Onapsis

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Onapsis logs

✅

✅

onapsis_logs

NDJSON

S3


Overview

Onapsis is a cybersecurity platform that specializes in protecting business-critical applications such as SAP and Oracle. It provides continuous monitoring, vulnerability management, compliance auditing, and threat detection for ERP systems that are often the backbone of enterprise operations. By delivering deep, application-specific insights, Onapsis helps organizations secure complex environments against cyber threats, misconfigurations, and unauthorized access—whether these systems are deployed on-premises, in the cloud, or in hybrid setups.

Supported data types

Onapsis logs

Table name: onapsis_logs

Onapsis logs capture security-relevant events, system activity, and threat intelligence related to business-critical applications like SAP and Oracle. These logs provide detailed insights into vulnerabilities, misconfigurations, unauthorized access attempts, and compliance issues. Typically generated by Onapsis sensors deployed on-premises, the logs can be forwarded to SIEMs or storage systems like Amazon S3 for centralized analysis, alerting, and long-term retention, enabling security teams to proactively defend high-value ERP systems.

Send data to Hunters

Hunters collects these logs from an S3 bucket: you route the Onapsis syslog stream into a bucket you own (the steps below use Fluentd for the hop) and then give Hunters the bucket details.

Step 1: Enable Syslog Export in Onapsis

Most Onapsis products can export events over syslog; menu names vary by product and version. To do so, follow these steps:

  1. Log in to the Onapsis Platform.

  2. Navigate to the syslog export settings (for example Settings > Integrations).

  3. Configure:

    1. Syslog server address: IP or hostname of the Fluentd host set up in Step 2.

    2. Port: the port your receiver listens on. The Fluentd sample below uses 5140; the syslog default of 514 also works, but a receiver needs elevated privileges to bind a port below 1024.

    3. Protocol: TCP where the receiver supports it. UDP gives no delivery guarantee, so events are dropped silently when the receiver or network is saturated, leaving gaps in the audit trail. If your Onapsis product offers syslog over TLS, prefer it: plain syslog carries user names, hosts and incident details in cleartext.

    4. Format: Syslog.

Once configured, Onapsis pushes events to that destination. Confirm that the first events reach the Fluentd host before moving on, so that a closed firewall port or a UDP/TCP mismatch does not go unnoticed.

Step 2: Set Up Fluentd to Receive Syslog

Fluentd (td-agent) receives the syslog stream with its built-in syslog input and writes it to S3 with the s3 output (fluent-plugin-s3, bundled with td-agent); the filter in Step 3 goes between the two.

Sample td-agent.conf snippet:

<source>
  @type syslog
  # Unprivileged port; point the Onapsis syslog destination at this port.
  port 5140
  bind 0.0.0.0
  tag onapsis.logs
  # The plugin listens on UDP unless a transport section asks for TCP.
  <transport tcp>
  </transport>
</source>

<match onapsis.logs>
  @type s3
  # Prefer an instance profile or assumed role; if static keys are
  # unavoidable, restrict them to the policy in Step 4.
  aws_key_id YOUR_ACCESS_KEY
  aws_sec_key YOUR_SECRET_KEY
  s3_bucket your-onapsis-logs-bucket
  s3_region us-east-1
  path logs/onapsis/
  # Fluentd v1 buffer section (replaces buffer_path / time_slice_format).
  <buffer time>
    @type file
    path /var/log/td-agent/buffer/onapsis
    timekey 3600
    timekey_wait 10m
  </buffer>
</match>

📘Note

Replace the placeholder access key and secret key, set the bucket's real region, and keep real keys out of version control. On an EC2 instance with an IAM role attached you can omit aws_key_id and aws_sec_key entirely and let fluent-plugin-s3 use the instance profile.

Step 3: Set Up Log Conversion to NDJSON

Hunters reads the onapsis_logs table as NDJSON, one JSON object per line. The s3 output's json formatter already writes records that way, so do not wrap the record into a message string (a record_transformer setting message to ${record.to_json} double-encodes the event). When Onapsis sends the event as JSON inside the syslog message, which is the shape shown under Expected format, the step that is actually needed is to unpack that JSON so each stored line is the event object itself:

<filter onapsis.logs>
  # Parse the JSON event out of the syslog message field. With reserve_data
  # false the syslog envelope (host, ident, pid) is dropped; payloads that are
  # not JSON are routed to the @ERROR label instead of disappearing silently.
  @type parser
  key_name message
  reserve_data false
  <parse>
    @type json
  </parse>
</filter>

<match onapsis.logs>
  @type s3
  # One JSON object per line is NDJSON; no further wrapping is required.
  <format>
    @type json
  </format>
  ...
</match>

Step 4: IAM Policy for S3 Access

The identity Fluentd runs as (instance profile, assumed role, or the static key from Step 2) must be able to list the bucket and write objects under the log prefix, and nothing more. fluent-plugin-s3 checks that the bucket exists (s3:ListBucket on the bucket ARN) and, with its default check_object true, checks whether each target key already exists before writing, which is a HEAD on the object and needs s3:GetObject on the prefix. If you would rather not grant read access, set check_object false in the match block and drop s3:GetObject from the policy.

Example IAM policy, scoped to the logs/onapsis/ prefix used above:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LocateBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::your-onapsis-logs-bucket"
    },
    {
      "Sid": "WriteLogObjects",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-onapsis-logs-bucket/logs/onapsis/*"
    }
  ]
}

Step 5: Complete the Setup on Hunters

Once the export is working and NDJSON objects are accumulating in the bucket, provide Hunters with the bucket details by following the steps in this section.

Expected format

Logs are expected in NDJSON format.

Onapsis Logs

{
  "event": {
    "incident_type": "UserActivity",
    "alarm_profile_matches": [
      {
        "alarm_name": "OP_Shipped_Sec_Login of standard user",
        "profile_id": 32,
        "conditions": [
          {
            "condition_id": 70,
            "eval_value": {
              "protocol": null,
              "success": null
            },
            "matched": true
          }
        ]
      }
    ],
    "anomaly_score": null,
    "asset_name": "EP1",
    "client": "000",
    "column_bname": null,
    "column_profile": null,
    "confidence": 3,
    "created_at": "2024-12-06T00:38:44.462530",
    "destination_port": null,
    "detected_compliance": null,
    "downloaded_table": null,
    "dst": "__EMPTY__",
    "erp_event_source": "STAD",
    "erp_host": "10.1.3.234",
    "erp_time": "2024-12-06T00:38:25+00:00",
    "event_id": null,
    "event_type": "UserLogin",
    "events": null,
    "incident_detail": null,
    "incident_name": "OP_Shipped_Sec_Login of standard user",
    "job_name": null,
    "logline": null,
    "matching_rule": null,
    "modified": null,
    "module_category": null,
    "module_description": null,
    "module_name": null,
    "patch_applied": null,
    "policy": null,
    "program_name": null,
    "protocol": "RFC",
    "reason": null,
    "result": null,
    "sap_sec_notes": null,
    "severity": "6",
    "sid": "EP1",
    "source_port": null,
    "src": "10.1.3.234",
    "success": true,
    "system_type": "ABAP",
    "terminal_source": "10.1.3.234",
    "user_type": null,
    "username": "DDIC",
    "vulnerability_cvss": null
  },
  "sourcetype": "onapsis_incident"
}
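To make the Step 2 to Step 3 conversion concrete, and to check what actually lands in the bucket before pointing Hunters at it, here is an added Python example. It is not Hunters or Onapsis code: it mirrors in plain Python what the Fluentd syslog input and json parser do, assuming Onapsis emits RFC 3164 syslog with the JSON event as the message body. The syslog lines and the trimmed event are constructed from the sample above, and DOUBLE_ENCODED_LINE reproduces what the original message ${record.to_json} filter would have written to S3.

```python
# Added example (not Hunters or Onapsis code): a Python mirror of the
# syslog -> NDJSON hop from Steps 2-3 plus a validator for what lands in S3.
# The syslog lines and the trimmed event below are constructed sample data.
import json
import re

# RFC 3164 shape that Fluentd's syslog input parses by default:
# <PRI>Mmm dd hh:mm:ss host ident[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<ident>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$"
)

# Trimmed from the Expected format sample on this page.
EVENT = {
    "event": {"incident_type": "UserActivity", "event_type": "UserLogin",
              "username": "DDIC", "src": "10.1.3.234", "sid": "EP1",
              "severity": "6", "success": True},
    "sourcetype": "onapsis_incident",
}

# Constructed input: a JSON event payload, a plain-text payload, and junk.
SAMPLE_SYSLOG = [
    "<134>Dec  6 00:38:44 onapsis-sensor onapsis[4242]: "
    + json.dumps(EVENT, separators=(",", ":")),
    "<134>Dec  6 00:38:45 onapsis-sensor onapsis: heartbeat ok",
    "this is not syslog",
]

# What the page's original Step 3 filter (message ${record.to_json}) would
# store: the syslog record serialised into its own `message`, so the event
# ends up two string layers deep.
_SYSLOG_REC = {"host": "onapsis-sensor", "ident": "onapsis", "pid": "4242",
               "message": json.dumps(EVENT)}
DOUBLE_ENCODED_LINE = json.dumps({**_SYSLOG_REC, "message": json.dumps(_SYSLOG_REC)})


def parse_syslog(line):
    """One RFC 3164 line -> the fields Fluentd's syslog parser emits (host,
    ident, pid, message) plus facility/severity decoded from PRI, or None."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    rec = {"host": m["host"], "ident": m["ident"], "message": m["message"],
           "facility": pri >> 3, "severity": pri & 7}
    if m["pid"]:
        rec["pid"] = m["pid"]
    return rec


def try_json_object(text):
    """Parse text as a JSON object; arrays, scalars and non-JSON give None."""
    text = text.strip()
    if not text.startswith("{"):
        return None
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def normalize(rec):
    """Peel JSON-in-a-string layers off `message`: depth 1 is the intended
    unpacking of the event, depth 2 is the double-encoding symptom."""
    depth = 0
    while isinstance(rec.get("message"), str):
        inner = try_json_object(rec["message"])
        if inner is None:
            break
        rec, depth = inner, depth + 1
    return rec, depth


def syslog_to_ndjson(lines):
    """The conversion Steps 2-3 aim for: syslog in, one JSON object per line
    out. Lines that are not syslog are skipped, not written as garbage."""
    out = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is not None:
            out.append(json.dumps(normalize(parsed)[0], separators=(",", ":")))
    return "".join(o + "\n" for o in out)


def validate_ndjson(text):
    """Check an object the way Hunters will read it: every non-empty line must
    be one JSON object. Counts bad lines, lines that needed unwrapping and
    records with the Onapsis shape (top-level `event` plus `sourcetype`)."""
    report = {"lines": 0, "not_json_object": 0, "unwrapped": 0,
              "onapsis_shaped": 0, "records": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        report["lines"] += 1
        rec = try_json_object(raw)
        if rec is None:
            report["not_json_object"] += 1
            continue
        rec, depth = normalize(rec)
        report["unwrapped"] += 1 if depth else 0
        if isinstance(rec.get("event"), dict) and "sourcetype" in rec:
            report["onapsis_shaped"] += 1
        report["records"].append(rec)
    return report
```

Run validate_ndjson over a downloaded object (after aws s3 cp and gunzip if the output is compressed): not_json_object must be zero before Hunters starts reading, and a non-zero unwrapped count means the Fluentd filter is still wrapping records into a message string rather than unpacking the event.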