Reference Architecture for Log Driven Security Operations (SAP ETD, FortiSIEM & FortiSOAR) #759
Conversation
Preview website is available here. |
SAP employees are expected to use their SAP-email address for commits related to their work. Our compliance check has detected usage of an email other than a SAP one by a SAP employee. Please update your pull request accordingly. If you think this is wrong or need any assistance, please contact [email protected].
guilherme-segantini
left a comment
Thanks for your collaboration.
Overall, this is a solid RA. It’s a positive step for the architect community.
The value prop is clear: SAP ETD is excellent at deep, SAP-specific detection, but it’s not designed to look at the rest of the world—firewalls, endpoints, network traffic, AD, etc. If you want to correlate SAP events with infrastructure-wide data, you need a SIEM to aggregate it and a SOAR to handle the ops. That’s exactly where the integration fits in.
That said, I have a few specific requests to improve the positioning:
Vendor Neutrality: Please rewrite the content to be vendor-neutral throughout. The text should describe the synergy of integrating ETD with a generic SIEM/SOAR, using FortiSIEM and FortiSOAR strictly as the vendor-specific examples for this iteration. We want to avoid locking the concepts down to one vendor.
"Umbrella" Approach: Ideally, we want this to be an umbrella RA for "SIEM/SOAR with ETD." Fortinet is the first mover here, but we’ll eventually add others (like Microsoft Sentinel). Writing it this way keeps the guidance relevant for all our architects, regardless of their stack.
Line 39: Let's change the phrasing "must be combined" to "can be integrated." Saying "must" is too prescriptive and accidentally downplays SAP ETD’s value as a standalone solution.
Architecture Diagram: It's clear and transmits the key integration points perfectly. No changes needed there.
Once these changes are applied, we'll be glad to review again.
Thanks again.
Thank you for your detailed feedback - much appreciated! I have reworked the content to be more vendor-neutral and highlighted that it is built based on vendor products as an example. Let me know what you think. Would love to hear your thoughts.
Hey @guilherme-segantini, please let me know once the content review is done. I've marked it as Draft but you can switch back to Ready for review (please add the corresponding label when ready). Thanks!
…center into etd-fortisiem merge online updates
jmsrpp
left a comment
Thanks @randomstr1ng and @guilherme-segantini for making the relevant updates. This is approved!
@cernus76 I have reviewed and approved. This is good to go from our POV.
The review has been approved
What reference architecture does this PR apply to?
This PR relates to the Log Driven Security Operations reference architecture. It adds a concrete example showing how SAP Enterprise Threat Detection can be combined with SIEM and SOAR solutions, using FortiSIEM and FortiSOAR, to support centralized monitoring, correlation, and automated incident response in SAP environments.
Who should review your contribution? (Use @mention)
@jmsrpp
Checklist before submitting