IBM Security QRadar suite is a Security Information and Event Management (SIEM) solution that generates prioritised, high-fidelity alerts in real time by correlating analytics, threat intelligence, and network and user behaviour anomalies to assist security analysts in remaining focused on investigating and remediating the appropriate threats.

SAP Business Technology Platform (BTP) is a comprehensive technical platform provided by SAP which offers a set of tools, services, and technologies to aid in the creation, integration, and operation of cloud-based applications and services. SAP BTP provides a wide range of capabilities that enable enterprises to create, expand, and integrate flexible and scalable applications.

Objectives of learning

This article will walk you through the process of integrating SAP BTP application logs with the QRadar SIEM solution. This integration is designed to improve your ability to detect and mitigate potential vulnerabilities within the SAP BTP application environment.

The high-level overview of this configuration:

1. Configure the SAP BTP application to generate the audit logs using Audit log viewer.
2. Create a log source in QRadar SIEM to pull the generated logs from the SAP BTP application endpoint using the Universal Cloud REST API
3. Create a custom DSM to convert SAP BTP raw logs to QRadar-friendly events.

Prerequisites

Before you integrate SAP BTP application logs with QRadar, ensure you have the following prerequisites:

• SAP BTP with Audit log viewer access
• IBM Security QRadar SIEM

Steps

Step 1: Configure the SAP BTP application to generate the audit logs

The SAP Audit Log service is a platform service that keeps all audit logs created by other platform services on your behalf. It allows you to access your subaccount’s audit logs using the audit log retrieval API or view them using the Audit Log Viewer.

In this case, we used the audit log retrieval API and SAP’s official documentation to get audit logs from the SAP BTP Cloud Foundry environment subaccount. This API gives audit log results in the form of a comprehensive collection of JSON entities in a seamless manner.

First login into SAP BTP account and navigate to “Instances and Subscriptions” under “Services” as suggested below.

Select the “Authorization and Trust Management Service” and click on “View” under “…” button as highlighted below. In case, the service key is not available, click on “Create” under “Service Keys” section to get the details.

The service key will be displayed as below which needs to be downloaded.

Download JSON file by clicking on “Download” button and parameters from this output will be used for:

• OAuth Access Token and getting the audit logs
• Creating the workflow and workflow parameter values while configuring the QRadar log source

Note: The key parameters you require from the previous output message are listed below. The values for these parameters will vary for each individual user. Sample values are included here to help you recognize your own values.

Step 2: Create a log source in QRadar SIEM using Universal Cloud REST API

1. Log in to QRadar. On the Admin tab, click Log Source Management.
2. Click Create New Log Source.
3. For Log Source Type, select Universal DSM, and then click Step 2: Select Protocol Type.
4. For Protocol Type, select Universal Cloud REST API Protocol, and then click Step 3: Configure Log Source Parameters.
5. In the “Configure the Log Source parameters” window, enter a name and description for your log source. Leave all other fields with their default settings. (Note: You can click Show More to understand the fields or make adjustments, but no further updates are required for this tutorial.) Click Step 4: Configure Protocol Parameters.
6. In the Log Source Identifier field, type a name for your log source. You can use any valid value and you do not need to reference a specific server.
7. In the Workflow field, add an XML document that defines how the protocol instance collects events from the target API, similar to the following sample workflow:
8. In the Workflow Parameter Values field, add an XML document that contains the parameter values used directly by the workflow, similar to the following sample:
9. Enable or disable Allow Untrusted Certificates, depending on the availability of a Trusted Signer certificate or a self-signed certificate.
10. Set Use Proxy if the API is accessed using a proxy.
11. In the Recurrence field, specify how often the log collects data.
12. In the EPS Throttle field, specify a value to limit the maximum number of events per second.
13. Click Step 5: Test Protocol Parameters so you can test your source configuration to ensure that your parameters are correct.
14. On the “Test Protocol Parameters” window, click Start Test.
15. If your configuration is correct, you’ll see output similar to the image below. Click Save.
16. In the menu bar, click Admin and then click Deploy Changes.

Step 3: Create a custom Device Support Module (DSM)

You will now create a custom DSM to convert SAP BTP raw logs to QRadar-friendly events.

The next steps are based on the following sample log:

{“uuid”:”e7198a67-cb37-47ca-abf1-3dba2f2bfabd”,”user”:”sb-40efab32-b4ce-421c-b3d9-5021d968d8ac!b14882|auditlog-management!b18″,”time”:”2023-07-04T08:03:09.703Z”,”object”:{“type”:”data read event”,”id”:{“tenant_id”:”2639b500-b753-491d-ba00-6ddb0421a01c”}},”data_subject”:{“type”:”account”,”role”:”account”,”id”:{“id”:”sb-40efab32-b4ce-421c-b3d9-5021d968d8ac!b14882|auditlog-management!b18″}},”data_subjects”:[],”attributes”:[{“name”:”data read event”,”successful”:true}],”attachments”:[],”id”:”5be03220-4324-4e9b-82c0-b323c7f903b8″,”category”:”audit.data-access”,”tenant”:”2639b500-b753-491d-ba00-6ddb0421a01c”,”customDetails”:{}}

Show more

1. On the Log Activity tab, select the appropriate event.
2. Click Actions > DSM Editor.
3. In the Log Source Type window, click Change.
4. In the Select Log Source Type dialog, click Create New to create a new log source type for this event.
5. In the Select Log Source Type dialog, type a name for your new Log Source Type, click Save, and then click Select to access that type.
6. Click the Configuration tab and then in the Property Autodetection Configuration section, click the Enable Property Autodetection button.
7. Ensure that the Property Detection Format is JSON. Because our raw log is in JSON format, you can efficiently map the majority of fields without the need for manual parsing.
8. To map the Event ID, click the Properties tab. In the field, type Event ID and then select the Override system behavior checkbox.
9. In the Expressions panel, in the Expression Type menu, select JSON.
10. In the Expression field, type /”object”/”type” and click OK.
11. Follow the same steps to set the Event Category. In the first Properties field, type Event Category. Select the Override system behavior checkbox.
12. In the Expressions panel, in the Expression Type menu, select JSON.
13. In the Expression field, type /”category” and click OK.The status has now changed to Parsed but NOT mapped. Next, you’ll complete the mapping.

Mapping the event

1. Click the Event Mappings and then click the “+” button. In the “Create a new Event Mapping” dialog, the Event ID and Event Category details are displayed.
2. Click Choose QID. In the QID Records dialog, click Create New QID Record.
3. Enter the details for your new QID Record. Use the following screen as an example.
4. Click Save and then click OK. The “Create a new Event Mapping” dialog displays.
5. In the “Create a new Event Mapping” dialog, click Create.
6. The status has now changed to “Parsed and Mapped“. Click Save. All future events will be meticulously parsed and accurately mapped from this point on.

Log Activities in SAP BTP

Login into SAP BTP with your user-id and password. Once you are navigated to SAP BTP Cockpit as below:

Navigate to “Security” section on the left side panel and select “Role collection” where the change is required.

Select “Kyma” role from the role collection and click on “Edit” to remove one of the user from the users.

Click on delete button as highlighted below:

Confirm the deletion as we want to remove the user from this role collection and click on “Save”.

Click on “Audit log viewer” from the “Instances and Subscriptions” under “Services” section on the left hand side of the panel.

We’ll find the relevant log from “Auditlog Viewer 1.0”

The log details will be displayed as below:

Open IBM QRadar and navigate to respective log source. You will find the offense generated by IBM QRadar. In this case, it is “User Role Deleted by SAP Admin” and you will find more details once you double click on it.

Summary

Hence, integrating SAP BTP application audit logs with IBM QRadar SIEM provides a quick and effective way to improve cybersecurity. This integration takes advantage of both systems’ capabilities and creates a more robust environment for detecting and mitigating potential security threats.

Credit: Tushar Trivedi, Ankit Guria and IBM Security QRadar team.