SAP Enterprise Threat Detection Alert API log source parameters for SAP Enterprise Threat Detection

If QRadar does not automatically detect the log source, add a SAP Enterprise Threat Detection log source on the QRadar Console by using the SAP Enterprise Threat Detection Alert API protocol.

When using the SAP Enterprise Threat Detection Alert API protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect SAP Enterprise Threat Detection Alert API events from SAP Enterprise Threat Detection:
Table 1. SAP Enterprise Threat Detection Alert API log source parameters for the SAP Enterprise Threat Detection DSM

| Parameter | Value |
| --- | --- |
| Log Source type | SAP Enterprise Threat Detection |
| Protocol Configuration | SAP Enterprise Threat Detection Alert API |
| Log Source Identifier | A unique identifier for the log source. The Log Source Identifier can be any valid value, including the same value as the Log Source Name, and doesn't need to reference a specific server. If you configured multiple SAP Enterprise Threat Detection Alert API log sources, you might want to identify the first log source as SAPETD-1, the second log source as SAPETD-2, and the third log source as SAPETD-3. |
| Server URL | Specify the URL used to access the SAP Enterprise Threat Detection Alert API, including the port. For example, "http://192.0.2.1:8003" or "https://192.0.2.1:9443". |
| Username/Password | Enter the user name and password that are required to access the SAP ETD server, and then confirm that you entered the password correctly. The confirmation password must be identical to the password you typed for the password parameter. Important: SAP Enterprise Threat Detection has a login attempt limit of three attempts. If your account is locked because of multiple login attempts, you cannot connect QRadar to the SAP Enterprise Threat Detection Server until the account is unlocked. Contact SAP Support for assistance. |
| Use Pattern Filter | Select this option to limit the query to only a specific pattern filter. Leave the field cleared to query for all the events. |
| Pattern Filter ID | The pattern filter ID that is used to filter the query. The field accepts a UUID that is created when a pattern filter is made. The Filter ID is the UUID mentioned in the protocol parameters table for the Pattern Filter ID parameter. |
| Use Proxy | If QRadar accesses the SAP Enterprise Threat Detection Alert API by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port. |
| Automatically Acquire Server Certificates | If you choose Yes from the list, QRadar automatically downloads the certificate and begins trusting the target server. If No is selected, QRadar does not attempt to retrieve any server certificates. Note: If the SAP Enterprise Threat Detection Server is configured for HTTPS, a valid certificate is required. Either set this value to Yes or manually retrieve a certificate for the Log Source. |
| Recurrence | The time interval between log source queries to the SAP Enterprise Threat Detection Alert API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 5 minutes (5M). |
| Throttle | The maximum number of events per second. The default is 5000. |
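
Because the account locks after three failed logins, it helps to check a planned configuration offline before saving it. The following pre-flight check is an added example, not IBM or SAP code; the dictionary keys are hypothetical labels for the parameters in Table 1 (not QRadar API identifiers), and the Recurrence syntax of a number followed by H, M, or D is assumed from the "5M" default.

```python
import re
import uuid
from urllib.parse import urlsplit

def check_log_source(cfg):
    """Return (level, message) findings for one planned log source."""
    findings = []
    url = urlsplit(cfg.get("server_url", ""))
    try:
        port = url.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append(("error", "Server URL must be an http(s) URL"))
    elif port is None:
        findings.append(("error", "Server URL must include the port"))
    elif url.scheme == "http":
        findings.append(("warning", "http:// gives no transport encryption for credentials"))
    elif not cfg.get("auto_acquire_cert", False):
        findings.append(("warning", "HTTPS: retrieve the server certificate manually"))

    # Pattern Filter ID is only used when Use Pattern Filter is selected.
    if cfg.get("use_pattern_filter"):
        try:
            uuid.UUID(str(cfg.get("pattern_filter_id", "")))
        except ValueError:
            findings.append(("error", "Pattern Filter ID must be a UUID"))

    if cfg.get("use_proxy"):
        if not cfg.get("proxy_host") or not cfg.get("proxy_port"):
            findings.append(("error", "Proxy Hostname or IP and Proxy Port are required"))
        # Authenticated proxies need both credentials, never just one.
        if bool(cfg.get("proxy_username")) != bool(cfg.get("proxy_password")):
            findings.append(("error", "Proxy user name and password must be set together"))

    if not re.fullmatch(r"[1-9]\d*[HMD]", cfg.get("recurrence", "5M")):
        findings.append(("error", "Recurrence must be a number followed by H, M or D"))
    return findings

# Constructed sample: documentation address range and a made-up UUID.
SAMPLE = {
    "server_url": "https://192.0.2.1:9443",
    "auto_acquire_cert": True,
    "use_pattern_filter": True,
    "pattern_filter_id": "123e4567-e89b-12d3-a456-426614174000",
    "recurrence": "5M",
}

if __name__ == "__main__":
    print(check_log_source(SAMPLE) or "no findings")
```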