The SAP Enterprise Threat Detection DSM relies on the default pattern names of alerts to
identify the events. Modifying the default patterns might result in events that appear as
"Unknown".
Procedure
- Verify that the SAP Enterprise Threat Detection server login credentials are valid by following these steps:
  - In a web browser, enter the IP address or domain name of your SAP Enterprise Threat Detection server. For example, http://192.0.2.1:8003.
  - Enter your user name and password.
- Query the SAP Enterprise Threat Detection server to verify that the QRadar® product can receive events. Use the following example as a starting point to create your query:

  <Server_URL>/sap/secmon/services/Alerts.xsjs?$query=AlertCreationTimestamp%20ge%20<Date>T15:00:00.00Z&$format=LEEF&$batchSize=10

  In the example, replace the following parameters with your own values:
  - <Server_URL>: The address of the SAP Enterprise Threat Detection server you are trying to access.
  - <Date>: The current day's date in the YYYY-MM-DD format. Choose a date where you know that events came in; for example, 2017-10-15.

  The resulting query might look like this example:

  http://192.0.2.1:8003/sap/secmon/services/Alerts.xsjs?$query=AlertCreationTimestamp%20ge%202017-10-15T15:00:00.00Z&$format=LEEF&$batchSize=10

  If a problem exists with the query, it's unlikely that the QRadar product can successfully connect with SAP Enterprise Threat Detection.
- Check that the server port is not blocked by a firewall.
  Tip: If the port is blocked, contact your security or network administrator to open the port.
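The three checks in this procedure can be run as one script from the host that must reach the server. This is an added example, not part of the original documentation; the function names and the use of HTTP Basic authentication are assumptions.

```python
import socket
import urllib.error
import urllib.request
from base64 import b64encode
from datetime import date
from urllib.parse import urlsplit

ALERTS_PATH = "/sap/secmon/services/Alerts.xsjs"  # path from the example query

def build_test_query(server_url, day, batch_size=10):
    """Fill <Server_URL> and <Date> (strict YYYY-MM-DD) into the test query."""
    if date.fromisoformat(day).isoformat() != day:
        raise ValueError(f"date must be YYYY-MM-DD, got {day!r}")
    return (f"{server_url.rstrip('/')}{ALERTS_PATH}"
            f"?$query=AlertCreationTimestamp%20ge%20{day}T15:00:00.00Z"
            f"&$format=LEEF&$batchSize={batch_size}")

def port_open(server_url, timeout=5.0):
    """TCP connect to the server port; False means blocked or unreachable."""
    parts = urlsplit(server_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(server_url, day, user, password):
    """Run the checks in order and name the first one that fails."""
    if not port_open(server_url):
        return "port blocked or server unreachable"
    request = urllib.request.Request(build_test_query(server_url, day))
    # Assumption: HTTP Basic auth. Over plain http:// this sends the
    # password in cleartext, so use an https:// URL where the server has one.
    token = b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            body = response.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return "credentials rejected"
        return f"query failed: HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        return f"connection failed: {err}"
    return "events returned" if "LEEF:" in body else "query ok, no LEEF events"
```

Call `diagnose("<Server_URL>", "<Date>", user, password)` with your own values; the returned string names the first check that failed.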