SAP Enterprise Threat Detection integrated into IBM QRadar
The IBM QRadar Security Analytics platform monitors network activity and log activity to give end users a holistic view of their systems.
QRadar partnered with SAP to integrate SAP Enterprise Threat Detection (ETD). SAP ETD detects and alerts users to potential attacks within SAP systems by gathering and analyzing log data in real time. QRadar receives these alerts, giving SOC analysts who monitor SAP deployments the information they need to react accordingly.
Configuring QRadar to communicate with SAP Enterprise Threat Detection
IBM QRadar provides a protocol source and a device support module (DSM) to enable this integration. The protocol source is the component that communicates with the SAP Enterprise Threat Detection Alert API, while the SAP Enterprise Threat Detection DSM parses the events received from that API.
QRadar Log Source Configuration
A user must create a SAP Enterprise Threat Detection log source in QRadar to establish a connection between QRadar and the SAP ETD server. Once the connection is successful, QRadar will receive events from the SAP Enterprise Threat Detection server.
Pattern Filter Configuration
A pattern filter lets a user specify which patterns will be sent to QRadar. To define a pattern filter in SAP Enterprise Threat Detection, the user creates a filter name and selects the patterns to be added to the filter.
After a filter has been created, an associated filter ID is assigned to it. Users then enter this filter ID into the QRadar log source configuration field “Pattern Filter Id”. The QRadar log source requests events from SAP ETD based on the patterns that were added to the filter.
Monitoring SAP ETD events in QRadar
When the connection from QRadar to SAP Enterprise Threat Detection is successful, the alerts triggered in SAP ETD are generated as events in QRadar. The generated events use the LEEF format, which allows the SAP Enterprise Threat Detection DSM to parse the information about each event.
LEEF is a name-value pair format optimized for normalizing events in QRadar. The normalization process identifies key information from the event payload, such as the event name, event description, username, and the timestamp of when the alert was triggered.
Below is a sample event message received in QRadar for the “Blacklisted transactions” pattern from SAP ETD:
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklistedtransactions (http://sap.com/secmon/basis)|devTime=2017-04-06T12:39:01.834Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E81E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=3387 sev=7 MinResultTimestamp=2017-04-06T12:38:04.000Z MaxResultTimestamp=2017-04-06T12:38:25.000Z Text=Measurement4 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=4 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
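To see what the DSM's normalization step has to do with such a message, here is an added example (not IBM's or SAP's code) that parses a LEEF 1.0 event into its header and attributes and pulls out the fields named above. The sample event is constructed in the shape of the one shown, with a tab between attributes as LEEF specifies; the fallback for space-separated copies and the field names in the output are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the ETD event shown above (a few attributes kept,
# placeholders as on the page). LEEF 1.0 separates attributes with a tab character.
SAMPLE = (
    "LEEF:1.0|SAP|ETD|1.0 SP5|Blacklistedtransactions (http://sap.com/secmon/basis)|"
    "devTime=2017-04-06T12:39:01.834Z\tdevTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX\t"
    "cat=Access to Critical Resource\tPatternId=55824E81E1B0FE2BE10000000A4CF109\t"
    "PatternType=FLAB\tAlertId=3387\tsev=7\t"
    "UiLink=http://192.0.2.1/launchpad|ETDLaunchpad#AlertDetails\tusrName=<username>"
)

def parse_leef(line):
    """Split a LEEF 1.0 event into its pipe-delimited header and its attribute map."""
    # maxsplit=5 keeps any '|' inside attribute values (e.g. the UiLink) intact.
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event")
    header = {"leef_version": parts[0][5:], "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    body = parts[5]
    # Real events use tabs; a copy-pasted sample often has them collapsed to spaces,
    # so fall back to splitting only at whitespace that precedes the next "key=" token.
    tokens = body.split("\t") if "\t" in body else re.split(r"\s+(?=[A-Za-z]\w*=)", body)
    attrs = {}
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            attrs[key.strip()] = value.strip()
    return header, attrs

def normalize(header, attrs):
    """Pull out the fields the text says normalization cares about (names are this example's)."""
    ts = datetime.strptime(attrs["devTime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "event_name": header["event_id"],     # which ETD pattern fired
        "category": attrs.get("cat"),
        "severity": int(attrs.get("sev", "0")),
        "username": attrs.get("usrName"),
        "alert_id": attrs.get("AlertId"),
        "timestamp": ts,
    }

if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    for key, value in normalize(hdr, attrs).items():
        print(f"{key:>10}: {value}")
```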
Events that were generated from SAP Enterprise Threat Detection are available for viewing in the Log Activity Tab in QRadar.
Viewing SAP ETD events in QRadar
Each individual event can be viewed in the event viewer UI, where all normalized data associated with the event is displayed. In the example below, the Event Name “New Service Calls by Technical Users” tells us which pattern was triggered, and the associated low-level category Suspicious Activity gives an idea of what type of event it is. A useful event description provided by SAP and the custom rules that were triggered are also displayed to give users more information.
This integration between SAP Enterprise Threat Detection and QRadar gives users a single place to identify and analyze alerts of potential attacks on SAP systems. It gives SOC analysts monitoring SAP deployments the ability to react in QRadar to events generated when SAP ETD raises an alert on suspicious activity in SAP systems. This is the value of combining SAP Enterprise Threat Detection and QRadar.