Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Troubleshooting the SAP Enterprise Threat Detection Alert API

 

The SAP Enterprise Threat Detection DSM relies on the default pattern names of alerts to identify the events. Modifying the default patterns might result in events that appear as "Unknown".

  1. Verify that the SAP Enterprise Threat Detection server login credentials are valid by following these steps:
    1. In a Web browser, enter the IP address or domain name of your SAP Enterprise Threat Detection server. For example, http://192.0.2.1:8003.

    2. Enter your user name and password

  2. Query the SAP Enterprise Threat Detection server to verify that JSA can receive events. Use the following example as a starting point to create your query:

    <Server_URL>/sap/secmon/services/Alerts.xsjs?$ query=AlertCreationTimestamp%20ge%20<Date>T15:00:00.00Z&$format=LEEF&$batchSize=10

    <Server_URL> - The address of the SAP Enterprise Threat Detection server you are trying to access.

    <Date> - The current day's date in the YYYY-MM-DD format. Choose a date where you know that events came in; for example, 2017-10-15.

    The resulting query might look like this example:

    http://192.0.2.1:8003/sap/secmon/services/Alerts.xsjs?$query=AlertCreationTimestamp %20ge%202017-10-15T15:00:00.00Z&$format=LEEF&$batchSize=10

    In the example, replace the following parameters with your own values:

    If a problem exists with the query, it's unlikely that JSA can successfully connect with SAP Enterprise Threat Detection.

  3. Check that the server port is not blocked by a firewall.Note

    If the port is blocked, contact your security or network administrator to open the port.