Matthias Kaempfer

SAP Enterprise Threat Detection and SIEM. What is the difference?

Hi all,

SAP Enterprise Threat Detection and SIEM systems. What is the difference? Here you can find an answer.

So what is SIEM? SIEM stands for security information and event management. The application collects security event information throughout an IT landscape. SIEM products have already been on the market for a long time.

A personal note

Some SIEM vendors really missed the opportunity to renew their architecture (security data is a big data issue nowadays, which requires a change in the architecture and the use of new analytical tools). Some products are distributed across several servers and databases, with current data in one database and historical data in another, and you have to jump between tools for analysis and reporting. But these are vendor-specific issues and not a problem of the SIEM idea, and there are also good vendors out there! So watch out if you are selecting a SIEM solution, and do not implement yesterday's technology.

So what is the difference to SAP Enterprise Threat Detection?

It is the focus on security event types. SIEM solutions traditionally use security events on the network and operating system level to detect attacks. But most solutions have no idea what happens in the applications. Nowadays, sophisticated attacks cannot be detected on the lower levels alone; you have to look into the application stack! That is the starting point of SAP Enterprise Threat Detection. It collects security information on the application stack and correlates it with context information to detect cyber attacks when they happen. This only works because we are using the newest technology on the market: SAP HANA as a big data platform in combination with SAP Event Streaming processor.





Just an example. How do you want to find an internal or external attacker who stole some credentials to an SAP system (there are many techniques; this would fill a complete blog of its own) and tries to steal confidential data with the help of the credentials? It is about the user behaviour in the system in combination with context information (region, device, HR information, IP, …) -> SAP Enterprise Threat Detection.

Does SAP Enterprise Threat Detection replace existing SIEM solutions?

No, SIEM solutions are very good on the operating system and network level. They incorporate the experience of many years. They are complementary to ETD, like other security solutions (virus scanner, IPS, IDS, …). My opinion: There will not be one solution in the market that can protect everything.


Does SAP Enterprise Threat Detection also support non-SAP data?

Yes, you can also upload your proxy data (or any other) to analyze it, and do many other things which your existing system is perhaps not able to do because of an outdated technology. But the content (security patterns) delivered by SAP focuses on the SAP application level. By the way, there are many security partners planning to provide additional security patterns. So watch out for partners which provide not only implementation services but also additional content.


Why did SAP not build the ETD solution on existing SIEM solutions?

We would not have invested in SAP Enterprise Threat Detection without our SAP HANA technology. SAP HANA allows us to analyze large amounts of data, correlate it and visualize it. With the predictive, geospatial, data scaling and other functionalities, we are able to provide a completely new experience in the future. Furthermore, we do not want to lock our customers in to one SIEM solution. SAP will rather integrate with leading SIEM solutions to use the strength of both worlds.


The product has been available since the end of 2014 and already provides great insight. But there is also a roadmap available, and SAP will deliver innovations with each service pack.



      Zachary Leahan

      Great post.  Thanks.  Can customers create their own "security patterns"?  Seems to be just SAP and their security partners per your article... but I just want to check.

      Matthias Kaempfer
      Blog Post Author

      Customers can create their own patterns. They can also adjust SAP patterns if required.



      Former Member

      Can SAP Security Audit Logs be integrated with a SIEM tool? If yes, how can we achieve it?




      Matthias Kaempfer
      Blog Post Author

      SAP Enterprise Threat Detection also supports NetWeaver Audit Logs. So in the ABAP system you only have to run a regular ETD job, which collects all data and sends it to SAP Enterprise Threat Detection.



      Mario Bouchard

      Hi, this is the article I needed. Is the content of your post still relevant with the release of ETD 2.0? Regards, Mario

      martin schmitt

      Thanks for that good overview. We are in the process of planning to integrate 2 customers into IBM's SIEM called QRadar. As far as I interpret this, we would start with the infrastructure level and then continue with the application level. For integrating ETD into this SIEM there exists an app to make it easy: IBM QRadar Custom Properties for SAP Enterprise Threat Detection and Enterprise Threat Monitor for SAP. Does anyone have any experience in integrating SAP into a SIEM? Would be nice to share it.