Activating/Deactivating SIEM Delivery Feeds

To activate a SIEM feed, start by adding the Akamai account ID to the application in question (see the preceding article for more information), then use the /eventdelivery/activate endpoint to activate the application. For example, this command activates SIEM Event Delivery for the application with the application ID htb8fuhxnf8e38jrzub3c7pfrr:

curl -X POST \ \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E='

There are several things to keep in mind when running the preceding command:

  • You must use an API client that has owner credentials to the application where SIEM delivery is being enabled. API clients that don’t have the owner feature can’t activate or deactivate SIEM delivery.

  • The sample command shown a moment ago enables SIEM Event Delivery but does not associate any public keys (the keys used for SFTP access to the bucket) with the S3 bucket. Until one or more public keys have been added to the bucket, you won’t be able to retrieve the events that get routed to it. Keys can be added at any time after the application has been activated, or in the same request that activates it. For example, this command activates the application htb8fuhxnf8e38jrzub3c7pfrr and, in the same command, associates a public key with that application’s S3 bucket:
    curl -X POST \ \
      -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \
      -H 'Content-Type: application/json' \
      -d '
    Keep in mind that an S3 bucket is limited to a maximum of 10 public keys, whether you add them at activation time or later.
  • Activation of an application does not happen immediately. After you activate an application some backend provisioning (such as creating and configuring the S3 bucket) must take place before events can be delivered. That means it might take several minutes before an application is enabled for event delivery and before the application has an accessible S3 bucket. You can verify the status of an application at any point by calling the /eventdelivery/readStatus endpoint:
    curl -X GET \ \
      -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E='

When your application is fully configured, and when event delivery has begun, you’ll see an API response similar to this:

     {
       "status": "creation complete"
     }

Tip. Another way to check whether activation is complete: go to the S3 bucket and look for the test event that is delivered to the bucket as part of the activation process. That test event will look similar to this:

     {
       "msts": 1562002027195,
       "id": "60ced9d7-8735-4b4d-a2eb-f144d9c6704f",
       "type": "eventdelivery_initial_activation_event",
       "message": {
         "app_id": "csz94t3wwngx8gy373zyv8m2xh"
       }
     }
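The activation wait described above (poll /eventdelivery/readStatus until it reports "creation complete", then confirm the test event in the bucket) as a script, added here as an example; it is not Akamai's code. The only facts taken from this page are the endpoint path, the "creation complete" status value and the test-event fields. The API base URL (read from a hypothetical SIEM_API_BASE_URL environment variable), the assumption that readStatus returns a JSON object, the "creation pending" placeholder used by the offline simulator, and the poll interval and attempt limit are all assumptions:

```python
"""Poll the SIEM Event Delivery readStatus endpoint until provisioning has
finished, then confirm the activation test event that lands in the S3 bucket.

Added example, not Akamai's code.  Assumptions: the API base URL comes from
the hypothetical SIEM_API_BASE_URL environment variable, readStatus returns a
JSON object, "creation pending" is a placeholder status used only by the
offline simulator below, and the poll interval/attempt limit are arbitrary.
"""
import base64
import json
import os
import time
import urllib.request
from typing import Any, Callable, Dict

READ_STATUS_PATH = "/eventdelivery/readStatus"            # quoted on this page
DONE_STATUS = "creation complete"                           # quoted on this page
ACTIVATION_EVENT_TYPE = "eventdelivery_initial_activation_event"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Derive the Authorization value from the API client's id and secret at
    run time instead of pasting a pre-encoded 'Basic ...' blob into scripts:
    the blob *is* the credential pair, and it ends up in shell history and repos."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {token}"


def fetch_json(url: str, auth_header: str, timeout_s: float = 10.0) -> Dict[str, Any]:
    """GET a JSON document using only the standard library."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=timeout_s) as resp:
        return json.load(resp)


def wait_for_activation(fetch_status: Callable[[], Dict[str, Any]],
                        max_attempts: int = 40,
                        poll_interval_s: float = 15.0,
                        sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Call fetch_status until it reports "creation complete".

    Any other status value is treated as "still provisioning" (the page documents
    only the completed value).  Bounded by max_attempts so a stuck activation
    fails loudly instead of hanging an automation job forever."""
    last: Dict[str, Any] = {}
    for attempt in range(1, max_attempts + 1):
        last = fetch_status()
        if last.get("status") == DONE_STATUS:
            return last
        if attempt < max_attempts:
            sleep(poll_interval_s)
    raise TimeoutError(
        f"activation not complete after {max_attempts} polls; "
        f"last status: {last.get('status')!r}")


def is_activation_test_event(event: Dict[str, Any], expected_app_id: str) -> bool:
    """True if `event` is the activation test event for the application we
    activated.  Checking app_id guards against mistaking a stale object from an
    earlier activation for the one being awaited."""
    message = event.get("message") or {}
    return (event.get("type") == ACTIVATION_EVENT_TYPE
            and message.get("app_id") == expected_app_id)


# Constructed sample modelled on the test event shown on this page.
SAMPLE_TEST_EVENT = {
    "msts": 1562002027195,
    "id": "60ced9d7-8735-4b4d-a2eb-f144d9c6704f",
    "type": ACTIVATION_EVENT_TYPE,
    "message": {"app_id": "csz94t3wwngx8gy373zyv8m2xh"},
}


def simulated_backend(pending_polls: int) -> Callable[[], Dict[str, Any]]:
    """Stand-in for readStatus that stays pending for `pending_polls` calls,
    mimicking the backend provisioning delay.  "creation pending" is a
    placeholder string, not a documented status value."""
    state = {"polls": 0}

    def fetch() -> Dict[str, Any]:
        state["polls"] += 1
        if state["polls"] <= pending_polls:
            return {"status": "creation pending"}
        return {"status": DONE_STATUS}
    return fetch


if __name__ == "__main__":
    # Offline demonstration against the simulator (no network needed).
    waits: list = []
    final = wait_for_activation(simulated_backend(2), poll_interval_s=1.0, sleep=waits.append)
    print(final, "after", len(waits), "waits")
    print("test event matches app:",
          is_activation_test_event(SAMPLE_TEST_EVENT, "csz94t3wwngx8gy373zyv8m2xh"))

    # Real poll, only if the hypothetical environment variables are set.
    base_url = os.environ.get("SIEM_API_BASE_URL")
    if base_url:
        auth = basic_auth_header(os.environ["SIEM_CLIENT_ID"], os.environ["SIEM_CLIENT_SECRET"])
        print(wait_for_activation(lambda: fetch_json(base_url + READ_STATUS_PATH, auth)))
```

The fetcher is injected so the wait loop can be exercised offline and dropped into a job runner unchanged; whatever selects the application on the real readStatus call (path or query parameter) is not shown on this page, so adjust the URL construction to match the actual endpoint.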

If at any point you need to stop using the SIEM Event Delivery, you can do so by using the /eventdelivery/deactivate endpoint:

curl -X POST \ \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E='

When you deactivate the SIEM Event Delivery service, event messages will no longer be delivered to your S3 bucket. In addition, your SIEM event user account will be deleted; among other things, that means you will no longer be able to use SFTP to access any files still in that bucket (because you no longer have a valid user account). Before you deactivate SIEM Event Delivery, verify that you have first used SFTP to download all the files that need to be downloaded.