Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

SAP Enterprise Threat Detection Alert API Log Source Parameters for SAP Enterprise Threat Detection

 

If JSA does not automatically detect the log source, add a SAP Enterprise Threat Detection log source on the JSA Console by using the SAP Enterprise Threat Detection Alert API protocol.

When using the SAP Enterprise Threat Detection Alert API protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect SAP Enterprise Threat Detection Alert API events from SAP Enterprise Threat Detection:

Table 1: SAP Enterprise Threat Detection Alert API log source parameters for the SAP Enterprise Threat Detection DSM

Specification

Value

Log Source type

SAP Enterprise Threat Detection

Protocol Configuration

SAP Enterprise Threat Detection Alert API

Log Source Identifier

A unique identifier for the log source.

The Log Source Identifier can be any valid value, including the same value as the Log Source Name, and doesn't need to reference a specific server. If you configured multiple SAP Enterprise Threat Detection Alert API log sources, you might want to identify the first log source as SAPETD-1, the second log source as SAPETD-2, and the third log source as SAPETD-3.

Server URL

Specify the URL used to access the SAP Enterprise Threat Detection Alert API, including the port. For example, “http://192.0.2.1:8003” or “https:// 192.0.2.1:9443”.

Username/Password

Enter the user name and password that are required to access the SAP ETD server, and then confirm that you entered the password correctly. The confirmation password must be identical to the password you typed for the password parameter.

Note: SAP Enterprise Threat Detection has a login attempt limit of three attempts. If your account is locked because of multiple login attempts, you cannot connect JSA to the SAP Enterprise Threat Detection Server until the account is unlocked. Contact SAP Support for assistance.

Use Pattern Filter

Select this option to limit the query to only a specific pattern filter. Leave the field cleared to query for all the events.

Pattern Filter Id

The pattern filter Id that is used to filter the query. The field accepts a UUID that is created when a pattern filter is made.

The Filter Id is the UUID mentioned in the protocol parameters table for parameter Pattern Filter Id.

Use Proxy

If JSA accesses the SAP Enterprise Threat Detection Alert API by using a proxy, enable Use Proxy.

If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username and Proxy Fields.

If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port.

Automatically Acquire Server Certificate(s)

If you select Yes from the list, JSA automatically downloads the server certificate and begins trusting the target server. If No is selected, Yes does not attempt to retrieve any server certificates.

Note: If the SAP Enterprise Threat Detection Server is configured for HTTPS, a valid certificate is required. Either set this value to Yes or manually retrieve a certificate for the Log Source.

Recurrence

The time interval between log source queries to the SAP Enterprise Threat Detection Alert API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 5 minutes (5M).

Throttle

The maximum number of events per second. The default is 5000.