SAP ArcSight Integration – Sending SAP Security Events to ArcSight using CEF Format
SAP ArcSight integration including sending realtime SAP security events to ArcSight can be accomplished by Enterprise Threat Monitor in a couple of steps.
ETM has over 300 SAP specific threat detection cases built-in and preconfigured, which includes 0-day SAP attack signatures, common attacks such using debug/replace on SAP to bypass authorizations, and compliance related issues such as SAP account sharing or download of customer master data.
Further configuration of customer specific Z* or Y* tables, reports and SAP transactions can be easily configured in the Enterprise Threat Monitor customizations screen.
For connecting ArcSight with SAP security events, Enterprise Threat Monitor is used. ETM connects to SAP systems and analyzes realtime security events using its correlation engine. It then uses machine learning to eliminate false positives and noise.
The results are high quality offenses in HP ArcSight CEF format, which are ready to be consumed by ArcSight.
Use cases for SAP Security Monitoring with ArcSight
Enterprise Threat Monitor has more than 300 high quality threat monitoring cases built-in preconfigured. These threat detection cases are professionally maintained and updated. The updates are automatically distributed without requiring any manual intervention.
Some of the SAP threat detection use cases are listed below:
- SAP debug/replace is used for bypassing transaction authorizations
- An unauthorized user assigned SAP_ALL to another user
- A user downloaded customer master data or payroll to its workstation
- Shared usage of SAP user accounts
- Failed logons of multiple SAP users originating from the same terminal
- A production SAP system is opened to system changes
- A terminated employee’s SAP account is used for connecting to an SAP system
Integration works as the following:
- Download Enterprise Threat Monitor:
- Follow the steps for connecting your SAP systems:
- Use follow the detailed steps and use the built-in SIEM wizard to add your ArcSight system.
The detailed steps are explained in Enterprise Threat Monitor SAP Events Integration Guide for HP ArcSight. Please contact us for obtaining a copy of it.
ETM – ArcSight Support
Enterprise Threat Monitor for SAP supports HP ArcSight ESM versions from 4.0 onwards.