SP04 brings not only new attack detection patterns, developed in the forensic lab in the way you already know (ETD Patterns), but also two new types of attack detection pattern: ETD Security Notes Patterns and ETD Anomaly Patterns.
New ETD Patterns
The DSAG ERP Auditing Guide (better known in the German-speaking world as the Prüfleitfaden SAP® ERP 6.0) is an important best-practices document with many recommendations for security checks. Many of these checks are static in nature and can be covered by the Security Optimization Service of Solution Manager. Others are dynamic in nature and can be effectively covered by SAP Enterprise Threat Detection. For example, a recent US-CERT alert (TA16-132A) highlights a vulnerability that was patched long ago and is also on the DSAG checklist: the Invoker Servlet of the SAP NetWeaver Application Server Java. Attack detection patterns can warn if something is attempting to invoke the servlet or, worse, has successfully invoked the servlet on a misconfigured system.
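As an added illustration of the kind of pattern logic described above (this is example code written for this post, not an ETD pattern and not the format ETD uses internally), the following Python script evaluates a constructed set of AS Java access-log-style lines. It assumes that the invoker servlet answers under the /servlet/ path prefix and that a list of systems known to still have the servlet enabled is available from configuration inventory; both are assumptions, and the log format, system IDs and addresses are constructed for the example. An attempt (non-2xx status) is a medium-severity alert, a success is high severity, and a success on a system already known to be misconfigured is critical.

```python
"""Detection pattern: attempts and successful calls to the AS Java Invoker Servlet.

Example code for illustration; not an ETD pattern and not ETD's log schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumption: the invoker servlet is reached through the /servlet/ path prefix.
INVOKER_PREFIX = "/servlet/"

# Constructed log format (one event per line):
# <iso-timestamp> <system-id> <client-ip> <method> <path> <http-status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<system>\S+)\s+(?P<client>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Alert:
    timestamp: str
    system: str
    client: str
    path: str
    status: int
    severity: str  # MEDIUM = attempt, HIGH = success, CRITICAL = success on a known-misconfigured system


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def classify(event: dict, misconfigured: Set[str]) -> Optional[Alert]:
    """Return an Alert if the event is an invoker-servlet call, otherwise None."""
    if not event["path"].startswith(INVOKER_PREFIX):
        return None
    success = 200 <= event["status"] < 300
    if success and event["system"] in misconfigured:
        severity = "CRITICAL"
    elif success:
        # A success on a system the inventory lists as hardened means the inventory is stale:
        # still high severity, and a prompt to re-check that system's configuration.
        severity = "HIGH"
    else:
        severity = "MEDIUM"
    return Alert(event["ts"], event["system"], event["client"],
                 event["path"], event["status"], severity)


def run_pattern(lines: Iterable[str], misconfigured: Set[str]) -> List[Alert]:
    """Apply the pattern to every parsable line and collect the resulting alerts."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparsable line: skipped here, would be counted as a parse error in practice
        alert = classify(event, misconfigured)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample input: system IDs, addresses and servlet class names are made up.
SAMPLE_LOG = [
    "2016-05-12T10:01:02Z JAV 10.0.0.5 GET /irj/portal 200",
    "2016-05-12T10:01:07Z JAV 10.0.0.9 GET /servlet/com.example.Foo 404",
    "2016-05-12T10:01:09Z JAV 10.0.0.9 GET /servlet/com.example.Bar 200",
    "2016-05-12T10:02:11Z QAJ 10.0.0.9 GET /servlet/com.example.Baz 200",
    "2016-05-12T10:02:15Z DEV 10.0.0.7 POST /webdynpro/app 200",
]
# Constructed inventory: systems where the invoker servlet is known to still be enabled.
MISCONFIGURED_SYSTEMS = {"QAJ"}

if __name__ == "__main__":
    for a in run_pattern(SAMPLE_LOG, MISCONFIGURED_SYSTEMS):
        print(f"{a.severity:8} {a.timestamp} {a.system} {a.client} {a.path} ({a.status})")
```

Running the script prints one MEDIUM alert for the failed attempt, one HIGH alert for the success on JAV (which the inventory does not list as misconfigured, so the inventory should be rechecked), and one CRITICAL alert for the success on QAJ.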
ETD Security Notes Patterns
While some forensic lab patterns are derived from security notes, these patterns are quite different. With this feature, you can easily find out which systems are missing critical patches and whether there are attempts to exploit them. SP04 covers some 53 recent ABAP Security Notes concerning missing authorization, a removed RFC flag, or disabled code execution.
Although these patterns are not developed in the forensic lab (they are part of the delivered monitoring functions), they do generate indicators that you can use in the forensic lab as normal.
ETD Anomaly Patterns
The third type of pattern generates alerts or indicators when certain activities deviate sufficiently from the expected values or when something completely new happens. There is a new tool (Anomaly Detection Lab) to create these patterns, but the underlying charts are developed in the forensic lab, so you can build on your existing knowledge. An example of an ETD anomaly pattern delivered with SP04 is where someone makes a restricted service call that they have not used before.
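To make the two anomaly conditions concrete, here is an added Python example (written for this post, not the delivered SP04 pattern and not the Anomaly Detection Lab's implementation). It assumes a per-user, per-service baseline of daily call counts from previous days and a list of services treated as restricted; the user names, service names and counts are constructed. A restricted service that a user has never called before is reported as a new-activity anomaly, and a call volume that exceeds the baseline mean by more than a configurable number of standard deviations is reported as a deviation. The example goes slightly beyond the text by also handling the case where the baseline has zero spread, which would otherwise make any change an anomaly.

```python
"""Anomaly pattern: first-time restricted service calls and call-rate deviations.

Example code for illustration; not the delivered ETD anomaly pattern.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed baseline: (user, service) -> daily call counts over the previous 5 days.
HISTORY: Dict[Tuple[str, str], List[int]] = {
    ("alice", "SVC_REPORT"): [10, 10, 10, 11, 9],
    ("bob", "SVC_REPORT"): [2, 2, 2, 2, 2],
    ("bob", "SVC_CHANGE_USER"): [1, 1, 1, 1, 1],
}

# Constructed events for the current day: one (user, service) tuple per call.
TODAY: List[Tuple[str, str]] = (
    [("alice", "SVC_REPORT")] * 10
    + [("alice", "SVC_CHANGE_USER")]
    + [("bob", "SVC_REPORT")] * 9
    + [("bob", "SVC_CHANGE_USER")]
    + [("carol", "SVC_REPORT")]
)

# Constructed set of services whose first use by a user should be reported.
RESTRICTED_SERVICES: Set[str] = {"SVC_CHANGE_USER"}


def services_seen(history: Dict[Tuple[str, str], List[int]]) -> Dict[str, Set[str]]:
    """Which services each user has called at least once in the baseline window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for (user, service), counts in history.items():
        if any(counts):
            seen[user].add(service)
    return seen


def detect_anomalies(history, today, restricted, z: float = 3.0, min_std: float = 1.0):
    """Return (kind, user, service, count) tuples for today's anomalous activity.

    kind is NEW_RESTRICTED_SERVICE (user never called this restricted service before)
    or RATE_DEVIATION (today's count exceeds mean + z * stdev of the baseline).
    min_std is a floor on the standard deviation so a perfectly flat baseline
    does not turn every small change into an anomaly.
    """
    seen = services_seen(history)
    counts = Counter(today)
    alerts = []
    for (user, service), n in sorted(counts.items()):
        if service in restricted and service not in seen[user]:
            alerts.append(("NEW_RESTRICTED_SERVICE", user, service, n))
            continue  # nothing to compare a rate against yet
        past = history.get((user, service))
        if not past:
            continue  # unrestricted and never seen: no baseline; could be a low-severity indicator
        expected = mean(past)
        spread = max(pstdev(past), min_std)
        if n > expected + z * spread:
            alerts.append(("RATE_DEVIATION", user, service, n))
    return alerts


if __name__ == "__main__":
    for kind, user, service, n in detect_anomalies(HISTORY, TODAY, RESTRICTED_SERVICES):
        print(f"{kind}: {user} called {service} {n} time(s) today")
```

With the constructed data, alice's first call to SVC_CHANGE_USER is reported as a new restricted service, bob's nine calls to SVC_REPORT (baseline mean 2) are reported as a rate deviation, and carol's single unrestricted call is not reported because there is no baseline for it.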
Relevant SAP Notes
2307878 – Release Note SAP Enterprise Threat Detection 1.0 SP04