Troubleshooting the SAP Enterprise Threat Detection Alert API
The SAP Enterprise Threat Detection DSM relies on the default pattern names of alerts to identify the events. Modifying the default patterns might result in events that appear as "Unknown".
Verify that the SAP Enterprise Threat Detection server login credentials are valid by following these steps:
- In a Web browser, enter the IP address or domain name of your SAP Enterprise Threat Detection server. For example, http://192.0.2.1:8003.
- Enter your user name and password.
Query the SAP Enterprise Threat Detection server to verify that the QRadar® product can receive events. Use the following example as a starting point to create your query:
In the example, replace the following parameters with your own values:
- The address of the SAP Enterprise Threat Detection server you are trying to access.
- The current day's date in the YYYY-MM-DD format. Choose a date where you know that events came in; for example, 2017-10-15.
The resulting query might look like this example:
http://192.0.2.1:8003/sap/secmon/services/Alerts.xsjs?$query=AlertCreationTimestamp%20ge%202017-10-15T15:00:00.00Z&$format=LEEF&$batchSize=10
If a problem exists with the query, it's unlikely that the QRadar product can successfully connect with SAP Enterprise Threat Detection.
Check that the server port is not blocked by a firewall.
Tip: If the port is blocked, contact your security or network administrator to open the port.
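The checks above can be scripted so that a failure is attributed to the port, the credentials, or the query. The following is an added example, not IBM or SAP code; it assumes the server accepts HTTP Basic authentication, and the function names build_query_url, classify and diagnose are hypothetical.

```python
import base64
import socket
import urllib.error
import urllib.parse
import urllib.request

ALERTS_PATH = "/sap/secmon/services/Alerts.xsjs"  # path from the example query on this page

def build_query_url(host, port, since_utc, batch_size=10, scheme="http"):
    """Build the Alert API test query; since_utc looks like 2017-10-15T15:00:00.00Z."""
    # Encode the space in the filter as %20 but keep ':' readable, as in the page's example.
    flt = urllib.parse.quote(f"AlertCreationTimestamp ge {since_utc}", safe=":")
    return (f"{scheme}://{host}:{port}{ALERTS_PATH}"
            f"?$query={flt}&$format=LEEF&$batchSize={batch_size}")

def classify(status, body):
    """Map an HTTP status and response body to a troubleshooting result."""
    if status in (401, 403):
        return "credentials rejected"
    if status != 200:
        return f"unexpected HTTP status {status}"
    leef = [ln for ln in body.splitlines() if ln.startswith("LEEF:")]
    if leef:
        return f"ok: {len(leef)} LEEF event(s)"
    # A 200 without LEEF lines can be an empty time range or an HTML login page.
    return "no LEEF lines in response (no alerts in range, or not a LEEF reply)"

def diagnose(host, port, user, password, since_utc, timeout=10):
    """Run the port check, then the authenticated query; report the first failure."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:
        return f"port unreachable (check firewall): {exc}"
    req = urllib.request.Request(build_query_url(host, port, since_utc))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # assumption: HTTP Basic auth
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify(exc.code, "")
    except urllib.error.URLError as exc:
        return f"request failed: {exc.reason}"

if __name__ == "__main__":
    # Prints the same query URL shown on this page.
    print(build_query_url("192.0.2.1", 8003, "2017-10-15T15:00:00.00Z"))
```

Call diagnose() with the same address, port and account that the QRadar log source uses, so the result reflects what the QRadar product will see.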