What is SAP SIEM?

SAP SIEM is the integration of SAP security audit logs and other relevant log sources into a security event management process.

How can I integrate my SAP systems with SIEM?

Enterprise Threat Monitor (ETM) allows managing and reviewing SAP security events as they happen. For more information, please visit https://www.enterprise-threat-monitor.com

ETM is validated by IBM for QRadar SAP integration and it is HP ArcSight certified for ArcSight connectivity to SAP. It also has a certified native app for Splunk.

SAP LogRhythm, SAP McAfee, SAP RSA Archer, SAP Alertlogic, SAP NetIQ Sentinel, SAP AlienVault, and SAP ServiceNow integration can be accomplished using Enterprise Threat Monitor in 3 easy steps.

You can download ETM from TryETM.com.

How does SAP SIEM integration work?

The real-time SAP threat detection using ETM works like this:

  1. The ETM application runs on an on-premise server, on Microsoft Azure cloud, or on the SAP Solution Manager and retrieves security-relevant events from the SAP systems using SAP’s RFC protocol or REST APIs. Events include SAP security logs, system logs, SAP change documents, transport records, user master data changes, SAP security configuration, ESNC’s fraud-related analysis results and many others.
  2. ETM correlates these events via user behavior analysis and its SAP-specific attack signatures, including zero-day SAP security vulnerabilities. The attack correlation engine is developed based on information from ESNC’s research and its collaboration with its top clients. It learns and adapts, eliminating the false positives. The result is a high-quality, accurate threat assessment.
  3. The corresponding events can be viewed on the ETM portal, sent by email, or forwarded to your SIEM infrastructure.

SAP SIEM Overview: