Splunk® Security App for SAP® solutions

User Guide

Dashboards included with the Splunk Security App for SAP solutions

The Splunk Security App for SAP® solutions offers an Overview dashboard and additional dashboard panels to further examine your data and results.

Overview dashboard

The Overview dashboard consists of the most common searches for SAP Enterprise Threat Detection (ETD) data. You can filter this dashboard by time range and category.

For the best performance of panels and charts, accelerate the alerts data model. To learn more, see Accelerate data models in the Splunk Enterprise Knowledge Manager Manual.

See the following table for descriptions of each panel of the Overview dashboard:

Panel name: Description
Alerts by Category: Bar chart showing alerts by category and pattern name over time. You can drill down into pages within the Categories tab if categories are present, or drill down into searches from this dashboard. You can filter for alerts that have a dedicated dashboard assigned to them; those alerts are marked with an asterisk ( * ).
Alerts count by Score: Bar chart of the count of alerts by score (0 to 100) over time.
Alert count trends by Severity: Trend of alerts by severity (High, Medium, Low) over time.
Alerts by Actors: Pie chart of alerts by signature and source. You can drill down into alert details for each host name.
Geolocation of Triggered Events by Network IP Address Initiator: World map of host names and IPs that triggered alerts.
Alerts Pareto chart trend: Count of patterns in descending order with an overlay of the cumulative percentage of all alerts. You can drill down into alert details for each pattern name.

The Splunk Security App for SAP solutions includes additional dashboard panels that are available on the Overview tab. You can filter each dashboard by time range and other filtering criteria.

The app includes the dashboards listed in the navigation paths in the following section.

Access the dashboards

  1. From the Apps menu, open the Splunk Security App for SAP solutions.
  2. Select the Categories tab.
  3. From the Categories drop-down list, follow one of these paths to navigate to your preferred dashboard:
    1. Categories > Access to critical resource > Blocklisted ABAP HTTP URL paths
    2. Categories > Access to critical resource > Blocklisted function modules in productive systems
    3. Categories > Authorization Critical Assignment > Critical authorization assignment
    4. Categories > Cross Communication > Calls between a non productive and a productive system
    5. Categories > Suspicious Logon > Logon success same user from different Terminal IDs
    6. Categories > User Types > User morphing by changing user type and logon

Blocklisted ABAP HTTP URL paths dashboard

Use this dashboard to examine when a system has called a blocklisted HTTP URL path. You can further filter dashboard results using the Time Picker, Correlation ID, and Actor fields.

The dashboard includes the following dashboard panels:

Panel name: Description
Accessed Paths by Actor: The HTTP path accessed by the actor in question, presented in an interactive Sankey diagram that displays the many-to-many relations between actors and HTTP paths.
Alert Timeline: When you filter the dashboard by Correlation ID, this panel displays a timechart, spanning 1 hour, of the count of correlation ID occurrences over time.
Details for Correlation ID: For the Correlation ID selected in the filter, this panel displays a table of the Actor, Service Instance, Event Name, Protocol, HTTP Path, HTTP Method, HTTP Port, and HTTP Response for the selected time range.

Blocklisted function modules in productive systems dashboard

You can further filter dashboard results using the Time Picker and Correlation ID fields.

The dashboard includes the following dashboard panels:

Panel name: Description
Alert Timeline: When you filter the dashboard by Correlation ID, this panel displays a timechart, spanning 1 hour, of the count of correlation ID occurrences over time.
Details for Correlation ID: For the Correlation ID selected in the filter, this panel displays a table of the Source, Correlation ID, Event Semantic, Function Name, Actor IP, Initiator Hostname, Initiator IP, and Different Initiator for the selected time range.
Function used by Actor: The function module run by the actor in question, presented in an interactive Sankey diagram that displays the many-to-many relations between actors and the function modules called.

Calls between a non-productive and productive system dashboard

Use this dashboard to examine when a non-productive system calls a productive system. You can further filter dashboard results using the Time Picker and Correlation ID fields.

The dashboard includes the following dashboard panels:

Panel name: Description
Alerts by Correlation ID: When you filter the dashboard by Correlation ID, this panel displays a statistical table of Source, Correlation ID, Event Semantic, Actor IP, Initiator Hostname, Initiator IP, and Different Initiator over the selected time range. When the same alerts occur within the selected time frame, they are grouped together with the timestamp of each occurrence.
Geo Location by Network HostName Initiator IP Address: When you filter the dashboard by Correlation ID, this panel displays a geostatistical analysis of the count by network IP address initiator.

Critical authorization assignment dashboard

Use this dashboard to examine the alerts generated when a user is assigned critical profiles such as SAP_ALL or SAP_NEW. You can further filter dashboard results using the Time Picker and User Pseudonym fields.

The User Pseudonyms drop-down menu is populated based on the selected User Account.

The dashboard includes the following dashboard panel:

Panel name: Description
Alert by Targeted User Pseudonym: When you filter the dashboard by User Pseudonym, this panel displays a statistical table of Actor, User Pseudonym Targeted, User Pseudonym Acting, Event Log Type, Event Semantic, and Generic Action over the selected time range. When the same alerts occur within the selected time frame, they are grouped together with the timestamp of each occurrence.

Logon success same user from different Terminal IDs dashboard

Use this dashboard to track a user's logons from different terminal IDs. You can further filter dashboard results using the Time Picker, User Account, User Pseudonym, and Actor fields. A value of Null or None means that the alert was triggered but the User Account or User Pseudonym value is missing from the event.

The User Pseudonyms drop-down menu is populated based on the selected User Account.

The dashboard includes the following dashboard panels:

Panel name: Description
Alert by Targeted User Pseudonym by Actors over time: This panel displays a timechart of alerts for all user logons from different Terminal IDs over time. If the same alerts occur within the selected time frame, they are grouped together with the timestamp of each occurrence.
Targeted User Details: More details on the user logon events from different Terminal IDs. The panel displays a statistical table of the Targeted User Account Name/Pseudonym, System ID Actor, Event Source ID, Event Semantic, Terminal ID, and Service Name.
Geo Location by Terminal ID: World map of terminal ID locations and counts.

User morphing by changing user type and logon dashboard

Use this dashboard to track when a user's type changes from a non-dialog user to a dialog user and that changed user logs on within 1 week of the change. You can further filter dashboard results using the Time Picker, User Account, and User Pseudonym fields.

The User Pseudonyms drop-down menu is populated based on the selected User Account.

The dashboard includes the following dashboard panels:

Panel name: Description
Alert by Targeted User Pseudonym: This panel displays a statistical table of Event Source Id, Event Semantic, Actor System Id, Targeted User, Network Host Initiator, and Network IP Initiator over the selected time range. When the same alerts occur within the selected time frame, they are grouped together with the timestamp of each occurrence.
Event Details by Targeted User Pseudonym: When you filter the dashboard by either User Account or User Pseudonym, this panel displays a statistical table of Event Code, Event Log Type, Event Semantic, Generic Action, Targeted User details, and Timestamp over the selected time range.
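The detection condition behind this dashboard (a non-dialog to dialog user-type change followed by a logon of the same account within 1 week) written out as a small correlation routine over constructed sample events. This is an added example, not code from the Splunk app or SAP ETD; the event records, field names (time, event, user, old_type, new_type, terminal) and the USER_TYPE_CHANGE / LOGON_SUCCESS labels are assumptions made for illustration.

```python
"""Added example: correlate a user-type change with a later logon.
Implements the condition behind the 'User morphing by changing user type and
logon' dashboard (non-dialog -> dialog type change, then a logon of the same
account within one week). Event records and field names are constructed for
illustration and are not the app's or SAP ETD's own schema."""
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # "logs on within 1 week" from the page

# Constructed sample events (ISO 8601 timestamps).
EVENTS = [
    {"time": "2023-03-01T08:00:00", "event": "USER_TYPE_CHANGE",
     "user": "RFC_BATCH01", "old_type": "SYSTEM", "new_type": "DIALOG"},
    {"time": "2023-03-03T09:15:00", "event": "LOGON_SUCCESS",
     "user": "RFC_BATCH01", "terminal": "WS-0417"},  # 2 days later: alert
    {"time": "2023-03-01T10:00:00", "event": "USER_TYPE_CHANGE",
     "user": "IF_COMM02", "old_type": "COMMUNICATION", "new_type": "DIALOG"},
    {"time": "2023-03-12T07:30:00", "event": "LOGON_SUCCESS",
     "user": "IF_COMM02", "terminal": "WS-0099"},  # >1 week later: no alert
    {"time": "2023-03-02T11:00:00", "event": "USER_TYPE_CHANGE",
     "user": "JDOE", "old_type": "DIALOG", "new_type": "DIALOG"},  # not morphing
    {"time": "2023-03-02T11:05:00", "event": "LOGON_SUCCESS",
     "user": "JDOE", "terminal": "WS-0001"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_user_morphing(events, window=WINDOW):
    """Return one alert per non-dialog -> dialog type change that is followed
    by a logon of the same user within `window`. Every matching logon is kept,
    so repeated occurrences are grouped with their timestamps as the dashboard
    groups identical alerts."""
    changes = [e for e in events if e["event"] == "USER_TYPE_CHANGE"
               and e["old_type"] != "DIALOG" and e["new_type"] == "DIALOG"]
    logons = sorted((e for e in events if e["event"] == "LOGON_SUCCESS"), key=_ts)
    alerts = []
    for change in changes:
        start = _ts(change)
        hits = [l for l in logons if l["user"] == change["user"]
                and start <= _ts(l) <= start + window]
        if hits:
            alerts.append({"user": change["user"], "changed_at": change["time"],
                           "from_type": change["old_type"],
                           "logons": [(h["time"], h["terminal"]) for h in hits]})
    return alerts
```

Widening the window (for example to two weeks) also surfaces the IF_COMM02 account, which shows how the 1-week boundary decides what the dashboard counts as morphing.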
Last modified on 14 April, 2023

This documentation applies to the following versions of Splunk® Security App for SAP® solutions: 1.0.0
