SAP Enterprise Threat Detection Alert API log source parameters for SAP Enterprise Threat Detection
If QRadar does not automatically detect the log source, add a SAP Enterprise Threat Detection log source on the QRadar Console by using the SAP Enterprise Threat Detection Alert API protocol.
When using the SAP Enterprise Threat Detection Alert API protocol, there are specific parameters that you must use.
Parameter | Value |
---|---|
Log Source type | SAP Enterprise Threat Detection |
Protocol Configuration | SAP Enterprise Threat Detection Alert API |
Log Source Identifier | A unique identifier for the log source. The Log Source Identifier can be any valid value, including the same value as the Log Source Name, and doesn't need to reference a specific server. If you configured multiple SAP Enterprise Threat Detection Alert API log sources, you might want to identify the first log source as SAPETD-1, the second log source as SAPETD-2, and the third log source as SAPETD-3. |
Server URL | Specify the URL used to access the SAP Enterprise Threat Detection Alert API, including the port. For example, “http://192.0.2.1:8003” or “https://192.0.2.1:9443”. |
Username/Password | Enter the user name and password that are required to access the SAP ETD server, and then confirm that you entered the password correctly. The confirmation password must be identical to the password you typed for the password parameter. Important: SAP Enterprise Threat Detection has a login attempt limit of three attempts. If your account is locked because of multiple login attempts, you cannot connect QRadar to the SAP Enterprise Threat Detection Server until the account is unlocked. Contact SAP Support for assistance. |
Use Pattern Filter | Select this option to limit the query to only a specific pattern filter. Leave the field cleared to query for all the events. |
Pattern Filter ID | The pattern filter ID that is used to filter the query. The field accepts a UUID that is created when a pattern filter is made. The Filter ID is the UUID mentioned in the protocol parameters table for parameter Pattern Filter ID. |
Use Proxy | If QRadar accesses the SAP Enterprise Threat Detection Alert API by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port. |
Automatically Acquire Server Certificates | If you choose Yes from the list, QRadar automatically downloads the certificate and begins trusting the target server. If No is selected, QRadar does not attempt to retrieve any server certificates. Note: If the SAP Enterprise Threat Detection Server is configured for HTTPS, a valid certificate is required. Either set this value to Yes or manually retrieve a certificate for the Log Source. |
Recurrence | The time interval between log source queries to the SAP Enterprise Threat Detection Alert API for new events. The time interval can be in hours (H), minutes (M), or days (D). The default is 5 minutes (5M). |
Throttle | The maximum number of events per second. The default is 5000. |
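
The following added example (not part of the IBM documentation or of QRadar) checks a planned parameter set against the rules in the table before the values are entered on the Console. The dictionary key names, including `cert_installed`, are hypothetical, and the script does not contact QRadar or the SAP ETD server.

```python
import re
import uuid
from urllib.parse import urlsplit

# Key names below are hypothetical labels for this sketch, not QRadar API fields.
def check_log_source(params):
    """Return (errors, warnings) for a planned log source configuration."""
    errors, warnings = [], []
    url = urlsplit(params.get("server_url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        errors.append("Server URL must be an http(s) URL")
    else:
        try:
            if url.port is None:
                errors.append("Server URL must include the port")
        except ValueError:  # raised for a non-numeric or out-of-range port
            errors.append("Server URL port is not valid")
        if url.scheme == "http":
            warnings.append("http sends the user name and password unencrypted")
        elif params.get("auto_acquire_cert") != "Yes" and not params.get("cert_installed"):
            errors.append("HTTPS needs a certificate: set Automatically Acquire "
                          "Server Certificates to Yes or retrieve one manually")

    # The Pattern Filter ID is only read when Use Pattern Filter is selected.
    if params.get("use_pattern_filter"):
        try:
            uuid.UUID(str(params.get("pattern_filter_id") or ""))
        except ValueError:
            errors.append("Pattern Filter ID must be a UUID")

    # Recurrence: a number followed by H, M, or D; the default is 5M.
    if not re.fullmatch(r"[1-9]\d*[HMD]", str(params.get("recurrence", "5M"))):
        errors.append("Recurrence must be a number followed by H, M, or D")

    throttle = params.get("throttle", 5000)  # default 5000 events per second
    if not isinstance(throttle, int) or throttle < 1:
        errors.append("Throttle must be a positive number of events per second")
    return errors, warnings

# Constructed sample values, not taken from a real deployment.
SAMPLE = {"server_url": "https://192.0.2.1:9443", "auto_acquire_cert": "No",
          "use_pattern_filter": True, "pattern_filter_id": "not-a-uuid",
          "recurrence": "5M", "throttle": 5000}

if __name__ == "__main__":
    errs, warns = check_log_source(SAMPLE)
    for line in errs + warns:
        print(line)
```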