Configuring JSA to Collect Events from your SAP Enterprise Threat Detection System

 

Configure JSA to collect events from your SAP Enterprise Threat Detection (ETD) server.

To connect to the SAP Enterprise Threat Detection server by using the SAP Enterprise Threat Detection Alert API, the following requirements must be met:

  • The SAP Enterprise Threat Detection server must be configured to generate alert events.

  • You need the user name and password that is used to connect to the SAP Enterprise Threat Detection server.

  • Check that the server port is not blocked by a firewall.

  1. Log in to JSA and click the Admin tab.
  2. In the navigation menu, click Data Sources > Log Sources.
  3. In the Log Sources window, click Add.
  4. Give the log source a name and description.
  5. From the Log Source Type list, select SAP Enterprise Threat Detection.
  6. From the Protocol Configuration list, select SAP Enterprise Threat Detection.
  7. Complete the log source parameters for SAP Enterprise Threat Detection with the parameter information from the following table:

    Table 1: SAP Enterprise Threat Detection Log Source Parameters

    | Specification | Value |
    |---|---|
    | Log Source Type | SAP Enterprise Threat Detection |
    | Protocol Configuration | SAP Enterprise Threat Detection Alert API |
    | Log Source Identifier | A unique identifier for the log source. The Log Source Identifier can be any valid value, including the same value as the Log Source Name, and doesn't need to reference a specific server. If you configured multiple SAP Enterprise Threat Detection Alert API log sources, you might want to identify the first log source as SAPETD-1, the second log source as SAPETD-2, and the third log source as SAPETD-3. |
    | Server URL | Specify the URL used to access the SAP Enterprise Threat Detection Alert API, including the port. For example, “http://192.0.2.1:8003” or “https://192.0.2.1:9443”. |
    | Username/Password | Enter the user name and password that are required to access the SAP ETD server, and then confirm that you entered the password correctly. The confirmation password must be identical to the password you typed for the password parameter. Note: SAP Enterprise Threat Detection has a login attempt limit of three attempts. If your account is locked because of multiple login attempts, you cannot connect JSA to the SAP Enterprise Threat Detection Server until the account is unlocked. Contact SAP Support for assistance. |
    | Use Pattern Filter | Select this option to limit the query to only a specific pattern filter. Leave the field cleared to query for all the events. |
    | Pattern Filter Id | The pattern filter Id that is used to filter the query. The field accepts a UUID that is created when a pattern filter is made. The Filter Id is the UUID mentioned in the protocol parameters table for parameter Pattern Filter Id. |
    | Use Proxy | If JSA accesses the SAP Enterprise Threat Detection Alert API by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username and Proxy Fields. If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port. |
    | Automatically Acquire Server Certificate(s) | If you select Yes from the list, JSA automatically downloads the server certificate and begins trusting the target server. If No is selected, JSA does not attempt to retrieve any server certificates. Note: If the SAP Enterprise Threat Detection Server is configured for HTTPS, a valid certificate is required. Either set this value to Yes or manually retrieve a certificate for the Log Source. |
    | Recurrence | The time interval between log source queries to the SAP Enterprise Threat Detection Alert API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 5 minutes (5M). |
    | Throttle | The maximum number of events per second. The default is 5000. |

  8. Click Save.
  9. On the Admin tab, click Deploy Changes.
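
A pre-flight check for the Table 1 values and the firewall prerequisite, added here as an example (it is not Juniper or SAP code). The function names are hypothetical, and the accepted Recurrence and UUID formats are assumptions based on the examples in the table.

```python
import hashlib
import re
import socket
import ssl
import uuid
from urllib.parse import urlsplit

def check_params(server_url, recurrence="5M", pattern_filter_id=None):
    """Validate form values offline; return (scheme, host, port, findings)."""
    if re.search(r"\s", server_url):
        raise ValueError("Server URL contains whitespace")
    url = urlsplit(server_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("Server URL must be http(s)://host:port")
    findings = []
    if url.port is None:  # .port itself raises ValueError on a malformed port
        findings.append("Server URL has no explicit port")
    if url.scheme == "http":
        findings.append("http:// carries the ETD user name and password unencrypted")
    # Assumption: a positive integer followed by upper-case H, M or D, as in "5M".
    if not re.fullmatch(r"[1-9]\d*[HMD]", recurrence):
        findings.append("Recurrence is not <number> followed by H, M or D")
    if pattern_filter_id is not None:
        try:
            canonical = str(uuid.UUID(pattern_filter_id))
        except ValueError:
            canonical = None
        if canonical != pattern_filter_id.lower():
            findings.append("Pattern Filter Id is not a canonical UUID")
    return url.scheme, url.hostname, url.port, findings

def port_reachable(host, port, timeout=3.0):
    """TCP connect only. Sends no HTTP request and no credentials, so it
    cannot use up one of the three login attempts."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def server_cert_sha256(host, port):
    """Fetch the presented certificate without validating it and return its
    SHA-256 fingerprint for out-of-band comparison."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

if __name__ == "__main__":
    # Constructed values taken from the table's documentation-range examples.
    print(check_params("https://192.0.2.1:9443", "5M"))
```

Compare the fingerprint from `server_cert_sha256` with one obtained from the SAP ETD administrator before setting Automatically Acquire Server Certificate(s) to Yes, because that option makes JSA trust the certificate it downloads.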