ETD: From Alert To Investigation
This is part two of a small blog series about how SAP runs SAP Enterprise Threat Detection. Part one (How SAP Runs SAP Enterprise Threat Detection) gave an overview of the Security Monitoring Center organizational setup and of how the various applications in the SAP Enterprise Threat Detection solution are linked to the team roles. In this blog post I want to look into the process ‘from Alert to Investigation’, which gives a good idea of the daily activities of the Monitoring Agent.
How is an Alert linked to a Monitoring Agent? Well, this depends on the team size and on how tasks are distributed. In a small team, most probably everybody has to pick up every Alert that pops up in the monitoring during their shift. In larger teams you may have a defined accountability for a set of patterns and systems.
Let’s start the solution. The Fiori Launchpad is the first screen you see and you might find some work in ‘Open Alerts on My Name’. So either your colleagues moved Alerts on your name, or you have some left over from the day before. If there is nothing on your name the next step is to check the Monitoring.
The monitoring application is highly customizable to your individual needs. I still prefer a start screen with only 6 tiles and the 3 indicators on top. But you can design and save several screen setups with more rows and columns, e.g. to fill your 70-inch flat-screen array with as many alert patterns as you want. And you can save as many setups as you want and switch between them.
Ok, you have seen some new Alerts and want to have a closer look. You can go back to the Fiori Launchpad and start the application ‘Open Alerts Last 24 Hours’, or you use the direct link from the Alerts indicator on the top left of the monitoring screen to jump to ‘All Open Alerts’.
Whichever way you prefer, you will see the Alerts. Now you can sort them ascending or descending by pattern, severity, creation date, score, ID, status or processor. You can also use filter settings to customize your view, but you can’t save different views. (Note to myself: let’s request this from ETD development.)
In this example we pick the first ‘High’ Alert from the list. The threat is a forbidden logon via user/password on an ECC business system where only Single-Sign-On is allowed. The analyze button on the right will bring you directly into the Forensic Lab to check the pattern settings and access the log raw data. I will talk in detail about the Forensic Lab in the next blog post, where we will look into the tasks for the Security Expert within the Security Monitoring Center.
After collecting basic information about the case you need to decide how to move forward with this ticket. Is this a ‘False Positive’? Is no reaction required, e.g. because the system is in maintenance and the case is linked to this special situation? Do you need to trigger a new Investigation, or can you add this Alert to an existing Investigation? You switch to the change mode with the edit button and adjust the status information. Then you use one of the green buttons to link the Alert to an Investigation.
In this example I created a ‘High’ Investigation and linked 4 Alerts to it. I added some comments with my basic research and all the information I collected so far. Then I save the Investigation, and it is now visible to the Security Expert. Great, job done! Oh wait, I still have this Alert on my name and a lot of open Alerts in the system. Let’s move on chasing threats!