SAP Enterprise Threat Detection (ETD) is a HANA-based SAP solution that can monitor and correlate data from disparate SAP and non-SAP systems in the IT landscape, and can therefore help manage exposure to internal and external threats. The business case behind this product and the solution brief can be found at the following link: SAP Enterprise Threat Detection – Security Monitoring – Data Breach Protection. This blog lists the components of the ETD solution, describes the integration between these components, and walks through the configuration steps needed to make an ETD system ready for use.
Components: The ETD solution has 3 components:
- HANA component (delivery unit that is imported into the HANA system).
- ESP component (Event stream processor), which acts as an interface between the HANA system and the target system from which logs are being collected.
- Target system component. The target can be an SAP or a non-SAP system (in this blog post, the target system is assumed to be an SAP ABAP system).
Step 1: Importing the delivery unit
1. Import the delivery unit into your HANA system. (If you receive errors while importing the file, check the HANA version compatibility with the delivery unit, as the required HANA version can vary based on the SP level of the delivery unit.) HANA ALM can also be used for importing the delivery unit. The delivery unit to be imported is available on the SAP Service Marketplace.
Before the actual import a simulation is performed, as shown below.
Step 2: Set up ESP and HANA Connectivity
The ESP projects enhance and enrich the content of the logs that are obtained from the target system.
Prerequisites: ESP should be installed. The installation process is fairly simple and details can be found on the ESP installation page. ESP can be installed on a Linux or a Windows machine. The configuration steps shown in this blog apply when ESP has been installed on a Windows instance.
Once ESP is installed, connectivity between the HANA system and SAP ESP can be set up. This is done via an ODBC connection.
a) Create ODBC connection
On the Windows machine (where ESP is installed), go to the Start menu, search for ODBC and choose “data sources” as shown below.
Fill in the Data Source name and Description fields.
While creating the ODBC connection, copy the information from the “Additional Properties” section in HANA Studio. Full path:
HANA Studio => Server => Right click and Properties => Database User Logon => Additional Properties
Provide user name and password for the HANA system and choose connect.
b) Create the Data Service
In the ESP studio, navigate to the data services view.
Select the server node and choose add ODBC service.
Right click and choose discover
c) Importing ESP projects
ESP projects are delivered as part of the HANA delivery unit. Before the projects can be imported into the ESP studio, the esp folder must be checked out (as shown below) and the contents of the esp folder (which also contains the ESP projects) placed in a location that is accessible to the ESP studio.
Once the projects are accessible, they can be imported into the ESP studio as shown below. The files to be imported are transfer_log.zip and transfer_master_data.zip.
d) Start the SAP ESP web service provider
Use the esp_wsp.bat file, path C:\esp_rootpath\wsp\esp_wsp.bat
Step 3: Configure the Target system
ETD-related corrections and reports are delivered with SAP_BASIS 7.4 SP10. However, if upgrading to the required release and SP is not an option, individual notes can be applied manually. Once this prerequisite is met, follow the steps below.
a) Configure report SECM_CONFIGURATION
Transaction SE38 => Program SECM_CONFIGURATION
In the SECM: Configuration report, navigate to the second tab and provide the login details of the adm user of the NetWeaver system.
c) Transfer logs from ABAP system to ESP server
Execute report: SECM_LOG_2_ESP
In case there are issues, the following SQL queries can be executed to check whether logs have been pushed properly to the HANA system.
Log header: select * from "SAP_SEC_MON"."sap.secmon.db::Log.LogHeader"
Log detail: select * from "SAP_SEC_MON"."sap.secmon.db::Log.LogDetail"
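The same check can be run from the ESP Windows host through the ODBC data source created in Step 2, which verifies the connection and the log transfer in one pass. This is an added example, not part of the original post or of SAP's delivery; the DSN name ETD_HANA is a hypothetical placeholder for the Data Source name you entered, and the script assumes Windows PowerShell 5.1, where System.Data.Odbc is available.

```powershell
# Added example: verify the ODBC DSN from Step 2a and check that the ETD log tables are filling.
# Assumption: the DSN is named "ETD_HANA" (hypothetical; use your own Data Source name).
param(
    [string]$DsnName = 'ETD_HANA'
)

# Table names are taken from the two queries on this page.
$tables = @(
    '"SAP_SEC_MON"."sap.secmon.db::Log.LogHeader"',
    '"SAP_SEC_MON"."sap.secmon.db::Log.LogDetail"'
)

# Prompt for the HANA user instead of storing the password in the script.
$cred = Get-Credential -Message "HANA user for DSN $DsnName"

# The builder escapes special characters in the password correctly.
$builder = New-Object System.Data.Odbc.OdbcConnectionStringBuilder
$builder.Dsn = $DsnName
$builder['UID'] = $cred.UserName
$builder['PWD'] = $cred.GetNetworkCredential().Password

$conn = New-Object System.Data.Odbc.OdbcConnection($builder.ConnectionString)
try {
    $conn.Open()   # fails here if the DSN, host/port or credentials are wrong
    Write-Host "Connected through DSN '$DsnName'"

    foreach ($t in $tables) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT COUNT(*) FROM $t"
        try {
            $rows = [long]$cmd.ExecuteScalar()
            $state = if ($rows -gt 0) { 'OK' } else { 'EMPTY: no logs received yet' }
            Write-Host ("{0,-50} {1,10} rows  {2}" -f $t, $rows, $state)
        } catch {
            # Typically a missing privilege on SAP_SEC_MON or a delivery unit that was not imported.
            Write-Warning "Query failed for $t : $($_.Exception.Message)"
        } finally { $cmd.Dispose() }
    }
} catch {
    Write-Error "ODBC connection failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

A row count that stays at zero after SECM_LOG_2_ESP has run points at the ABAP-to-ESP or ESP-to-HANA leg rather than at the HANA content itself.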
To view the ETD home page, launch the url
Alerts can be browsed from the alerts section: Highlighted below