SAP Enterprise Threat Detection (ETD) is a powerful security solution designed to provide real-time monitoring and threat analysis for SAP environments. However, to unlock its full potential, ETD must be properly connected to various SAP systems within the enterprise landscape. Establishing this connection enables ETD to collect and analyze security-related log data, helping detect suspicious activities and potential cyber threats effectively.
This article explains how to connect SAP ETD to SAP systems, outlining key components, data sources, and configuration steps involved in the integration process.
Connecting ETD to SAP systems allows for comprehensive visibility into user activities, system changes, and security events across the SAP landscape. It facilitates:
- Real-time collection of log data from multiple SAP components
- Detection of unusual or unauthorized behaviors
- Compliance monitoring and audit readiness
- Centralized security event management
SAP ETD typically integrates with the following SAP system types:
- SAP NetWeaver Application Servers: The primary platform for SAP business applications generating detailed security logs.
- SAP HANA Databases: Collects database-level audit and trace logs.
- SAP Business Suite Systems: ERP, CRM, SRM, etc., producing business-related security events.
- SAP Solution Manager: Provides centralized logging and system monitoring.
- Non-SAP Systems: For holistic security, ETD can also connect to third-party systems generating relevant security logs.
SAP NetWeaver AS provides built-in audit logging that records user activities, system changes, and authorization checks.
- Set up the Audit Configuration in the NetWeaver system to capture relevant events.
- Enable forwarding of audit logs to ETD via the Syslog or File Export mechanisms.
- ETD’s Data Collector retrieves these logs for analysis.
For SAP HANA systems:
- Activate Audit Policies in SAP HANA to capture database access and changes.
- Configure HANA to send audit logs to ETD using syslog or file-based export.
- ETD ingests and indexes these logs for threat detection.
SAP Solution Manager can act as a central logging system by collecting logs from multiple SAP systems and forwarding them to ETD.
- Set up Log Forwarding from Solution Manager to ETD.
- Use standard integration adapters or APIs to transmit logs securely.
4. Syslog and File-Based Log Collection
ETD supports both syslog and file-based log collection methods:
- Syslog: Configure SAP systems or intermediate log collectors to send logs to ETD via the syslog protocol.
- File Transfer: Logs can be exported to a shared directory that ETD monitors and imports.
- Enable and configure audit logging in SAP NetWeaver and HANA systems.
- Define the scope of logged events relevant to security.
- Configure log forwarding via syslog or file export from SAP systems.
- For syslog, ensure network connectivity and correct port configurations to ETD collectors.
- Deploy ETD Data Collector Agents on relevant servers or configure ETD to receive logs directly.
- Define log sources and specify formats to parse incoming log data correctly.
Step 4: Validate Log Reception and Parsing
- Monitor ETD dashboards to verify logs from SAP systems are arriving and being indexed.
- Adjust parsing rules or add custom correlation rules as needed.
- Run sample scenarios to confirm that ETD can detect security-relevant events from connected SAP systems.
- Regularly update audit configurations in SAP systems to capture emerging threat indicators.
- Secure log transmission channels using encryption and authentication.
- Monitor log volumes to optimize ETD performance.
- Integrate ETD alerts with existing Security Operations Center (SOC) tools.
- Periodically review and tune ETD correlation rules for false positives and new threats.
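The reception and parsing check from Step 4 can also be run outside the dashboards, against a capture of what arrives on the syslog path. The following Python sketch is an added example, not SAP or ETD code: it assumes the sources send RFC 5424 framed syslog, and the host names, application names, sample lines and the 15-minute freshness window are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) \S+ \S+ \S+ .+$")

def check_reception(lines, expected_hosts, now, max_age=timedelta(minutes=15)):
    """Classify expected log sources as silent or stale; collect unparsable lines."""
    last_seen, unparsed = {}, []
    for line in lines:
        m = RFC5424.match(line)
        ts = None
        if m and int(m.group(1)) <= 191:  # PRI = facility*8 + severity, max 191
            try:
                ts = datetime.fromisoformat(m.group(2).replace("Z", "+00:00"))
            except ValueError:
                ts = None
        if ts is None or ts.tzinfo is None:  # wrong format or no UTC offset
            unparsed.append(line)
            continue
        host = m.group(3).lower()
        last_seen[host] = max(ts, last_seen.get(host, ts))
    expected = {h.lower() for h in expected_hosts}
    seen = set(last_seen)
    return {
        "silent": sorted(expected - seen),      # configured but nothing usable received
        "stale": sorted(h for h in expected & seen
                        if now - last_seen[h] > max_age),
        "unexpected": sorted(seen - expected),  # sending but not a defined log source
        "unparsed": unparsed,                   # format the parser does not accept
    }

# Constructed sample input: host and application names are made up.
SAMPLE = [
    "<86>1 2024-05-01T10:00:00Z nw-app01 nwaudit - - - constructed NetWeaver audit record",
    "<86>1 2024-05-01T09:58:00+00:00 hana-db01 hanaaudit - - - constructed HANA audit record",
    "<86>1 2024-05-01T08:00:00Z solman01 fwd - - - constructed forwarded record",
    "May  1 10:00:01 nw-app02 constructed BSD-style line the RFC 5424 parser rejects",
    "<86>1 2024-05-01T10:01:00Z test-box app - - - constructed record from an unlisted host",
]
EXPECTED = ["nw-app01", "nw-app02", "hana-db01", "solman01"]
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in check_reception(SAMPLE, EXPECTED, NOW).items():
        print(f"{key}: {value}")
```

A source that appears as silent while its lines show up under unparsed points to a format mismatch rather than a connectivity problem, which is the case the parsing rules in Step 4 are meant to correct.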
Connecting SAP Enterprise Threat Detection to SAP systems is a critical step in establishing a secure SAP environment. By effectively collecting and analyzing logs from SAP NetWeaver, SAP HANA, Solution Manager, and other sources, ETD provides actionable insights to detect and respond to threats proactively.
Proper configuration, continuous monitoring, and adherence to best practices ensure that ETD serves as a powerful tool in the enterprise security arsenal, safeguarding SAP landscapes against evolving cyber threats.