SAP Enterprise Threat Detection (ETD) and Read Access Logging (RAL). What is the difference?
Read Access Logging (RAL) is available on SAP NetWeaver ABAP and can log “read access” to sensitive information from various sources. Currently RAL supports Dynpro, Web Dynpro, RFC and web services. In RAL you define rules that specify which screens/fields you want to monitor. The log data is stored in the database, and you have the option to archive the information via the Archive Development Kit.
Sometimes I get the question of how RAL fits together with SAP Enterprise Threat Detection (ETD). RAL is one of many security information sources for ETD (HTTP log, business transaction log, audit log, …). So if you want to analyze read access in ABAP within ETD, RAL is a good choice. The goal of RAL is not to analyze security-critical events across a system landscape; its goal is to provide log data per client for read accesses. But there are many attacks for which you need other information as well, and so ETD is the central point of view for all security-relevant data in an SAP system landscape.
ETD is more than a central store for security information:
In a first step, ETD normalizes all the data from the various sources. This is one of the most important steps: if you want to correlate data and keep false positives low, you need a clean data basis for your security information. For that, SAP introduced a security knowledge base with defined events and attributes. In a second step, ETD pseudonymizes the user ID, which is extremely important in some countries. The third step is enrichment: ETD can enrich incoming events, for example by adding the MAC address to an IP address. The fourth step is to transfer the data to SAP HANA. After all these steps an administrator or security expert can use the pre-delivered patterns or browse through the normalized security information. So if you want to know which transactions were used throughout the complete system landscape from a specific terminal in a given time frame, you are only a few clicks away. Without ETD, answering that one question is a job that takes hours or days of manual work.
Other questions you can answer in a few clicks:
Who read HR-critical data but is not working in the HR organization?
Who accessed blacklisted function modules?
Was there a debugging session in my productive systems?
Any suspicious profile changes?
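To make the four processing steps above and the first question in this list concrete, here is an added Python sketch that is not part of this post and not SAP code: two constructed record sets stand in for RAL and audit log output, and the normalization schema, the keyed-hash pseudonymization, the IP-to-MAC table and the HR organization membership are all assumptions for illustration. Step 4, persisting to SAP HANA, is left out.

```python
import hmac
import hashlib

# Constructed sample records; field names differ per source, as they do in practice
RAL_RECORDS = [
    {"mandt": "100", "uname": "JSMITH", "term_ip": "10.0.0.5", "screen": "PA30", "fieldname": "SALARY"},
    {"mandt": "100", "uname": "HRADMIN", "term_ip": "10.0.0.9", "screen": "PA30", "fieldname": "SALARY"},
]
AUDIT_RECORDS = [
    {"client": "100", "user": "JSMITH", "ip": "10.0.0.5", "tcode": "SE38"},
]
# Constructed lookups (assumptions): enrichment table, HR org membership, HR-critical fields
IP_TO_MAC = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "00:11:22:33:44:66"}
HR_ORG_USERS = {"HRADMIN"}
HR_CRITICAL = {("PA30", "SALARY")}
PSEUDONYM_KEY = b"constructed-demo-key"  # in a real deployment this secret is not in source


def normalize(ral, audit):
    """Step 1: map both sources onto one event schema so they can be correlated."""
    events = []
    for r in ral:
        events.append({"type": "ReadAccess", "client": r["mandt"], "user": r["uname"],
                       "ip": r["term_ip"], "object": (r["screen"], r["fieldname"])})
    for a in audit:
        events.append({"type": "TransactionStart", "client": a["client"], "user": a["user"],
                       "ip": a["ip"], "object": (a["tcode"], None)})
    return events


def pseudonymize(user):
    """Step 2: keyed hash (a stand-in for ETD's pseudonymization) gives analysts a stable token."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]


def enrich(event):
    """Step 3: add the MAC address belonging to the terminal IP, if the table knows it."""
    return {**event, "mac": IP_TO_MAC.get(event["ip"], "unknown")}


def process(ral, audit):
    """Steps 1-3 in order; the org flag is derived before the user ID is replaced."""
    out = []
    for e in normalize(ral, audit):
        e = enrich(e)
        e["org_hr"] = e["user"] in HR_ORG_USERS
        e["user"] = pseudonymize(e["user"])
        out.append(e)
    return out


def hr_reads_outside_hr(events):
    """Pattern: who read HR-critical data but is not in the HR organization?"""
    return sorted({e["user"] for e in events
                   if e["type"] == "ReadAccess" and e["object"] in HR_CRITICAL and not e["org_hr"]})
```

The pattern returns pseudonyms only; resolving one back to a person is a separate, controlled step, which is the point of pseudonymizing before the data reaches analysts.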