SAP Splunk Integration – Viewing SAP Security Events on Splunk

SAP Splunk integration can be accomplished with Enterprise Threat Monitor in a couple of steps. Enterprise Threat Monitor connects to SAP systems and analyzes security events in real time using its correlation engine.

The results are high-quality events that are ready to be consumed by Splunk through the Splunk-certified Enterprise Threat Monitor Splunk App. ETM uses Splunk's HTTP Event Collector and supports load balancing, exponential retry and high availability options.

Use cases for SAP Security Monitoring with Splunk

Enterprise Threat Monitor has more than 300 high-quality threat monitoring cases built in and preconfigured.

The use cases include:

  • SAP debugging is misused for bypassing transaction authorizations
  • An unauthorized user assigned a critical SAP role or profile to another user
  • A user downloaded customer master data or a payroll list to their PC
  • Sharing of SAP user accounts
  • Failed logons of multiple SAP users originating from the same workstation
  • A production SAP system is opened to modifications
  • The SAP user account of an employee terminated by HR is used for connecting to an SAP system

SAP Splunk integration works as follows:

Detailed Steps:

The detailed steps are explained in the Enterprise Threat Monitor SAP Events Integration Guide for Splunk Enterprise. Please contact us to obtain a copy.