Provisioning SIEM Event Delivery is remarkably easy; after all, there are only four steps (with the fourth step being optional). All you need to do is:
- Add your Akamai account ID to each Identity Cloud application that you want to enable for SIEM events. The presence (or absence) of the account ID lets the general event delivery system know whether SIEM events should be collected for a given application.
- Use an API call to activate SIEM Event Delivery for an application. You can also use a similar API call to deactivate SIEM Event Delivery for an application.
- Add your public keys to the Amazon S3 bucket created as your SIEM delivery point. Public keys are used to grant access to the S3 bucket (with permission to download and to delete files). Each S3 bucket can be provisioned with a maximum of 10 public keys.
- Remove unwanted events from the SIEM delivery feed (optional). By default, all whitelisted SIEM events are included in your SIEM delivery feeds. There might be times, however, when this qualifies as a case of “too much information.” If so, you can use the event delivery APIs to remove (blacklist) specified event types from an application event feed. If you later change your mind, you can use the APIs to add those same events back to your delivery feed.
The SIEM Event provisioning process is described in more detail in the following sections of this documentation.