IBM Security QRadar

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López
------------------------------

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi guys,
there's another custom way to get SAP logs. Export the logs from your database into a flat file, and push it to Qradar in syslog from the sap server. Or configure a file protocol in Qradar to grab the file. It's how we did it a few years ago, and it still works. I think we first integrated SAP on 7.2.6, and it's still runing ok on 7.3.1.

They are some downside to this however, such as the number of query allowed on the database per hour. The SAP ETD module might be a better option. If some of you guys are able to do something with it, please share your findings.
Thanks!

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi Anthony
Do you have more information about how to do that procedure? some guide o documentation?
I would appreciate if you could bring us that information to try to replicate that custom way.
Thanks

------------------------------
Johan López
------------------------------

Original Message:
Sent: Tue July 16, 2019 04:55 PM
From: Anthony Gayadeen
Subject: SAP Integration

Hi guys,
there's another custom way to get SAP logs. Export the logs from your database into a flat file, and push it to Qradar in syslog from the sap server. Or configure a file protocol in Qradar to grab the file. It's how we did it a few years ago, and it still works. I think we first integrated SAP on 7.2.6, and it's still runing ok on 7.3.1.

They are some downside to this however, such as the number of query allowed on the database per hour. The SAP ETD module might be a better option. If some of you guys are able to do something with it, please share your findings.
Thanks!

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi Anthony,
Thank you for your response.
I am very curious about the details.
Like

• which Logs/Log Files/Log Types did you include?
• How did you automate the log export into a flat file?
• Did you write your own DSM with own custom properties and own event mappings?
• How did you include the SAP events into the existing rules and searches?

Thank you very much, I will keep you updated!

------------------------------
Artur Gazda
------------------------------

Original Message:
Sent: Tue July 16, 2019 04:55 PM
From: Anthony Gayadeen
Subject: SAP Integration

Hi guys,
there's another custom way to get SAP logs. Export the logs from your database into a flat file, and push it to Qradar in syslog from the sap server. Or configure a file protocol in Qradar to grab the file. It's how we did it a few years ago, and it still works. I think we first integrated SAP on 7.2.6, and it's still runing ok on 7.3.1.

They are some downside to this however, such as the number of query allowed on the database per hour. The SAP ETD module might be a better option. If some of you guys are able to do something with it, please share your findings.
Thanks!

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hello Johan,
Thank you for your feedback.
Have you already implemented one of those solutions?
I think SAP ETD is also not for free and it already analyzes the logs.
So I am wondering if it is forwarding the raw logs or just the alerts.
If the SAP ETD DSM supports raw logs I would like to find a solution how to get them directly from the SAP servers.
Otherwise we would need to build an own DSM.

Let's keep in touch with each other regarding this topic ;-)



------------------------------
Artur Gazda
------------------------------

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi guys,
a few people asked me about our sap integration. I even got some messages in my inbox. Please give me some time to retrieve our solution documents, and I'll come back with more details on How To.

Please do not expect too much details, since this information belongs to my employer. I will try to provide you with the maximum info I can share.

Thanks!

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------

Original Message:
Sent: Thu July 18, 2019 04:36 AM
From: Artur Gazda
Subject: SAP Integration

Hello Johan,
Thank you for your feedback.
Have you already implemented one of those solutions?
I think SAP ETD is also not for free and it already analyzes the logs.
So I am wondering if it is forwarding the raw logs or just the alerts.
If the SAP ETD DSM supports raw logs I would like to find a solution how to get them directly from the SAP servers.
Otherwise we would need to build an own DSM.

Let's keep in touch with each other regarding this topic ;-)



------------------------------
Artur Gazda

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi Anthony,

Thank you very much, I think this is a hot topic for a number of QRadar users.
As far as I know the SAP logs are only readable from SAP itself so I am very curious about your solution.

Looking forward to hearing from you!

------------------------------
Artur Gazda
------------------------------

Original Message:
Sent: Thu August 01, 2019 11:27 PM
From: Anthony Gayadeen
Subject: SAP Integration

Hi guys,
a few people asked me about our sap integration. I even got some messages in my inbox. Please give me some time to retrieve our solution documents, and I'll come back with more details on How To.

Please do not expect too much details, since this information belongs to my employer. I will try to provide you with the maximum info I can share.

Thanks!

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC

Original Message:
Sent: Thu July 18, 2019 04:36 AM
From: Artur Gazda
Subject: SAP Integration

Hello Johan,
Thank you for your feedback.
Have you already implemented one of those solutions?
I think SAP ETD is also not for free and it already analyzes the logs.
So I am wondering if it is forwarding the raw logs or just the alerts.
If the SAP ETD DSM supports raw logs I would like to find a solution how to get them directly from the SAP servers.
Otherwise we would need to build an own DSM.

Let's keep in touch with each other regarding this topic ;-)



------------------------------
Artur Gazda

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

Hi all,
thank you for your patience. My SAP admin, who worked with me on this SAP->Qradar integration, came back from a long vacations, and I finally went through the solutions document. Unfortunately, it's copyrighted, so I can't share any details from it. Although, I think I found something similar on the web that will help you start.
https://wiki.scn.sap.com/wiki/display/SI/CCMS+Syslog
https://www.consolut.com/en/s/sap-ides-access/d/s/doc/F-RSLG_WRITE_SYSLOG_ENTRY/

Unfortunately, I can't provide more information than this. If you give your SAP admin this info, I'm sure he will be able to create the syslogs you need for QRadar. For your part, you'll need to create the DSM in Qradar to parse these logs. I'm sorry that I can't help you more than this. I hope you'll be able to find your way through.

Regards,

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------

Original Message:
Sent: Wed August 07, 2019 09:23 AM
From: Artur Gazda
Subject: SAP Integration

Hi Anthony,

Thank you very much, I think this is a hot topic for a number of QRadar users.
As far as I know the SAP logs are only readable from SAP itself so I am very curious about your solution.

Looking forward to hearing from you!

------------------------------
Artur Gazda

Original Message:
Sent: Thu August 01, 2019 11:27 PM
From: Anthony Gayadeen
Subject: SAP Integration

Hi guys,
a few people asked me about our sap integration. I even got some messages in my inbox. Please give me some time to retrieve our solution documents, and I'll come back with more details on How To.

Please do not expect too much details, since this information belongs to my employer. I will try to provide you with the maximum info I can share.

Thanks!

------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC

Original Message:
Sent: Thu July 18, 2019 04:36 AM
From: Artur Gazda
Subject: SAP Integration

Hello Johan,
Thank you for your feedback.
Have you already implemented one of those solutions?
I think SAP ETD is also not for free and it already analyzes the logs.
So I am wondering if it is forwarding the raw logs or just the alerts.
If the SAP ETD DSM supports raw logs I would like to find a solution how to get them directly from the SAP servers.
Otherwise we would need to build an own DSM.

Let's keep in touch with each other regarding this topic ;-)



------------------------------
Artur Gazda

Original Message:
Sent: Tue July 16, 2019 11:30 AM
From: Johan López
Subject: SAP Integration

Hi Artur
I'm facing the same problem and till now i have found 2 supported ways to do this.
1- A third party application wich is not for free and not cheap (ETM).
2- A module of SAP (ETD) wich send events to Qradar, to can interpretate this events you must:
- Update your Protocol-Common RPM (Fixcentral)
- Download the SAP ETD Alert API Threat Detection DSM RPM (Fixcentral)
- Download de SAP Enterprise Threat Detection DSM RPM (Fixcentral), if you try to install this one first it will ask for the steps a mentioanted before, in the same order
After did that you must configure your Qradar to receive the events from SAP.
For more information refer to the next link : 
https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_SAP_Enterprise_overview.html

I would appreciate a feedback about what worked to you
Thanks

------------------------------
Johan López

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------

This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I'd really like to appreciate the efforts you get with writing this post. Thanks for sharing.
SAP SD classes in pune

SAP SD course in pune

SAP SD training in pune

------------------------------
pallavi patil
------------------------------

Original Message:
Sent: Tue July 16, 2019 05:00 AM
From: Artur Gazda
Subject: SAP Integration

Hello Community,

Has someone experience with integrating SAP logs directly into QRadar without 3rd party tools?
I am curious about the way to do it, the requirements and best practises.

Thank You!

------------------------------
Artur Gazda
------------------------------