SAP QRadar Integration – Sending SAP Security Events to QRadar using Leef Format

SAP QRadar integration including sending realtime SAP security events to QRadar can be accomplished by Enterprise Threat Monitor in a couple of steps. ETM has over 300 SAP specific threat detection cases built-in, which includes 0-day SAP attack signatures, common attacks such using debugging on SAP to bypass authorizations, and compliance related issues such as SAP account sharing or download of customer master data.

For connecting QRadar with SAP security events, Enterprise Threat Monitor uses the native interfaces of SAP and it analyzes the realtime SAP security events using its correlation engine. ETM then uses machine learning to eliminate false positives and noise.

Further configuration of customer specific Z* or Y* tables, reports and SAP transactions can be easily accomplished in the Enterprise Threat Monitor customizations screen.

The result is high quality offense information in IBM QRadar Leef format, which is ready to be consumed by QRadar.

How to Connect SAP to QRadar - Short Video

About ETM QRadar App

ESNC provides the ETM QRadar App for viewing SAP specific offenses in IBM QRadar and for viewing the User Behavior Analytics (UBA) specific to SAP applications. IBM QRadar version 7.2.6 and above are supported.

SAP QRadar Integration with ETM

Please contact us to get the latest version of the Enterprise Threat Monitor QRadar app.

Use cases for SAP Security Monitoring with QRadar

Enterprise Threat Monitor has more than 300 high quality threat monitoring cases preconfigured. These threat detection cases are professionally maintained and regularly updated. The threat monitoring cases are automatically updated without requiring any manual intervention.

Some of the use cases are listed below:

  • SAP debugging is misused for bypassing transaction authorizations
  • An unauthorized user assigned a critical SAP role or profile to another user
  • A user downloaded customer master data or payroll list to its PC
  • Sharing of SAP user accounts
  • Failed logons of multiple SAP users originating from the same workstation
  • A production SAP system is opened to modifications
  • An HR terminated employee’s SAP user account is used for connecting to an SAP system

Integration works as the following:

  • Download Enterprise Threat Monitor:
  • Follow the steps for connecting your SAP systems:
  • Use built-in SIEM wizard to add your QRadar system.
  • Import ETM log source extension, install ETM QRadar App, and configure event properties, QID mappings, and QRadar specific settings using ETM’s step-by-step guide.
  • DONE!

Detailed Steps:

The detailed steps are explained in Enterprise Threat Monitor SAP Events Integration Guide for IBM QRadar. Please contact us for obtaining a copy of it.


Enterprise Threat Monitor for SAP is validated by IBM for integration with QRadar. More information can be found at: