QRadar XDR

  • 1.  SAP Integration

    Posted Tue July 16, 2019 05:00 AM
    Hello Community,

    Does anyone have experience with integrating SAP logs directly into QRadar without 3rd party tools?
    I am curious about the way to do it, the requirements and best practices.

    Thank You!

    ------------------------------
    Artur Gazda
    ------------------------------


  • 2.  RE: SAP Integration

    Posted Tue July 16, 2019 11:30 AM
    Hi Artur
    I'm facing the same problem and until now I have found 2 supported ways to do this.
    1- A third party application which is not free and not cheap (ETM).
    2- A module of SAP (ETD) which sends events to QRadar; to be able to interpret these events you must:
    - Update your Protocol-Common RPM (Fixcentral)
    - Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
    - Download the SAP Enterprise Threat Detection DSM RPM (Fixcentral); if you try to install this one first, it will ask for the steps I mentioned before, in the same order
    After doing that you must configure your QRadar to receive the events from SAP.
    For more information refer to the following link:
    https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

    I would appreciate feedback about what worked for you
    Thanks

    ------------------------------
    Johan López
    ------------------------------



  • 3.  RE: SAP Integration

    Posted Tue July 16, 2019 04:55 PM
    Hi guys,
    there's another custom way to get SAP logs. Export the logs from your database into a flat file, and push it to QRadar in syslog from the SAP server. Or configure a file protocol in QRadar to grab the file. It's how we did it a few years ago, and it still works. I think we first integrated SAP on 7.2.6, and it's still running ok on 7.3.1.

    There are some downsides to this however, such as the number of queries allowed on the database per hour. The SAP ETD module might be a better option. If some of you guys are able to do something with it, please share your findings.
    Thanks!

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------
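
The flat-file-to-syslog route described in post 3, as an added example that is not part of the thread and not the poster's solution: it converts export rows into RFC 5424 syslog lines carrying a LEEF 1.0 payload, neutralises delimiter characters that could forge fields, and tracks a byte offset so scheduled runs do not resend events. The row layout, the host name `sap-app01`, the app name `sapexport`, the `FlatFileExport` product string and the `sapClient`/`msg` keys are assumptions.

```python
import re
import socket
from datetime import datetime, timezone

PRI = 13 * 8 + 6                        # RFC 5424: facility 13 (log audit), severity 6 (info)
_CTRL = re.compile(r"[\x00-\x1f\x7f]")  # CR/LF/TAB inside a field could split or forge events

def clean(value):
    """Neutralise control characters and the LEEF header delimiter in one field."""
    return _CTRL.sub(" ", value).replace("|", "/").strip()

def to_syslog(line, host="sap-app01"):
    """Map one export row 'time|event|client|user|ip|text' (constructed layout)
    to an RFC 5424 line with a LEEF 1.0 payload; return None for a bad row."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        return None
    ts, event, client, user, ip, text = (clean(p) for p in parts)
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    if not event:
        return None
    # usrName and src are predefined LEEF keys; sapClient and msg are custom (assumed).
    attrs = {"usrName": user, "src": ip, "sapClient": client, "msg": text}
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    leef = f"LEEF:1.0|SAP|FlatFileExport|1.0|{event}|{body}"
    return f"<{PRI}>1 {when.isoformat()} {host} sapexport - - - {leef}"

def forward_new(path, offset, send):
    """Send rows appended after byte `offset`; return the new offset so the next
    scheduled run does not replay events that were already delivered."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            raw = fh.readline()
            if not raw.endswith(b"\n"):   # EOF or half-written row: leave it for next run
                break
            msg = to_syslog(raw.decode("utf-8", "replace"))
            if msg:
                send(msg)
            offset = fh.tell()
    return offset

def udp_sender(addr):
    """Return a send(msg) callable that emits one syslog datagram per event."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda msg: sock.sendto(msg.encode("utf-8"), addr)
```

A scheduled job would persist the returned offset between runs and pass `udp_sender((collector_host, 514))` as `send`, where `collector_host` is a placeholder for the QRadar event collector.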



  • 4.  RE: SAP Integration

    Posted Wed July 17, 2019 10:10 AM
    Hi Anthony
    Do you have more information about how to do that procedure? Some guide or documentation?
    I would appreciate if you could bring us that information to try to replicate that custom way.
    Thanks

    ------------------------------
    Johan López
    ------------------------------



  • 5.  RE: SAP Integration

    Posted Thu July 18, 2019 04:42 AM
    Hi Anthony,
    Thank you for your response.
    I am very curious about the details.
    Like
    • which Logs/Log Files/Log Types did you include?
    • How did you automate the log export into a flat file?
    • Did you write your own DSM with own custom properties and own event mappings?
    • How did you include the SAP events into the existing rules and searches?

    Thank you very much, I will keep you updated!

    ------------------------------
    Artur Gazda
    ------------------------------



  • 6.  RE: SAP Integration

    Posted Thu July 18, 2019 04:36 AM
    Hello Johan,
    Thank you for your feedback.
    Have you already implemented one of those solutions?
    I think SAP ETD is also not for free and it already analyzes the logs.
    So I am wondering if it is forwarding the raw logs or just the alerts.
    If the SAP ETD DSM supports raw logs I would like to find a solution how to get them directly from the SAP servers.
    Otherwise we would need to build our own DSM.

    Let's keep in touch with each other regarding this topic ;-)



    ------------------------------
    Artur Gazda
    ------------------------------



  • 7.  RE: SAP Integration

    Posted Thu August 01, 2019 11:27 PM
    Hi guys,
    a few people asked me about our SAP integration. I even got some messages in my inbox. Please give me some time to retrieve our solution documents, and I'll come back with more details on How To.

    Please do not expect too many details, since this information belongs to my employer. I will try to provide you with the maximum info I can share.

    Thanks!

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 8.  RE: SAP Integration

    Posted Wed August 07, 2019 09:24 AM
    Hi Anthony,

    Thank you very much, I think this is a hot topic for a number of QRadar users.
    As far as I know the SAP logs are only readable from SAP itself so I am very curious about your solution.

    Looking forward to hearing from you!

    ------------------------------
    Artur Gazda
    ------------------------------



  • 9.  RE: SAP Integration

    Posted Wed August 28, 2019 04:12 PM
    Hi all,
    thank you for your patience. My SAP admin, who worked with me on this SAP->QRadar integration, came back from a long vacation, and I finally went through the solutions document. Unfortunately, it's copyrighted, so I can't share any details from it. Although, I think I found something similar on the web that will help you start.
    https://wiki.scn.sap.com/wiki/display/SI/CCMS+Syslog
    https://www.consolut.com/en/s/sap-ides-access/d/s/doc/F-RSLG_WRITE_SYSLOG_ENTRY/

    Unfortunately, I can't provide more information than this. If you give your SAP admin this info, I'm sure he will be able to create the syslogs you need for QRadar. For your part, you'll need to create the DSM in QRadar to parse these logs. I'm sorry that I can't help you more than this. I hope you'll be able to find your way through.

    Regards,

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 10.  RE: SAP Integration

    Posted Wed July 21, 2021 11:20 AM
    This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I'd really like to appreciate the efforts you get with writing this post. Thanks for sharing.

    ------------------------------
    pallavi patil
    ------------------------------