Splunk® Security Add-on for SAP® solutions

User Guide

Configure correlation searches in the Splunk Security Add-on for SAP solutions

The Splunk Security Add-on for SAP® solutions ships with three configured correlation searches that help you detect suspicious events based on certain SAP ETD alert categories and generate a notable event.

The correlation searches are turned off by default and must be turned on by the user. To turn on the correlation searches, follow these steps:

  1. Select Settings.
  2. Under Knowledge, choose Searches, reports, and alerts.
  3. Filter the page by app. From the app menu choose Splunk Security Add-on for SAP solutions (splunk_ta_sap_etd_alerts).
  4. For each of the listed searches, choose the Edit action and select Enable.
    (Screenshot: the Searches, reports, and alerts page filtered to the Splunk Security Add-on for SAP solutions, listing the three searches; in the Actions column, the Edit menu is open and Enable is selected.)
  5. On the resulting modal window, confirm the status change by selecting Enable again.
    (Screenshot: the confirmation modal for enabling the correlation search, offering Cancel or Enable, with Enable highlighted.)
  6. The search status is now updated.
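The same status change can be scripted against the Splunk management port (default 8089) instead of clicked through the UI, which is useful when standing up several search heads. This is an added example, not part of the Splunk documentation or the add-on; it uses the standard saved-search `enable` REST endpoint and assumes a placeholder base URL and bearer token supplied through `SPLUNK_URL` and `SPLUNK_TOKEN`.

```python
"""Enable the add-on's three correlation searches over the Splunk REST API.

Added example (not Splunk's code). SPLUNK_URL and SPLUNK_TOKEN are
placeholders for your own management URL and authentication token.
"""
import os
import ssl
import urllib.parse
import urllib.request

APP = "splunk_ta_sap_etd_alerts"  # app id named in the documentation
SEARCHES = [
    "Access - ETD - Sensitive Data Download via Blocklisted Reports - Rule",
    "Identity - ETD - Suspicious Logon - Rule",
    "Threat - ETD - Access to critical resource - Rule",
]


def enable_endpoint(base_url, name, app=APP, owner="nobody"):
    """Build .../saved/searches/{name}/enable; the search name must be percent-encoded."""
    encoded = urllib.parse.quote(name, safe="")
    return f"{base_url.rstrip('/')}/servicesNS/{owner}/{app}/saved/searches/{encoded}/enable"


def enable_search(base_url, token, name, verify_tls=True):
    """POST to the enable endpoint and return the HTTP status code (200 on success)."""
    req = urllib.request.Request(enable_endpoint(base_url, name), data=b"", method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances that still use the self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


def enable_all(base_url, token, verify_tls=True):
    """Enable every correlation search shipped with the add-on; returns name -> status."""
    return {name: enable_search(base_url, token, name, verify_tls) for name in SEARCHES}


if __name__ == "__main__":
    url = os.environ.get("SPLUNK_URL", "https://splunk.example.invalid:8089")  # placeholder
    tok = os.environ.get("SPLUNK_TOKEN", "REPLACE_ME")                          # placeholder
    for search_name, status in enable_all(url, tok).items():
        print(status, search_name)
```

The role behind the token needs write access to the add-on's saved searches; after the run, the Searches, reports, and alerts page shows the three searches as enabled, just as in step 6.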

For more information on correlation searches and how to use them, see Correlation search overview for Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Available correlation searches

The following table lists the correlation searches that come configured with Splunk Security Add-on for SAP solutions:

Access - ETD - Sensitive Data Download via Blocklisted Reports - Rule
  Description: Security audit log indicates a data download using a blocklisted ABAP report.
  ETD patterns: Sensitive Data Download via Blocklisted Reports
  Log type: Security Audit Log

Identity - ETD - Suspicious Logon - Rule
  Description: Logon attempts using forbidden channels or methods.
  ETD patterns: Logon with SAP standard users; Logon through forbidden logon method (Password); Logon of blocklisted users; Logon success same user from different Terminal IDs; Logon to client 066
  Log type: Multiple

Threat - ETD - Access to critical resource - Rule
  Description: Attempt to gain access to a critical resource through a blocklisted ABAP function module, a blocklisted report or transaction, or a URL path.
  ETD patterns: Blocklisted function modules in productive systems; Blocklisted ABAP HTTP URL paths; Blocklisted reports in productive system; Blocklisted transaction in productive systems; Suspicious Activity in Client 066
  Log type: Security Audit Log
Last modified on 26 April, 2023

This documentation applies to the following versions of Splunk® Security Add-on for SAP® solutions: 1.0.0