SIA Enterprise was formerly known as Enterprise Threat Protector (ETP).
More information at https://www.akamai.com/sia
- Introduction
- Prerequisites
- Install cli-etp
- Updating ETP CLI module
- Using a proxy
- Examples
- Reporting
- Frequently Asked Questions
- Troubleshooting
Secure Internet Access Enterprise (formerly ETP) comes with a full suite of APIs. API requires to implement code to be able to interact with the service.
That's where Akamai CLI greatly help, no longer code to wrote yourself, you can run very common operations directly from the command line.
You'll need the Akamai CLI, available on many platforms.
Please visit the Getting Started guide on developer.akamai.com.
The machine running Akamai CLI will require Python 3.6+, you can download it from https://python.org.
Installation is done via akamai install:
$ akamai install etp
Running this will take care of all the dependencies.
On Akamai Control Center, make sure you create an API user
with the ETP Configuration API (/etp-config) with READ-WRITE permission.
Upon user credential creation, you'll get a .edgerc file with 4 parameters.
You'll need to add a 5th line with the etp_config_id.
The value of the parameter is a integer you can obtain by navigating in Akamai Control Center:
- Select Enterprise Center from the left menu
- Navigate to Threat Protection
- Open Locations > Locations
- Extract the ETP Config ID integer from the URL as pictured:
Example of .edgerc file:
[default]
client_secret = client-secret-goes-here
host = akab-xxxx.luna.akamaiapis.net
access_token = your-access-token
client_token = your-client-token
etp_config_id = your-ETP-config-ID
To update to the latest version:
$ akamai update etp
Your organization may require to use a proxy server to reach to the public internet.
Use the --proxy option, and if you need to pass a specific private CA certificate you may
use the REQUESTS_CA_BUNDLE environment variable.
Example on a Unix based OS:
$ REQUESTS_CA_BUNDLE=~/ssl-proxying-certificate.pem akamai etp --proxy 127.0.0.1:8888 list get
Fetch the latest security events with the event command.
The events delivery pipeline is almost realtime, in order to not miss any event, we recommend to query events from 3 minutes ago or older.
If --start is not specified, we set it to 30 minutes ago
If --end is not specified, we set it to 3 minutes ago
Both argument expect a EPOCH timestamp.
$ akamai etp event threat
or Accceptable Use Policy
$ akamai etp event aup
You may want to use the blocking mode using --tail
$ akamai etp event aup --tail
You can also send the output to a specific file (appending mode) with --output:
$ akamai etp event aup --tail --output /tmp/etp_event_aup.json
When using the block mode, you can gracefully stop the command process:
- either manually with Control+C (Control-Break)
- or sending a SIG_TERM signal
You can also pipe the command to another process like your favorite JSON parser like jq or ConvertFrom-Json in Powershell.
$ akamai etp event aup --start 1576877365 --end 1576878265|jq .
Other event available are DNS activity (use dns) and Proxy Traffic (use proxy)
Get the lists available on the account
$ akamai etp list get
The result is a coma separated lines:
7721,Custom Deny list
11981,LOLCats Deny list
11603,Zero Trust Demo Deny list
14461,Social Media
14821,Allow List Domains
22206,Custom fileshare site
24204,ZTX Exception list
15704,Allow List
One FQDN
$ akamai etp list add 11603 www.badguys.com
One IP address
$ akamai etp list add 11603 12.34.56.78
Mix of multiple items
$ akamai etp list add 11603 12.34.56.78 www.badguys.com
Load item from a file
$ akamai etp list add 11603 @list.txt
You can use pipe command
$ cat list.txt | akamai etp list add 11603 @-
Or type in and hit Ctrl+D when done
$ akamai etp list add 11603 @-
You can replace 'add' by 'remove' in the example above to remove items from list.
$ akamai etp list deploy 11603
$ akamai etp ioc info akamaietpmalwaretest.com
$ akamai etp ioc changes akamaietpmalwaretest.com
$ akamai etp ioc timeseries akamaietpmalwaretest.com
List all the sub tenants in the account, with their respective ETP Config ID and name
$ akamai etp tenant list
# Command: akamai etp tenant list
# config_id, tenant_name
12345,Tenant A
23456,Tenant B
34567,Tenant C
45678,Tenant D
56789,Tenant E
Report number of active ETP clients for the last 30 days by sub-tenant.
You can specify the time interval passing EPOCH integer as --start and --end.
CSV output headers are sent to stderr, body with the rows are sent to stdout to allow to pipe commands.
$ akamai etp tenant clients
# Command: akamai etp tenant clients
# Report start: 1640721997
# Report end: 1643313997
# config_id, tenant_name, active_client_count
12345,Tenant A,10
23456,Tenant B,20
34567,Tenant C,30
45678,Tenant D,40
56789,Tenant E,50
Q: Can I use cli-etp to stream data to my SIEM?
A: Yes, you can use the file output and have the file monitor by a SIEM agent.
Alternatively check out Akamai Universal Log Streamer (ULS) which offer TCP, UDP, HTTP and File output with a lot of flexibility!
Will there be a cli-sia?
A: Maybe. We keep maintaining cli-etp and the project might be renamed to cli-sia at some point.
Make sure the API user has access to the ETP Config ID defined the .edgerc file, typically a mismatch will cause the 404 error.