SAP Splunk Integration – Viewing SAP Security Events on Splunk
SAP Splunk integration can be accomplished by Enterprise Threat Monitor in a couple of steps. In this case, Enterprise Threat Monitor connects to SAP systems and analyzes real-time security events using its correlation engine.
The results are high-quality events that are ready to be consumed by Splunk through the Splunk-certified Enterprise Threat Monitor Splunk App. ETM uses the HTTP event connector of Splunk and supports load balancing, exponential retry and high availability options.
Use cases for SAP Security Monitoring with Splunk
Enterprise Threat Monitor has more than 300 high-quality threat monitoring cases built in and preconfigured.
The use cases include:
- SAP debugging is misused for bypassing transaction authorizations
- An unauthorized user assigned a critical SAP role or profile to another user
- A user downloaded customer master data or a payroll list to their PC
- Sharing of SAP user accounts
- Failed logons of multiple SAP users originating from the same workstation
- A production SAP system is opened to modifications
- An HR-terminated employee’s SAP user account is used for connecting to an SAP system
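The use case "failed logons of multiple SAP users originating from the same workstation" is a sliding-window correlation over logon events. The Python below is an added example, not code from Enterprise Threat Monitor or its Splunk app; the event fields, sample records, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (time, terminal, user, outcome).
# The layout is an assumption for illustration, not an SAP or ETM schema.
EVENTS = [
    ("2024-05-06T09:00:05", "WS-0142", "JSMITH", "failed"),
    ("2024-05-06T09:00:40", "WS-0142", "MBROWN", "failed"),
    ("2024-05-06T09:01:10", "WS-0142", "KLEE", "failed"),
    ("2024-05-06T09:01:30", "WS-0142", "KLEE", "success"),
    # One user mistyping a password repeatedly: must not alert.
    ("2024-05-06T09:05:00", "WS-0077", "AWONG", "failed"),
    ("2024-05-06T09:05:20", "WS-0077", "AWONG", "failed"),
    ("2024-05-06T09:05:45", "WS-0077", "AWONG", "failed"),
    # Three users, but spread over 20 minutes: outside the default window.
    ("2024-05-06T10:00:00", "WS-0200", "PNOVAK", "failed"),
    ("2024-05-06T10:10:00", "WS-0200", "RDIAZ", "failed"),
    ("2024-05-06T10:20:00", "WS-0200", "TCHEN", "failed"),
]

def failed_logon_alerts(events, min_users=3, window=timedelta(minutes=5)):
    """Alert once per terminal when failed logons for at least min_users
    distinct accounts arrive from it within the time window."""
    recent = defaultdict(deque)  # terminal -> (time, user) of recent failures
    alerted = set()              # terminals already reported (simple dedup)
    alerts = []
    for stamp, terminal, user, outcome in sorted(events):
        if outcome != "failed":
            continue
        ts = datetime.fromisoformat(stamp)
        failures = recent[terminal]
        failures.append((ts, user))
        # Drop failures that have aged out of the window.
        while ts - failures[0][0] > window:
            failures.popleft()
        users = sorted({u for _, u in failures})
        if len(users) >= min_users and terminal not in alerted:
            alerted.add(terminal)
            alerts.append({
                "terminal": terminal,
                "users": users,
                "first": failures[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts

if __name__ == "__main__":
    for alert in failed_logon_alerts(EVENTS):
        print(alert)
```

Counting distinct accounts rather than raw failures is what separates this pattern from a single user retrying a forgotten password.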
SAP Splunk integration works as follows:
- Download Enterprise Threat Monitor
- Follow the steps for connecting your SAP systems
- Download and install the ETM Splunk app
- Use the built-in SIEM wizard to add your Splunk system and send test data
The detailed steps are explained in the Enterprise Threat Monitor SAP Events Integration Guide for Splunk Enterprise. Please contact us to obtain a copy.