
SAP Enterprise Threat Detection enables companies to detect attacks and to analyze the business impact of a known attack. It is about:

  • Security monitoring in real time – including historical data
  • Big data to actionable, high quality indicators
  • Market leading in-memory technology
  • Identify anomalies within your landscape

The focus of SAP Enterprise Threat Detection is monitoring SAP landscapes, but it is also open to integrating non-SAP content. The solution provides techniques to receive security-relevant data from the SAP system landscape and out-of-the-box rules to detect external and insider attacks.

But security has to be a common goal within a company, so integration is very important. There is no ONE magic solution that is able to protect the complete landscape (network, mobile, on-premise, cloud, social, dark web, virus scanner, applications, business processes, permissions, roles, …). In a large enterprise there is also not ONE team with deep knowledge of all security aspects. It is therefore important to integrate the alerts into a security operations center to get a holistic view.


So how to integrate with SAP Enterprise Threat Detection?


Use case A: Integrate/consume other data sources

  1. Partners provide content/services to integrate non-SAP data into SAP Enterprise Threat Detection -> see the first blogs on: http://scn.sap.com/docs/DOC-58501
  2. Integrate non-SAP content yourself
    1. Via SAP ETD log learning (files and syslog) -> no coding
    2. Via SAP HANA Smart Data Streaming (SDS), which is part of SAP ETD -> coding required, but extremely flexible, plus reuse of SDS standard components (ODBC, JDBC, file connector, …)


Use case B: SAP ETD shares alerts with other systems (example: SIEM) (see http://help.sap.com/sapetd -> implementation guide)

  1. SAP ETD automatically sends an alert as soon as it occurs (alert publishing)
  2. The other solution regularly asks for new information (alert pulling)

Use case B is realized via HTTP(S) and the JSON format.

Example JSON format (response to the request ?$query=AlertId eq 10923923):

    [
      {
        "Version": "1.0",
        "AlertCreationTimestamp": "2016-02-10T12:00:00.000Z",
        "AlertId": 12086661,
        "AlertSeverity": "HIGH",
        "AlertStatus": "CRITICAL",
        "AlertSource": {
          "SystemIdActor": "ABC/000",
          "NetworkHostnameInitiator": "xx.xx.xx.xx",
          "UserPseudonymActing": {
            "Pseudonym": "ZIILS-5181"
          }
        },
        "AlertSystemIds": [
          "ABC/000"
        ],
        "HostNames": [
          "……."
        ],
        "PatternName": "Blacklisted transactions",
        "PatternNameSpace": "http://sap.com/secmon/basis",
        "PatternDescription": "A blacklisted transaction has been executed.",
        "Text": "Measurement 3 exceeded the threshold 1 for (User Pseudonym, Acting/System ID, Actor/Network, Hostname, Initiator) = ('ZUVLS-5181'/'ABC/000'/'null')",
        "Score": 75,
        "UiLink": "http:///sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=751BB83E1FC819499EDE612A21AAEC61",
        "TriggeringEvents": [
          {
            "Id": "436F6D62F3D47F017D31E4C7DC2A0500",
            "Timestamp": "2016-02-10T12:14:47.000Z",
            "TechnicalLogEntryType": "STAD_EXEC",
            "TechnicalTimestampOfInsertion": "2016-02-10T12:15:08.084Z",
            "CorrelationId": "FA163E2CA3221ED5B3FDFAC1349F85BB",
            "CorrelationSubId": "00000000000000000000000000000000",
            "EventCode": "STADEntry",
            "EventSemantic": "Executable, Run",
            "EventLogType": "BusinessTransactionLog",
            "EventSourceId": "ABC/000",
            "EventSourceType": "ABAP",
            "ParameterValueString": "SAPLWB_MANAGER",
            "ResourceSize": "319497",
            "ResourceType": "Bytes transferred",
            "ResourceUnitsOfMeasure": "Bytes",
            "ServiceTransactionName": "SE37",
            "EventName": "ExecutableRun",
            "EventNamespace": "http://sap.com/secmon"
          }
        ]
      }
    ]
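As an added example (not part of this blog or of SAP's own tooling), the SIEM side of use case B: a small Python consumer that flattens an alert in the JSON format above into the key/value record a SIEM ingests and deduplicates by AlertId across repeated pulls, since regular pulling can return an alert more than once. The sample payload is constructed from the alert above with shortened values, and the HTTP fetch itself is left to whatever client you use against the endpoint described in the implementation guide.

```python
import json
from typing import Dict, List

# Constructed sample in the alert format shown above (values shortened; not live ETD output).
SAMPLE_ALERTS = json.loads("""
[{"Version": "1.0", "AlertCreationTimestamp": "2016-02-10T12:00:00.000Z",
  "AlertId": 12086661, "AlertSeverity": "HIGH", "AlertStatus": "CRITICAL",
  "AlertSource": {"SystemIdActor": "ABC/000", "NetworkHostnameInitiator": "xx.xx.xx.xx",
                  "UserPseudonymActing": {"Pseudonym": "ZIILS-5181"}},
  "AlertSystemIds": ["ABC/000"], "PatternName": "Blacklisted transactions",
  "PatternNameSpace": "http://sap.com/secmon/basis", "Score": 75,
  "TriggeringEvents": [{"Id": "436F6D62F3D47F017D31E4C7DC2A0500",
                        "Timestamp": "2016-02-10T12:14:47.000Z",
                        "EventSourceId": "ABC/000", "EventSourceType": "ABAP",
                        "ServiceTransactionName": "SE37", "EventName": "ExecutableRun"}]}]
""")


def normalize_alert(alert: Dict) -> Dict:
    """Flatten one ETD alert into the flat record a SIEM field mapping expects."""
    source = alert.get("AlertSource", {})
    events = alert.get("TriggeringEvents", [])
    return {
        "alert_id": alert["AlertId"],
        "created": alert["AlertCreationTimestamp"],
        "severity": alert.get("AlertSeverity"),
        "status": alert.get("AlertStatus"),
        "score": alert.get("Score"),
        "pattern": alert.get("PatternName"),
        "pattern_ns": alert.get("PatternNameSpace"),
        "system": source.get("SystemIdActor"),
        # ETD hands over a pseudonym, not the real user ID; resolution stays inside ETD.
        "pseudonym": source.get("UserPseudonymActing", {}).get("Pseudonym"),
        "initiator_host": source.get("NetworkHostnameInitiator"),
        # Distinct transactions behind the alert, e.g. the blacklisted SE37 above.
        "transactions": sorted({e["ServiceTransactionName"] for e in events
                                if e.get("ServiceTransactionName")}),
        "event_count": len(events),
    }


class AlertPuller:
    """Tracks AlertIds already forwarded so a repeated pull does not create duplicate SIEM events."""

    def __init__(self) -> None:
        self.seen = set()

    def ingest(self, payload: List[Dict]) -> List[Dict]:
        fresh = []
        for alert in payload:
            if alert["AlertId"] in self.seen:
                continue
            self.seen.add(alert["AlertId"])
            fresh.append(normalize_alert(alert))
        return fresh
```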
