SAP Enterprise Threat Detection

SAP Enterprise Threat Detection v1.1.0

About the connector

SAP Enterprise Threat Detection helps you to identify the real attacks as they are happening and analyze the threats quickly enough to neutralize them before the occurrence of any serious damage.

This document provides information about the SAP Enterprise Threat Detection connector, which facilitates automated interactions with the SAP Enterprise Threat Detection server using FortiSOAR™ playbooks. Add the SAP Enterprise Threat Detection connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts from SAP Enterprise Threat Detection.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from SAP Enterprise Threat Detection. Currently, "alerts" in SAP Enterprise Threat Detection are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.2.2-1098

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the SAP Enterprise Threat Detection connector in version 1.1.0:

  • Rebranded the SAP ETD connector to SAP Enterprise Threat Detection.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sap-etd

Prerequisites to configuring the connector

  • You must have the hostname of the SAP Enterprise Threat Detection server to which you will connect and perform automated operations, and the credentials (username-password pair) to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the SAP Enterprise Threat Detection server.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SAP Enterprise Threat Detection connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Server Address: The hostname of the SAP Enterprise Threat Detection server to which you will connect and perform the automated operations.
Username: Username to access the SAP Enterprise Threat Detection endpoint to which you will connect and perform the automated operations.
Password: Password to access the SAP Enterprise Threat Detection endpoint to which you will connect and perform the automated operations.
Port: Port number used to access the SAP Enterprise Threat Detection server to which you will connect and perform the automated operations. By default, this is set to 443.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Get Alerts: Retrieves alerts from SAP Enterprise Threat Detection in the JSON or LEEF format based on input parameters that you have specified. (Annotation: get_alert; Category: Investigation)

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Query: The query using which you want to retrieve alerts from SAP Enterprise Threat Detection. You can use the following parameters in this query: AlertId, which is a unique and increasing integer, and AlertCreationTimestamp, which is a timestamp in UTC. You can use the following operators in the query: "eq", "lt", "gt", "ge", or "le". The AlertId and AlertCreationTimestamp parameters can be combined using "and". For example: AlertId eq 20 and AlertCreationTimestamp ge 2015-11-22T22:00:00.00Z
Response Format: Select the format in which you want this operation to return its results. You can choose between JSON or LEEF.
Limit: The maximum number of results, per page, that this operation should return. By default, this is set to 50.
Pattern Filter: The ID of a pattern filter using which you want to retrieve alerts from SAP Enterprise Threat Detection. A pattern filter is a set of patterns for which alerts are pulled from SAP Enterprise Threat Detection. You can define a pattern filter on the Settings user interface accessed from the launchpad of SAP Enterprise Threat Detection.
Include Events: Select this option to include the triggering events in the operation's response. By default, it is cleared, i.e., triggering events are excluded from the operation's response.
Include TestAlerts: Select this option (default) to include alerts whose status is set as "TestResult" in the operation's response.
Auto Confirm: Select this option to confirm the successful retrieval of alerts from SAP Enterprise Threat Detection by changing the status of the retrieved alerts to "Forwarded".
Note: The status of alerts whose status is set as "Forwarded" cannot be changed any further.
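The query grammar above (AlertId and AlertCreationTimestamp, the five comparison operators, clauses joined with "and") is small enough to validate locally before a playbook sends it, and the same clauses can drive a checkpointed poll so that each scheduled pull only asks for alerts newer than the last one ingested. The following Python is an added example, not Fortinet's connector code or SAP's API: the parser implements the documented grammar, the alert dictionaries are constructed samples that reuse a few field names from the Output schema, and the way the "Pull Alerts Created in Last X Minutes" window is combined with the AlertId checkpoint is this example's own choice. Nothing here talks to a real server.

```python
"""Added example (not Fortinet's connector code or SAP's API): a checker for the
alert query syntax documented for the Get Alerts action, and a checkpointed poll
helper built on it. The alert dicts below are constructed samples using field
names from the Output schema; nothing here talks to a real server."""
import re
from datetime import datetime, timedelta, timezone

# Operators and fields exactly as the Query parameter documents them.
OPERATORS = {
    "eq": lambda a, b: a == b,
    "lt": lambda a, b: a < b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "le": lambda a, b: a <= b,
}
_CLAUSE = re.compile(r"^(AlertId|AlertCreationTimestamp)\s+(eq|lt|gt|ge|le)\s+(\S+)$")
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?Z$")


def parse_ts(value):
    """Parse the UTC timestamp form the page uses (e.g. 2015-11-22T22:00:00.00Z)."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"not a UTC timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0").ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_query(query):
    """Turn 'AlertId eq 20 and AlertCreationTimestamp ge 2015-...Z' into
    (field, operator, typed value) tuples; reject anything outside the
    documented grammar before it is sent to the server."""
    clauses = []
    for part in query.split(" and "):
        m = _CLAUSE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported query clause: {part.strip()!r}")
        field, op, raw = m.groups()
        value = int(raw) if field == "AlertId" else parse_ts(raw)
        clauses.append((field, op, value))
    return clauses


def matches(alert, clauses):
    """Evaluate parsed clauses against one alert (AlertId may arrive as a string)."""
    for field, op, value in clauses:
        if field == "AlertId":
            actual = int(alert["AlertId"])
        else:
            actual = parse_ts(alert["AlertCreationTimestamp"])
        if not OPERATORS[op](actual, value):
            return False
    return True


def next_poll_query(last_alert_id, minutes_back, now=None):
    """Query for the next scheduled pull: only alerts newer than the last one
    ingested (AlertId is unique and increasing) and no older than the
    'Pull Alerts Created in Last X Minutes' window (this combination is the
    example's own choice, not documented connector behaviour)."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(minutes=minutes_back)).strftime("%Y-%m-%dT%H:%M:%S.00Z")
    return f"AlertId gt {last_alert_id} and AlertCreationTimestamp ge {since}"


def select_for_ingestion(alerts, query, include_test_alerts=False):
    """Apply a query client-side, drop TestResult alerts unless Include TestAlerts
    is wanted, and return (alerts to ingest, highest AlertId seen) so the caller
    can persist the checkpoint. The checkpoint advances over matched test alerts
    too, so they are not fetched again on the next poll."""
    clauses = parse_query(query)
    matched = [a for a in alerts if matches(a, clauses)]
    chosen = [a for a in matched if include_test_alerts or a["AlertStatus"] != "TestResult"]
    newest = max((int(a["AlertId"]) for a in matched), default=None)
    return chosen, newest


def auto_confirm(alerts):
    """Mirror the Auto Confirm option: mark retrieved alerts Forwarded and return
    the ids actually changed; alerts already Forwarded are final and left alone."""
    changed = []
    for a in alerts:
        if a["AlertStatus"] != "Forwarded":
            a["AlertStatus"] = "Forwarded"
            changed.append(int(a["AlertId"]))
    return changed


# Constructed sample alerts (a subset of the Output schema fields).
SAMPLE_ALERTS = [
    {"AlertId": 18, "AlertCreationTimestamp": "2015-11-22T21:30:00.00Z", "AlertStatus": "Open", "AlertSeverity": "Medium"},
    {"AlertId": "20", "AlertCreationTimestamp": "2015-11-22T22:00:00.00Z", "AlertStatus": "Open", "AlertSeverity": "High"},
    {"AlertId": 21, "AlertCreationTimestamp": "2015-11-22T22:05:00.00Z", "AlertStatus": "TestResult", "AlertSeverity": "Low"},
    {"AlertId": 22, "AlertCreationTimestamp": "2015-11-22T22:10:00.00Z", "AlertStatus": "Forwarded", "AlertSeverity": "High"},
]

if __name__ == "__main__":
    print(parse_query("AlertId eq 20 and AlertCreationTimestamp ge 2015-11-22T22:00:00.00Z"))
    chosen, newest = select_for_ingestion(SAMPLE_ALERTS, "AlertId gt 18")
    print([a["AlertId"] for a in chosen], newest)
    print(next_poll_query(newest, 5))
```

Persisting the highest AlertId returned by select_for_ingestion and feeding it to next_poll_query on the following run keeps the Limit-sized pages from overlapping; the timestamp clause is only a safety bound so that a stale checkpoint cannot pull the whole alert history in one go.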

Output

The output contains the following populated JSON schema:
{
  "Version": "",
  "AlertCreationTimestamp": "",
  "AlertId": "",
  "AlertSeverity": "",
  "AlertStatus": "",
  "AlertSource": {
    "NetworkIPAddressInitiator": "",
    "ServiceFunctionName": "",
    "ServiceRequestLine": "",
    "SystemIdActor": ""
  },
  "AlertSystemIds": [],
  "HostNames": [],
  "Category": "",
  "PatternId": "",
  "PatternType": "",
  "PatternName": "",
  "PatternNameSpace": "",
  "PatternDescription": "",
  "MinTimestamp": "",
  "MaxTimestamp": "",
  "Text": "",
  "Score": "",
  "UiLink": "",
  "TriggeringEvents": [
    {
      "Id": "",
      "Timestamp": "",
      "TechnicalLogEntryType": "",
      "TechnicalNumber": "",
      "TechnicalTimestampOfInsertion": "",
      "CorrelationId": "",
      "CorrelationSubId": "",
      "EventCode": "",
      "EventSemantic": "",
      "EventLogType": "",
      "EventSourceId": "",
      "EventSourceType": "",
      "GenericOrder": "",
      "GenericScore": "",
      "GenericSessionId": "",
      "NetworkHostnameActor": "",
      "NetworkHostnameInitiator": "",
      "NetworkIPAddressInitiator": "",
      "NetworkPortActor": "",
      "NetworkPortInitiator": "",
      "NetworkPortIntermediary": "",
      "NetworkPortReporter": "",
      "NetworkPortTarget": "",
      "NetworkPortBeforeNATInitiator": "",
      "NetworkPortBeforeNATTarget": "",
      "ParameterValueNumber": "",
      "ParameterValueNumberContext": "",
      "ParameterValueNumberPriorValue": "",
      "ParameterValueDouble": "",
      "ParameterValueDoublePriorValue": "",
      "ResourceCount": "",
      "ResourceRequestSize": "",
      "ResourceResponseSize": "",
      "ResourceSize": "",
      "ResourceType": "",
      "ResourceSumOverTime": "",
      "ResourceUnitsOfMeasure": "",
      "ServiceType": "",
      "ServiceInstanceName": "",
      "ServiceProgramName": "",
      "SystemIdActor": "",
      "SystemGroupIdActor": "",
      "SystemGroupIdInitiator": "",
      "SystemGroupIdIntermediary": "",
      "SystemIdReporter": "",
      "SystemGroupIdReporter": "",
      "SystemGroupIdTarget": "",
      "SystemTypeActor": "",
      "SystemGroupTypeActor": "",
      "SystemGroupTypeInitiator": "",
      "SystemGroupTypeIntermediary": "",
      "SystemTypeReporter": "",
      "SystemGroupTypeReporter": "",
      "SystemGroupTypeTarget": "",
      "TimeDuration": "",
      "TimestampOfEnd": "",
      "TimestampOfStart": "",
      "UsernameDomainNameActing": "",
      "UsernameDomainTypeActing": "",
      "UserPseudonymActing": "",
      "EventName": "",
      "EventNamespace": "",
      "TechnicalTimestampInteger": ""
    }
  ]
}

Included playbooks

The Sample - SAP Enterprise Threat Detection - 1.0.0 playbook collection comes bundled with the SAP Enterprise Threat Detection connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SAP Enterprise Threat Detection connector.

  • Get Alerts
  • >> SAP > Create Record
  • > SAP > Fetch
  • >> SAP > Handle Macro
  • SAP > Ingest

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from SAP Enterprise Threat Detection. Currently, "alerts" ingested from SAP Enterprise Threat Detection are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming SAP Enterprise Threat Detection "alerts" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from SAP Enterprise Threat Detection into FortiSOAR™. It also lets you pull some sample data from SAP Enterprise Threat Detection using which you can define the mapping of data between SAP Enterprise Threat Detection and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the SAP Enterprise Threat Detection alert.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the SAP Enterprise Threat Detection connector’s "Configurations" page.
    Click Let’s Start by fetching some data to open the “Fetch Sample Data” screen:

    Sample data is required to create a field mapping between SAP Enterprise Threat Detection data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch SAP Enterprise Threat Detection data.
    You can type the query or ID of a pattern filter using which you want to retrieve alerts from SAP Enterprise Threat Detection in the Query and Pattern Filter fields respectively. Select the Include Events checkbox to include the triggering events in the response. In the Limit field, type the maximum number of alerts to be retrieved from SAP Enterprise Threat Detection; by default, this is set to 50. In the Pull Alerts Created in Last X Minutes field, type the time in minutes from when you want to pull alerts that were created in SAP Enterprise Threat Detection.

    The fetched data is used to create a mapping between the SAP Enterprise Threat Detection data and FortiSOAR™ alerts. Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of an SAP Enterprise Threat Detection alert to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the Category parameter of an SAP Enterprise Threat Detection alert to the Type parameter of a FortiSOAR™ alert, click the Type field and then click the Category field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to SAP Enterprise Threat Detection, so that the content gets pulled from the SAP Enterprise Threat Detection integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from SAP Enterprise Threat Detection every 5 minutes, click Every X Minute, and in the minute box enter */5. With this configuration, alerts will be pulled from SAP Enterprise Threat Detection every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion, and exit the Data Ingestion Wizard.
