
Onboard Akamai API Security Events to Cyware Respond

Category: Cyware Product

Cyware Products Used:

  • Respond 

  • Orchestrate 

Third-party Integrations Used:

  • Akamai API Security: API Security gives you full visibility into your entire API estate through continuous discovery and real-time analysis.

  • Enrichment Tools: Enrich threat intelligence using tools such as AbuseIPDB.

Problem Statement

Security teams need a streamlined approach to processing and responding to threat events identified by Akamai API Security. These events should be integrated into a centralized system like Respond to enhance visibility and improve incident response capabilities.

Solution

Automatically retrieve threat events from Akamai SIA, extract and enrich Indicators of Compromise (IOCs), and onboard enriched incidents into Respond for detailed analysis and response.

How do we solve this problem?
  1. Retrieve Threat Events: The playbook connects to Akamai API Security to retrieve the latest threat events automatically. These events include critical information such as threat detection time, type, and impacted assets.

  2. Extract IOCs: From the retrieved events, the playbook extracts Indicators of Compromise (IOCs), including suspicious IP addresses, domain names, and URLs flagged as potential threats.

  3. Enrich IOCs: Each IOC is enriched through AbuseIPDB and external threat intelligence feeds to gather additional context, such as known malicious activity and historical data.

  4. Create CFTR Incident: A new incident is created in CFTR for each high-priority event. This incident includes all enriched IOC details, providing comprehensive context and threat metadata for analysts.

  5. Onboard Contextualized Incident: The playbook checks for related incidents already present in CFTR. If existing context is found, it updates those incidents with the new findings, ensuring continuity of threat management and response. It also creates a relationship between the two incidents.

  6. Block Indicators on WAF: Block the discovered indicators on our web application firewall (WAF).

  7. Block Indicators on EDR: Block the discovered indicators on our endpoint management system.

  8. Add to Watchlist: Add the indicators to SIEM watchlists if needed.

  9. Update Created Incident: Update the created incident with the key metadata.
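
The logic behind steps 2, 5 and 6-7, as an added Python example that is not Cyware playbook code and calls no Akamai or Cyware API: it extracts IOCs from an event, keeps internal addresses off the block lists, and finds existing incidents that share an IOC. The event fields, incident IDs and function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample event; the field names are assumptions, not Akamai's schema.
SAMPLE_EVENT = {
    "id": "evt-001",
    "source_ip": "203.0.113.7",
    "details": "Token reuse from 203.0.113.7 and 10.0.0.5 against "
               "https://api.example.com/v1/orders?id=1, callback to evil.example.net",
}

URL_RE = re.compile(r"https?://[^\s,\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Ranges that must never reach a WAF/EDR block list: RFC 1918, loopback, link-local.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def extract_iocs(event):
    """Step 2: pull IPv4 addresses, domains and URLs out of every string field."""
    text = " ".join(v for v in event.values() if isinstance(v, str))
    urls = set(URL_RE.findall(text))
    ips = set()
    for candidate in IP_RE.findall(text):
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # matched the regex but is not a valid address, e.g. 999.1.1.1
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    domains |= {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}
    return {"ip": ips, "domain": domains - ips, "url": urls}


def blockable_ips(iocs):
    """Steps 6-7: only addresses outside NEVER_BLOCK are candidates for blocking."""
    return {ip for ip in iocs["ip"]
            if not any(ipaddress.ip_address(ip) in net for net in NEVER_BLOCK)}


def related_incidents(iocs, open_incidents):
    """Step 5: IDs of existing incidents that share at least one IOC with the event."""
    flat = iocs["ip"] | iocs["domain"] | iocs["url"]
    return sorted(inc for inc, known in open_incidents.items() if flat & known)
```

In a deployment, NEVER_BLOCK would also carry the organization's own public ranges and trusted partner addresses so that an enrichment false positive cannot block legitimate API traffic.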

Benefits
Centralized Threat Management

Consolidates threat events and contextual data within Respond, offering a comprehensive view for security analysts.

Enhanced Incident Context

Provides richer context through IOC enrichment, allowing for more accurate threat prioritization and response actions.

Automated Workflow

Reduces manual integration tasks, freeing analysts to focus on threat investigation and remediation.

Improved Response Efficiency

Facilitates quicker decision-making with thoroughly contextualized threat data, expediting incident response processes.