SAP delivers attack detection patterns with SAP Enterprise Threat Detection, and more will follow over time. However, you also need to be able to obtain patterns from elsewhere, and sometimes in a hurry. So it is essential that patterns can be created easily with the tools provided by SAP Enterprise Threat Detection.
There are two main steps to creating an attack detection pattern. First, you build a series of filters that reduce the stored events to the subset you are interested in. Second, you specify what aspect of this subset you want to measure and define the pattern on it. I am going to focus on the second step, so my starting point is the one shown in the screenshot below.
The first filter restricts the set to events from the last hour, the second further restricts it to events from the security audit log, and the final filter restricts it to those security audit log events whose Event ID is AU2 (logon failed). Each filter narrows the result of the previous one, so together they act as a conjunction. I could now explore many aspects of this subset, but I simply want to create my pattern, so I choose Create Pattern.
Let's say my pattern should run automatically every 30 minutes and generate a low-severity alert whenever the number of failed logons from any one terminal exceeds 5 in the preceding hour. I enter those details. Two things are worth keeping in mind when choosing these values: a 60-minute window evaluated every 30 minutes means consecutive runs overlap, so a single burst of failures can raise the same alert twice; and because the count is keyed on terminal, attempts spread across many terminals will not reach the threshold, so a companion pattern keyed on user name covers that complementary case.
Now a couple of OK clicks and I am done.
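As an added illustration, not part of the original post and not ETD's own implementation, the Python below models the three filters and the per-terminal measurement from the steps above as plain functions run over a constructed set of log entries, then simulates the 30-minute schedule to show how the one-hour look-back windows of consecutive runs overlap. The field names, the "SecurityAuditLog" log-type label and the event layout are assumptions made for the example, not ETD's actual schema.

```python
from collections import Counter
from datetime import datetime, timedelta

# Pattern parameters taken from the walkthrough: evaluate every 30 minutes,
# look back one hour, alert with low severity when one terminal exceeds
# five failed logons (Security Audit Log event ID AU2).
WINDOW = timedelta(hours=1)
INTERVAL = timedelta(minutes=30)
THRESHOLD = 5
SEVERITY = "low"


def event(ts, log_type, event_id, terminal, user):
    """Build one normalized log entry (field names are assumed, not ETD's schema)."""
    return {"timestamp": ts, "log_type": log_type, "event_id": event_id,
            "terminal": terminal, "user": user}


T0 = datetime(2015, 3, 10, 9, 0)

# Constructed sample data: a burst of seven failed logons from WS-0042 between
# 09:40 and 09:52, three from WS-0007, plus entries the filters must drop
# (a successful logon AU1, a gateway-log entry, and an AU2 that is older than
# one hour at the first evaluation that could otherwise see it).
SAMPLE_EVENTS = (
    [event(T0 + timedelta(minutes=40 + 2 * i), "SecurityAuditLog", "AU2", "WS-0042", "JDOE")
     for i in range(7)]
    + [event(T0 + timedelta(minutes=45 + i), "SecurityAuditLog", "AU2", "WS-0007", "ASMITH")
       for i in range(3)]
    + [event(T0 + timedelta(minutes=58), "SecurityAuditLog", "AU1", "WS-0042", "JDOE"),
       event(T0 + timedelta(minutes=50), "GatewayLog", "AU2", "WS-0042", "JDOE"),
       event(T0 - timedelta(minutes=90), "SecurityAuditLog", "AU2", "WS-0042", "JDOE")]
)


def filter_events(events, now, window=WINDOW):
    """Apply the three filters from the walkthrough in order: time window,
    log type, then event ID. The window is (now - window, now]."""
    in_window = [e for e in events if now - window < e["timestamp"] <= now]
    audit_log = [e for e in in_window if e["log_type"] == "SecurityAuditLog"]
    return [e for e in audit_log if e["event_id"] == "AU2"]


def failed_logons_per_terminal(events):
    """Measure: number of AU2 events grouped by originating terminal."""
    return Counter(e["terminal"] for e in events)


def evaluate_pattern(events, now, threshold=THRESHOLD):
    """Run the pattern once at time `now`; return one alert per offending terminal."""
    counts = failed_logons_per_terminal(filter_events(events, now))
    return [
        {"terminal": terminal, "failed_logons": n, "severity": SEVERITY,
         "window_end": now}
        for terminal, n in sorted(counts.items()) if n > threshold
    ]


def run_schedule(events, start, end, interval=INTERVAL):
    """Simulate the scheduler: evaluate the pattern every `interval` from
    `start` to `end` inclusive. Because the look-back window (60 min) is
    longer than the interval (30 min), consecutive runs overlap, so one burst
    of failed logons can raise the same alert twice. Returns {run_time: alerts}."""
    results = {}
    now = start
    while now <= end:
        results[now] = evaluate_pattern(events, now)
        now += interval
    return results


if __name__ == "__main__":
    for when, alerts in run_schedule(SAMPLE_EVENTS, T0, T0 + timedelta(hours=2)).items():
        print(when.strftime("%H:%M"), alerts or "no alert")
```

Running the script evaluates the pattern at 09:00, 09:30, 10:00, 10:30 and 11:00: the WS-0042 burst is below the window at the first two runs, raises an alert at 10:00 and again at 10:30 (the overlap), and has aged out by 11:00, while WS-0007 never exceeds the threshold.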
No programming knowledge is necessary to create an attack detection pattern. For normal people, this is generally a good thing. Creating your patterns is easy enough that you can focus on the more challenging part: finding patterns worth creating.