akamai: handle empty value placeholder (#15893)

Apparently Akamai use "{p}" to indicate an absent value for this field, so
remove it if it is present before handling headers.

The test sample was provided by the issue reporter and modified to match
test IP constraints.

Author: efd6

packages/akamai/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.28.2"
+  changes:
+    - description: Remove empty HTTP message headers placeholder.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15893
 - version: "2.28.1"
   changes:
     - description: Fixed time duration handling in request parameters to conform to API guidelines.

packages/akamai/data_stream/siem/_dev/test/pipeline/test-placeholder-json.log

@@ -0,0 +1 @@
+{"attackData":{"appliedAction":"tarpit","clientIP":"198.51.100.1","configId":"67217","policyId":"PNWD_110088","ruleActions":"bW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bdGFycGl0","ruleData":"%3b%3b%3b%3b%3bQm90X0E5RDg0MDJFQ0NGQjY3N0NCMjBEMDlBRUNDODk5MkFE","ruleMessages":"TWlzc2luZyBDb29raWUgSGVhZGVy%3bTm9uLVBlcnNpc3RlbnQgSFRUUCBDb25uZWN0aW9u%3bQ2hyb21lIFNpZ25hdHVyZSBBbm9tYWx5%3bU2VjLUZldGNoLUhlYWRlciBNaXNzaW5n%3bTG93IEhlYWRlciBDb3VudA%3d%3d%3bVW5rbm93biBCb3RzIChCcm93c2VyIEltcGVyc29uYXRvcik%3d","ruleSelectors":"%3b%3b%3b%3b%3b","ruleTags":"QUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d","ruleVersions":"MQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d","rules":"MzkwNDAwNg%3d%3d%3bMzkwNDAwNw%3d%3d%3bMzkwNDAyMA%3d%3d%3bMzkwNDA1Mg%3d%3d%3bMzkwNDA1Mw%3d%3d%3bQk9ULUJST1dTRVItSU1QRVJTT05BVE9S"},"format":"json","geo":{"asn":"28573","city":"SOROCABA","continent":"SA","country":"BR","regionCode":"SP"},"httpMessage":{"bytes":"0","host":"vinrcl.safercar.gov","method":"GET","path":"/vin/","port":"443","protocol":"HTTP/1.1","query":"vin=1G1FD3DSXP0118247","requestHeaders":"Host%3a%20vinrcl.safercar.gov%0d%0aUser-Agent%3a%20Mozilla%2f5.0%20(Windows%20NT%2010.0%3b%20Win64%3b%20x64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f112.0.0.0%20Safari%2f537.36%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml,application%2fxml%3bq%3d0.9,image%2favif,image%2fwebp,image%2fapng,%2f%3bq%3d0.8,application%2fsigned-exchange%3bv%3db3%3bq%3d0.7%0d%0aAccept-Language%3a%20zh-CN,zh%3bq%3d0.9,en%3bq%3d0.8%0d%0aCache-Control%3a%20no-cache%0d%0aConnection%3a%20close%0d%0aAccept-Encoding%3a%20gzip%0d%0a","requestId":"f3fe4c34","responseHeaders":"{p}","start":"1762365006","status":"200","tls":"tls1.3"},"identity":{"ja4":"t13d131000_f57a46bbacb6_e7c285222651","tlsFingerprintV2":"c6a4ce37a8dc4153","tlsFingerprintV3":"3~de293936a8dc4153"},"type":"akamai_siem","version":"1.0"}

packages/akamai/data_stream/siem/_dev/test/pipeline/test-placeholder-json.log-expected.json

@@ -0,0 +1,163 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-11-05T17:50:06.000Z",
+            "akamai": {
+                "siem": {
+                    "config_id": "67217",
+                    "policy_id": "PNWD_110088",
+                    "request": {
+                        "headers": {
+                            "Accept": "text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7",
+                            "Accept-Encoding": "gzip",
+                            "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
+                            "Cache-Control": "no-cache",
+                            "Connection": "close",
+                            "Host": "vinrcl.safercar.gov",
+                            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
+                        }
+                    },
+                    "rule_actions": [
+                        "monitor",
+                        "tarpit"
+                    ],
+                    "rule_tags": [
+                        "akamai/bot/bid"
+                    ],
+                    "rules": [
+                        {
+                            "ruleActions": "monitor",
+                            "ruleMessages": "Missing Cookie Header",
+                            "ruleTags": "AKAMAI/BOT/BID",
+                            "ruleVersions": "1",
+                            "rules": "3904006"
+                        },
+                        {
+                            "ruleActions": "monitor",
+                            "ruleMessages": "Non-Persistent HTTP Connection",
+                            "ruleTags": "AKAMAI/BOT/BID",
+                            "ruleVersions": "1",
+                            "rules": "3904007"
+                        },
+                        {
+                            "ruleActions": "monitor",
+                            "ruleMessages": "Chrome Signature Anomaly",
+                            "ruleTags": "AKAMAI/BOT/BID",
+                            "ruleVersions": "1",
+                            "rules": "3904020"
+                        },
+                        {
+                            "ruleActions": "monitor",
+                            "ruleMessages": "Sec-Fetch-Header Missing",
+                            "ruleTags": "AKAMAI/BOT/BID",
+                            "ruleVersions": "1",
+                            "rules": "3904052"
+                        },
+                        {
+                            "ruleActions": "monitor",
+                            "ruleMessages": "Low Header Count",
+                            "ruleTags": "AKAMAI/BOT/BID",
+                            "ruleVersions": "1",
+                            "rules": "3904053"
+                        },
+                        {
+                            "ruleActions": "tarpit",
+                            "ruleData": "Bot_A9D8402ECCFB677CB20D09AECC8992AD",
+                            "ruleMessages": "Unknown Bots (Browser Impersonator)",
+                            "ruleTags": "AKAMAI/BOT/BID",
+                            "ruleVersions": "1",
+                            "rules": "BOT-BROWSER-IMPERSONATOR"
+                        }
+                    ]
+                }
+            },
+            "client": {
+                "address": "198.51.100.1",
+                "as": {
+                    "number": 64501,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Amsterdam",
+                    "continent_name": "Europe",
+                    "country_iso_code": "NL",
+                    "country_name": "Netherlands",
+                    "location": {
+                        "lat": 52.37404,
+                        "lon": 4.88969
+                    },
+                    "region_iso_code": "NL-NH",
+                    "region_name": "North Holland"
+                },
+                "ip": "198.51.100.1"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "id": "f3fe4c34",
+                "kind": "event",
+                "original": "{\"attackData\":{\"appliedAction\":\"tarpit\",\"clientIP\":\"198.51.100.1\",\"configId\":\"67217\",\"policyId\":\"PNWD_110088\",\"ruleActions\":\"bW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bbW9uaXRvcg%3d%3d%3bdGFycGl0\",\"ruleData\":\"%3b%3b%3b%3b%3bQm90X0E5RDg0MDJFQ0NGQjY3N0NCMjBEMDlBRUNDODk5MkFE\",\"ruleMessages\":\"TWlzc2luZyBDb29raWUgSGVhZGVy%3bTm9uLVBlcnNpc3RlbnQgSFRUUCBDb25uZWN0aW9u%3bQ2hyb21lIFNpZ25hdHVyZSBBbm9tYWx5%3bU2VjLUZldGNoLUhlYWRlciBNaXNzaW5n%3bTG93IEhlYWRlciBDb3VudA%3d%3d%3bVW5rbm93biBCb3RzIChCcm93c2VyIEltcGVyc29uYXRvcik%3d\",\"ruleSelectors\":\"%3b%3b%3b%3b%3b\",\"ruleTags\":\"QUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d%3bQUtBTUFJL0JPVC9CSUQ%3d\",\"ruleVersions\":\"MQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d%3bMQ%3d%3d\",\"rules\":\"MzkwNDAwNg%3d%3d%3bMzkwNDAwNw%3d%3d%3bMzkwNDAyMA%3d%3d%3bMzkwNDA1Mg%3d%3d%3bMzkwNDA1Mw%3d%3d%3bQk9ULUJST1dTRVItSU1QRVJTT05BVE9S\"},\"format\":\"json\",\"geo\":{\"asn\":\"28573\",\"city\":\"SOROCABA\",\"continent\":\"SA\",\"country\":\"BR\",\"regionCode\":\"SP\"},\"httpMessage\":{\"bytes\":\"0\",\"host\":\"vinrcl.safercar.gov\",\"method\":\"GET\",\"path\":\"/vin/\",\"port\":\"443\",\"protocol\":\"HTTP/1.1\",\"query\":\"vin=1G1FD3DSXP0118247\",\"requestHeaders\":\"Host%3a%20vinrcl.safercar.gov%0d%0aUser-Agent%3a%20Mozilla%2f5.0%20(Windows%20NT%2010.0%3b%20Win64%3b%20x64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f112.0.0.0%20Safari%2f537.36%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml,application%2fxml%3bq%3d0.9,image%2favif,image%2fwebp,image%2fapng,%2f%3bq%3d0.8,application%2fsigned-exchange%3bv%3db3%3bq%3d0.7%0d%0aAccept-Language%3a%20zh-CN,zh%3bq%3d0.9,en%3bq%3d0.8%0d%0aCache-Control%3a%20no-cache%0d%0aConnection%3a%20close%0d%0aAccept-Encoding%3a%20gzip%0d%0a\",\"requestId\":\"f3fe4c34\",\"responseHeaders\":\"{p}\",\"start\":\"1762365006\",\"status\":\"200\",\"tls\":\"tls1.3\"},\"identity\":{\"ja4\":\"t13d131000_f57a46bbacb6_e7c285222651\",\"tlsFingerprintV2\":\"c6a4ce37a8dc4153\",\"tlsFingerprintV3\":\"3~de293936a8dc4153\"},\"type\":\"akamai_siem\",\"version\":\"1.0\"}",
+                "start": "2025-11-05T17:50:06.000Z"
+            },
+            "http": {
+                "request": {
+                    "id": "f3fe4c34",
+                    "method": "GET"
+                },
+                "response": {
+                    "bytes": 0,
+                    "status_code": 200
+                },
+                "version": "1.1"
+            },
+            "network": {
+                "protocol": "http",
+                "transport": "tcp"
+            },
+            "observer": {
+                "type": "proxy",
+                "vendor": "akamai"
+            },
+            "related": {
+                "ip": [
+                    "198.51.100.1"
+                ]
+            },
+            "source": {
+                "address": "198.51.100.1",
+                "as": {
+                    "number": 64501,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Amsterdam",
+                    "continent_name": "Europe",
+                    "country_iso_code": "NL",
+                    "country_name": "Netherlands",
+                    "location": {
+                        "lat": 52.37404,
+                        "lon": 4.88969
+                    },
+                    "region_iso_code": "NL-NH",
+                    "region_name": "North Holland"
+                },
+                "ip": "198.51.100.1"
+            },
+            "url": {
+                "domain": "vinrcl.safercar.gov",
+                "full": "vinrcl.safercar.gov/vin/?vin=1G1FD3DSXP0118247",
+                "path": "/vin/",
+                "port": 443,
+                "query": "vin=1G1FD3DSXP0118247"
+            }
+        }
+    ]
+}

packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml

@@ -114,6 +114,10 @@ processors:
       tag: urldecode_httpMessage_responseHeaders
       field: json.httpMessage.responseHeaders
       ignore_missing: true
+  - remove:
+      tag: remove_http_message_response_headers_empty_placeholder
+      field: json.httpMessage.responseHeaders
+      if: ctx.json.httpMessage?.responseHeaders == "{p}"
   - kv:
       if: ctx.json.httpMessage?.responseHeaders != ""
       tag: kv_httpMessage_responseHeaders

packages/akamai/manifest.yml

@@ -1,6 +1,6 @@
 name: akamai
 title: Akamai
-version: "2.28.1"
+version: "2.28.2"
 description: Collect logs from Akamai with Elastic Agent.
 type: integration
 format_version: "3.0.2"