As more organizations are moving towards a centralized way of Security Monitoring via SIEM solutions, functionality has been added to Protect4S VM to send relevant SAP Security Scan output directly into your SIEM provider of choice. This allows customers to feed SAP specific Security events into SIEM solutions for actionable insight and faster response to SAP threats.
Example for Splunk:
Splunk data supplied by Protect4S
In the Application Settings enable SIEM by selecting: the desired output format (CEF or LEEF), the desired directory path from which the files can be picked up by SIEM. Optionally, you can also add a desired prefix for the generated files:\
Selecting output format and location in SIEM settings
In the Project Configuration, for every relevant Scan, set the "Export to SIEM" flag and also select the appropriate Risk value (for example High for SAP production systems).
Note: For the chosen Risk value goes: Only failed checks with that Risk value or higher are forwarded to the SIEM solution. If you set this value to NONE; All output is forwarded, also the PASSED checks. After completing these 2 steps, the Protect4S VM setup for SIEM is completed, in addition the SIEM solution must be adapted to pick up the generated files from the Output Directory patch configured in Step 1.
Activating SIEM output for a Scan