The Splunk App for the Cybersecurity Extension for SAP (CES) enables security operations teams to monitor, investigate, and respond to SAP security threats directly within Splunk. Integrating SAP security logs with Splunk is challenging due to the complexity of multiple SAP log sources, inconsistent log formats, high raw data volumes, and the lack of predefined SAP-specific detection rules in Splunk. The CES Splunk app addresses these challenges by providing a purpose-built integration that filters, normalises, enriches, and forwards SAP security events to Splunk in real time.
The app provides preconfigured dashboards covering three security domains: Alerts, Vulnerabilities, and Security Notes. Alerts are based on more than 1,200 out-of-the-box threat detection patterns applied by CES across SAP systems. Vulnerabilities represent system and user-related security weaknesses detected by CES through daily automated scans using a library of 3,000+ SAP-related checks. Security Notes track relevant, unapplied SAP security patches and their implementation status across systems.
Status changes for alerts, vulnerabilities, and security notes are synchronised between CES and Splunk at configurable intervals, ensuring results remain current. Results can be filtered by date, time, system, environment, priority, and status. The app supports deployment via Splunk Universal Forwarder or Syslog and is compatible with Splunk Enterprise and Splunk Cloud.
Categories
Security, Fraud & Compliance, SIEM