
External Systems Configuration Guide

SAP Enterprise Threat Detection (ETD)

Support Added: FortiSIEM 6.5.0

Vendor Version Tested: Not Provided

Vendor: SAP

Product: SAP Enterprise Threat Detection

Product Information: https://www.sap.com/products/enterprise-threat-detection.html

Configuration

To configure SAP Enterprise Threat Detection, take the following steps.

  1. Configure the FortiSIEM node with the HTTPS credential for receiving the HTTP(S) POST event by taking the following steps.

    1. Identify the FortiSIEM node receiving the events. Most likely, this will be the Collector.

    2. SSH to the Collector and run the following command.

      htpasswd -b /etc/httpd/accounts/passwds <user> '<password>'

      Note: If the password contains special characters, it is advisable to enclose the password in single quotes.

  2. Make sure the events are being pushed to the FortiSIEM node using the credentials in Step 1 via this REST API.

    https://<FSMNodeName>/rawupload?vendor=<vendor>&model=<model>&reptIp=<reptIp>&reptName=<reptHost>

    where FSMNodeName is the resolvable host name or FQDN in Step 1. The parameters Reporting Vendor (vendor), Reporting Model (model), Reporting Device (reptHost), and Reporting IP (reptIp) are needed to create a CMDB entry and populate events.

    Argument    Description
    vendor      The vendor of the product that the logs originated from.
    model       The model of the product that the logs originated from.
    reptIp      This is the reporting IP, or the source of the log. The value you specify here will populate the CMDB as a reporting device.
    reptName    This is the reporting device name, or the hostname of the device sending the logs.

    Note: If the Model contains whitespace, such as “Model 24”, you must correctly encode spaces and other special characters in the URL parameters.

    HTTP Method: POST

    HTTP Body: log in JSON format

    Sample Curl to Send a JSON File

    This example sends an SAP Enterprise Threat Detection log.

    curl -kv -u 'user:password' -d "@json_event.json" -X POST 'https://<FSMNodeName>/rawupload?vendor=SAP&model=ETD&reptIp=192.168.1.20&reptName=LogForwarder1'

    The above sends the JSON event stored in the file json_event.json to FortiSIEM. After FortiSIEM processes it, the resulting event should look like the following Log Format, with an added header attached.

    Log Format
    [PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=<vendor>,[reptModel]=<model>,[reptDevName]=<reptName>,[reptDevIpAddr]=<reptIp>,[json]=<JSON>

    Where <JSON> is the actual JSON log body posted to FortiSIEM.

  3. Query the events by using the Reporting Device Name or IP in Step 2 and Event Type, by taking the following steps.

    1. Go to the ANALYTICS tab.

    2. Run a query for the Reporting IP = ‘#.#.#.#’ for the last 10 minutes.

    3. Observe the raw event. It should be in the following format.

Sample Log

[PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=SAP,[reptModel]=ETD,[reptDevName]=sap.edt.device,[reptDevIpAddr]=192.0.2.0,[json]={ "alerts": [ { "Version": "1.0", "AlertCreationTimestamp": "2021-09-21T07:45:45.420Z", "AlertId": 812125, "AlertSeverity": "MEDIUM", "AlertStatus": "FORWARDED", "AlertSource": { "EventLogType": "SystemLog", "SystemIdActor": "System25" }, "AlertSystemIds": [ "System25" ], "HostNames": [ "lab1" ], "Category": "Log Failure", "PatternId": "624F0A8BB948854F997942AC0EDB2102", "PatternType": "FLAB", "PatternName": "Low Log Amount per system", "PatternNameSpace": "http://demo", "PatternDescription": "", "MinTimestamp": "2021-09-21T07:44:39.522Z", "MaxTimestamp": "2021-09-21T07:44:39.522Z", "Text": "Measurement 48 exceeded threshold 50 for ('Event, Log Type' = 'SystemLog' / 'System ID, Actor' = 'System25')", "Score": 50, "UiLink": "http://192.0.2.10:80/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=62037185B38D5449999D57F465F1BBF6", "TriggeringEvents": [ { "Id": "C60C48EF7B4E4D848F45F1904820C2CC", "Timestamp": "2021-09-21T07:44:39.522Z", "TechnicalLogEntryType": "SM21_D01", "TechnicalNumber": "481537", "TechnicalTimestampOfInsertion": "2021-09-21T07:44:40.681Z", "CorrelationId": "120CD18982991EEA9AB8F87143C8DE88", "CorrelationSubId": "00000000000000000000000000000000", "EventCode": "D01", "EventSemantic": "Executable, Run, Cancel", "EventLogType": "SystemLog", "EventMessage": "LMDB_UPLOAD_ERRORS 011", "EventSeverityCode": "50", "EventSourceId": "192.0.2.104", "EventSourceType": "IP Address", "GenericRiskLevel": "3", "NetworkHostnameActor": "test-1", "NetworkHostnameInitiator": "0.0.0.0", "NetworkHostnameReporter": "test-1", "NetworkIPAddressInitiator": "0.0.0.0", "ServiceExecutableName": "00016", "ServiceExecutableType": "B", "ServiceInstanceName": "lab1_BLK_00", "ServiceProgramName": "RLMDB_UPLOAD_BACKGROUND", "ServiceTransactionName": "S000", "SystemIdActor": 
"System25", "SystemGroupIdActor": "BLN", "SystemGroupIdInitiator": "BLN", "SystemGroupIdIntermediary": "BLN", "SystemIdReporter": "System25", "SystemGroupIdReporter": "BLN", "SystemGroupIdTarget": "BLN", "SystemTypeActor": "ABBA", "SystemGroupTypeActor": "SAP", "SystemGroupTypeInitiator": "SAP", "SystemGroupTypeIntermediary": "SAP", "SystemTypeReporter": "ABBA", "SystemGroupTypeReporter": "SAP", "SystemGroupTypeTarget": "SAP", "UsernameDomainNameActing": "System25", "UsernameDomainTypeActing": "ABBA", "UserPseudonymActing": "BLK_BTC_SMP", "EventName": "ExecutableRunCancel", "EventNamespace": "http://sap.com/secmon", "TechnicalTimestampInteger": "1632210279522" }, { "Id": "765451B9772A4FA580059A7BAD7D149C", "Timestamp": "2021-09-21T07:44:39.522Z", "TechnicalLogEntryType": "SM21_E0A", "TechnicalNumber": "481536", "TechnicalTimestampOfInsertion": "2021-09-21T07:44:40.681Z", "CorrelationId": "120CD18982991EEA9AB8F87143C8DE88", "CorrelationSubId": "00000000000000000000000000000000", "EventCode": "E0A", "EventLogType": "SystemLog", "EventMessage": "&aRLMDB_UPLOAD_DISPLAY_LOG&b00000000000011498140", "EventSeverityCode": "9", "EventSourceId": "192.168.30.104", "EventSourceType": "IP Address", "GenericRiskLevel": "0", "NetworkHostnameActor": "test-1", "NetworkHostnameInitiator": "0.0.0.0", "NetworkHostnameReporter": "test-1", "NetworkIPAddressInitiator": "0.0.0.0", "ServiceExecutableName": "00016", "ServiceExecutableType": "B", "ServiceInstanceName": "lab1_BLK_00", "ServiceProgramName": "RLMDB_UPLOAD_BACKGROUND", "ServiceTransactionName": "S000", "SystemIdActor": "System25", "SystemGroupIdActor": "BLN", "SystemGroupIdInitiator": "BLN", "SystemGroupIdIntermediary": "BLN", "SystemIdReporter": "System25", "SystemGroupIdReporter": "BLN", "SystemGroupIdTarget": "BLN", "SystemTypeActor": "ABBA", "SystemGroupTypeActor": "SAP", "SystemGroupTypeInitiator": "SAP", "SystemGroupTypeIntermediary": "SAP", "SystemTypeReporter": "ABBA", "SystemGroupTypeReporter": "SAP", 
"SystemGroupTypeTarget": "SAP", "UsernameDomainNameActing": "System25", "UsernameDomainTypeActing": "ABBA", "UserPseudonymActing": "BLK_BTC_SMP", "TechnicalTimestampInteger": "1632210279522" } ] } ] }

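The steps above, as an added Python example that is not part of the original guide: it builds the rawupload URL with percent-encoded parameters (the "Model 24" note) and parses a raw event in the Log Format shown above. The function names and the host fsm.example.com are hypothetical, and the sample event is constructed from the page's Sample Log.

```python
import json
import re
from urllib.parse import quote, urlencode

HEADER_TAG = "[PH_DEV_MON_CUSTOM_JSON]:"

# Constructed sample: the page's Sample Log cut down to a few fields.
SAMPLE = (
    "[PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=SAP,[reptModel]=ETD,"
    "[reptDevName]=sap.edt.device,[reptDevIpAddr]=192.0.2.0,"
    '[json]={ "alerts": [ { "AlertId": 812125, "AlertSeverity": "MEDIUM", '
    '"PatternName": "Low Log Amount per system", "TriggeringEvents": '
    '[ { "EventCode": "D01" }, { "EventCode": "E0A" } ] } ] }'
)

def build_rawupload_url(node, vendor, model, rept_ip, rept_name):
    """Return the rawupload URL with every query value percent-encoded."""
    params = {"vendor": vendor, "model": model,
              "reptIp": rept_ip, "reptName": rept_name}
    # quote_via=quote encodes a space as %20 instead of '+'.
    return f"https://{node}/rawupload?{urlencode(params, quote_via=quote)}"

def parse_raw_event(raw):
    """Split a raw event into (header dict, decoded JSON body)."""
    if not raw.startswith(HEADER_TAG):
        raise ValueError("not a PH_DEV_MON_CUSTOM_JSON event")
    # Cut at the first ',[json]=' so commas and brackets inside the JSON
    # body are never mistaken for header separators.
    head, mark, body = raw[len(HEADER_TAG):].partition(",[json]=")
    if not mark:
        raise ValueError("missing [json]= section")
    header = dict(re.findall(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)", head))
    return header, json.loads(body)

def summarize_alerts(raw):
    """Return one flat record per ETD alert carried in the raw event."""
    header, body = parse_raw_event(raw)
    return [{
        "reporter": header.get("reptDevIpAddr"),
        "alert_id": alert.get("AlertId"),
        "severity": alert.get("AlertSeverity"),
        "pattern": alert.get("PatternName"),
        "event_codes": [e.get("EventCode")
                        for e in alert.get("TriggeringEvents", [])],
    } for alert in body.get("alerts", [])]

if __name__ == "__main__":
    print(build_rawupload_url("fsm.example.com", "SAP", "Model 24",
                              "192.168.1.20", "LogForwarder1"))
    print(summarize_alerts(SAMPLE))
```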