Splunk® Security Add-on for SAP® solutions

User Guide

Install and configure the Splunk Security Add-on for SAP solutions

Use the add-on setup and configuration user interface to link to your SAP account and configure data collection. After completing the add-on installation requirements, perform these steps to install the Splunk Security Add-on for SAP® solutions.

Download the Splunk Security Add-on for SAP solutions

You must be a licensed Splunk Security for SAP® solutions customer to download the add-on.

  1. After you purchase Splunk Security for SAP solutions, log in to Splunk.com with your username and password.
  2. Download the latest version of the Splunk Security Add-on for SAP solutions from Splunkbase. You might have to wait up to a day after completing the purchase for the download option to become visible.
  3. Select Download and save the Splunk Security Add-on for SAP solutions product file to your desktop.
  4. Log in to the search head as an administrator.

Extract SAP Enterprise Threat Detection (ETD)

After downloading the add-on from Splunkbase, extract SAP ETD and the associated components.

  1. Extract the downloaded add-on package.
  2. Open the splunk_ta_sap_etd_alerts folder.
  3. The following components get extracted and are required to install SAP ETD software:
    • ETDContentPack.zip
    • HCOSECURITYMON06_0-70004491.ZIP
    • IMDB_SERVER20_067_0-80002046.SAR
  4. For instructions on installing SAP ETD in your environment, see https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION?version=2.4.0.0 on the SAP Help Portal.
  5. (Optional) To avoid pushing the ETD binaries to every one of your Splunk instances, repackage the technology add-on (TA) without the three ETD files. This does not change the functionality of the TA, but it saves space and time during installation. Keep the original download, because those files are still needed to install the SAP ETD software.
    Run the following from outside the app directory, that is, from the directory that contains the splunk_ta_sap_etd_alerts folder:
    tar --exclude='ETDContentPack.zip' \
        --exclude='HCOSECURITYMON06_0-70004491.ZIP' \
        --exclude='IMDB_SERVER20_067_0-80002046.SAR' \
        -zcvf splunk_ta_sap_etd_alerts_extracted-1.0.0.tar.gz splunk_ta_sap_etd_alerts
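
The repackaging step above, as an added example that is not part of the Splunk documentation: a shell script that runs the documented tar command from the parent of the app directory and then verifies the result, listing the archive to confirm that the three ETD binaries are gone and that the add-on's own files are still present. The app contents it creates (default/app.conf, bin/collector.py, 4 KB dummy stand-ins for the binaries) are constructed for the demo so it runs offline; only the three binary file names and the archive name come from the page.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: repackage the TA without
# the SAP ETD binaries, then verify the archive before distributing it.
# The app contents below (default/app.conf, bin/collector.py, 4 KB dummy
# stand-ins for the binaries) are constructed for the demo; only the three
# binary names and the archive name come from the documentation.
set -eu

TA=splunk_ta_sap_etd_alerts
OUT="${TA}_extracted-1.0.0.tar.gz"
ETD_BINARIES="ETDContentPack.zip HCOSECURITYMON06_0-70004491.ZIP IMDB_SERVER20_067_0-80002046.SAR"

# Build a stand-in for the extracted add-on under $1 so the script runs
# offline. In real use, skip this and point the functions at the directory
# that contains your extracted splunk_ta_sap_etd_alerts folder.
make_fixture() {
  parent=$1
  mkdir -p "$parent/$TA/default" "$parent/$TA/bin"
  printf '[ui]\nis_visible = 0\n' > "$parent/$TA/default/app.conf"
  : > "$parent/$TA/bin/collector.py"
  for f in $ETD_BINARIES; do
    head -c 4096 /dev/zero > "$parent/$TA/$f"   # dummy content, not the real binary
  done
}

# The documented tar command, run from the parent of the app directory ($1).
# Absolute paths are used so the archive lands in $1 regardless of tar flavour.
repackage() {
  parent=$(cd "$1" && pwd)
  tar -C "$parent" \
      --exclude='ETDContentPack.zip' \
      --exclude='HCOSECURITYMON06_0-70004491.ZIP' \
      --exclude='IMDB_SERVER20_067_0-80002046.SAR' \
      -zcf "$parent/$OUT" "$TA"
}

# Verify the archive in $1: fail if any ETD binary is still inside, or if the
# app's own files did not make it in. Returns 0 only when both checks pass.
verify_archive() {
  parent=$1
  listing=$(tar -tzf "$parent/$OUT")
  for f in $ETD_BINARIES; do
    if printf '%s\n' "$listing" | grep -qFx "$TA/$f"; then
      echo "ERROR: $f was not excluded from $OUT" >&2
      return 1
    fi
  done
  for f in default/app.conf bin/collector.py; do
    if ! printf '%s\n' "$listing" | grep -qFx "$TA/$f"; then
      echo "ERROR: $f is missing from $OUT" >&2
      return 1
    fi
  done
  echo "OK: $OUT has $(printf '%s\n' "$listing" | wc -l) entries and no ETD binaries"
}

# Demo run against a throwaway fixture.
work=$(mktemp -d)
make_fixture "$work"
repackage "$work"
verify_archive "$work"
ls -l "$work/$OUT"
```

Run verify_archive against the real repackaged archive before uploading it: a non-zero exit means either an exclude pattern did not match (the binary is still inside, and the upload will hit the default size limit) or the command was run from inside the app folder instead of its parent (the app's own files are missing).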

Installation steps

The installer detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.

Increase the Splunk Web upload limit to 5 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza (max_upload_size is in megabytes, splunkdConnectionTimeout in seconds):

[settings]
max_upload_size = 5000
splunkdConnectionTimeout = 300

This step is not required if you repackaged the TA without the ETD binaries.

After you create the file, follow these steps:

  1. Restart the Splunk software: on the toolbar, select Settings > Server controls, then select Restart Splunk.
  2. On the Splunk toolbar, select Apps > Manage Apps and select Install App from File.
  3. Select Choose File and select the Splunk Security Add-on for SAP solutions product file.
  4. Select Upload to begin the installation.
  5. Configure application privileges.
  6. Get SAP ETD data into the Splunk Security Add-on for SAP solutions.

Install the Splunk Security Add-on for SAP solutions on Splunk Cloud Platform

Follow these instructions to check if you have the Splunk Security Add-on for SAP solutions installed, to obtain the files you need, or to get assistance from support to install or upgrade the add-on. If you do not know whether you are on a managed or self-service Splunk Cloud Platform, see Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual.

  1. See if Splunk Security Add-on for SAP solutions appears in the app list on your Manage Apps page. The add-on folder name is splunk_ta_sap_etd_alerts and the version number is 1.0.0. Check the version number if the add-on appears in the list.
    If the add-on is turned off, select Enable under the Status column to turn it on.
  2. If you do not have the Splunk Security Add-on for SAP solutions installed, contact Splunk Support for entitlement and license assistance for the add-on.

Install on managed Splunk Cloud Platform

If the app is not installed or you have an older version of the app, contact Splunk Support for assistance. Support can install the correct version of the app and its dependencies, and assist you with any migration tasks necessary.

Configure application privileges

The Splunk Security Add-on for SAP solutions retrieves alerts generated by SAP Enterprise Threat Detection (ETD) software. SAP ETD detects potential attacks on SAP systems at the application level by gathering and analyzing log data.

The add-on depends on data collected by the SAP ETD API. You must install and configure the add-on to pull alerts from the ETD platform into your Splunk platform.

To use SAP Enterprise Threat Detection Streaming, you must fulfill some prerequisites on the SAP ETD side. The client calling the API must have the following application privileges. Grant them to a dedicated technical user for the add-on rather than reusing an administrator account, so the Splunk integration holds only what it needs:

  • sap.secmon::Execute
  • sap.secmon.ui::Execute
  • sap.secmon::AlertRead
  • sap.secmon::NormalizedLogRead

If you need to see real user identities when pulling alerts, the client must also have the sap.secmon::ResolveUserOnAlertService application privilege. Otherwise, you see only user pseudonyms.

Last modified on 05 May, 2023

This documentation applies to the following versions of Splunk® Security Add-on for SAP® solutions: 1.0.0

