Author: Michael Shea

Attack Detection Patterns of SAP Enterprise Threat Detection

Attack detection patterns are what power the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network. The patterns were created by our experts to uncover a variety of anomalous events. You have asked what patterns we deliver with our product. Here is an overview of the kinds of patterns you get with SAP Enterprise Threat Detection 1.0 SP01. Don’t worry, there is more to come in our future releases.

| Category | Description |
| --- | --- |
| ABAP and HANA Authorization | These patterns look for escalation of privileges. An escalation of privileges means exploiting a weakness to gain access to resources you should not have access to. These patterns also watch for the assignment of critical roles or profiles. |
| ABAP Blacklists and Whitelists | A number of patterns function on blacklists and whitelists. We deliver blacklists for function modules, reports, transactions, and URL paths expected not to be used in productive systems. Customers can enhance these blacklists according to their needs. The same applies to several patterns that come with whitelists; these create an alert when a certain user is active or a function module is called that is not part of the whitelist. |
| ABAP Calls to Productive Systems | Your productive system runs your business. We have patterns that watch for calls from non-productive systems to productive systems. The patterns, like those in other categories, have configurations to eliminate false positives. |
| ABAP and HANA Configuration | The patterns for ABAP and HANA configuration make sure that no one is trying to disable security in the system by making configuration changes. Such changes include deactivating logs or other security functions. |
| ABAP Debugging | These patterns attempt to find developers behaving badly, for example, debugging in a productive system. The patterns can also find an infiltrator exploring code in an ABAP system. |
| ABAP Denial of Service | There are a number of indicators we can watch to identify if someone is trying to block access to the ABAP server. |
| ABAP Downloads | If a user downloads data too often or in too large a volume from an ABAP server, patterns raise alerts in SAP Enterprise Threat Detection. |
| ABAP Internet Communication Framework | SAP Enterprise Threat Detection also uses patterns to monitor access to the Internet Communication Framework (ICF). |
| ABAP and HANA Logon | Too many failed logon attempts might indicate someone trying to brute force their way into the system. Attempts to log on with users that should otherwise be locked, expired, or deleted are also suspicious. We also look for replay attacks or other attempted manipulation of our security session technology. |
| ABAP Password | Manipulation of passwords for critical users, or by users not normally in an administrative role, can warn of an intruder in your system. |
| HANA SQL Functions | We include patterns to detect suspicious calls to SQL functions on the SAP HANA platform. |
| ABAP User Morphing | We also look for changes in users that indicate a manipulation of the user, such as a change of the user type. |

Want to know more?

      1 Comment
      Former Member

      Hi SAP, any updates on this or sources where I can find more information about all current ETD ADP with SP03 and soon SP04? Thx