SP03 brings some significant improvements to SAP Enterprise Threat Detection. A major focus was on throughput, performance, and sizing. A visible manifestation of this is the disappearance of the details table and the expansion of the header table. However, in this blog I am going to mention two functional features that stand out.
Many security operations teams have already invested heavily in one SIEM solution or another and are looking to SAP Enterprise Threat Detection to cover the SAP part of their landscape. Ideally, the two solutions should be able to exchange information about what is happening in the areas they each cover. SAP Enterprise Threat Detection alerts can now be exported in JSON format, either pulled by the SIEM or pushed to it.
This is a subject that deserves its own blog, so I will merely touch upon it here. In SP02 we introduced semantic events. Now we have semantic attributes, which complete the meaning of semantic events. Events, concepts, and the relationships between them are standardized. Consistent use of events and attributes across sources makes it easier to do cross-log analysis, because a pattern can be expressed once against the shared names rather than once per log format. The bubble diagram shown in the screenshot is a new way of displaying and quickly filtering the attributes in the forensic lab.
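To make the cross-log point concrete, here is a small illustration of what normalizing onto shared event and attribute names buys you. This is an added example written for this post, not code from SAP Enterprise Threat Detection: the source names, raw field names, event codes, semantic names and log records below are all constructed assumptions. Two sources that name the same concepts differently are mapped onto common semantic attributes, after which a correlation (repeated failed logons followed by an external program start from the same account and network address) and a per-attribute value count, the kind of figure an attribute bubble view would size its bubbles by, can both be written once.

```python
"""Illustrative normalization onto semantic events/attributes and a cross-log
correlation over the result. Added example, not SAP Enterprise Threat Detection
code; source names, raw field names, event codes and semantic names are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Per-source mapping (assumed): which raw field carries the event code, how
# codes map to semantic events, and how raw fields map to semantic attributes.
SOURCES = {
    "abap_sal": {
        "event_field": "EVT",
        "events": {"AU1": "LogonSucceeded", "AU2": "LogonFailed"},
        "attributes": {"USER": "UserAccount", "TERMINAL": "NetworkAddress", "TIME": "Timestamp"},
    },
    "gateway": {
        "event_field": "action",
        "events": {"START_EXTERNAL": "ExternalProgramStarted"},
        "attributes": {"user_name": "UserAccount", "client_ip": "NetworkAddress", "ts": "Timestamp"},
    },
}

# Constructed raw log records; the two sources name the same concepts differently.
RAW_EVENTS = [
    ("abap_sal", {"USER": "JDOE", "TERMINAL": "10.0.0.5", "EVT": "AU2", "TIME": "2015-06-01T10:00:00Z"}),
    ("abap_sal", {"USER": "JDOE", "TERMINAL": "10.0.0.5", "EVT": "AU2", "TIME": "2015-06-01T10:00:03Z"}),
    ("gateway", {"user_name": "JDOE", "client_ip": "10.0.0.5", "action": "START_EXTERNAL", "ts": "2015-06-01T10:00:10Z"}),
    ("abap_sal", {"USER": "ASMITH", "TERMINAL": "10.0.0.9", "EVT": "AU1", "TIME": "2015-06-01T10:04:00Z"}),
    ("gateway", {"user_name": "ASMITH", "client_ip": "10.0.0.9", "action": "START_EXTERNAL", "ts": "2015-06-01T10:05:00Z"}),
]


def parse_ts(value):
    """ISO-8601 with trailing Z -> aware UTC datetime (also on Python < 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(source, raw):
    """Rename raw fields to semantic attributes and resolve the semantic event."""
    cfg = SOURCES[source]
    code = raw.get(cfg["event_field"])
    event = {"Source": source,
             "SemanticEvent": cfg["events"].get(code, f"Unmapped({code})")}
    for raw_field, semantic in cfg["attributes"].items():
        if raw_field in raw:
            event[semantic] = raw[raw_field]
    event["Timestamp"] = parse_ts(event["Timestamp"])
    return event


def normalize_all(records):
    return [normalize(src, raw) for src, raw in records]


def facet(events, attribute):
    """Value counts for one semantic attribute across all sources."""
    return Counter(e[attribute] for e in events if attribute in e)


def failed_then_external(events, min_failures=2, window=timedelta(minutes=5)):
    """Cross-log pattern: >= min_failures LogonFailed for a (UserAccount,
    NetworkAddress) pair, followed within `window` by an ExternalProgramStarted.
    Written once, because both sources now share attribute names."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["Timestamp"]):
        by_key[(e["UserAccount"], e["NetworkAddress"])].append(e)
    hits = []
    for (user, addr), seq in by_key.items():
        failures = [e["Timestamp"] for e in seq if e["SemanticEvent"] == "LogonFailed"]
        for e in seq:
            if e["SemanticEvent"] != "ExternalProgramStarted":
                continue
            recent = [t for t in failures if e["Timestamp"] - window <= t <= e["Timestamp"]]
            if len(recent) >= min_failures:
                hits.append({"UserAccount": user, "NetworkAddress": addr,
                             "failures": len(recent), "at": e["Timestamp"].isoformat()})
    return hits


if __name__ == "__main__":
    events = normalize_all(RAW_EVENTS)
    print(facet(events, "SemanticEvent"))
    for hit in failed_then_external(events):
        print("ALERT", hit)
```

The per-source tables carry all the format knowledge; the correlation and the facet count never mention a raw field name. Adding a third log source means adding one mapping entry, not rewriting every pattern, which is the practical payoff of standardized events and attributes.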
Relevant SAP Notes
2192334 – Release Note SAP Enterprise Threat Detection 1.0 SP03