TOKEN", "xxxxxxxxxxxxxx") 

 

    # Initialize session with authentication 

    session = requests.Session() 

    session.auth = EdgeGridAuth( 

        client_token=client_token, 

        client_secret=client_secret, 

        access_token=access_token 

    ) 

 

  try: 

        # Call Akamai API 

        response = session.get(urljoin(baseurl, '/events/v3/events')) 

        response.raise_for_status()  # Raise an error for HTTP errors 

 

        # Return response as JSON 

        return func.HttpResponse(response.text, mimetype="application/json", status_code=response.status_code) 

 

    except requests.exceptions.RequestException as e: 

        logging.error(f"Error fetching logs: {e}") 

        return func.HttpResponse(f"Failed to fetch logs: {str(e)}", status_code=500) 

 

Step 5: Deploy the Function to Azure 

Run the following command to deploy the function: 

func azure functionapp publish <YourFunctionAppName> 

 

Step 6: Setting Up the Logic App Workflow 

1. Create a new Logic App in Azure:
   • Navigate to the Azure Portal -> Logic Apps -> Create.
   • Choose Consumption Plan and select your preferred region.
   • Click Review + Create, then Create. 
2. Add an HTTP Trigger:
   • Select Recurrence as the trigger.
   • Configure it to run every 10 minutes.
3. Configure the HTTP Action to Fetch Logs from Akamai Function App API:
   • Use the HTTP action in Logic Apps.
   • Set the method to GET.
   • Enter the Function App URL.
   • Add the required headers (content type).
   • 
4. Parse the JSON Response:
   • Use the "Parse JSON" action to structure the response.
   • Define the schema using a sample response from Akamai Audit Logs.
5. Send Logs to Microsoft Sentinel:
   • Use the "Azure Log Analytics - Send Data" action.
   • Map the Akamai Audit log fields to the Log Analytics schema.
   • Select the appropriate Custom Table in Log Analytics or use CommonSecurityLog. 
   • JSON Request body for Send Logs trigger
     • 
   • Completed Logic App will look like this:
     • 

Step 7: Testing and Validation

1. Run a test execution of the Logic App.
2. Check the Logic Apps run history to ensure successful Function App calls and data ingestion.
3. Verify logs in Sentinel:
   • Navigate to Microsoft Sentinel -> Logs.
   • Run a KQL query:
4. RadwareEvents_CL | where TimeGenerated > ago(10m)
   • 

      

Summary

This guide demonstrated how to use Azure Function Apps and Logic Apps to fetch Akamai Audit Logs via API and send them to Microsoft Sentinel. The serverless approach ensures efficient log collection without requiring dedicated infrastructure.