Configuring JSA to Collect Events from your SAP Enterprise Threat Detection System
Configure JSA to collect events from your SAP Enterprise Threat Detection (ETD) server.
To connect to the SAP Enterprise Threat Detection server by using the SAP Enterprise Threat Detection Alert API, the following requirements must be met:
- The SAP Enterprise Threat Detection server must be configured to generate alert events.
- You need the user name and password that are used to connect to the SAP Enterprise Threat Detection server.
- Check that the server port is not blocked by a firewall.

- Log in to JSA and click the Admin tab.
- In the navigation menu, click Data Sources > Log Sources.
- In the Log Sources window, click Add.
- Give the log source a name and description.
- From the Log Source Type list, select SAP Enterprise Threat Detection.
- From the Protocol Configuration list, select SAP Enterprise Threat Detection.
- Complete the log source parameters for SAP Enterprise Threat Detection with the parameter information from the following table:
Table 1: SAP Enterprise Threat Detection Log Source Parameters
Log Source type
SAP Enterprise Threat Detection
SAP Enterprise Threat Detection Alert API
Log Source Identifier
A unique identifier for the log source.
The Log Source Identifier can be any valid value, including the same value as the Log Source Name, and doesn't need to reference a specific server. If you configured multiple SAP Enterprise Threat Detection Alert API log sources, you might want to identify the first log source as SAPETD-1, the second log source as SAPETD-2, and the third log source as SAPETD-3.
Specify the URL used to access the SAP Enterprise Threat Detection Alert API, including the port. For example, “http://192.0.2.1:8003” or “https://192.0.2.1:9443”.
Enter the user name and password that are required to access the SAP ETD server, and then confirm that you entered the password correctly. The confirmation password must be identical to the password you typed for the password parameter.
Note: SAP Enterprise Threat Detection has a login attempt limit of three attempts. If your account is locked because of multiple login attempts, you cannot connect JSA to the SAP Enterprise Threat Detection Server until the account is unlocked. Contact SAP Support for assistance.
Use Pattern Filter
Select this option to limit the query to only a specific pattern filter. Leave the field cleared to query for all the events.
Pattern Filter Id
The pattern filter Id that is used to filter the query. The field accepts a UUID that is created when a pattern filter is made.
The Filter Id is the UUID mentioned in the protocol parameters table for parameter Pattern Filter Id.
If JSA accesses the SAP Enterprise Threat Detection Alert API by using a proxy, enable Use Proxy.
If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username, and Proxy Password fields.
If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port.
Automatically Acquire Server Certificate(s)
If you select Yes from the list, JSA automatically downloads the server certificate and begins trusting the target server. If No is selected, JSA does not attempt to retrieve any server certificates.
Note: If the SAP Enterprise Threat Detection Server is configured for HTTPS, a valid certificate is required. Either set this value to Yes or manually retrieve a certificate for the Log Source.
The time interval between log source queries to the SAP Enterprise Threat Detection Alert API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 5 minutes (5M).
The maximum number of events per second. The default is 5000.
- Click Save.
- On the Admin tab, click Deploy Changes.
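
A pre-flight check for the parameter values in Table 1, as an added example that is not part of the original page or of JSA: it validates the server URL, the pattern filter UUID, the password confirmation and the recurrence syntax before they are entered in the log source form. The dictionary keys and the `check_log_source` and `recurrence_seconds` names are hypothetical, and the sample values are constructed.

```python
import re
import uuid
from urllib.parse import urlsplit

UNIT_SECONDS = {"M": 60, "H": 3600, "D": 86400}

def recurrence_seconds(value):
    """Convert a recurrence such as '5M', '2H' or '1D' to seconds."""
    m = re.fullmatch(r"([1-9]\d*)([HMD])", value.strip().upper())
    if not m:
        raise ValueError(f"bad recurrence {value!r}: use <number>H, M or D")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def check_log_source(cfg):
    """Return (severity, message) findings; cfg keys are hypothetical names."""
    findings = []
    raw = cfg.get("server_url") or ""
    url = urlsplit(raw)
    try:
        port = url.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if re.search(r"\s", raw) or url.scheme not in ("http", "https") or not url.hostname:
        findings.append(("error", "Server URL must look like https://host:port"))
    elif port is None:
        findings.append(("error", "Server URL must include a valid port"))
    elif url.scheme == "http":
        findings.append(("warn", "http: credentials cross the network unencrypted"))
    elif cfg.get("auto_acquire_cert"):
        findings.append(("warn", "certificate is trusted on download; verify its fingerprint"))
    else:
        findings.append(("info", "https: retrieve the server certificate manually"))
    if cfg.get("use_pattern_filter"):
        try:
            uuid.UUID(str(cfg.get("pattern_filter_id") or ""))
        except ValueError:
            findings.append(("error", "Pattern Filter Id is not a UUID"))
    if not cfg.get("username") or not cfg.get("password"):
        findings.append(("error", "user name and password are required"))
    elif cfg["password"] != cfg.get("confirm_password"):
        findings.append(("error", "confirmation password does not match"))
    try:
        recurrence_seconds(cfg.get("recurrence") or "5M")  # page default is 5M
    except ValueError as exc:
        findings.append(("error", str(exc)))
    return findings

# Constructed sample values, not from a real deployment.
SAMPLE = {"server_url": "http://192.0.2.1:8003", "username": "jsa_reader", "password": "x", "confirm_password": "x", "recurrence": "5M"}
```

Running `check_log_source(SAMPLE)` returns a single warning for the plain-HTTP URL; switching to the HTTPS URL replaces it with a reminder about the certificate requirement.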