How to Connect SAP Enterprise Threat Detection to Splunk Enterprise Security
The newest version, Enterprise Threat Detection 2.1, was announced on December 3, 2019 in a blog by Michael Schmitt, the Enterprise Threat Detection Product Manager.
Of interest to customers currently using Splunk Enterprise Security: the announcement included a new feature in ETD 2.1 that issues alerts to Splunk Enterprise Security, enabling real-time collaboration between SAP Security teams using Enterprise Threat Detection and IT Security teams using Splunk Enterprise Security.
This out of the box connector can be easily set up in Enterprise Threat Detection and Splunk in order to facilitate collaboration between the SAP Security teams and the Splunk Enterprise Security teams as described in my earlier blog, dated November 21, 2019.
The announced connectivity is two-way. Enterprise Threat Detection publishes an alert to Splunk Enterprise Security for further investigation of the event at the infrastructure level. There is also an out-of-the-box connector from Splunk Enterprise Security to Enterprise Threat Detection, used when Splunk finds suspicious behavior at the infrastructure layer.
Here is how an alert from Splunk looks in Enterprise Threat Detection:
Let’s break this down a bit further. First, let’s look at an alert published by Enterprise Threat Detection to Splunk.
When an attack detection pattern is triggered in Enterprise Threat Detection, an alert is issued with an alert identifier – it looks like this:
We can see here that the alert has a unique identifier and was triggered by the Brute Force Attack Detection Pattern. We can also see the initiating network host name, WDFN33984083A, which is the bad actor in this case. We also see the system that was acted upon identified as System ID, Actor and System ID Y13/222.
In Enterprise Threat Detection, we can see that the initiator, WDFN33984083A was able to access monitored data (sensitive data which turned out to be intellectual property – the pump architecture plans) and was able to download data as a result of the successful brute force attack:
These details will be published through the alert publishing feature to Splunk Enterprise Security. Enterprise Threat Detection supports JSON, CEF, or LEEF formats. In this case, a fully formed JSON record was published to Splunk Enterprise Security:
Here we can see that the information sent to Splunk Enterprise Security includes the Alert Identifier, the Attack Detection Pattern that was triggered that would be of interest to Splunk, the timestamps, severity level, terminal id and more.
Splunk Enterprise Security pulls in the information from the alert and shows it in the Incident Review area:
This information is now able to be correlated with Splunk Enterprise Security. Information is available related to activities regarding this endpoint, IP addresses and current threats or active compromise in the environment.
Additional information, including a risk score to prioritize the event, can be found in the Splunk Enterprise Security solution.
In Splunk, the SAP application and the reported attack are visible alongside additional information correlated in Splunk Enterprise Security. This supporting information includes the history related to this event and user, the phase of the MITRE ATT&CK kill chain, and the tactics and techniques used, along with a description to help the security analyst understand what needs to be done.
Splunk Enterprise Security can assist in threat hunting activities to further track down the issue:
How to enable SAP Enterprise Threat Detection to send alerts to Splunk?
The connection is set up through the Admin function of Enterprise Threat Detection: choose Settings, then select Manage Alert Processing. The triggering events can then be sent to Splunk, where this threat information is consumed by Splunk Enterprise Security. To refine the alerts, a pattern filter can be set up to send only critical alerts. More information is available in the Enterprise Threat Detection documentation. The SAP and Splunk security teams can work together to determine the correct setup options. Notice the JSON setup option in the screen below:
Once the setup is complete for Enterprise Threat Detection, alerts will be published to the Splunk HTTP Event Collector (HEC).
To ensure the events are properly recognized in Splunk Enterprise Security, the Splunk HTTP Event Collector (HEC) must be enabled and the event collector token must be obtained. A user must be set up with the EtdSecExpert role for SAP Enterprise Threat Detection. More setup information is in the official Splunk documentation.
Other setup steps in Enterprise Threat Detection include starting the SAP HANA XS tool and creating an extension to define the host and port of the Splunk HTTP Event Collector. Choose from the basic authentication options available, and alerts will soon be sent to the Splunk Event Collector every minute!
To view the alerts in Splunk, search on sapetd_alert.
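Before pointing Enterprise Threat Detection at the collector, it helps to confirm that HEC accepts a test alert with the token. The following is an added example, not SAP's or Splunk's own code: it filters constructed alerts down to critical ones and batches them into one HEC request using the `Authorization: Splunk <token>` header. The host, token, alert key names, severity scale, the `sap_etd` source and the use of `sapetd_alert` as the sourcetype are all assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

HEC_URL = "https://splunk.example.com:8088/services/collector/event"  # placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder HEC token
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}  # assumed scale

# Constructed alerts; key names are illustrative, not the ETD JSON schema.
SAMPLE_ALERTS = [
    {"alert_id": 1001, "pattern": "Brute Force Attack", "severity": "Very High",
     "created": "2019-12-03T10:15:00Z", "terminal": "WDFN33984083A", "system": "Y13/222"},
    {"alert_id": 1002, "pattern": "Constructed low-priority pattern", "severity": "Low",
     "created": "2019-12-03T10:16:00Z", "terminal": "HOST-EXAMPLE", "system": "Y13/222"},
]


def to_epoch(iso_ts):
    """HEC expects the event time as epoch seconds."""
    parsed = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def hec_envelope(alert):
    """Wrap one alert in the HEC event envelope (source name is hypothetical)."""
    return {"time": to_epoch(alert["created"]), "source": "sap_etd",
            "sourcetype": "sapetd_alert", "event": alert}


def build_request(alerts, min_severity="High"):
    """Keep alerts at or above min_severity and batch them into one HEC POST."""
    floor = SEVERITY_RANK[min_severity]
    top = max(SEVERITY_RANK.values())
    # Unknown severity labels are forwarded, so a typo never hides an alert.
    selected = [a for a in alerts if SEVERITY_RANK.get(a["severity"], top) >= floor]
    # HEC accepts several event objects back to back in a single request body.
    body = "\n".join(json.dumps(hec_envelope(a)) for a in selected).encode("utf-8")
    headers = {"Authorization": "Splunk " + HEC_TOKEN, "Content-Type": "application/json"}
    return urllib.request.Request(HEC_URL, data=body, headers=headers, method="POST"), selected


def send(request, timeout=10):
    """POST to HEC with default TLS verification; success is {"text": "Success", "code": 0}."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    req, kept = build_request(SAMPLE_ALERTS)
    print(req.full_url, [a["alert_id"] for a in kept])
```

Nothing is sent until `send()` is called with the real collector URL and token in place.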
Look out for more information soon on how to leverage Splunk Enterprise Security and SAP Enterprise Threat Detection together!